Lotus Notes and Domino 6 System Administrator Exam Cram 2 (Exam Cram 620, 621, 622)

Lotus Notes and Domino 6 System Administrator ® ® Tony Aveyard Karen Fishwick Lotus Notes ® and Domino ® 6 System A...

81 downloads 988 Views 8MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

Lotus Notes and Domino 6 System Administrator ®

®

Tony Aveyard Karen Fishwick

Lotus Notes ® and Domino ® 6 System Administrator Exam Cram 2

Publisher Paul Boger

Copyright © 2004 by Que Publishing All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

Executive Editor Jeff Riley

Acquisitions Editor Carol Ackerman

Development Editor Lorna Gentry

International Standard Book Number: 0-7897-2918-0 Library of Congress Catalog Card Number: 2003109276

Managing Editor Charlotte Clapp

Printed in the United States of America

Project Editor

First Printing: November 2003 06 05 04 03

4

3

2

1

Tonya Simpson

Copy Editors Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Lotus Notes is a registered trademark of IBM Corporation. Domino is a registered trademark of IBM Corporation.

Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Krista Hansing Karen Annett

Indexer Heather McNeill

Proofreader Juli Cook

Technical Editors Dennis Teague David Wilde

Team Coordinator Pamalee Nelson

Multimedia Developer Bulk Sales Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales 1-800-382-3419 [email protected] For sales outside the U.S., please contact International Sales 1-317-428-3341 [email protected]

Dan Scherf

Page Layout Bronkella Publishing

Que Certification • 800 East 96th Street • Indianapolis, Indiana 46240

A Note from Series Editor Ed Tittel You know better than to trust your certification preparation to just anybody. That’s why you, and more than two million others, have purchased an Exam Cram book. As Series Editor for the new and improved Exam Cram 2 series, I have worked with the staff at Que Certification to ensure you won’t be disappointed. That’s why we’ve taken the world’s best-selling certification product—a finalist for “Best Study Guide” in a CertCities reader poll in 2002—and made it even better. As a “Favorite Study Guide Author” finalist in a 2002 poll of CertCities readers, I know the value of good books. You’ll be impressed with Que Certification’s stringent review process, which ensures the books are high-quality, relevant, and technically accurate. Rest assured that at least a dozen industry experts—including the panel of certification experts at CramSession—have reviewed this material, helping us deliver an excellent solution to your exam preparation needs. We’ve also added a preview edition of PrepLogic’s powerful, full-featured test engine, which is trusted by certification students throughout the world. As a 20-year-plus veteran of the computing industry and the original creator and editor of the Exam Cram series, I’ve brought my IT experience to bear on these books. During my tenure at Novell from 1989 to 1994, I worked with and around its excellent education and certification department. This experience helped push my writing and teaching activities heavily in the certification direction. Since then, I’ve worked on more than 70 certification-related books, and I write about certification topics for numerous Web sites and for Certification magazine. In 1996, while studying for various MCP exams, I became frustrated with the huge, unwieldy study guides that were the only preparation tools available. As an experienced IT professional and former instructor, I wanted “nothing but the facts” necessary to prepare for the exams. From this impetus, Exam Cram emerged in 1997. It quickly became the best-selling computer book series since “…For Dummies,” and the best-selling certification book series ever. By maintaining an intense focus on subject matter, tracking errata and updates quickly, and following the certification market closely, Exam Cram was able to establish the dominant position in cert prep books. You will not be disappointed in your decision to purchase this book. If you are, please contact me at [email protected]. All suggestions, ideas, input, or constructive criticism are welcome!

Expand Your Certification Arsenal!

Lotus Notes and Domino 6 Application Development Exam Cram 2 (Exam 610, 611, 612) Tim Bankes and David Hatter ISBN 0-7897-2917-2 $39.99 US/$60.99 CAN/£28.99 Net UK

•

Key terms and concepts highlighted at the start of each chapter

•

Notes, Tips, and Exam Alerts advise what to watch out for

•

End-of-chapter sample Exam Questions with detailed discussions of all answers

•

Complete text-based practice test with answer key at the end of each book

•

The tear-out Cram Sheet condenses the most important items and information into a two-page reminder

•

A CD that includes PrepLogic Practice Tests for complete evaluation of your knowledge

•

Our authors are recognized experts in the field. In most cases, they are current or former instructors, trainers, or consultants— they know exactly what you need to know!

www.examcram2.com

From Tony Aveyard I dedicate this book to the following people: Kathi, my wife and my best friend: My life is richer because of you and was incomplete until you joined it. Thanks for always sticking with me and believing in me. My dreams have come true and still do because of you. Marie, my daughter, my friend, and one of the reasons I was able to survive as a single parent for seven years: You are the twinkle in a father’s eye, and I will always regret the day when you move out to make your own life. Thanks for all the memories you gave your dad. Garet, my computer partner and movie-going buddy: Don’t forget that I can beat you at Unreal Tournament! You’re a lot of fun to be around, and the way you look at life is refreshing and exhilarating. I love the time we spend together and the way you laugh at the Stooges and MXC. Terry Brooks: Your work inspires me, and when I read your books I feel like I know the Ohmsfords personally. Thanks for all the memories and for the inspiration. I know this isn’t a book of fiction, but at least I’m writing! Thanks, Terry. And last but not least, God: for giving me the strength to write again and the patience and endurance to finish the task. From Karen Fishwick: I’d like to dedicate this book to my children, Beth and Cam. Thanks for being willing to share Mommy with the computer and for obeying the sign on the door. ❧

About the Authors

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Tony Aveyard has been in the IT business for more than 20 years. During his career, he has worked on the desk side support team and the data communications team, and has spent more than seven years in Notes administration. He’s currently leading the Web & eBusiness team for Siemens Business Services in Mason, Ohio. He lives in Cincinnati, Ohio, with Kathi, his lovely bride of five years; his two kids, Marie and Garet; and the beloved family dog, Tango. FPS and role-playing computer games are still a passion after many years of world-conquering and Orc-killing, but the desire nearest his heart is to be a full-time fiction writer and share his adventures with the world. Karen Fishwick has been actively working with Notes and Domino since Release 3. She became a Certified Lotus Professional in Release 3 in 1995 and a Certified Lotus Instructor in 1996. She has upgraded that certification through each release of Notes/Domino and now holds the CLP designation for R6 in both the system administration and application development tracks. Karen has been delivering the certified Lotus curriculum to students all over Canada for more than eight years. Based in Ottawa, Canada, she provides consulting and training services to a wide array of both public- and privatesector clients. She has been involved as an author or technical editor for many book projects over the past five years. Karen is ideally suited to be a co-author of this book because of her long-standing experience with the Lotus certification tests. She has written exams in every release of the Domino System Administration track, from R3 to R6. She has also participated as author or editor in books dealing with Domino certification for R4, R5, and R6. As an independent consultant, Karen has assisted many clients with both administration and development projects. Her focus over the past couple of years has been in the areas of administrative troubleshooting for servers and resolving access-control problems within applications.

Karen currently lives in Ottawa with her husband, Warren, and her 4-yearold twins, Beth and Cam. In her spare time, she enjoys cooking, playing sports, and taking an active role in her local church.

About the Contributing Author Randy Smith lives in Omaha, Nebraska with his wife, Patty, and two sons, Kevin and Eric. He began his Lotus Notes/Domino consulting career in 1996 and founded R.D. Smith Consulting in 2000. Randy is an IBM Certified Advanced System Administrator and an IBM Certified Advanced Application Developer in Lotus Notes/Domino 6. He has also attained Principal CLP certification in Lotus Notes/Domino R5 and R4 for both Application Development and System Administration. He is currently consulting at the State of Nebraska, where he supports their Lotus Notes/Domino infrastructure and mentors their Lotus Notes development teams.

About the Technical Editors Dennis Teague has been working with Lotus Notes/Domino since version 4 came out. He has worked for several worldwide firms over the years doing Notes administration and network support. He has obtained his CLP in R4, R5, and R6 and his PCLP in R4 and R5 in Notes Administration. Thanks to his wife for all her help in getting these certifications in Notes and Domino— drilling him with question after question until he knew why the answer was right versus knowing, when she started out saying “Heidi is a Domino administrator and has a user Milo that is having a problem replicating...,” that the answer was C. He is glad that his wife, Susan, and his two sons, Trevor and Devon, allowed him the time to tech edit this book, so as to reinforce some of the practices he is already using in R6 and remind him of some other features that could be implemented. David C. Wilde is a Lotus Notes senior consultant and Team Lead with the fourth-largest independent information technology services firm in North America. His team is responsible for maintaining a Lotus Notes environment that supports well over 20,000 users spread across Canada and the United States. His expertise in system security and back-end system integration is in high demand, and he has been utilized to perform security audits for many of these clients. David has more than 17 years of IT experience and has been specializing in Lotus Notes for the last 8 years, with considerable time spent in both System Administration and Application Development capacities. His Lotus Notes background includes certifications as an IBM certified Advanced System Administrator—Lotus Notes and Domino in versions 4, 5 and 6, as an IBM Advanced Application Developer—Lotus Notes and Domino in versions 4, 5 and 6, and as an IBM Certified for e-business Solution Advisor. David is also the former president and founder of the CONDORS Lotus Notes and Domino User’s Group located in Saskatchewan, Canada. David is currently working toward his WebSphere and SUN Java certifications.

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I would like to thank Carol Ackerman for giving me the chance to write again and believing in me. Her patience and support have been invaluable in driving me to keep pressing forward. I would also like to say thanks to my friends and co-workers who gave me the encouragement and showed genuine excitement at my chance to participate in another project. Andrew, Chris, Eric, Heather, Ken, and Susan, you’re the best. —Tony Aveyard I’d like to thank Que Certification for allowing me the opportunity to work with them again on an interesting publication. Thanks also to my husband, Warren, for supporting me through the endless writing times, and to my parents, who help so much with child care for my kids so that I can work on projects like this one. —Karen Fishwick

Contents at a Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Introduction

xxv

Self-Assessment Chapter 1

xxxi

Overview of Domino System Administration Certification Exams 1

Part I: Exam 620 Chapter 2

Installing and Configuring

Chapter 3

Mail

Chapter 4

Managing and Maintaining

Chapter 5

Replication

Chapter 6

Security

13

35 61

99

127

Part II: Exam 621 Chapter 7

Installing and Configuring

161

Chapter 8

Mail

Chapter 9

Monitoring Server Performance

189

Chapter 10

Replication

Chapter 11

Security

207

255

279

Part III: Exam 622 Chapter 12

Managing Non-Notes and Notes Clients

Chapter 13

Setting Up Server Monitoring

Chapter 14

Managing Servers

Chapter 15

Managing Users and Groups

327

337 363

317

Chapter 16

Monitoring Server Performance

Chapter 17

Resolving Server Problems

Chapter 18

Resolving User Problems

379

391 407

Part IV: Sample Exams Chapter 19

Practice Exam 620

Chapter 20

Answer Key for 620

Chapter 21

Practice Exam 621

Chapter 22

Answer Key for 621

Chapter 23

Practice Exam 622

Chapter 24

Answer Key for 622

425 445 463 485 499 519

Part V: Appendixes Appendix A

Resources

Appendix B

What’s on the CD-ROM?

Appendix C

Using the PrepLogic Practice Exams, Preview Edition Software 539 Glossary Index

535

547

565

537

Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Introduction.....................................................................xxv Self-Assessment ..............................................................xxxi Chapter 1 Overview of Domino System Administration Certification Exams .......1 Assessing Exam-Readiness 2 The Exam Objectives 3 The Exam Situation 4 Exam Layout and Design 5 Lotus’s Testing Formats 7 Exam-Taking Techniques 7 Mastering the Inner Game 9 Additional Resources 9

Part I Exam 620 .......................................................11 Chapter 2 Installing and Configuring ...................................................13 Registering Servers 14 Server Setup 14 Setting Up Additional Domino Servers 16 Setting Up Server Protocols and Ports 17 Implementing a Hierarchical Naming Scheme 18 Maintaining Domino Certifier IDs 18 Configuring Directories 19 Understanding the Domino Domain 19 Implementing Distributed Versus Centralized Directories Creating Groups in the Directory 21 Setting Up Administration Groups 22 Notes Client Configuration 22 Registering New Users 22 Installing Clients of Different License Types 23 Setting Up and Configuring a Notes R6 User 24

20

xiv

Table . . . .of. Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Deploying Notes User Authentication—Notes ID 25 Maintaining Notes User IDs 26 Applying Policy Documents 26 Applying Policies During New User Registration 27 Applying Policies to Existing Users 27 Exam Prep Questions 29 Need to Know More? 33

Chapter 3 Mail .............................................................................35 Server Messaging Configuration 36 Setting Up and Configuring Mail Routing 36 Setting Up and Configuring Message Distribution Using Schedules 38 Forcing Mail to Route to a Specific Server 40 Monitoring and Maintaining Mail Routing 41 Troubleshooting Routing Problems 46 Basic Messaging Settings 48 Creating Archiving Policies 48 Implementing Mail Quotas 51 Understanding Mail Encryption 52 User Messaging Configuration 53 User Preferences Related to Mail 53 Setting Workstations for Different Locations 54 Exam Prep Questions 56 Need to Know More? 60

Chapter 4 Managing and Maintaining .................................................61 Application Deployment 62 Deploying Server-Based Applications 62 Deploying HTML-Based Applications 64 Deploying Web Applications for Internationalization 65 Deploying Applications Based on Coding: Formula Language, LotusScript, JavaScript, C 66 Deploying Applications Based on Document Characteristics: Document Size 69 Managing Application Design 70 Distributing Application Design Changes Using the Design Task 70 Replicating Design Changes 73

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table . . .of. Contents . . . . .

Application Maintenance 73 Monitoring Application Size 74 Maintaining Data Integrity 75 Domino Server Monitoring and Maintenance 77 Monitoring Server Tasks 77 Monitoring and Managing Log Files 78 Monitoring and Managing Web Services 80 Setting Up and Configuring Administration Monitoring Tools 84 Other Maintenance Tasks 87 Migrating from a Distributed Directory to a Central Directory 87 Creating a Policy Synopsis to Determine an Effective Policy 88 Maintaining Users 89 Maintaining Groups 91 Exam Prep Questions 93 Need to Know More? 98

Chapter 5 Replication .....................................................................99 The Replica Task 100 Understanding Document Replication Order 101 Setting Up and Configuring Replication Through Force 101 Forcing Replication Using the Server Console 102 Setting Up and Configuring Replication Through Scheduling 104 Replication Topologies 104 Creating a Replication Connection Document 106 How Access Control Lists Affect Replication 108 Guidelines for Assigning Server Access to Databases 109 Other Access Control Settings That Affect Replication 112 Resolving Replication and Save Conflicts 113 Choosing Which Document to Keep 114 Using Design or Administration Techniques to Prevent Replication or Save Conflicts 114 Clustered Replication 115 Monitoring and Maintaining Replication 116 Monitoring Replication History 116 Viewing the Replication Events View in the Log File 117 Using an Event Generator to Monitor Replication 118 Viewing Replication Schedules 118 Replication-Topology Maps 118

xv

xvi

Table . . . .of. Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions 120 Need to Know More? 125

Chapter 6 Security ........................................................................127 Physical Security 128 Securing Domino Applications Based on Password Encryption 129 Domino Server Security 129 Securing Domino Resources Based on Notes Authentication 130 Securing Domino Resources Based on the Domino Directory 131 Securing Domino Resources Based on Web Authentication 134 Setting Up and Configuring Server Access 135 Monitoring and Maintaining Server Access Control 139 Troubleshooting Common Server Access Problems 140 Domino Application Security 141 Understanding the ACL 141 Securing Applications with Groups 144 Securing Applications with Authors Fields 146 Securing Applications with Readers Fields 146 Troubleshooting Data Access Control Problems 148 Creating Security Policies 149 Exam Prep Questions 152 Need to Know More? 157

Part II Exam 621 ......................................................159 Chapter 7 Installing and Configuring ..................................................161 Capacity Planning Based on Performance 162 Installing a Notes/Domino Release 6 Server 163 Setting Up Servers of Different Types 164 Running the Installation Program 164 Setting Up and Configuring a Notes/Domino Release 6 Server Setting Up/Configuring Directories 169 Deploying a Corporate Standard Welcome Page 170 Creating/Registering Certificates 172 Creating an Organization Certifier ID 173 Creating an Organizational Unit Certifier ID 174 Creating/Registering Users 175

165

xvii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table . . .of. Contents . . . . .

Certifying with a CA Key 175 Setting Up Multiuser Support 176 Setting Up Workstations for Different Clients 176 Setting Up/Configuring Calendaring and Scheduling 177 Setting Up Servers for Sharing Resources 177 Defining the Database ACL 178 Completing the Site Profile 178 Setting Up/Configuring Transaction Logging 179 Planning the Transaction Logging Implementation 180 Setting Up Transaction Logging on the Server 181 Setting Up Servers for Load Balancing and Failover 181 Applying Policy Documents to Existing Users 183 Migrating from a Distributed Directory to a Central Directory Exam Prep Questions 185 Need to Know More? 188

183

Chapter 8 Mail ............................................................................189 Setting Up and Configuring Message Distribution Using Notes-Based Mail 190 Notes Routing to External Domains 191 Implementing and Changing Mail Quotas 195 Configuring Message Tracking 197 Deploying Applications Based on Routing Fundamentals 199 Exam Prep Questions 202 Need to Know More? 205

Chapter 9 Monitoring Server Performance ............................................207 Adding/Moving/Upgrading/Deleting Databases 208 Backing Up/Verifying and Restoring Databases 210 Creating Archiving Policies 210 Deploying Applications Based on Coding 212 Deploying Applications Based on Design Elements 212 Deploying Applications Based on Design Elements: Shared Versus Nonshared 214 Deploying Applications Based on How Attachments Are Handled 214 Deploying Applications Based on Replication Fundamentals 215 Deploying Based on the NSF Structure: NSF Components 215 Deploying Server-Based Applications: HTML 216 Distributing Application Design Changes Based on Design 216 Enabling/Disabling Compression 218

xviii Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Maintaining Domino Server IDs 218 Maintaining Domino User IDs 220 Managing Users 220 Creating and Setting Up Roaming Users 221 Maintaining User Profiles 222 Changing User Names 223 Deleting Users 225 Using the Administration Process 225 Monitoring Server Tasks 226 Monitoring/Maintaining Domains 228 Monitoring/Maintaining Mail Routing 229 Tracking Messages 230 Resolving Mail Routing Errors 231 Monitoring/Maintaining/Repairing Databases 231 Monitoring Database Size 232 Using Database Maintenance Utilities 232 Other Database Maintenance Tasks 234 Monitoring/Modifying Application Access Control 235 Setting Up Authentication 236 Setting Up/Configuring/Monitoring Monitors 236 Troubleshooting Administration Process Problems 237 Troubleshooting Clustering Problems 238 Troubleshooting Network/Protocol Problems 239 Troubleshooting Partitioning Problems 239 Troubleshooting Port (Modem) Problems 240 Troubleshooting User Problems 241 Using a Java-Based Domino Console 241 Launching jconsole 241 Using jconsole 242 Exiting from jconsole 244 Using Distributed and Centralized Directories 244 Using the Remote Console 245 Managing User Passwords 247 Monitoring/Maintaining Domain Access 247 Exam Prep Questions 249 Need to Know More? 253

Chapter 10 Replication ....................................................................255 Setting Up and Configuring Replication Through Force 256 Forcing Replication Using the Notes Client 257 Forcing Replication Using the Domino Administrator Client 258

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table . . .of. Contents . . . . .

Setting Up and Configuring Replication Through Scheduling 260 Streaming Replication 263 Planning Applications Based on the Impact of Replication on Document Distribution 263 Understanding How the ACL Affects Replication 265 Guidelines for Assigning Server Access to Databases 266 Understanding Changes to xACL Replication 269 Replicating Design Changes 270 Monitoring and Maintaining Replication 271 Exam Prep Questions 273 Need to Know More? 277

Chapter 11 Security.........................................................................279 Setting Up Authentication 280 Setting Up and Configuring ID Backup and Recovery 282 Specifying Recovery Information for a Certifier ID File and Creating a Mail-In Database to Store Backup ID Files 282 Making User ID Files Recoverable 284 Recovering an ID File 286 Managing User Passwords 287 Using the ICL and the CRL 289 The Issued Certificate List (ICL) 290 Certificate Revocation List (CRL) 290 Setting Up and Configuring Server Access 291 Troubleshooting Common Server Access Problems 293 The Administrator Can’t Enter Commands at the Server 293 Users Can’t See a New Server in the List of Servers 294 The Server Is Not Responding 294 Adding Security to an Application 294 Designing a Secure Application—Security Versus Deterrence 295 Setting Up and Configuring Agent Access 297 Monitoring and Maintaining Agents 300 Setting Up and Configuring Database Access Using the ACL 302 Securing Applications with Roles 304 Securing Applications with Authors Fields and Readers Fields 305 Troubleshooting User Access Problems 306 Users Report That They Can’t Access the Database 306 Users Can’t Find a New Server in the List of Servers 307

xix

xx

Table . . . .of. Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Users Complain That They Can’t Seem to “See” All the Documents in the Database 307 A User Complains That He Can’t Edit a Document That He Created in the Database 307 Users Complain That They Can’t Create Agents in the Database 308 Users Complain That They Don’t Have the Correct Access Level Within the Database 308 Exam Prep Questions 309 Need to Know More? 313

Part III Exam 622 .....................................................315 Chapter 12 Managing Non-Notes and Notes Clients .................................317 Applying Policy Documents to New Users 318 Setting Up Browser Clients 319 Setting Up Version Reporting and Updating Client Software Exam Prep Questions 322 Need to Know More? 325

320

Chapter 13 Setting Up Server Monitoring ..............................................327 Creating Event Generators 328 Creating Event Handlers 329 Enabling Agent Logging 329 Identifying Mechanisms for Collecting Server Information Starting the Statistics Collectors Task 331 Exam Prep Questions 333 Need to Know More? 336

330

Chapter 14 Managing Servers ...........................................................337 Analyzing Activity Data 338 Applying Policy Documents to Existing Users Automating Server Tasks 342 Changing Administrator Access 343 Changing Server Access 344 Configuring Domino Network Names 344 Creating Security Policies 345 Decommissioning a Server 346 Defining a Backup Process 347 Defining Domino Domains 348

341

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table . . .of. Contents . . . . .

Enabling Protocols 349 Enabling Transaction Logging 349 Transaction Logging Versions 350 Implementing Transaction Logging 350 Identifying a Registration Server 351 Implementing Distributed and Centralized Directories 352 Recertifying a Server ID 353 Searching for Server References in a Domain 354 Setting Up Authentication with Other Domino Organizations Creating a New Organization Certifier ID 356 Creating a New Organizational Unit ID 356 Exam Prep Questions 358 Need to Know More? 362

355

Chapter 15 Managing Users and Groups ...............................................363 Changing a User’s Group Membership 364 Changing a User’s Location in the Hierarchy 365 Changing a User’s Name 367 Deleting Groups 368 Deleting Users 368 Extending a Notes ID’s Expiration Date 369 Managing Groups 370 Modifying Person Documents 371 Moving a User’s Mail File 371 Renaming Groups 372 Setting Up Roaming Users 372 Exam Prep Questions 375 Need to Know More? 378

Chapter 16 Monitoring Server Performance ...........................................379 Using the Domino Console 380 Using the Domino Web Administrator Viewing Real-Time Statistics 384 Viewing Statistics with Server Monitor Exam Prep Questions 387 Need to Know More? 390

382 385

Chapter 17 Resolving Server Problems ................................................391 Monitoring Application Size 392 Monitoring Server Tasks 393

xxi

xxii Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Recovering from a Server Crash 393 Solving Agent Manager Issues 394 Solving Authentication and Authorization Issues 395 Verifying Correct Domino Directory Setup 396 Verifying Server ID 397 Troubleshooting User Problems 397 Troubleshooting Administration Process Problems 397 Troubleshooting Replication Problems 398 Troubleshooting Mail Routing Issues 399 Using Event Triggers to Troubleshoot Problems 400 Exam Prep Questions 401 Need to Know More? 405

Chapter 18 Resolving User Problems ...................................................407 Tracking User Mail Messages 408 Troubleshooting Routing Problems 408 Troubleshooting Server Access Problems 409 Directory Errors 410 Other Techniques for Troubleshooting Server Access Problems 411 Troubleshooting Connection Problems 411 Troubleshooting Data Access Control Problems 412 Troubleshooting Database Issues 413 Troubleshooting Workstation Problems 416 Exam Prep Questions 417 Need to Know More? 421

Part IV Sample Exams ...............................................423 Chapter 19 Practice Exam 620 ...........................................................425 Chapter 20 Answer Key for 620 ..........................................................445 Chapter 21 Practice Exam 621 ...........................................................463 Chapter 22 Answer Key for 621 ..........................................................485 Chapter 23 Practice Exam 622 ...........................................................499

xxiii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table . . .of. Contents . . . . .

Chapter 24 Answer Key for 622 ..........................................................519

Part V Appendixes ...................................................533 Appendix A Resources .....................................................................535 Print Resources 535 Web Resources 535

Appendix B What’s on the CD-ROM ......................................................537 The PrepLogic Practice Exams, Preview Edition Software An Exclusive Electronic Version of the Text 538

537

Appendix C Using the PrepLogic Practice Exams, Preview Edition Software .....539 The Exam Simulation 539 Question Quality 540 The Interface Design 540 The Effective Learning Environment 540 Software Requirements 540 Installing PrepLogic Practice Exams, Preview Edition 541 Removing PrepLogic Practice Exams, Preview Edition from Your Computer 541 How to Use the Software 542 Starting a Practice Exam Mode Session 542 Starting a Flash Review Mode Session 543 Standard PrepLogic Practice Exams, Preview Edition Options 543 Seeing Time Remaining 544 Getting Your Examination Score Report 544 Reviewing Your Exam 544 Contacting PrepLogic 545 Customer Service 545 Product Suggestions and Comments 545 License Agreement 545

Glossary .......................................................................547 Index ............................................................................565

We Want to Hear from You!

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. As an executive editor for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better. Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book. When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book. Email:

[email protected]

Mail:

Jeff Riley Executive Editor Que Publishing 800 East 96th Street Indianapolis, IN 46240 USA

For more information about this book or another Que Certification title, visit our Web site at www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you’re looking for.

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Welcome to the Notes and Domino 6 System Administration certification IBM CP Exam Cram. The purpose of this book is to prepare you to take—and pass—the IBM/Lotus Certified Professional exams for version 6. This introduction explains the IBM Certified Professional exam and gives you an idea of the preparations required in getting ready to take the test. Additional information about Prometric and exam locations can be found at www.prometric.com. Exam Cram books are not teaching guides. They assume that the reader has some familiarity with the subject matter and are used to reinforce and prepare the tester for the exams. They will not teach you how to fully operate a specific application or system, but they enable you to focus on passing the exam based on your experience and study. The authors have taken the exams and attempt to prepare you for the types of material that can be covered and items of specific importance.

Whom Is This Book For? Nothing can prepare you for the exam better than actually using the product on a regular basis. Lotus Notes administration can be a challenging but rewarding experience, and the enhanced capabilities Lotus has introduced in version 6 have made it even more flexible and powerful as a workflow application. The most complete training program you can experience is actually performing the administrative tasks on a regular basis. On-the-job training, along with supervised classroom instruction led by a trainer who has actually had experience running a Notes Network, is invaluable to becoming a worldclass administrator. Reading a book or taking a CBT will help you understand the basics of how the Notes components all work together, but nothing can compare to spending a weekend upgrading or installing a server and encountering all of the “challenges” that can occur. Experience is the best teacher, and it will set you apart from the other Notes IBM CPs who have only a paper certification with no real experience. We strongly recommend that if

xxvi Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

you are not currently involved in daily Notes Administration, you download and install the R6 server and client trials at www.lotus.com.

The Lotus Notes and Domino 6 System Administration Certification CLP Exams To achieve the IBM CP certification, you must pass three separate tests: ➤ Exam 620: “Notes Domino 6 System Administration Operating

Fundamentals.” The skills tested in this exam include installing and configuring Domino Servers, using Mail, managing and maintaining Servers, using replication, and managing security. After you have passed the Exam 620, you earn a certification of Certified Lotus Specialist. ➤ Exam 621: “Notes Domino 6: Building the Infrastructure.” The skills

tested in this exam are also installing and configuring Domino domains, using Mail, managing and maintaining Domino domains, using replication, and managing security. ➤ Exam 622: “Notes Domino 6: Managing Servers and Users.” The skills

tested in this exam are managing non-Notes and Notes clients, managing servers, managing users and groups, monitoring server performance, resolving server problems, resolving user problems, and setting up server monitoring. After passing the preceding two exams, you become an IBM Certified System Administrator—Lotus Notes and Domino 6. One additional test is available if you want to achieve a certification of IBM Advanced System Administrator: ➤ Exam 623: “Notes Domino 6: Configuring Domino Web Servers.” The

skills tested in this exam are handling administration, installing and configuring Domino Web Servers, and managing security.

xxvii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . .

Scheduling the Exam After you have studied this book and taken and consistently passed the sample tests, you must schedule the exams with Prometric at www.prometric.com. When this book was written, the cost for the exams was $100, but this is always subject to change. You are required to pay for the exam in advance using a credit card. If you have a problem that requires you to reschedule the exam, you must contact the exam site directly. When you schedule the exam, you might be required to give some or all of the following information: ➤ Your name ➤ Your Social Security, social insurance, or Prometric testing ID number ➤ Contact phone numbers ➤ Mailing address ➤ Exam number and title ➤ Eligibility information ➤ Email address

Taking the Exam Schedule your exam at a time that will enable you to arrive early to the test site with a minimal amount of frustration. There’s nothing more tiring or distracting than having to fight bad traffic or inclement weather on the way to the test site; make sure you arrive with ample time to regain your concentration and composure. A good night’s sleep goes a long way toward maintaining your concentration, so try to work that in as well. When you arrive at the exam site, you will check in with the exam facilitators, who will verify your exam time and your identity. You will be asked to provide two valid forms of identification, one of which must be a picture ID, such as a driver’s license. After you have successfully checked in at the exam center, you will be asked to leave your cell phone, your keys, and any papers or books at a designated location, where they will be monitored for you. You will then be taken to an exam station. When you sit down at the exam station, you will be given a piece of paper that includes your login ID and that you can also use as scrap paper. An exam facilitator will then assist you in logging in and selecting the test that you

xxviii Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

have been assigned. Before you begin the test, take a look at your surroundings to make sure that the area is conducive to test taking. Make sure that the lighting in the test station is adequate and that your chair is comfortable and adjusted properly. You might be sitting in this station for more than an hour, and you want to make sure that you are not distracted by bright lights or excessive noise. If the conditions are not properly conducive to taking the exam, speak to the exam facilitator and ask to have them corrected, or reschedule the test for a later time, after the problems have been corrected. You will be observed while you are taking the test, so be prepared to have someone in the testing room. Additionally, depending on when you are taking the test, you might be the only person in the room or the room might be full. If something needs to be corrected, bring it to the examiner’s attention immediately. The most important thing about taking the test is this: Don’t rush. You will have an adequate amount of time to take the test, so there is no reason to hurry. Read each question carefully, and make sure you understand exactly what is being asked and in what context. If a question seems confusing, mark it and come back to it later. Answer the questions that you are certain of initially, and return to the more difficult ones later. However, make sure that you read each question completely and understand what is being asked. Often test-takers avoid choosing incorrect answers simply by taking the time to read the question more than once. When you complete the exam, you might be presented with a quick survey. The test facilitator will require you to complete the survey before allowing you to leave. After you have completed the survey, you will be given your test score and then escorted back to the arrival area, where you will be presented with a printout of your score and you can pick up your personal items.

About This Book Each Exam Cram chapter follows a standard format, along with graphical cues containing important information that the reader will need to remember. Each chapter begins with hotlists. These are bulleted lists that highlight terms, concepts, and techniques that you will need to become familiar with throughout the chapter. ➤ The first list is titled “Terms You’ll Need to Understand.” This list con-

sists of important terms that you will need to learn and understand. These

xxix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . .

terms appear in the order in which they appear in the chapter (these terms and others are included in the book’s glossary). ➤ The second list is titled “Techniques/Concepts You’ll Need to Master.”

This list might be a mix of concepts and techniques related to exam objectives that you must master by the end of the chapter before proceeding. The chapters are presented in a logical order that builds upon each concept covered in the certification exam. Within each chapter, pay attention to these special elements: An exam alert stresses concepts, terms, configurations, or activities that might relate to one or more certification exam questions. You should note items identified by the alert notice as vital to successfully passing an exam question.

Tips, notes, and cautions are used to describe shortcuts, some efficient ways to accomplish a task, an “inside take” on some alternative way to accomplish a task, asides that provide good information that supplements the regular text, or cautions about potential pitfalls to watch for. Longer sidebars might offer case studies or extended examples to illustrate the current topic.

➤ Practice questions—Near the end of each chapter, you’ll find a set of prac-

tice questions to test your comprehension of the material you’ve just read. Be sure to complete each question; if you have difficulty, reread that material in the text until you have a better understanding of the concepts. ➤ Backup detail and additional resources—At the end of each chapter is a list of

other sources you can use to further your understanding of the material covered in that chapter of the Exam Cram. Remember, the intent of this book is to prepare you for the exam, not teach you how to become an experienced Notes/Domino administrator. ➤ The Cram Sheet—In the front of this book you will find a removable sheet

of tips and important points that you will need to remember for your exam. Keep in mind that when you are in the exam center, you will not be able to take notes or look over any study aids, so arrive early enough to take one final look at the Cram Sheet before going into the testing area.

xxx Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

How to Use This Book Although this book has been modeled from the proposed exam requirements at www.lotus.com, we also have organized the content to present information in a logical flow. If you feel comfortable with your knowledge of some of the book’s material, focus your study on other sections of the book and pay special attention to these items in the practice tests. If you find errors or material that could be presented more clearly, feel free to contact us at [email protected].

Self-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The authors have included a Self-Assessment in this Exam Cram to help you evaluate your readiness to take the IBM Certified System Administrator Lotus Notes and Domino 6 certification exams. The exams are broken into three sections; 620, “Notes Domino 6 System Administration Operating Fundamentals”; 621, “Notes Domino 6: Building the Infrastructure”; and 622, “Notes Domino 6: Managing Servers and Users.” Before jumping in to study the material required for the exams, let’s take a few moments to discuss what it’s like to be a Domino Administrator.

Domino Administration in These Challenging Times As of the writing of this book, the IT industry is struggling as companies reinvent themselves after the dot-com failure of the last decade. Although the industry isn’t the free-for-all, high-salary industry it once was, it’s still flourishing and people are working and making good salaries. What’s different now is that, in the past, a simple paper certification would allow someone to get an interview and a subsequent hiring. The situation has now changed, and candidates are interviewed and tested before they are hired to make sure they have the experience to hit the ground running. Our goal in the next section is to show you what is expected of a Domino Administrator and what you can do to gain an edge over other candidates. Whether you’re an experienced Domino Administrator and are trying to move to the next certification level, or someone who is picking up this book out of curiosity, everyone had to start somewhere. No one has just walked into an exam center without ever cracking a book or administering a server for a significant amount of time and passed all of the Notes exams on the first try. Although the Domino product line is easy to learn when you understand the fundamentals of the products, it is a highly specialized application and takes skill and training to support.

xxxii Self-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

You need to take a skills inventory to determine your strengths and weaknesses and what you need to do to get to the level you desire. Keep in mind that the authors and tech editors of this book all started in the same place. We all built our first server, created our first user ID, and spent a late night or early morning trying to figure out why that one troublesome server would not route mail when everything else in the Domain worked fine. Don’t be discouraged. It has all been worth it, and we are better for the challenges we have faced and conquered. Our goal with this Exam Cram is to make at least one part of the challenge easier, and that’s to help in passing the exams. We’ll show you what to focus on when you study, and we’ll point out things we feel are important not only in passing the test, but also in broadening your skill base.

The “World Class” Domino Administrator What does it take to be a “world-class” administrator and stand out from the crowd? In this section, we point out some items that we feel are essential to a Domino Administrator. Based on how long you have been in the IT industry, you might meet some or all of these requirements. Don’t be discouraged if you take a look at the list and recognize only some of your skills. The goal is to identify areas that you can work on and improve. Here are some recommended “baseline” qualifications for anyone pursuing certification as a Domino Certified System Administrator: ➤ Academic or professional training in Windows or Linux operating sys-

tems, and certifications in each discipline at an administrator level. A well-trained administrator will be able to see where a problem might be occurring in the Domino configuration and will also be able to think outside the box for other system-related issues and how to correct them. ➤ Three-plus years of professional system administration experience,

including experience installing and upgrading operating systems, doing performance tuning, troubleshooting problems, creating users, and managing backup and recovery scenarios. There is no substitute for real-world experience; although having a lab environment can be instrumental in testing new configurations, it might not assist in troubleshooting problems

xxxiii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Self-Assessment . . . . . . . . .

Remember, you are trying to distinguish yourself from the other administrators and stand out in the crowd. Consider two things when assessing your readiness for the certification exams: ➤ Even a modest background in computer science is helpful. ➤ Hands-on experience with a Domino server is essential for certification

success. Nothing compares to real-world experience. We believe that most certification candidates meet these requirements. With this level of experience in general administration, half the battle is won. Now you just need to focus on finishing the job and acquiring the Domino knowledge needed to finish the picture.

Put Yourself to the Test The following series of questions and observations is designed to help you determine how much work you’ll face in completing the IBM Lotus Certification Exams and where to turn for help in getting ready for the tests. Be absolutely honest in your answers, or you’ll end up wasting money on exams that you’re not ready to take. There are no right or wrong answers, only steps along the path to certification.

Educational Background 1. Have you ever taken any computer-related classes? (Yes or No)

If yes, proceed to question 2; if no, consider a CBT or class at a local community college to gain a base understanding of computer operating systems administration. 2. Have you taken any classes on the Domino application? (Yes or No)

If yes, you will probably be able to handle the discussions related to Domino system administration. If you’re rusty, brush up on the basic concepts related to building a server and creating users. If the answer is no, consider reading a book in this area. We strongly recommend a good Domino administration book, such as Lotus Notes & Domino Essential Reference, by Tim Bankes and Dave Hatter (1999). If this title doesn’t appeal to you, check out reviews for similar titles at your favorite online bookstore. 3. Have you taken any networking concepts or technologies classes?

(Yes or No)

xxxiv Self-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

If yes, you will probably be able to handle the networking terminology, concepts, and technologies. If you’re rusty, brush up on basic networking concepts and terminology. If your answer is no, you might want to check out some titles on the Transport Communication Protocol/Internet Protocol (TCP/IP). 4. Have you done any reading on certificates or public/private keys?

(Yes or No) If yes, review the requirements from questions 2 and 3. If you meet them, move to the next section, “Hands-On Experience.” If you answered no, consult the recommended reading for both topics. This kind of strong background will be of great help in preparing for the Lotus exams.

Hands-On Experience The next question assesses the extent of your hands-on experience as a Domino server administrator. Nothing will prepare you for the exams more than actually working on a Domino server. If we leave you with only one realization after taking this Self-Assessment, it should be that there’s no substitute for time spent installing, configuring, and using the Domino administration procedures and processes covered in the exams. 5. Have you installed, configured, and worked with Domino version 6?

(Yes or No) If yes, make sure you understand the basic concepts covered in Exams 620, 621, and 622. If you haven’t installed Domino version 6, download an evaluation copy from www.lotus.com and install the enterprise server and the three administrator clients. Then learn about the installation and administration concepts required for the exams. You can obtain the exam objectives, practice questions, and other information about Domino exams from the Lotus Certification page on the Web at www.lotus.com.

Testing Your Exam-Readiness Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for

xxxv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Self-Assessment . . . . . . . . .

the Domino certification exams is essential. If you can, attend an instructorled class at an authorized Lotus training facility. If you can’t afford a class, practice exams are available to gauge your readiness. Check for the practice exams at the Lotus Web site, www.lotus.com. Search the Internet for Lotus sites that might have information about what to expect from people who have taken the exam and what their experiences were. The most effective thing that you can do is study, study, study. We have included in this book several practice exam questions for each chapter and a sample test. If you don’t score well on the chapter questions, you can study more and then tackle the sample tests at the end of each part. 6. Have you taken a practice exam on your chosen test subject? (Yes or No)

If yes and you passed consistently, you’re probably ready to take the real exam. If you’re struggling, keep studying and taking the exams until you pass. If you answered no, obtain all practice tests you can find (or afford), study this book, and retake the tests.

Using Other Sources to Prepare for the Lotus 620, 621, and 622 Exams In addition to the information in this chapter, other resources are available to help you prepare for the exams. As previously discussed, the Lotus Web site, www.lotus.com, is a great source for information about the certification exams. Another great Web site for general Lotus information is www. lotusadvisor.com. If you have access to an NNTP news server, the comp newsgroups comp.groupware.lotus-notes and comp.groupware.lotus.notes-admin are great resources for Domino information. Whitepapers and redbooks are also available at www.redbooks.ibm.com.

Onward, Through the Fog! After you’ve taken a look at your skills and decided where you want to focus your studies, nothing is left but to get started. Every journey begins with that first step, and you have already taken it by picking up this book. Study, take the practice exams, and then go back and study the areas where you struggled. When you’re consistently passing the practice exams, go to the testing center with confidence and pass the tests.

xxxvi Self-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Remember this wisdom from Wayne Antaw: “Lessons learned by ourselves have a greater value than lessons learned through others.” Now, go study and pass the tests. Good luck!

1 Overview of Domino System Administration Certification Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Self-assessment ✓ Practice test ✓ Testing center ✓ Exam proctor ✓ Passing mark ✓ Radio button ✓ Review mark

Techniques you’ll need to master: ✓ Preparing to take a certification exam ✓ Preparing to take a certification exam using practice questions and tests ✓ Understanding the intricacies of the testing software and its interface ✓ Budgeting your time to allow you to answer all questions ✓ Formulating a test-taking strategy in advance to ensure success

2

Chapter . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Regardless of how much you’ve studied, exam taking is not likely something you’ll enjoy. In most cases, familiarity helps relieve test anxiety. You probably won’t be as nervous when you take your second or third Domino certification exam as you will be when you take your first one. Whether it is your second exam or your tenth, understanding the finer points of exam taking (how much time to spend on questions, the setting you will be in, and so on) and the exam software will help you concentrate on the questions at hand rather than on the surroundings. Likewise, mastering some basic exam-taking skills should help you recognize—and perhaps even outsmart—some of the tricks and traps you are bound to find in several of the exam questions. This chapter explains the Lotus Domino System Administration exam environment and software, and describes some proven exam-taking strategies you can use to your advantage when preparing for and taking the exams.

Assessing Exam-Readiness Before you take any Domino exam, we strongly recommend that you read through and take the Self-Assessment included with this book (it appears in the Introduction). It will help you compare your knowledge base with the requirements for obtaining the Domino R6 System Administrator certification and help you identify parts of your background or experience that might need improvement through experience or learning. If you get the right set of basics under your belt, obtaining Domino certification is that much easier. After you’ve gone through the Self-Assessment, you’ll have a better idea of what your strengths and weaknesses are so that you can judge how much time to spend in studying the different subject areas. Your next step in preparing for the Domino exams should be to visit the Lotus Certification Web site to look at Lotus’s recommended exam-preparation strategy. Lotus outlines a preparation method for each of the three administration exams at www.lotus.com/. Look for the link to Training and Certification on the left side of the page, and then navigate to Lotus Certification and finally Exam Preparation, all on the left menus. After you’ve worked through this Exam Cram, read the supplementary materials, and taken the practice tests at the end of the book, you’ll be well prepared to take the exam.

. . . . . . . . . . . . . . Overview . . . . . of . . Domino . . . . System . . . . .Administration . . . . . . . .Certification . . . . . . Exams . . . .

You’ll likely want to continue practicing the tests until you achieve a score of 90% or higher.

The Exam Objectives Your next step in preparing for the Domino exams should be to visit the Lotus Certification Web site to look at Lotus’s recommended exam-preparation strategy. Use the URL mentioned in the previous section to locate the exam Lotus exam guides. Lotus recommends that you download its exam guide for a complete listing of exam competencies and that you prepare for the exam by using a combination of training, hands-on practice, practice exams, and other third-party materials. We’ve structured this Exam Cram book so that each chapter covers all of the topics listed in the exam-preparation guide. We’ve stuck closely to the wording used in the exam guide for each of the topics, but we’ve reordered the topics within each chapter so that topic areas are grouped by subject, which allows us to present the material in a more logical order. After reading through the exam guide, you can proceed to work your way through this Exam Cram book. This book covers the exam competencies for all three administration exams: ➤ Exam 620, “Notes Domino 6 System Administration Operating

Fundamentals”: Chapters 2 to 6 ➤ Exam 621, “Notes Domino 6: Building the Infrastructure”: Chapters 7

to 11 ➤ Exam 622, “Notes Domino 6: Managing Servers and Users”: Chapters

12 to 18 If you haven’t taken any of the exams, you’ll likely want to prepare for and take the exams in order, starting with Exam 620. You might want to consider reading the material for both Exams 620 and 621 before attempting either exam because there is quite a bit of overlap in the exam topics for those two exams. Exam 622 has a more unique topic listing, so you can prepare for that exam separately from the other two. After you’ve worked your way through the chapters related to each exam and have read some of the suggested supplementary materials, you’ll want to try the practice tests included with this book. You might also want to purchase additional practice tests. Refer to the Lotus Certification Web site listed earlier for up-to-date listings of practice exam vendors.

3

4

Chapter . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Exam Situation First, it’s important to note that all Lotus exams are administered by a thirdparty testing center, not by Lotus itself. To register for the exam, you’ll need to contact the testing vendor. Two testing vendors administer the Lotus exams: ➤ Thompson Prometric (formerly Sylvan Prometric): 1-800-74-LOTUS,

or www.prometric.com ➤ CAT Global (now owned by Promissor):

www.catglobal.com

The testing vendor will ask for all of your personal information, as well as the name of the exam you want to take, the name and location of the testing center, and your payment method. Each exam attempt costs $100, payable at registration. When you arrive at the testing center where you scheduled your exam, you will need to sign in with an exam proctor. The proctor will ask you to show two forms of identification, one of which must be a photo ID. After you have signed in, you will be asked to deposit any books, bags, or other items you brought with you. The exam proctor will advise you to go to the restroom before you start the exam because you won’t be allowed to leave the exam room after the exam has started. Then you’ll be escorted into the closed room that houses the exam seats. All exams are completely closed book. In fact, you won’t be permitted to take anything with you into the testing area. You will be furnished with a pen or pencil and a blank sheet of paper—or, in some cases, an erasable plastic sheet and an erasable felt-tip pen. You are allowed to write down any information you want on both sides of this sheet. You might want to jot down notes from the Cram Sheet on this piece of paper before you begin writing the exam. The exam proctor will help you log in to the exam using the testing ID provided by the testing vendor. Typically, the room will be furnished with one to half a dozen computers, and each workstation will be separated from the others by dividers designed to keep you from seeing what is happening on someone else’s computer. Most test rooms feature a wall with a large picture window. This permits the exam proctor to monitor the room, to prevent exam takers from talking to one another, and to observe anything out of the ordinary that might go on. All Domino certification exams allow a predetermined, maximum amount of time in which to complete your work. This time is indicated on the exam by an onscreen timer in the upper-right corner of the screen, so you can check

. . . . . . . . . . . . . . Overview . . . . . of . . Domino . . . . System . . . . .Administration . . . . . . . .Certification . . . . . . Exams . . . .

the time remaining whenever you like. At the beginning of each test is a tutorial that you can go through if you are unfamiliar with the testing environment. The time allocated for the tutorial is not included in the testing time. All exams are computer generated and use a multiple-choice format. The exams vary in the number of questions asked, the amount of time allocated per exam, and the passing mark for each exam. Table 1.1 lists the information available for each of the three exams at the time of printing: Table 1.1 Exam Details for Each Exam Exam Number

Time Allocated

Number of Questions

Passing Score

620

1 hour

45

75%

621

1 hour

45

70%

622

1 hour

45

72%

When Exam 622 is released in gold format, the exam format likely will follow the format for Exam 621—a one-hour exam with 45 questions and a passing score of 70%.

When you complete a Domino certification exam, the software tells you whether you have passed or failed. The results are then broken down into several competencies. You are shown the percentage of correct answers for each individual competency. Even if you fail, you should ask for and keep the detailed report that the test proctor prints for you. You can use this report to help you prepare for another attempt, if needed. If you need to retake an exam, you will have to schedule a new test with Prometric or CAT Global and pay for another exam attempt. Keep in mind that because the questions come from a pool, you will receive different questions the second time around. In the following section, you will learn more about how Domino test questions look and how they must be answered.

Exam Layout and Design All exam questions present multiple-choice answers and require you to select a single answer. At the time of this printing, Lotus has confirmed that there are no multiple-answer questions on the Domino exams. The following question is an example of a multiple-choice question that requires you to

5

6

Chapter . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

select a single correct answer. Following the question is a brief explanation of why the answer is correct.

Question 1 When is mail routed between servers that are in the same Domino Named Network? ❍ A. Immediately ❍ B. Every 10 minutes ❍ C. According to the schedule in the Connection document ❍ D. When there are five messages pending

Answer A is correct. The router immediately routes mail to servers in the same Notes Named Network. The messages are immediately routed from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because servers in a Notes Named Network share a common protocol and are always connected, you do not need to create Connection documents for mail routing. Although there are no multiple-answer questions on the exams, there might be an answer like this one: “D. All of the above.” This answer means that A, B, and C are all correct, and, therefore, the answer should be D. Make sure you carefully read all answers to determine whether to choose the “All of the above” option.

This sample question format corresponds closely to the Lotus Certification Exam format—the only difference on the exam is that questions are not followed by answer keys. To select an answer, position the cursor over the radio button next to the answer and then click the mouse button to select the answer. At the end of every chapter are several practice exam questions to help test your knowledge of the competencies covered in that chapter. Most of the questions are single-answer questions; however, there may be a few multipleanswer questions in which you are asked to select more than one right answer. We’ve included these questions to help you learn the material, but there will be no multiple-answer questions on the exam. For that reason, you’ll notice that the practice exams at the end of the book use single-answer questions only.

. . . . . . . . . . . . . . Overview . . . . . of . . Domino . . . . System . . . . .Administration . . . . . . . .Certification . . . . . . Exams . . . .

Lotus’s Testing Formats When you start the exam, the timer begins ticking immediately. The timer appears in the top-right corner of the screen. You’ll want to keep your eyes on the timer from time to time to ensure that you’re managing your time wisely. The question number also appears on the screen, followed by the total number of questions. For example, if you’re on question 3, the screen will read “Question 3 of 45,” so you’ll know how many questions you’ve completed of the total number of questions. There will also be a Mark Question check box, to allow you to mark a question to find the question easily at the end. When you’ve completed all questions, you’re presented with a summary screen that shows all questions with their corresponding answers. The screen shows a mark beside the questions you chose to mark. You’ll be able to push a button that allows you to Review All questions or to Review Marked questions. You can then go back through the questions and change your answer, if desired. When you’ve finished reviewing your questions, you can push the button to end the exam. You’re prompted to confirm that you want to end the exam. When you’ve confirmed that you have finished the exam, the computer takes a few moments to tally your score. You then are informed of your score and whether you passed or failed. A printout of your marks prints to the proctor. The proctor then stamps your printout with the seal of the testing center, to prove the printout’s authenticity. At that point, you must retrieve your belongings, and you’re free to go.

Exam-Taking Techniques Each exam has 45 questions (assuming that Exam 622 also follows this format), and you have 60 minutes to complete the exam. Here is our advice on how you should approach your exam. Read the first question quickly, and scan the list of answers provided. Then reread the same question carefully, and read each answer carefully. If you are sure that you know the answer to the question, choose the correct radio button. Then proceed to the next question without marking it. If after reading the question carefully you don’t know the answer, take your best guess and mark one of the radio buttons as your answer. Then choose the Mark Question check box at the top of the page. Proceed this way through the entire exam until you’ve completed all of the questions. You

7

8

Chapter . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

should allow yourself approximately 1 minute per question, which should leave you with 15 minutes to spare at the end of the exam. Watch the clock every so often, to see if you’re on track for your timings. If you’re on question 23, you should have spent approximately 23 minutes on the test, and you should have 37 minutes left. If you’re ahead of schedule, you can slow down a bit and take more time with each remaining question. If you’re behind schedule, you should try to speed up a bit. When you’ve answered each question and you’re looking at the question summary, review only the questions you’ve marked. You should have approximately 15 minutes left, during which time you can proceed through the marked questions and change your answer if you think you’ve found a better answer. Make sure that you choose the Review Marked button and not the Review All button so that you don’t have to go through all of the questions again. On the Lotus exams, you’re allowed to change your answer to the question whether you marked it or not. You can go forward and backward through the questions and change answers if you find you’ve made a mistake. Lotus exams are more flexible than some types of exams that don’t allow you to go back to a question after you’ve answered it. Rest assured that if you think you made a mistake, you can always go back to any question and change your answer.

When you’ve reviewed all of the marked questions, if you still have time left, you might want to consider reviewing all of the questions. Personally, I don’t review the questions for which I am sure of the correct answer, to avoid second-guessing myself and changing a potentially right answer to a wrong one. Make sure that you read each question carefully. Some questions are deliberately ambiguous, some use double negatives, and others use terminology in incredibly precise ways. I have taken numerous exams—both practice and live—and in nearly every one I have missed at least one question because I didn’t read it closely or carefully enough.

Based on exams I’ve have taken, some interesting trends have become apparent. For most questions, usually two or three of the answers will be obviously incorrect, and one or two of the answers will be possible—of course, only one can be correct. Unless the answer leaps out at you, begin the process of answering by eliminating those answers that are most obviously wrong. If you have done your homework for an exam, no valid information should be completely new to you. In that case, unfamiliar or bizarre terminology most likely indicates a bogus answer.

. . . . . . . . . . . . . . Overview . . . . . of . . Domino . . . . System . . . . .Administration . . . . . . . .Certification . . . . . . Exams . . . .

If you are not finished when 95% of the time has elapsed, use the last few minutes to guess your way through the remaining questions. Remember that guessing is potentially more valuable than not answering: Blank answers are always wrong, but a guess could turn out to be right. Make sure that you enter an answer for every question.

Mastering the Inner Game Knowledge breeds confidence, and confidence breeds success. If you study the information in this book carefully and review all the practice questions at the end of each chapter, you should become aware of the areas for which you need additional learning and studying. Follow up by reading some or all of the materials recommended in the “Need to Know More?” section at the end of each chapter, and check the resources offered in Appendix A, “Resources.” Don’t hesitate to look for more resources online. Remember that the idea is to become familiar enough with the concepts and situations you find in the sample questions that you can reason your way through similar scenarios on a real exam. If you know the material, you have every right to be confident that you can pass the exam. Make sure you follow up and review materials related to the questions that you miss on the sample test before scheduling a real exam. The key is to know the why and how. If you memorize the answers, you do yourself a great injustice and might not pass the exam. Only when you have covered all the ground and feel comfortable with the whole scope of the sample test should you take a real one. With the information in this book and the determination to supplement your knowledge, you should be able to pass the certification exam. Get a good night’s sleep and prepare thoroughly; you should do just fine. Don’t forget to eat something before you attempt the exam—don’t take it on an empty stomach. Good luck!

Additional Resources A good source of information about Domino certification exams comes from the software vendor—in this case, Lotus. The best place to go for examrelated information is online at www.lotus.com/certification.

9

10

Chapter . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Coping with Change on the Web Sooner or later, all the information we have shared about Web-based resources mentioned throughout this book will go stale or be replaced by newer information. There is always a way to find what you want on the Web if you are willing to invest some time and energy. Lotus’s site has a site map to help you find your way around. Most large or complex Web sites offer search engines. Finally, feel free to use general search tools to search for related information.

PART I Exam 620 2 Installing and Configuring 3 Mail 4 Managing and Maintaining 5 Replication 6 Security

2 Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Server registration Server ID CERTLOG.NSF Server setup Utility server Messaging server Enterprise server Protocol Port Hierarchical naming

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Certifier ID Organizational unit (OU) Directories Domain Group User registration Client license Smart Upgrade User ID Policy settings document

Techniques and concepts you’ll need to master: ✓ Registering and setting up a Domino server ✓ Knowing server and user license types ✓ Setting up server protocols and ports ✓ Understanding Domino domains and the role of the Domino Directory ✓ Creating groups in the Domino Directory

✓ Implementing central and distributed directories ✓ Registering, installing, and setting up Notes clients ✓ Maintaining and deploying Notes user IDs ✓ Applying policy documents

14

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

It’s important to remember that this chapter does not provide a comprehensive, step-by-step approach to installation, but rather covers only the topics specified in the exam guide for this particular exam. For this reason, we don’t go through the installation process from start to finish. The best way to prepare for the Installation and Configuration portion of the exam is to perform the installation and configuration tasks several times with the actual software, and then review the exam-specific topics covered in this book. If you’re looking for a comprehensive installation guide, please consult the Lotus Domino Administration Help database. Look for the topic called “Installation” in the Contents section.

Registering Servers Setting up a Domino server involves two processes: server registration and server setup. If the Domino server is the first server in the domain, then these two steps are combined into a single step. Server registration allows the administrator to create an identity for the new server in the domain’s Domino Directory. The registration process does the following: ➤ Creates a server ID for the new server and certifies it with the certifier

ID. The server ID is a file that uniquely identifies each server within an organization, and allows the server to authenticate with other servers and with users. ➤ Creates a Server document for the new server in the Domino Directory. ➤ Encrypts and attaches the server ID to the Server document and saves

the ID on a disk or in a file on the server. ➤ Adds the server name to the LocalDomainServers group in the Domino

Directory. ➤ Creates an entry for the new server in CERTLOG.NSF.

Server Setup After registering the server, the administrator must set up the server. Server setup involves installing the Domino software, and then configuring that software using the ID file generated during the registration process. Perform the following steps to install the Domino server software:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . 1. Run the install program (SETUP.EXE), which is on the installation

CD. 2. Read the Welcome screen, and click Next. Then read the License

Agreement and click Yes. 3. Enter the administrator’s name and the company name. 4. Choose whether to install partitioned servers. On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus, each has its own copy of the Domino Directory and other administrative databases. There will likely be at least one exam question about partitioned servers, so it’s important to remember what this installation option means.

5. Choose the program and data directory in which to copy the software,

and then click Next. For partitioned servers, choose only a program directory. 6. Select one of the following server types: ➤ Domino Utility Server—Installs a Domino server that provides appli-

cation services only, with support for Domino clusters. The Domino Utility server is a new installation type for Lotus Domino 6 that removes client access license requirements. There is NO support for messaging services. ➤ Domino Messaging Server—Installs a Domino server that provides

messaging services. There is NO support for application services or Domino clusters. ➤ Domino Enterprise Server—Installs a Domino server that provides

both messaging and application services, with support for Domino clusters. Only the Domino Enterprise Server supports a service provider (xSP) environment.

7. Click Customize to choose which components to install, or click Next

to accept all components. 8. If installing partitioned servers, specify a data directory for each parti-

tion.

15

16

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. Specify the program folder or accept Lotus Applications as the pro-

gram folder that will contain the software. 10. Click Finish to complete the install program.

After the installation program has finished, the administrator must start the server in order to complete the server configuration. Choose Start, Programs, Lotus Applications, Lotus Domino Server to start the Server Setup program. The Domino Server Setup program guides the administrator through the settings required to configure a Domino server.

Setting Up Additional Domino Servers Setting up the first Domino server in a domain establishes a framework that consists of the Domino Directory, ID files, and documents. When the administrator sets up additional servers, they build upon this framework. Setting up an additional Domino server does the following: ➤ Creates a replica of the Domino Directory, if a file location was specified

during the setup program, names it NAMES.NSF, and saves it in the Domino data directory. ➤ Copies the server’s ID from the location specified during the setup pro-

gram, either from a file, a copy of the directory, or the existing Domino server’s directory; names it SERVER.ID; and saves it in the Domino data directory. ➤ Retrieves the domain name and administrator name from the Server

document in the Domino Directory. ➤ Creates a new log file, names it LOG.NSF, and saves it in the Domino

data directory. ➤ Creates a replica of the Administration Requests file, names it

ADMIN4.NSF, and saves it in the Domino data directory. ➤ Creates a replica of the Monitoring Configuration file, names it

EVENTS4.NSF, and saves it in the Domino data directory. ➤ Creates a Connection document to the existing Domino server in the

Domino Directory. ➤ Creates a replica of the Reports file, names it REPORTS.NSF, and saves

it in the Domino data directory. ➤ Updates network settings in the Server document of the Domino

Directory.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . ➤ Configures SMTP, if selected during the setup program. ➤ If “DOLS Domino Off Line Services” was selected during the setup

program, creates the Off-Line Services file, names it DOLADMIN.NSF, and saves it in the Domino data directory. ➤ Updates the Access Control List in all databases and templates in the

Domino data directory tree to remove Anonymous access and/or add LocalDomainAdmin access, depending on the selections made during the setup program. ➤ Configures xSP Service Provider information, if selected during the

install program. For the exam, remember that in Domino R6, if there is an error generated during server setup, the administrator has the option to either go back and correct the error, or cancel setup. In previous releases, after an error was generated, the administrator had to stop the setup, fix the problem, and restart setup again. Be prepared to answer questions involving this new procedure on the exam.

Setting Up Server Protocols and Ports Port and protocol settings for a Domino server can be configured either before or after the server has been set up. A port refers to the networking software that allows the server to communicate with other servers or clients that share a common protocol; a protocol is the interface that allows either two servers or a client and a server to communicate over a network. If the administrator wants to complete port configuration during the setup program, he should ensure that they have completed the following before installing a Domino server: ➤ Install one or more NICs on the system. ➤ Install protocol software as necessary. ➤ Install all network drivers in the correct directories. ➤ Install any network software required for the protocols

The administrator can then use the Domino Server Setup program to accept network defaults or customize network settings for any ports and protocols that are detected by the setup program itself. After the administrator has run the setup program, he or she may need to complete one or more of these tasks to finish setting up Lotus Domino on the network:

17

18

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Change the default names assigned to Notes named networks to make

them consistent with actual network topography. ➤ Fine-tune network port setup by adding, enabling, renaming, reorder-

ing, disabling, or deleting ports or by enabling network encryption or compression on a port. ➤ Complete tasks specific to the TCP/IP, NetBIOS, or IPX/SPX protocol.

Implementing a Hierarchical Naming Scheme Hierarchical naming is the cornerstone of Domino security; therefore, planning it is a critical task. Hierarchical names provide unique identifiers for servers and users in a company. When the administrator registers new servers and users, the hierarchical names determine their certification, or their level of access to the system, and control whether users and servers in different organizations and organizational units can communicate with each another.

Maintaining Domino Certifier IDs A hierarchical name scheme uses a tree structure that reflects the actual structure of a company. At the top of the tree is the organization name, which is usually the company name. The organization name is associated with the top-level certifier ID—usually called the cert.id. Below the organization name are organizational units (OUs), which are created to suit the structure of the company. These OUs are associated with OU certifier ID files. The administrator can create up to four levels of organizational unit (OU) certifiers. To create first-level OU certifier IDs, use the organization certifier ID. To create second-level OU certifier IDs, use the first-level OU certifier IDs, and so on. The cert.id file is created during first server setup. Now in R6, OU IDs can also be created during first server setup, or they can be created by the administrator at any time using the Domino Administrator client. OU ID filenames are typically similar to the OU name itself; for example, sales.id would be associated with the Sales/Acme OU certifier. Watch for exam questions that test your ability to recognize that OU certifiers can now be created on first server setup.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Using organizational unit certifier IDs, administrators can decentralize certification by distributing individual certifier IDs to administrators who manage users and servers in specific branches of the company. For example, the Acme Company has three administrators. One administers servers and users in West/Acme and has access to only the West/Acme OU certifier ID, and the second administers servers and users in East/Acme and has access to only the East/Acme OU certifier ID. The third administrator works out of Acme’s head office and has access to the cert.id, as well as all OU IDs. He is also responsible for generating any new OU certifiers. Each certifier ID has a unique password, and in order to use the certifier ID for registration, the administrator must enter the password. Lotus recommends that passwords for certifier IDs be at least nine characters, and that certifier IDs be stored in secure locations, only to be accessed by trusted Domino administrators.

Configuring Directories Directory services are an integral part of how Domino facilitates client authentication and data transmission for clients. It is necessary to understand the Domino Directory—the most important database in the Domino system for the administrator.

Understanding the Domino Domain A Domino domain is a group of Domino servers that share the same Domino Directory. The Domino Directory contains, among other documents, a Server document for each server and a Person document for each Notes user. There are different scenarios for setting up Domino domains. The most common scenario, used by many small- and medium-size companies, involves creating only one Domino domain and registering all servers and users in one Domino Directory. All users and servers are stamped with either the organization certifier or an OU that inherited certificates from that toplevel certifier, so all users and servers can authenticate. Mail routing is simplified, because all users and servers share the same directory. Some companies use a multidomain scenario whereby users and servers are registered into different Domino Directories. This scenario is harder to manage, and usually requires that the administrator facilitate directory management using Directory Assistance and/or Directory Catalog.

19

20

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Often, the domain name and organization name are the same name, but they have two separate functions. The domain name refers to the collection of users and servers in the Domino Directory, whereas the organization name refers to the company’s security system. The title of the Directory is always “Domain’s Directory”; for example, “Acme’s Directory.”

Implementing Distributed Versus Centralized Directories A central directory architecture is an optional directory architecture that can be implemented in a Domino domain. This architecture is new to R6 and differs from the traditional distributed directory architecture in which every server in a domain has a full replica of the primary Domino Directory. With a central directory architecture, some servers in the domain have selective replicas of a primary Domino Directory. These replicas, which are known as Configuration Directories, contain only those documents that are used to configure servers in a Domino domain, such as Server, Connection, and Configuration Settings documents. A server with a Configuration Directory uses a remote primary Domino Directory on another server to look up information about users and groups and other information related to traditional directory services. A central directory architecture has the following key features: ➤ Provides secondary servers quick access to new information because the

servers aren’t required to wait for the information to replicate to them ➤ Enables secondary servers to run on less powerful machines because

they don’t have to store and maintain the primary Domino Directory ➤ Provides tighter administrative control over directory management

because only a few directory replicas contain user and group information A server with a Configuration Directory connects to a remote server with a primary Domino Directory to look up information in the following documents that it doesn’t store locally—Person, Group, Mail-in Database, Resource, and any custom documents added by the administrator. The administrator can set up a Domino Directory as either a primary Domino Directory or a Configuration Directory in one of the following two ways: ➤ For a new server, when an additional server is registered and set up

within the domain

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . ➤ For an existing server in the domain, by using replication settings for the

directory to change a primary Domino Directory to a Configuration Directory or to change a Configuration Directory to a primary Domino Directory After a server has been designated with a Configuration Directory, it can locate a primary Domino Directory replica by using either default logic or can use a directory replica specified through directory assistance.

Creating Groups in the Directory Many administration tasks can be simplified through the use of groups. A group is a list of Domino servers or users that share common characteristics and are grouped together for a common purpose. Groups are used mainly to control access and as mail distribution lists. To create a group, the administrator must have at least Author access with the Create Documents privilege, and must be assigned to the GroupCreator role. To edit the group, the administrator must have at least Author access, and must either be assigned to the GroupModifier role, or must be listed in the group document as the owner or administrator. There are five different types of groups: ➤ Multipurpose—A group that has multiple purposes; for example, mail,

ACLs, and so on. This is the default group type. ➤ Access Control List Only—A group that is used in ACLs so that access can

be restricted for databases to servers and users. ➤ Mail Only—A group that is used as a mail distribution list. ➤ Servers Only—A special group that can be used in Connection docu-

ments and in the Domino Administrator client’s domain bookmarks for grouping servers together. ➤ Deny List Only—A group that is used to control access to servers.

Typically used in the Deny Access field of the Server document to prevent terminated employees from accessing a server. Deny List Only groups are not listed in the Groups view in the Domino Directory. They are, however, listed in the Deny Access Groups view. An administrator must be assigned to either the GroupModifier or NetModifier role to be able to access this view.

21

22

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Setting Up Administration Groups Typically, the administrator creates one or more multipurpose groups specifically for administrators of the Domino system. In a small company, there may be only one group of administrators who all do the same jobs. Typically, this one group would be given high access to resources. Larger organizations may have several different groups of administrators, based on the jobs those groups perform. For example, there may be one group called “Senior Administrators” that is given high access to resources and another group called “Junior Administrators” that is given limited access to resources. Administrators can also be given different access rights to the server through the use of Administrator fields on the Server document. Please consult the topic “Restricting Administrator Access to the Server” in Chapter 6, “Security,” for a detailed overview of administrator rights.

Notes Client Configuration Like the Domino server, Notes client configuration involves two steps—registering the client and running the setup program to configure the client.

Registering New Users The administrator needs to register users before he can install Notes on users’ workstations. The administrator can use either the Notes Administrator client or the Web Administrator client to perform the registration. For each user, the user registration process creates: ➤ A Person document in the Domino Directory ➤ A user ID that is stamped with appropriate certificates (does not apply to

non-Notes users) ➤ A mail file (optional) The user’s name and the certificates that a user’s ID inherits depend upon which certifier ID is chosen during registration. If the administrator chooses the OU ID called West/Acme when registering Mary Green, then her name will be Mary Green/West/Acme, and she will have two certificates—one for the organization, /Acme, and one for the OU, /West/Acme.

Notes offers different options for registering users, as follows: ➤ Basic user registration ➤ Advanced user registration

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . ➤ Text file registration ➤ Migration tools registration (for companies using an external mail sys-

tem or directory)

Installing Clients of Different License Types Depending on the size of the company, the administrator may need to provide an installation method for only a few users or for thousands of users. In addition, they may need to customize the installation process so that users install only the features they need. There are three types of clients that can be installed: ➤ Notes client ➤ Domino Administrator client ➤ Domino Designer client A user might require one or a combination of the preceding clients. If the Domino Administrator or Designer client is installed, the Notes client is also installed. The client installation software also offers the option to install all three clients.

Domino offers several methods or types of installation that the administrator can make available to the Domino Notes users in their company. Companies must purchase a client license for each client they want to install. A client license is an authorization purchased from Lotus that allows the administrator to register and set up a client machine running the Lotus Notes client, the Notes Administrator client, or the Designer client. ➤ Single-user Client Installation—This installation is usually done from the

CD or from files placed on the network. ➤ Multiuser Installation—This option allows the administrator to configure

the workstation for use by more than one user. This option is available only for Notes client installation, not for installing the Domino Administrator client or Domino Designer. ➤ Shared Installation—This option installs all program files to a file server

while the users’ data files reside on their local workstations. ➤ Automated Client Installations (Silent Installation)—This option can be

used with or without a transform file depending on whether the administrator wants to customize the silent installation.

23

24

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Customized Installations—This option uses a transform file to customize

the installation process. ➤ Batch File Installation—This option enables users to install the clients by

running a batch file that you create for them. ➤ Installation with Command-line Utilities—This option allows users to

install the clients using a command-line utility that is provided for them by the administrator. ➤ Scriptable Setup—This option uses a setting in the NOTES.INI file to

provide information to the Client Setup Wizard. After the R6 client software has been installed and configured, administrators will likely need to upgrade the client installation over time. Lotus Notes 6 provides the following options for upgrading Notes clients: ➤ Upgrade-by-mail ➤ IBM Lotus Notes Smart Upgrade ➤ Administrative installation Lotus Notes Smart Upgrade is a new R6 upgrade option that works with the Lotus Notes 6 update kits or incremental installers that can be downloaded from the Lotus Developer Domain (www.lotus.com/ldd/smartupgrade). Smart Upgrade sends a notification to users to upgrade their Notes clients. Smart Upgrade lets you set a grace period in which users must upgrade their clients. This upgrade method uses policy and settings documents to help manage updates. Because this is a new R6 feature, watch for exam questions that test your understanding of how the Smart Upgrade process works.

Setting Up and Configuring a Notes R6 User Lotus Notes 6 users are people who use the Notes client to access Domino servers and databases and have a Notes ID, a Person document, and, if they use Notes Mail, a mail file. After the administrator has registered the new user and installed the client software on the user’s workstation, they must run setup at that workstation. To run the client setup program, choose Start, Programs, Lotus Applications, Lotus Notes. The setup wizard asks a series of questions and uses the answers to configure all of the client connections. During setup, users are asked to provide the following information: ➤ Notes name ➤ ID file, to which they must know the password

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . ➤ Name of mail server ➤ Names of Internet mail server, newsgroup server, and directory server

for Internet address searching (optional) ➤ Whether to connect to the Internet through a proxy server (optional) ➤ Whether to set up a schedule for replicating mail (optional)

For all these options, users are asked whether the physical connection method is a local area network or a dial-up modem. Clients can create new or modify existing connections at any later time by choosing File, Preferences, Client Reconfiguration Wizard, or by creating connections directly in their Personal Address Book (names.nsf).

Deploying Notes User Authentication— Notes ID Domino uses ID files to identify users and to control access to servers. Every Domino server and Notes user must have an ID in order to authenticate. ID files are created during the registration process. A user ID file contains: ➤ The owner’s name—A user ID file may also contain one alternative name. ➤ A permanent license number—This number indicates that the owner is

legal and specifies whether the owner has a North American or International license to run Domino or Notes. ➤ At least one Notes certificate from a certifier ID—A Notes certificate is a

digital signature added to a user ID or server ID. This signature, which is generated from the private key of a certifier ID, verifies that the name of the owner of the ID is correctly associated with a specific public key. ➤ A private key—Notes uses the private key to sign messages sent by the

owner of the private key and to decrypt messages sent to its owner. ➤ Internet certificates (optional)—An Internet certificate is used to secure

SSL connections and encrypt and sign S/MIME mail messages. ➤ One or more secret encryption keys (optional)—Encryption keys are created

and distributed by users to allow other users to encrypt and decrypt fields in a document.

25

26

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Maintaining Notes User IDs When ID files are created, the certificates on the ID are stamped with an expiration date. After the expiration date, the ID becomes unuseable. Before a user ID reaches its expiration date, the administrator should recertify it using the original certifier ID. The user ID is recertified without renaming the user. Administrators can use the Certificate Expiration view to determine which certifiers need to be recertified. Access this view from within certlog.nsf from the Files tab in the Administrator client. All certifiers are listed by expiration date within the By Expiration Date view. A user whose ID is close to expiring will start to receive a warning message every day starting three months before the expiration date. At that time, the user can ask the administrator to update the ID file. If the ID file expires, it becomes unuseable and the administrator must either recertify a backup ID or create a new ID for the user. Administrators should be checking the certlog.nsf and monitoring the IDs coming up for expiration, allowing them to be proactive about preventing IDs from expiring.

If a user loses or damages an ID file or forgets a password, the user can work with administrators to recover the ID file from backup. Administrators must have a database within which they have saved a backup copy of each user ID they want to recover. When the user notifies the administrator of a problem with the ID, the administrator must detach the backup copy of the ID from the database. He can then send the copy of the user ID to the user, and provide the user with the recovery password required to recover the ID file. Usually, users need to be in contact with an administrator by phone in order to receive the recovery password, because they can’t access their mail file without their ID.

Applying Policy Documents Using a policy, administrators can control how users work with Notes. A policy is a document that identifies a collection of individual policy settings documents. Each of these policy settings documents defines a set of defaults that apply to the users and groups to which the policy is assigned. After a policy is in place, administrators can easily change a setting, and it will automatically apply to those users to whom the policy is assigned.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Policy settings documents cover these administrative areas: ➤ Registration ➤ Setup ➤ Desktop ➤ Mail archiving ➤ Security

Applying Policies During New User Registration Ideally, administrators should plan and create policies before they register and set up users. Then, during user registration, they can assign the policies. If users are already registered, administrators can plan and create policies, but they cannot assign any registration and setup policy settings, because those apply only once, during user registration and setup. There are two types of policies: organizational and explicit. An organizational policy automatically applies to all users registered in a particular organizational unit. An explicit policy assigns default settings to individual users or groups. To plan and assign policies, administrators should complete the following steps: 1. Determine which settings to assign to all users in specific organization-

al units. For these settings, create organizational policies. 2. Determine which settings to assign to individual users or groups. For

these settings, create explicit policies. 3. Register users and assign explicit policies during registration.

Applying Policies to Existing Users Administrators can assign explicit policies manually in one of three ways: during user registration, in the Person document, or by using the Assign Policy tool.

27

28

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Assigning Explicit Policies in the Person Document When the administrator wants to change policies for one or a few users, he can assign or change a user’s explicit policies directly in the Person document. Changes to the Desktop, Security, or Archive policy settings that are associated with an explicit policy can be distributed this way. Changes to a user’s settings that were previously defined using registration and setup policy settings are not made retroactively, so administrators would need to make any changes to those settings manually in the Person document; for example, roaming user settings can be defined in a Registration policy setting document, but administrators can’t change a user’s roaming user status by changing the Registration policy setting document for that user.

Assigning Explicit Policies Using the Assign Policy Tool Administrators also have the option of assigning an explicit policy using the Assign Policy tool. Administrators should use this tool when they want to make changes to multiple users or groups. Administrators can distribute changes to the Desktop, Security, or Archive policy settings that are defined in explicit policies using this tool. When changing the explicit policy for a user or group using this tool, administrators have the option of viewing the way the policy assignment change impacts the effective policy for that user or group.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Exam Prep Questions Question 1 Which of the following is not true of the Domino Utility server? ❍ A. Includes an integrated Web server ❍ B. Provides application services ❍ C. Provides mail services ❍ D. Provides support for clusters

Answer C is correct. The Domino Utility server provides application services only, with support for Domino clusters. The Domino Utility server is a new installation type for Lotus Domino 6 that removes client access license requirements and can be hosted on multiple platforms. There is NO support for messaging services, and none of the Domino servers can host ASPs.

Question 2 Cam was installing a Domino R6 server and encountered the following error: “An error occurred during setup. The file server.id already exists.” 55% of the setup had already completed. Cam confirmed that there was a server.id left over from a previous attempt at the setup process. What can he do to fix the problem? ❍ A. Go back and correct the problem and either continue with the setup or cancel the setup. ❍ B. Domino will automatically fix the problem and continue with the setup. ❍ C. Cam must exit out of setup, fix the problem, and restart setup again. ❍ D. Cam must exit out of setup and reinstall the server software before attempting the setup process again.

Answer A is correct. The new Domino 6 server setup allows you to go back and correct any problems, and then continue with the setup or you can choose to cancel the setup. Answer B is incorrect because Domino has never “fixed” problems in setup automatically, and answers C and D are incorrect because the administrator does not have to halt setup in R6 to fix errors.

29

30

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 3 Bert is upgrading his Domino server to R6 in order to be able to take advantage of policy documents. Which of the following statements is true about policybased administration? ❍ A. Policy documents can be defined for either organizations or servers. ❍ B. Policy documents can be defined for either organizations or organizational units (OUs). ❍ C. Policy documents can be defined for either users or servers. ❍ D. Policy documents can be defined for groups, users, or servers.

Answer B is correct. Policy documents can be defined for organizations or organizational units. An organizational policy is automatically applied at the organization level, and organizational unit policy is automatically applied to an organizational unit. Policies can also be explicit. Policies can never be applied to servers—only to users.

Question 4 A user at Acme Company received a message indicating that his ID was about to expire. The user ignored the warning, and the ID eventually expired. What must happen before the user can use the ID again? ❍ A. A new Person document must be created for the user. ❍ B. The administrator must extend the expiration date on the expired ID. ❍ C. The ID file must be recertified by an administrator. ❍ D. The user must request a recovery password from the administrator to unlock his ID file.

Answer C is correct. ID files contain expiration dates. To assign a new expiration date, you must recertify the ID file. Expired IDs cannot be recovered, so answer D is incorrect. Answer B is incorrect because once an ID file has expired, the expiration date cannot be extended. Answer A is incorrect because the ID file is not stored on the Person document—it is stored locally on the workstation.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Question 5 Which of the following is true of a partitioned server installation? ❍ A. Partitioned servers share the same Domino data directory. ❍ B. Partitioned servers share the same Domino program directory. ❍ C. Partitioned servers share the same NAMES.NSF. ❍ D. Partitioned servers share the same NOTES.INI.

Answer B is correct. Domino server partitioning lets you run multiple Domino servers on a single computer. Using partitioned servers reduces hardware expenses and minimizes the number of computers that you have to administer. Each partitioned server has its own Domino data directory and NOTES.INI file and data files, so answers A, C, and D are incorrect.

Question 6 Which of the following is not true about the Server registration process? ❍ A. An ID file is created for the server. ❍ B. The server name is added to the LocalDomainServers group in the Domino Directory. ❍ C. The MAIL.BOX is created on the server. ❍ D. A new Server document is created for the server in the Domino Directory.

Answer C is correct. The server registration process creates an ID file for the server, a Server document, adds the server to the LocalDomainServers group and adds an entry for the server in CERTLOG.NSF. The MAIL.BOX file does not get created until the server is started for the first time.

Question 7 Joan created a group in the Domino Directory, but after saving and closing the group, she can’t find it listed in the Groups view. Which type of group did she create? ❍ A. A Mail-only group ❍ B. A Multipurpose group ❍ C. A User group ❍ D. A Deny Access group

31

32

Chapter . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer D is correct. The Deny Access list denies access to users listed in the group. A Deny Access group usually contains former employees of companies in which the user may still have their Notes ID file. The Deny Access group type doesn’t display in the Groups view of the Domino Directory, but rather displays in a separate Deny Access Groups view.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Need to Know More? Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, IN: Que Publishing, 2003. Installing Domino Servers:

www-12.lotus.com/ldd/doc/uafiles.nsf/

docs/Domino6PR2/$File/install.pdf.

Webcast: Lotus Live! Series: What’s New in Notes/ Domino 6 Administration: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

33

3 Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Domino Named Network (DNN) Notes Remote Procedure Call (NRPC) MAIL.BOX Router Routing tables Connection document Routing cost Pending mail Dead messages/mail Held mail Shared mail Message tracking

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

MTSTORE.NSF Mail usage reports ISpy Delivery failure Archiving policy Mail quota Warning threshold Encryption Public key Private key Location document

Techniques you’ll need to master: ✓ Defining the role of the DNN in message transfer ✓ Scheduling mail routing between servers using Connection documents ✓ Monitoring and maintaining mail routing ✓ Troubleshooting mail-routing problems using administrative tools

✓ Controlling mail archiving through policies and settings ✓ Controlling mail file size by implementing mail quotas and warning thresholds ✓ Understanding the role of the public and private keys in encryption ✓ Setting workstation preferences and locations to use mail

36

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

This chapter outlines the basic messaging-configuration options that enable the Domino administrator to set up servers for mail routing and to monitor and troubleshoot mail routing within the Domino network. The chapter also covers basic messaging settings such as mail-archiving policies, mail quotas, and mail encryption. We finish the chapter with a brief look at configuring the Notes client workstation to work with different locations for both local and server-based mail. For the purposes of the exam, it is important to understand when mail routes automatically within a Domino Named Network, as opposed to mail that needs to be scheduled between networks with a Connection document. As with every chapter, it’s also important to learn and memorize the console commands related to routing.

Server Messaging Configuration Configuring the Domino servers for mail routing involves understanding how mail routes between servers based on the server’s Domino Named Network (DNN). A DNN is a group of servers in a given Domino domain that share a common protocol and are constantly connected. The administrator must then be capable of creating any necessary Connection documents and using tools to help monitor and maintain routing. A Connection document is a document that contains all of the settings necessary to schedule mail routing between servers in different DNNs.

Setting Up and Configuring Mail Routing By default, Domino uses Notes Remote Procedure Calls (NRPC), also called Notes routing, to transfer mail between servers. Notes routing uses information in the Domino Directory to determine where to send mail addressed to a given user. Notes routing moves mail from the sender’s mail server to the recipient’s mail server. A user creates a mail message in the mail database. When the user sends the message, a workstation task called the MAILER transfers the message to the MAIL.BOX database on the user’s server (also known as the user’s mail server or home server). MAIL.BOX is the transfer point for all messages being routed to and from a server. The ROUTER task polls MAIL.BOX and asks two questions about the messages waiting to be routed: ➤ Where this message should be delivered—to which recipients on which

servers? ➤ How this message should be delivered—which routes and connections

should be used?

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

The router consults its routing tables to determine where the recipient’s mail database is stored. Routing tables are built in memory on the server when the router first starts and are refreshed every few minutes. These routing tables are built using information in various documents in the Domino Directory— Person documents, Connection documents, Domain documents, and so on. The location of the recipient’s mail database determines how the message is dispatched by the router. A recipient’s mail database can be stored in any of the following locations: ➤ On the same server as the sender’s mail database—If the sender and the

recipient share the same mail server, the message is delivered immediately and the Router task is not involved in the message transfer. The Router task is invoked only for transfer to another server. ➤ On a different server in the same DNN—If the Server document for the

destination server is found within the Domino Directory, the router checks that document to determine the network information for the server. ➤ On the ports—On the Notes Network Ports tab of the Server document,

the server is assigned to one or more DNNs. As you learned earlier, a DNN is a group of servers in a given Domino domain that share a common protocol and are constantly connected. If the two servers share a DNN, the Router immediately routes the message from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because mail routes automatically between servers in the same DNN, you do not need to create any Connection documents to facilitate mail routing. Mail routing within a DNN is always automatic and instantaneous.

➤ On a server in a different DNN within the local Domino domain—When

servers are members of two different DNNs, the Domino administrator must create connections between the two networks. ➤ On a server in an external Domino domain—In this case, the Router must

find a Connection document between domains or must route the message using SMTP, configured to route outside of the local domain. The exam will likely use scenario questions to test your ability to understand mail routing between servers, based on your understanding of DNNs and domains. When taking the exam, you may find it helpful to draw a diagram of servers with labels for each of the server names. Then place a circle around each of the servers in the same DNN so that you’re able to clearly see where automatic mail routing occurs and where it needs to be scheduled by the administrator.

37

38

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Setting Up and Configuring Message Distribution Using Schedules By default, when using Notes routing, Domino can transfer messages only to other servers in the same DNN. To extend Notes routing beyond a single DNN, you must create Connection documents in the Domino Directory and specify a routing schedule. Domino does not automatically create Connection documents for mail routing. The best way to prepare for this exam topic is to practice creating sample Connection documents and populating all of the settings. If you’re able to configure some Domino servers and clients, practice putting two Domino servers in different DNNs and practice scheduling mail routing between the two servers with Connection documents. To schedule Notes routing using a Connection document, follow these steps: 1. From the Domino Administrator, click the Configuration tab and

expand the Messaging section. 2. Click Connections. 3. Click the Add Connection button. 4. On the Basics tab, enter the names of both the source (originating) and

target (destination) servers, as well as their domain names and the name(s) of the network ports that the two servers will use to connect. Optionally, you can also enter a network address for the target. 5. Click the Schedule tab and complete the following fields in the

Scheduled Connection section: ➤ Schedule—Choose either Enabled to use this schedule to control

connections between the specified servers, or Disabled to cause the server to ignore the schedule. ➤ Connect at Times—Enter a time range during which you want mail to

route. The default is 8 a.m. to 10 p.m. For 24-hour mail routing, enter 12 a.m. to 11:59 p.m.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . ➤ Repeat interval of—The number of minutes between routing

attempts; the default is 360 minutes. ➤ Days of week—The days of the week when the server should use this

schedule and route mail. The default is to use this connection for each day of the week. 6. Click the Replication/Routing tab and complete the following fields in

the Routing section: ➤ Routing task—Choose either Mail Routing to enable Notes mail

routing between the servers, or SMTP Mail Routing to enable routing in Internet mail to a server that can connect to the Internet ➤ Route at once if—The number of normal-priority messages that accu-

mulate before the server routes mail. The default is 5. Entering a value of 1 in the Route at Once field causes each mail message to route as soon as it is received in MAIL.BOX.

➤ Routing Cost—The relative cost of this server connection. This field

affects the building of least-cost routes in the router’s routing tables on the server. ➤ Router Type—The router can route in one direction with either the

Pull or Push options, or the router can trigger two-way routing, with either the Pull Push or the Push Wait options. In the case of the Pull Push routing option, the router on the originating server pushes mail to the destination server and then triggers the destination server to route mail back again. With the Push Wait routing option, the source server first pushes to the target server and then waits to receive a connection from the target. This last option is usually used between servers with dialup connections. New connections or changes to existing Connection documents take effect after the next router configuration update, which typically occurs every 5 minutes on the server, when the routing tables are refreshed. To put the new setting into effect immediately, reload the routing configuration by entering the following console command: Tell router update config

39

40

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Forcing Mail to Route to a Specific Server To force the server to immediately route all pending mail to another server, use the Route command at the server console. Pending mail is mail that is sitting in the MAIL.BOX waiting to be routed. The syntax of the command is as follows: Route servername

The Route command initiates mail routing with a specific server. This command overrides any mail-routing schedules that you create using Connection documents in the Domino Directory. Use the Route command to send mail to or request mail from a server immediately.

Here are some examples of how to use the Route command: ➤

Route ServerA/Acme—Sends

➤

Route “Server B/Acme”—Sends

➤

Route *—Sends

mail to ServerA in the Acme organization. The server console displays messages indicating when routing begins.

mail to Server B. Use quotes around server names that are more than one word. mail to all pending destinations.

In the exam questions, be sure to note which server is initiating the command. A server cannot successfully route mail to itself; for example, if the administrator was using the console on ServerA, the command Route ServerA would have no effect. The exam questions will test your ability to read and understand which server console is being used to issue the commands.

If no mail is queued for routing, Domino ignores the Route command. Use the Tell Router show command at the console to check for messages pending for local delivery or to check for held mail—messages that the administrator has configured the router to hold in order to examine them. Often the administrator will configure the router to hold undeliverable messages in order to examine them before releasing them, as in the case of spam. To check which servers have mail queued, use this command at the console: Tell Router show

As an alternative to using the console, the administrator can route mail directly from the Server, Status tab in the Domino Administrator client interface. This interface mimics the Route command at the console. To route mail directly from the Server, Status tab, follow these steps: 1. From the Domino Administrator, click the Server, Status tab. 2. If necessary, click Tools to display the toolbar and then click Server, Route Mail. 3. Under Route Mail with Server, enter the name of the server you want to route mail to, or select the name of the server from the list. 4. Click Route.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Monitoring and Maintaining Mail Routing Domino provides the administrator with many tools to monitor and maintain mail routing between Domino servers. This section is designed to give the reader a broad overview of many of the tools. Consult Domino Administrator Help for detailed descriptions of how to use each tool. For the purposes of the exam, it’s important to understand what each tool does, but it’s not necessary to memorize each command or button in the interface. That being said, the best way to study the monitoring tools is to use them in the Domino Administrator interface so that you can recall the purpose of each tool.

Using the Messaging, Mail tab The Domino Administrator client has an entire section dedicated to the monitoring and maintaining of mail. The Domino administrator uses this tab extensively during the work day. Using the Messaging, Mail tab, the administrator can observe and monitor the following: ➤ Mail users—You can display a view of the Domino Directory that lists all

users by mail server and provides each user’s Notes mail address and mail filename. From this view, you can add, edit, and delete Person documents and send upgrade notifications. ➤ Routing mailboxes—You can display the current contents of each

MAIL.BOX database on the server. Servers can be configured to have multiple mailboxes using the Messaging Configuration document. MAIL.BOX databases on the server can contain three types of undeliverable messages: pending messages, designated with no icon; dead messages, designated by a stop-sign icon; and held messages, designated by a red exclamation point. ➤ Pending messages—These messages are waiting to be routed by the router

on the server. Pending messages are not problematic for the administrator unless they start to pile up in the MAIL.BOX, indicating that there is a routing problem. ➤ Dead messages—These messages are “stuck” in MAIL.BOX because they

can’t be delivered to the recipient and they can’t deliver their failure to the originator of the message. The most common cause of dead mail is spam. The spammer guesses incorrectly the name of a person in your mail system. When the router can’t deliver the message, it attempts to deliver a failure to the spammer. The spammer has purposely not provided a way to return messages, so the message gets stuck in your server’s mailbox. In the case of spam, the administrator usually uses the

41

42

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

information in the dead message to assist in blocking spam and then deletes the dead message. Dead messages might also indicate networking or other problems with the company. In that case, the administrator corrects the problem and then releases the dead message; the failure message then is attempted again. ➤ Held messages—These messages are held because the administrator has

configured the server to hold mail for manual transfer. This is another setting available in the Mail Configuration document. When you configure the router to hold messages, each held message remains in MAIL.BOX indefinitely and is processed only if an administrator releases the message. You can improve mail performance significantly by creating multiple MAIL.BOX databases on a server. Using multiple MAIL.BOX databases removes contention for a MAIL.BOX, allows multiple concurrent processes to act on messages, and increases server throughput. As a further benefit, having multiple MAIL.BOX databases provides failover in case one MAIL.BOX becomes corrupted. Watch for the exam to mention using multiple MAIL.BOX databases as a way to improve messaging efficiency. When this feature is enabled, the mailbox databases are named MAIL1.BOX, MAIL2.BOX, and so on.

➤ Shared mail—You can display shared mail statistics from the Object

Store Usage view of the server’s Notes Log database. Shared mail, sometimes referred to as the Single Copy Object Store (SCOS), offers an alternative to message-based mail, allowing servers to store a single copy of messages received by multiple recipients in a special central database or object store. By default, the Domino mail system employs a messagebased model for mail storage, delivering a separate and complete copy of every document to each recipient’s mail file. To use disk space more efficiently, the administrator can set up shared mail on each mail server after setting up the Domino mail system. ➤ Mail routing status—You can displays a Java applet providing a graphic

representation of current mail.dead and mail.waiting statistics for this server. Domino refreshes the information in this view at intervals of approximately 1 minute. ➤ Mail routing events—You can display the Routing Events view of the

server’s Notes Log. This view enables the administrator to scan and search through all console messages related to mail. ➤ Mail routing topology—You can display Java applets providing graphic

representations of the available routing paths defined by Connection documents and Notes Named Networks.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . ➤ Reports—You can display information from the server’s Reports database.

For more information, see the section “Generating Mail Usage Reports,” later in this chapter.

Message Tracking Domino administrators often get requests from users asking them to pinpoint where a mail message is at any given point in time. Domino has a message-tracking system that is similar to the sophisticated tracking systems used by courier companies to trace packages. Message tracking enables the administrator to check the status of any message that has been routed within the Domino network. Message tracking is configured using the Message Tracking tab in the Messaging Configuration document. Because message tracking isn’t enabled by default, the administrator must enable it in the Configuration document and complete the fields to establish the settings for message tracking. When you configure mail tracking, you can specify which types of information Domino records. For example, Domino administrators can decide whether to track message subjects, they can disable tracking for certain groups of users, and they can decide who should be allowed to track messages from server to server. The Mail Tracker Collector task (MTC) reads special mail tracker log files (MTC files) produced by the router and copies certain messaging information from them to the MailTracker Store database (MTSTORE.NSF). The MailTracker Store database is created automatically when you enable mail tracking on the server. When an administrator searches for a particular message, Domino searches the MailTracker Store database to find the information. The Mail Tracker Collector differs from the Statistics Collector (Collect task), which is responsible for gathering statistical information about servers.

When Message Tracking has been enabled, the administrator can issue tracking requests using the Messaging, Tracking Center tab of the Domino Administrator client. The administrator issues the request by clicking the New Tracking Request button and completing the fields in the New Tracking Request dialog box, as illustrated in Figure 3.1.

43

44

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 3.1 The Messaging, Tracking Center tab of the Domino Administrator.

The administrator clicks OK to complete the request. Domino then displays summary results that include the sender’s name, recipient, delivery time, and message subject, if subject tracking is allowed. The administrator can then select a message and click Track Selected Message. When the message has been found, Domino displays the following information about the message: delivery status, mailbox status, previous server, next server, unique message ID, inbound message ID, outbound message ID, inbound originator, outbound originator, subject, disposition time, message arrival time, and message size in bytes.

Generating Mail Usage Reports Over time, the Domino MailTracker Store database (MTSTORE.NSF) accumulates valuable data about message-routing patterns on the server. The Domino administrator can then generate mail usage reports from this data. For example, you can generate reports of recent messaging activity, message volume, individual usage levels, and heavily traveled message routes. You can use the Reports database (REPORTS.NSF) to generate and store mail usage reports. The Reports database is typically created automatically when you set up the first server in the domain, or the administrator can manually create the Reports database from a template. On the Messaging, Mail tab, the administrator locates the Reports database at the bottom of the left navigation pane and either generates a new report

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

with the New Report button or opens an existing report. The administrator then completes all of the fields in the Create New Report dialog box. Here is a list of some of the types of reports that can be created: ➤ Top 25 users by count ➤ Top 25 users by size ➤ Top 25 senders by count ➤ Top 25 senders by size ➤ Top 25 receivers by count ➤ Top 25 receivers by size ➤ Top 25 most popular “next hops” ➤ Top 25 most popular “previous hops” ➤ Top 25 largest messages ➤ Message volume summary ➤ Message status summary

Mail usage reports provide important information that you can use to resolve problems and improve the efficiency of the mail network. In addition, this information is valuable when you plan changes or expansions to the mail network. For example, you can generate reports that show the 25 users who received the most mail over a given period of time (a day, a week, a month, and so forth) or the volume of mail sent by a specified user over some interval. With this information, you can identify users who might be misusing the mail system. Other reports show the most frequently used next and previous hops, enabling you to assess compliance with mail-use policies. Agents stored in the Reports database let administrators schedule reports on a one-time, daily, weekly, and monthly basis. By default, Domino generates scheduled reports at midnight at the interval you specify—daily, weekly, or monthly. When a report query is run, the active report agent examines the data collected in the Domino MailTracker Store database to generate the resulting report. You can configure a report to save results in the Reports database or mail results to one or more administrators. Saved reports are organized in the Reports database under several different views. You cannot generate mail reports if servers are not configured to do message tracking. Reports are generated using the information collected in MTSTORE.NSF on each server. For reporting and tracking to be most effective, message tracking should be enabled on all or most Domino servers in the domain.

45

46

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Mail-Routing Event Generators To monitor a mail network, you can configure mail-routing event generators to test and gather statistics on mail routes. These event generators are also known as mail probes. In essence, a mail probe “pokes” at a server’s router to see how quickly that server responds to mail requests. To test a mail route, the ISpy task sends a mail-trace message to a specified user’s mail server. This event generator creates a statistic that indicates the amount of time, in seconds, that it takes to deliver the message. If the mailrouting trace fails, the statistic has the value -1. If the Statistic Collector task is running, the Monitoring Results database (STATREP.NSF) stores the statistics. The format of a mail routing statistic is as follows: QOS.Mail.RecipientName.ResponseTime

In addition, the ISpy task monitors the local mail server by default and generates events for traces that fail. To monitor other Domino mail servers, create a mail probe and set up an event handler to notify you when an event has occurred. Probes are created in Domino Administrator by clicking the Configuration tab and then opening the Monitoring Configuration view. Open the Event Generators, Mail view; then click New Mail Routing Event Generator and complete the fields. The ISpy task must be running on the server to generate the statistics gathered by the mail probe. To check whether this task is running on the server, enter Show Tasks at the server console. If the ISpy task isn’t running, start the task using the command Load runjava ISpy. Add the ISpy task to the server’s NOTES.INI file if you want the task to start up the next time the server restarts. The notation of the ISpy task is case sensitive; the task will not initiate if the command is entered as ispy or Ispy.

Troubleshooting Routing Problems A variety of error conditions can prevent Domino from properly sending and delivering mail. These topics describe common mail-routing problems and tools you can use to help resolve them.

Delivery Failure Reports A delivery failure is a message that is returned to the sender indicating that the message was not delivered successfully. Delivery failures are generated for one of two reasons: ➤ The address of the mail recipient is incorrect. ➤ The connection to the recipient is not available or is not working.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Users should always try to resend a memo for which they receive a delivery failure report. In resending, the user is presented with the opportunity to fix the address of the recipient. When a memo has been resent once and the user is certain that the address is correct, the user should alert the administrator to the problem so that the administrator can investigate mail connections and server routes.

Mail Trace To troubleshoot mail routing or test mail connections, trace a mail delivery to test whether a message can be successfully delivered without actually sending a test message. The results of the trace are returned to the administrator’s mail database in the form of a mail message, listing every server in the route. 1. From the Domino Administrator, click the Messaging, Mail tab. 2. If necessary, click Tools to display the toolbar. 3. From the toolbar, click Messaging, Send Mail Trace. 4. Address the message to the person you want to trace. Choose Last Router

Only to receive a message from the last server to successfully route the message; otherwise, you’ll receive a message from each server hop.

Mail-Routing Topology Maps Mail-routing topology maps are useful to track mail-routing problems between servers because the administrator has a pictorial view of the connections between servers in the domain. To create a mail-routing topology map, follow these steps: 1. From the Domino Administrator, click the Messaging, Mail tab. 2. Choose one of the two available views: ➤ Mail Routing Topology by Connections ➤ Mail Routing Topology by Named Networks

Console Commands Used to Troubleshoot Mail Routing In the interest of saving time, many Domino administrators use console commands where possible instead of using the equivalent option in the Domino Administrator interface. For this reason, Lotus often includes several exam questions related to console commands in all exams. The following is a listing of console commands that are helpful in troubleshooting mail-routing problems or in displaying mail-related information:

47

48

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤

Tell Router Delivery Stats—Shows

➤

Tell Router Compact—Compacts

router delivery statistics

MAIL.BOX and cleans up open router queues. You can use this command to compact MAIL.BOX at any time. If more than one MAIL.BOX is configured for the server, each MAIL.BOX database will be compacted in sequence. By default, MAIL.BOX is automatically compacted at 4 a.m.

➤

Tell Router Show Queues—Shows mail held in transfer queues to specific servers and mail held in the local delivery queue.

➤

Tell Router Exit

➤

Load Router—Starts

➤

Tell Router Update Config—Updates

or Tell

Router Quit—Stops

the router task on a server.

the router task on a server.

the server’s routing tables to immediately modify how messages are routed. This removes the 5-minute delay before a router configuration change takes effect.

Basic Messaging Settings The following sections address a few of the basic settings that can be applied to mail and messaging. Other messaging settings are covered in more detail in the Mail chapters in this book related to the other exams (Chapter 8, “Mail,” for Exam 621, and Chapter 17, “Resolving Server Problems,” for Exam 622).

Creating Archiving Policies An archiving policy is a document that defines and can control the settings for mail archiving for users in the domain. For the first time in Domino Release 6, administrators can centrally control mail file archiving using policies. Archiving is particularly useful for mail databases because users typically save both sent and incoming mail, causing the mail file to increase in size. Archiving the mail file frees up space and improves the performance of the mail database by storing documents in an archive database when they are old or not in use anymore.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

The mail archive database is a Notes database and can be accessed like any other Notes database. The views in a user’s mail archive mirror the views in the mail file. The archive includes the folder hierarchy of the original mail database, enabling users to easily find and read messages in the archive. Mail file archiving is a three-step process that includes selecting documents (deciding which ones should be archived), copying files to an archive database, and performing mail file cleanup. When you use policies to manage archiving, you use either server-based archiving or client-based archiving. The terms server-based and client-based don’t refer to the storage location for the archive, but rather to where the archiving process occurs: either on a server or on the client’s workstation. The server performs archiving using the Compact task. The administrator triggers the server to archive by scheduling the running of the Compact task using a Program document. Client-based archiving assumes that the user will be initiating the archiving process, which means that the workstation must be running for archiving to be successful. If the user schedules client-based archiving when the workstation is not running, archiving will not occur.

An Example of How to Use Policies to Manage Mail Archiving The administrator at Acme Corporation has had difficulty controlling or supporting users who want to archive mail. She plans to use policy-based archiving to solve some of the following problems and issues related to mail archiving: ➤ Acme needs a centralized archive server. ➤ Space is limited on the current mail server. ➤ Because archiving increases network traffic, Acme wants all mail archiving

to happen during off-peak hours. ➤ To ensure consistency, users must not be allowed to control their archive

settings. Archive settings will be implemented and changed only by administrators. ➤ Users within different organizational units will need to have slightly

different archiving settings.

49

50

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

To resolve Acme’s archiving issues, the administrator uses these Archive policy settings and applies them to all users via organizational policies: ➤ Server-based archiving is enabled from a mail server to a designated

archive server. ➤ Archive settings are centrally managed and enforced by the administra-

tor; users are prohibited from changing or creating archive settings. ➤ Archiving is scheduled to be server-based and will occur during off-peak

hours. ➤ Optionally, the administrator can implement pruning (removing attach-

ments and body of mail, but leaving header information intact), which might help conserve server disk space.

Creating an Archive Policy Settings Document Setting up mail file archiving is a two-step process: You must create the following three documents in the Domino Directory: ➤ The Archiving Settings document(s)—This specifies whether users are

allowed to archive. If they are, all further archiving settings are created in this document. ➤ The Archive Criteria Settings document(s)—This document is created from

within the Archiving Settings document. The criteria determine which documents are archived and how the mail file is cleaned up. ➤ The Policy document that references the correct Archiving Settings document—

This policy refers to the correct Archiving Settings document and might also refer to other Settings documents. The Archiving Settings document specifies whether to allow archiving either centrally by administrators or privately by Notes users. If you prevent all archiving, that is essentially the only setting listed in your Archiving Settings document. You must then reference that Settings document in your Policy document. If you prevent private archiving, the Archiving Settings document determines how documents in the user’s mail file are archived, and users cannot change these settings or create private archive settings. If you allow archiving, use the Archiving Settings document to define whether archiving is server-based or client-based, to specify source and destination archive servers, and to set the archive schedule. You can also change the name and location of the default archive log file if you want.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Implementing Mail Quotas Users can receive and save a high volume of email, including their own sent messages, in their mail files. Large mail files can overwhelm a server’s disk capacity and reduce the performance of the mail client. Because you generally cannot provide users with unlimited storage space, set a size limit, or database quota, for each mail file; these limits are called mail quotas. When delivering mail to a user’s mail file, the router checks the current size of the mail file against the specified mail quota. You can set two types of size limits on a user’s mail file: a warning threshold and an absolute quota size. Set a warning threshold to provide users with advance notice when their mail files approach the designated mail file quota, so they can reduce the size of their mail files before message flow is interrupted. Set a quota if you intend to establish a policy of interrupting users’ mail usage if their mail files exceed a specified size. You must set a quota before you can set a warning threshold.

You can configure the router to respond in several ways when a mail file exceeds its quota, each representing a higher level of enforcement. The least restrictive response is to have the router issue automatic notifications to users when their mail files exceed the quota. If users fail to respond to notifications, you can hold pending messages in MAIL.BOX or return messages to the senders as undeliverable until the users reduce the size of their mail files. Along with the methods the router uses to enforce quotas, the Notes client displays a warning to any user who has exceeded the designated warning threshold or quota whenever the user attempts to send mail.

Setting the Quota or Warning Threshold on a Mail Database You can set quota limits and warning thresholds in one of two ways: ➤ During registration—Quotas specified during registration apply only to

new users, not to existing users. You can also set mail quotas before registration by listing the quota information in the Registration Policy document and applying this document during registration. ➤ Per database—Using the Domino Administrator, you can manually speci-

fy the warning threshold and quota of one or more mail files. This method works for any database, including the mail database. Quotas and warning thresholds are set using the Quotas tool in the File Tab of the Administrator client.

51

52

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Understanding Mail Encryption Encryption protects data from unauthorized access. Using Notes and Domino, you can encrypt the following: ➤ Mail messages sent to other users—Encryption can be applied to outgoing

messages, in which case an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages. ➤ Network ports—Information can be encryption when being sent between

a Notes workstation and a Domino server, or between two Domino servers, thereby preventing unauthorized users from reading the data while it is in transit. ➤ SSL transactions—You can use SSL to encrypt information sent between

an Internet client, such as a Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit. ➤ Fields, documents, and databases—Application developers can encrypt

fields within a document, an entire document, and local databases, allowing only the specified users to read the information.

The Role of Public and Private Keys in Mail Encryption Domino uses public and private keys so that data encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically related and uniquely identify the user. Both keys are stored in the ID file. The certificate containing the public key is also stored in the user’s Person document in the Domino Directory, where it is available to other users. Domino uses two types of public and private keys: Notes and Internet. You use the Notes public key to encrypt fields, documents, databases, and messages sent to other Notes users; the Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys. To properly understand mail encryption, it is best to use a scenario. Let’s say that John wants to send an encrypted mail message to Carol. John and Carol both work for Acme Corporation and are listed in the Domino Directory. John creates the mail message and chooses to encrypt it in the Delivery Options for the message. When he pushes the Send button, his Notes workstation encrypts the message by applying three keys:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . 1. John’s public key from his user ID 2. John’s private key from his user ID 3. Carol’s public key from her Person document in the Domino Directory

While the message is in transit, the body of the message is encrypted. When Carol receives the message, her workstation decrypts it using the private key located on her ID file. Only the Body field in a mail message is encrypted. The only key that can decrypt the message is the recipient’s private key, which is mathematically related to the public key and is only stored on the ID file. The To, cc, bcc, and Subject fields are not encrypted and can be read by anyone who can access the message in the mail database.

In general, mail sent to users in an external domain cannot be encrypted. However, if the recipient of the mail uses Lotus Notes and the sender has access to the recipient’s public key, the sender can encrypt the mail message. The recipient’s public key can be stored in the Domino Directory, in an LDAP directory to which the sender has access, or in the sender’s Personal Address Book. If a user attempts to send an encrypted message to someone and the user can’t access the recipient’s public key, encryption will fail at the time of sending, prompting the user with an error message that asks whether to continue sending the message in unencrypted format.

User Messaging Configuration Users can configure their workstations with a number of different settings that affect mail and mail routing. Nearly all of these settings are configured using documents in the user’s Personal Address Book (NAMES.NSF). Most users lack the expertise and interest to configure their own workstations, so administrators often sit down at the user’s client machine to configure the workstation on behalf of the user, for the sake of efficiency and accuracy. For the purposes of the exam, it’s important to be familiar with the documents in the Personal Address Book that relate to messaging configuration: specifically, the Location document and the Connection document.

User Preferences Related to Mail Users have a number of options available to them for dictating how the workstation processes and handles mail. The user accesses these settings by choosing File, Preferences, User Preferences, Mail. The following is a list of settings in the General section of the User Preferences dialog box (see Figure 3.2):

53

54

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Configuration—Lists the user’s local address books and an optional alter-

nate mail memo editor ➤ Sending—Indicates whether sent mail is saved and whether sent mail is

automatically signed or encrypted ➤ Forwarding—Indicates whether a forwarding prefix is used ➤ Receiving—Specifies the polling interval in minutes that the workstation

uses to check for new mail ➤ When New Mail Arrives—Enables the user to choose the interface

prompt for new mail: sound, pop-up, and so on

Figure 3.2 The Mail, General section of the User Preferences dialog box.

Additionally, an Internet mail preferences section lists preferences for Internet mail.

Setting Workstations for Different Locations Users can specify mail settings, such as whether to use their mail on a server or use their local replica, from the Mail tab of a Location document. A Location document contains communication and location-specific settings for use with the Notes client. The user switches locations to change the way in which the workstation sends, receives, and stores mail. Here is a brief description of the main fields on the Mail tab of the Location document:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . ➤ Mail File Location—Select On Server to use the mail file directly on a

server, or select Local to use a local replica of the mail file. When the user uses a local replica, Notes transfers outgoing mail to a local outgoing mailbox (MAIL.BOX) until replication occurs. ➤ Mail File—The path to the mail file. Notes opens the mail file that you

specified in this field when the user chooses a mail command from the main menu, clicks the Mail icon in the Bookmark bar or Welcome page, or forwards a mail message. ➤ Domino Mail Domain—The name of the Domino domain. ➤ Internet Domain for Notes Addresses When Connecting Directly to the

Internet—The name of the Internet domain to use if the user has set up any Internet mail accounts. ➤ Recipient Name Typeahead—Where the typeahead feature looks for mail

addresses. ➤ Format for Messages Addressed to Internet Addresses—Notes Rich Text

Format allows all messages over the Internet to be sent as plain text, while MIME Format converts the message to MIME format before sending.

55

56

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 When is mail routed between servers that are in the same Domino Named Network? ❍ A. Immediately ❍ B. Every 10 minutes ❍ C. According to the schedule in the Connection document ❍ D. When there are five messages pending

Answer A is correct. The router immediately routes mail to servers in the same Notes Named Network. The messages are immediately routed from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because servers in a Notes Named Network share a common protocol and are always connected, you do not need to create Connection documents for mail routing.

Question 2 Debbie, the Domino administrator, has noticed that one of her servers is processing a huge volume of mail compared to the other two mail servers in her domain. What can she do to increase mail throughput in the server? ❍ A. Enable multiple router tasks ❍ B. Enter the following setting in the server’s NOTES.INI: MailServerThreads = 3 ❍ C. Change the users’ Location documents to send mail directly to the destination server ❍ D. Enable multiple MAIL.BOX databases on the server

Answer D is correct. She can configure the Domino server to route mail using multiple MAIL.BOX databases. A substantial performance improvement can be gained by multiple MAIL.BOX databases because the router can push messages through more than one transfer point.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Question 3 A TCP/IP networking problem caused mail to stop transferring between ServerA and ServerB. After fixing the networking problem, what command should the administrator use to manually router mail from ServerA to ServerB? ❍ A. Route Mail ServerB ❍ B. Route ServerB ❍ C. Tell Router Route ServerB ❍ D. Send Mail ServerB

Answer B is correct. The administrator can issue the Route command to initiate mail routing with a specific server. Issuing the Route command overrides any mail-routing schedules that have been created using Connection documents in the Domino Directory. For server names that contain multiple words or spaces, enclose the entire name in quotes.

Question 4 Using the Domino console, what command can the Domino administrator use to determine which servers have mail waiting to be transferred in MAIL.BOX? ❍ A. Tell Router Config ❍ B. Tell Router Show Queues ❍ C. Load Router ❍ D. Tell Router Quit

Answer B is correct. To display mail held in transfer queues to specific servers, the administrator would issue the console command Tell Router Show Queues.

Question 5 Where are Person documents stored? ❍ A. In MAIL.BOX on the server ❍ B. In the Domino Directory on the server ❍ C. In names.nsf on the workstation ❍ D. In log.nsf on the server

57

58

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer B is correct. Person documents are stored in the Domino Directory (names.nsf) on the server. In previous releases, the Domino Directory was sometimes referred to as the Public Address Book or the Name and Address Book (NAB).

Question 6 Sean needs to ensure that all mail is routed between servers in the same Domino Named Network. How many Connection documents should he create? ❍ A. 1 ❍ B. 2 ❍ C. 0 ❍ D. One for every pair of servers in the domain

Answer C is correct. Mail is routed immediately by the router to servers in the same Domino Named Network. The messages are immediately routed from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because servers in a DNN share a common protocol and are always connected, you do not need to create Connection documents for mail routing.

Question 7 Which of the following best describes mail servers that the ISpy task monitors by default? ❍ A. All mail servers ❍ B. The local mail server only ❍ C. All servers in the domain ❍ D. None

Answer B is correct. By default, the ISpy task monitors the local mail server on which it is running. However, you can monitor other Domino mail servers by creating probe documents. The ISpy task must be running to monitor the server.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Question 8 Sean needs to ensure that all mail is routed between ServerA and ServerB. The two servers are not in the same Domino Named Network. What should Sean do to schedule mail routing between the two servers? ❍ A. Create Connection documents in the Domino Directory ❍ B. Create Connection documents in the names.nsf on his workstation ❍ C. Create a Domain document in the Domino Directory ❍ D. Nothing—the two servers will route mail automatically

Answer A is correct. When two servers are not in the same Domino Named Network, mail routing must be configured using at least one Connection document in the Domino Directory.

59

60

Chapter . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm. com/. For references to mail, consult Chapter 9, “New Messaging Administration Options.” Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, Indiana: Que Publishing, 2003. Lotus Domino 6 Technical Overview: www-10.lotus.com/ldd/ today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/ 089a22f9f8a573af85256a1b00782950?OpenDocument.

For references to

mail, consult the section “Messaging.” Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6 Administration.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: “Preparation and Test Taking Strategies with Lotus Education Managers.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

4 Managing and Maintaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Full-text index Web server HTML Home URL Character set mapping Execution Control List (ECL) Agent signer Network compression Design template Refresh and Replace Design Compact Fault recovery Fixup

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Program document LOG.NSF DOMLOG.NSF Memory cache Timeout Web Site rule Web Administrator EVENTS4.NSF Live console Central directory Distributed directory Policy synopsis

Techniques you’ll need to master: ✓ Deploying applications for the Notes client and the Web client ✓ Deploying applications based on other characteristics, such as document size and coding content ✓ Managing the design of a database using both the Design task and replication ✓ Understanding the role of the workstation ECL ✓ Effectively monitoring application size

✓ Maintaining the integrity of a database ✓ Monitoring the Domino server environment: monitoring server tasks, managing and monitoring log files, maintaining Web services, and configuring administration monitoring tools ✓ Migrating from a distributed to a central directory ✓ Creating a policy synopsis

62

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In this chapter, we discuss many of the maintenance tasks that an administrator would perform in order to maintain Domino servers and applications. Some of these tasks are performed on a scheduled basis—once a day or once a week, for example—whereas others are performed in an ad hoc or on an asneeded basis. In this chapter, we show you how to deploy many different kinds of Domino applications. We then show you how to manage and maintain an application’s design, size, and integrity. The latter half of the chapter is devoted to server monitoring—all the different ways the administrator can monitor the tasks and processes running on a server. This is likely one of the more tedious chapters you’ll read, because administrators rarely enjoy maintenance and monitoring—configuring and troubleshooting are much more fun! However, the material presented here is just as important to an exam scenario as the material in other chapters. In fact, there are more competencies listed for this chapter than for any of the other chapters for the 620 exam.

Application Deployment One of the administrator’s most critical day-to-day jobs is to ensure that applications are implemented and maintained properly, so that users and servers can access data in a timely manner. In the sections that follow, we show how different kinds of Domino applications are deployed, based on where they are stored, what types of information they contain, and which types of clients will access the application. For the purposes of this and other chapters, the word “application” is synonymous with “database.”

Deploying Server-Based Applications The following are some of the tasks that an administrator should complete in order to deploy a database in production. Domino Administrators must have Manager access in the database Access Control List (ACL) to perform these tasks. Follow these steps to deploy server-based applications: 1. Set up the database ACL for users and servers that require access. If

there will be multiple replicas of a database, make sure that the database ACL lists the name of each server containing a replica. If the database uses roles, all roles should be assigned to each server so that the server can successfully replicate all documents.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . . 2. Verify that server access is set up correctly in the Server document.

Without proper access to the server, users and servers won’t have access to databases on that particular server. 3. Copy the new database to a server. Consider server disk space, topolo-

gy, and network protocols; for example, there must be adequate disk space on the server to store the database, and the server’s resources must be sufficient for the number of clients who will access the database. Placing a database on a cluster requires that you consider cluster resources. 4. Verify that the database appears in the Open Database dialog box as

specified in the Database Properties box. 5. Decide which servers require replicas of the database and then create

the replicas on those servers. Consider the purpose and size of the database, the number and location of users who need access to the database, and the existing replication schedules between servers. 6. Create or edit Connection documents to schedule replication. For

more information on scheduled replication, consult Chapter 5, “Replication,” in this book. Optionally, the administrator might want to consider performing some or all of the following tasks, none of which are absolutely necessary to successful database deployment, but which may enhance the user’s experience with the database. ➤ Create About This Database and Using This Database documents—These

documents help to provide valuable information to the user about where and how to seek out help for the database. ➤ Create a full-text index—A full-text index is a collection of files that

indexes the text in a database to allow Notes to process users’ search queries. Creating this index for the database allows users to perform full-text searches. ➤ Create a Mail-In Database document—If the database is designed to

receive mail, you must create a Mail-In Database document in the Domino Directory. ➤ List the database in the database catalog—This assists users in finding data-

bases on different servers. ➤ Publish the database in a database library—Administrators can create data-

base libraries that list the database name, filename, location, and a brief

63

64

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

description of the database. A library allows a user to “browse” through a listing of databases in order to find one of interest easily. ➤ Add the database to the Domain Index—If an application database will be

useful to a wide audience, include the database in the Domain Index. ➤ Notify users that the database is available—Provide the database title, file-

name, and server location. Administrators can also provide a link to the database in an email so that users can easily launch the database.

Deploying HTML-Based Applications Domino provides an integrated Web application server that can host Web sites that both Internet and intranet clients can access, and can serve pages that are stored in the file system or in a Domino database. When a Web browser requests a page in a Domino database, Domino translates the document into HTML. HyperText Markup Language (HTML) is an Internetstandard language that allows text to be rendered to the Web browser client. When a Web browser requests a page in an HTML file, Domino reads the file directly from the file system. The Web server then uses HTTP to transfer the information to the Web browser. A Web server is a Domino server that is running the HTTP task to allow Web client access to data. Domino looks for individual HTML, CGI, and icon files in specific directories on the server’s hard drive. The administrator can change the URL path for icons and CGI program files. The URL path is where Domino looks for icons or CGI programs when it encounters a reference in the HTML code to one of these. Mapping rules are set in the Server document, on the Internet Protocols, HTTP tab, in the “Mapping” section. The following list offers a basic description of each of the mapping rules: ➤ Home URL—The URL command to perform when users access the

Web site without specifying a resource; for example, the user simply types http://www.acme.com. ➤ HTML Directory—The directory that will be used to find HTML files if

a URL does not specify a path; for example, http://www.acme.com/welcome. The default path is domino\html, relative to the Domino data directory.

html.

➤

Icon Directory—The directory where icon files are located, either a relative or fully qualified path.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . . ➤ Icon URL Path—The URL path that is used to map to the icon directory.

The default is /icons; for example, the URL http://servername/icons/ returns the file c:\lotus\domino\data\domino\icons\ abook.gif.

abook.gif

➤ CGI Directory—The default directory where CGI programs are located.

The default is domino\cgi-bin. ➤ CGI URL Path—The URL path that is used to map to the default CGI

directory. The default is cgi-bin; for example, the URL http://servername/ cgi-bin/test123.pl runs the CGI program c:\lotus\domino\data\domino\ cgi-bin\test123.pl. ➤ Java Applet Directory—The directory where the Domino Java applets are

located. The default is domino\java. ➤ Java URL Path—The URL path that is used to access files in the default

Java directory. The default is /domjava.

Deploying Web Applications for Internationalization Domino uses the default character set and character set mapping selection to generate HTML text for the browser. Character set mapping is a “map” or template used by the Web server to generate character sets for HTML text. For international users who need to see text in nonwestern languages, the administrator needs to make changes to the settings. The character set setting affects all databases on the server. Character set mapping is specified in the Server document on the Internet protocols tab, on the Domino Web Engine tab, under “Character Set.” The following list describes the character set mapping options: ➤ Default Character Set Group—Choose a character set group to allow users

to choose their preferred character set when they create or edit documents. The default is Western. ➤ Use UTF-8 for Output—Choose Yes to generate pages using UTF-8;

choose No (default) to generate pages using the character set mapping selected by the administrator. ➤ Use Auto-Detection if Database Has No Language Information—Choose Yes

to detect automatically the language to use for the database if no default language is selected on the Design tab of the Database Properties box; choose No (default) to use the language specified by the Use UTF-8 for Output field.

65

66

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

If the language is specified for a database on the Design tab of the Database Properties box, Domino uses that language for text in the database.

➤ Character Set in Header—Choose Yes (default) to add the character set to

the “Content-Type” HTTP header of an HTML page; choose No to exclude the characters from the HTTP header of an HTML page. This option should be used if there are early versions of browsers that do not understand the character set tag in the HTTP header. ➤ Meta Character Set—Choose Yes to add the character set to the

<META> tag of an HTML page; choose No (default) to exclude the character set from the <META> tag of an HTML page.

Deploying Applications Based on Coding: Formula Language, LotusScript, JavaScript, C There are several ways in which an administrator can protect and restrict users and servers from executing unauthorized code. An administrator can restrict and control how agents run on the Domino server, and the administrator can also dictate which code gets executed on the client workstation through the deployment of an Execution Control List (ECL). The following sections detail each of these methods.

Controlling Agents That Run on a Server To control the types of agents users can run on a server, the administrator must set up restrictions for server agents in the Security section of the Server document. The fields in this section are organized hierarchically with regard to privileges. “Run Unrestricted Methods and Operations” has the highest level of privilege and “Run Simple and Formula Agents” has the lowest. A user or group name in one list will automatically receive the rights of the lists beneath. Therefore, a name has to be entered in only one list, which then gives that user the highest rights.

Here is the list of fields in the Programmability Restrictions section of the Security tab on the Server document:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . . ➤ Run Unrestricted Methods and Operations—The names of users and groups

who are allowed to select, on a per agent basis, one of three levels of access for agents signed with their ID. Users with this privilege select one of three access levels when they are using Domino Designer 6 to build an agent. Those levels include Restricted Mode, Unrestricted Mode, and Unrestricted Mode with Full Administration Rights. To have the ability to run agents in Unrestricted Mode with Full Administration Rights, the agent signer should be listed in this field, or in the Full Access Administrator field, as well as have this mode selected in the Agent Builder. Being listed in the Full Access Administrator list alone is not sufficient to run agents in this mode. The agent signer is the last user to save the agent, thereby signing it with their user ID.

➤ Sign Agents to Run on Behalf of Someone Else—The names of users and

groups who are allowed to sign agents that will be executed on anyone else’s behalf. The default is blank, which means that no one can sign agents in this manner. This privilege should be used with caution because the name for whom the agent is signed is the name used to check ACL access in the database when the agent runs.

➤ Sign Agents to Run on Behalf of the Invoker of the Agent—The names of

users and groups who are allowed to sign agents that will be executed on behalf of the invoker, when the invoker is different from the agent signer. This setting is ignored if the agent signer and the invoker are the same. This is used currently only for Web agents. The default is blank, which means that everyone can sign agents invoked in this manner (this is for backward compatibility). ➤ Run Restricted LotusScript/Java Agents—The names of users and groups

allowed to run agents created with LotusScript and Java code, but excluding privileged methods and operations, such as reading and writing to the file system. This field should be left blank to deny access to all users and groups. ➤ Run Simple and Formula Agents—The names of users and groups allowed

to run simple and formula agents, both private and shared. Leave the field blank to allow all users and groups to run simple and formula agents, both private and shared.

67

68

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Sign Script Libraries to Run on Behalf of Someone Else—The names of users

and groups who are allowed to sign script libraries in agents executed by someone else. For the purposes of backward compatibility, the default value is to leave the field empty, to allow all. Be careful when studying fields on the Server document that allow or restrict access. For some fields, blank allows everyone, whereas for other fields, blank allows no one.

The Execution Control List (ECL) An ECL protects user workstations against active code from unknown or suspect sources, and can be configured to limit the action of any code that runs on workstations. The ECL determines whether the signer of the code is allowed to run that code on a given workstation, and defines the access that the code has to various workstation functions. For example, an ECL can prevent another person’s code from running on a computer and damaging or erasing data. Figure 4.1 shows the ECL within the User Security dialog box.

Figure 4.1 The workstation ECL as displayed in the User Security dialog box.

There are two kinds of ECLs: ➤ The administration ECL, which resides in the Domino Directory ➤ The workstation ECL, which is stored in the user’s Personal Address

Book

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

The administration ECL is the template for all workstation ECLs. The workstation ECL is created when the Notes client is first installed. The setup program copies the administration ECL from the Domino Directory to the Notes client to create the workstation ECL. For this reason, the administration ECL should be evaluated and modified prior to the installation of the majority of Notes clients. A workstation ECL lists the signatures of trusted authors of code. “Trust” implies that the signature comes from a known and safe designer. For example, every system and application template shipped with Domino or Notes contains a signature for the Lotus Notes Template Development. Administrators should ensure that every template and database within the organization contains the signature of either a trusted application developer or the administrator. Administrators can easily sign design elements using the Sign tool in the Files tab of the Domino Administrator. Workstation ECLs can be altered and maintained even after they have been created on client setup. Administrators can deploy updates to the workstation ECL through one of the following methods: ➤ Using a Security policy settings document (explained in detail at the end

of Chapter 6, “Security”) ➤ Using the @Refresh ECL function, through a memo or common data-

base event ➤ Having users update their ECLs through the User Security dialog box

Deploying Applications Based on Document Characteristics: Document Size When an administrator deploys an application and wants to reduce the amount of data transmitted between a Notes workstation and Domino server or between two Domino servers, he can enable network compression for each enabled network port. Network compression is a style of compression that speeds up data transmission either between a Notes client and a Domino server or between two Domino servers. For compression to be successful, the administrator must enable it on both sides of a network connection. To enable compression for a network port on a server, the administrator chooses the Configuration tab in the Domino Administrator by selecting Tools, Server, Setup Ports. To enable compression on network ports on Notes workstations, the administrator can use a

69

70

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

setup or Desktop policy settings document. The user can also enable network compression on client ports using the User Preferences dialog box. The benefits of using network compression can only be realized if the data being transmitted is not already compressed. In the case of a network dial-up service such as the Microsoft Remote Access Service (RAS), which includes built-in compression, enabling compression on Notes network ports does not provide any additional benefit.

There is also a new Domino R6 database property that the administrator can enable to save space in documents in a database, called “Use LZ1 Compression for Attachments.” Administrators can now choose to compress attachments using the new LZ1 algorithm instead of the older Huffman algorithm. Because LZ1 compression can be performed quickly and efficiently, it is favored over the Huffman method. If the administrator is working in an environment that uses different versions of client and server software (for example, a Lotus Domino Designer 6 client and an R5 server) and he chooses the LZ1 compression option, attachments are automatically recompressed on the server using the Huffman method. For best performance, administrators should use LZ1 in primarily Domino 6 environments.

Managing Application Design Design changes are typically not made directly in a database after the database goes into production and there are users actively creating, editing, and deleting documents. Usually a separate database called a template is created to allow the designer to make and test new design changes before migrating those changes to the production copy of the database.

Distributing Application Design Changes Using the Design Task Before design changes can be copied from the template to the production database, the administrator must designate the template as a Master Design template in the Database Properties box. Then, he must set the Database Properties of the Production database to inherit design changes from the template. The name that is used as the Master Design template name must match up with the name used in the inheriting database. It often saves confusion if the template name is the same as or similar to the filename of the template itself.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Figure 4.2 shows the Database Properties of a database that has been designated as a Master Design template.

Figure 4.2 The Design tab of the Database Properties box showing a database designated as a Master Design template.

Figure 4.3 depicts the properties of the production database that inherits design changes from the template designated as the Master Design template (the properties of which you saw in Figure 4.2). Note that the template name is exactly the same in each properties list. After the relationship between the template and the production database has been established through the database properties of both the template and the database, the administrator is ready to update the design of the production database through a Design Refresh. The administrator can refresh the design of a database either manually or automatically. If the Master Design template and the production database are both located on the same server, the Design task on the server will initiate the Design Refresh automatically. The Design task is scheduled to run on the server every day at 1:00 a.m. The administrator can change the timing of the Design tasks by editing the notes.ini file on the server, and changing the number in the following line: ServerTasksAt1 = Design

71

72

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 4.3 The Design tab of the Database Properties box.

The administrator also has the option of scheduling the Design task using a Program document. A Program document is a document that is used to automatically run a server task at a specific time. If the Master Design template and the database are not located on the same server, the administrator must refresh the design of the production database manually by opening the production database and initiating the File, Database, Refresh Design command. The administrator is prompted to choose the location of the template (server or local). The Design Refresh then proceeds as long as there is a related template in the location specified by the administrator. The Refresh Design command is similar to another command called Replace Design. The Refresh Design command updates the production database with any design elements that have been added, changed, or deleted since the last Design Refresh. The Replace Design command deletes the design of the production database and completely replaces it with the design of the chosen template. The Replace Design command is often invoked when the administrator wants to upgrade a database from one version of a template to another (for example, R5 to R6 mail), or when he suspects that the database could be corrupted, and he wants to replace the design of the database without affecting the actual Data documents. Watch out for exam questions that may try to confuse you as to how these commands differ. Refresh is a partial refresh based on changes, whereas Replace is complete replacement of design elements.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Replicating Design Changes When the administrator invokes the Refresh Design command either manually or by scheduling the Design task, only the Design documents are transferred from the Master Design template to the production database. This transfer happens only in one direction, and does not affect the ACL of the database or the Data documents. The administrator can also rely on replication to transfer design changes from one database to another. There are two major differences between the Design Refresh and replication: ➤ Replication transfers the ACL, Design documents, and Data documents,

not just the Design documents as in a Design Refresh. ➤ Replication can be bidirectional, whereas the Design Refresh can occur

in only one direction. Most designers prefer to manage design changes through the use of Design templates and Design Refreshes. This method provides designers several advantages: ➤ They can carry out rigorous testing of their design elements using sam-

ple data in the template, without worrying about having that data transfer to the production database. ➤ They can maintain a separate ACL for the template. ➤ They can better manage and control the frequency of the design updates

through the Refresh command than with replication. You must have at least Designer access to the production database to be able to initiate a Design Refresh, but anyone with Depositor access and above could initiate a replication between replicas.

Application Maintenance There are many tasks that an administrator should perform on a daily, weekly, and as-needed basis to keep database applications in good working order. In this section, we focus on some of the database maintenance tasks related to managing database size, maintaining data integrity, and maintaining groups.

73

74

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Monitoring Application Size When an administrator effectively monitors and minimizes database size, database applications typically show increased performance. Database operations require less I/O and fewer CPU resources, view indexing and updating is faster, and memory and disk space allocation is improved. The maximum database size in Domino R6 is 64GB on the Windows and Unix platforms. The administrator has a variety of methods and tools at his disposal to help control and minimize database size: ➤ Compact databases—When documents and attachments are deleted from

a database, Domino tries to reuse the unused space rather than immediately reduce the file size. Administrators should regularly compact databases so that the fragmented or “white space” can be reused effectively. Compact is the process by which a database is compressed, in order to reclaim space freed by the deletion of documents and attachments. The Compact command can be issued manually from within the database properties or by invoking the Load Compact command at the server console. Most administrators choose to schedule Compact to run at an off-peak time on a daily or weekly basis through the use of a Program document. ➤ Set database size quotas to prevent databases from growing beyond a specified

size—Quotas are set using the tools on the Files tab of the Domino Administrator client. When a database reaches its quota, users receive an error message stipulating that the database has exceeded its quota. Data cannot be saved in the database until the file size has been reduced. ➤ Delete inactive documents using the document archiving tool or using agents—

Archiving allows the administrator to move old or inactive documents to an archive database, thus freeing up space in the production database. ➤ Disable soft deletions in databases—Documents that have been soft deleted

remain in the database until the specified time interval has passed. ➤ Disable the default user activity recording in databases—By default, each

database logs and records information about each user who has read or written to and from the database. Disabling this feature in the database properties reduces the size of the database. To prevent Statlog from automatically recording activity in User Activity dialog boxes, add No_Force_Activity_Logging=1 to the NOTES.INI file on the server. Then, the administrator can enable activity recording per database, as needed.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

The administrator can further control database size by setting database performance properties that also reduce database size. There are several settings in the Database Properties box that can be set to help reduce database size: ➤ Allow Use of Stored Forms in This Database—This option should be dese-

lected so that the form isn’t saved with every document in the database. ➤ Don’t Maintain Unread Marks—This option should be selected so that

the database doesn’t have to track unread documents for each user. ➤ Limit Entries in $UpdatedBy Fields; Limit Entries in $Revisions Fields—This

option limits the entries in both of these fields, saving space. In addition to the options in the preceding list that help control and reduce application size, the administrator should use the following tools on a daily or as-needed basis to monitor database size: ➤ Domino Administrator Files tab—The Files tab lists all files stored on the

Domino server, from the root data directory through all subdirectories. The administrator can use the Files tab to quickly glance at the database size as well as the quota and warning amounts set on each database. This Files view can be sorted in ascending or descending order by size. ➤ Log file (LOG.NSF): Database—Sizes view—Similar to the Files tab, the

Notes log for the server has a sizes view that lists each database with its corresponding size. The Statlog task on a server runs by default once a day at 5:00 a.m., at which time it reports database activity for databases on the server in Database Activity Log entries in the Usage—By Date and Usage—By Size views of the log file (LOG.NSF) and to the User Activity dialog box of individual databases.

Maintaining Data Integrity Domino server crashes can cause data corruption in applications. New in Domino R6, the administrator can set up fault recovery to automatically handle server crashes. When the server crashes, it shuts itself down and then restarts automatically, without any administrator intervention. A fatal error such as an operating system exception or an internal panic terminates each Domino process and releases all associated resources. The startup script detects the situation and restarts the server. Fault recovery is enabled on the Basics tab of the Server document. Here is a listing of the fields on the Server document related to fault recovery: ➤ Fault Recovery—Specifies whether the server automatically restarts fol-

lowing a crash.

75

76

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Cleanup Script Name—Specifies the name of an optional script that runs

after a crash and before any other cleanup takes place. Enter the complete path and script name, including file extension. ➤ Cleanup Script Maximum Execution Time—Specifies the time, in seconds

that the cleanup script is allowed to run. If the script does not complete within the specified interval, it is stopped. ➤ Maximum Fault Limits—Specifies the number of times the server is

allowed to restart during a specified time period, in minutes; for example, two faults within 7 minutes. If the number of crashes exceeds the number of allowed restarts for the interval, the server exits without restarting. ➤ Mail Crash Notification to—Specifies the name of a user or group that

Domino sends mail to after server restart. Domino records crash information in the data directory. When the server restarts, Domino checks to see if it is restarting after a crash. If it is, an email is sent automatically to the person or group in the “Mail Fault Notification to” field. The email contains the server name, the time of the crash, and, if available, the FAULT_RECOVERY.ATT file is attached, detailing additional failure information from the cleanup script. The fault-recovery system is initialized before the Domino Directory can be read. During this initialization, fault-recovery settings are read from the NOTES.INI file, and then later read from the Domino Directory and saved back to the NOTES.INI file. Any changes to the Domino Directory or the NOTES.INI file become effective when the Domino server is restarted.

When the server restarts after a crash, it quickly searches for any unlogged databases that were modified but improperly closed. A few minutes after server startup is complete, the Fixup task then runs on these databases to attempt to fix any inconsistencies that resulted from partially written operations caused by a failure. The administrator can also invoke the Fixup task manually with the following console command: Load fixup databasepath options databasepath specifies the files on which to run Fixup and options indicates the Fixup command-line options.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Domino Server Monitoring and Maintenance Not only does the Domino Administrator monitor and maintain database applications, but he must also monitor and maintain the Domino servers themselves. Server monitoring can involve a huge range of tasks that are performed by the administrator or by a team of administrators. For the purposes of this exam, we examine how to monitor server tasks, how to manage log files, how to maintain and monitor Web services, and how to configure some of the available server monitoring tools.

Monitoring Server Tasks Server tasks perform complex administration procedures, for example, compacting databases, updating indexes, transferring mail, gathering statistics, and running agents. The administrator has several options for invoking server tasks: ➤ Run a server task manually by loading the task at the server console. ➤ Run a server task manually by using the Domino Administrator Task,

Start tool. ➤ Run the task automatically when the server starts by adding the name of

the task to the ServerTasks= line in the server’s NOTES.INI file. ➤ Run the task automatically by editing or adding ServerTasksAt settings

in the NOTES.INI file. (The number that follows the “At” is the time according to the 24-hour clock.) ➤ Create a Program document in the Domino Directory to run a task at

scheduled intervals. To start tasks, administrators often use the console commands. To load a task, enter the word load, followed by the task name; for example, load router, load adminp, load updall. To stop a task using the console, the administrator enters the tell task quit command; for example, tell router quit, tell replica quit. By using the console interface and memorizing the names of the most common commands, administrators can quickly start and stop tasks.

The administrator can also use the Domino Server Monitor on the Server, Monitoring tab of the Administrator client (see Figure 4.4). This tab displays real-time statistics and provides a graphical representation of the status of servers and server tasks. You can view all servers or a subset of servers, and you can view the status by state or by time line. Many administrators use this

77

78

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

view when they first log in to get a quick, accurate picture of what is running on each server.

Figure 4.4 The Server, Monitoring tab of the Domino Administrator.

Monitoring and Managing Log Files Every Domino server has a log file (LOG.NSF) that reports all server activity and provides detailed information about databases and users on the server. The log file is created automatically when you start a server for the first time. The server cannot start without a log. The log for each server can be accessed on the Server, Analysis tab of the Domino Administrator client (see Figure 4.5). By default, the log file records information about the Domino server system. Because the log file can become quite large, it is important to manage its size. The administrator can control the size of the log file automatically, using NOTES.INI settings, user preferences, and other settings. For example, the Log setting in the NOTES.INI file determines how long documents are maintained before being deleted from the log file. By default, documents in the log are deleted after seven days. You must do a complete backup of the information in the log at least once a week to ensure that you have accurate historical log information for the server.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Figure 4.5 The Design Miscellaneous Events view of the Notes Log, shown in the Server, Analysis tab of the Domino Administrator.

The Log setting in the NOTES.INI file on the server specifies the contents of the log file and controls other logging actions. There is no UI option to control this particular setting—the administrator must edit the INI file directly. The syntax of the command is as follows: Log = logfilename, log_option, not_used, days, size

The following list details each portion of the preceding command: ➤

logfilename—The

➤

log_option—The

➤

not_used—Always

➤

days—The

number of days to retain log documents

➤

size—The

size of log text in event documents

log database file name, usually LOG.NSF

log options: 1 = Log to the console; 2 = Force database fixup when opening the log file; 4 = Full document scan set to zero; this parameter is not currently used

Example: Log = LOG.NSF,1,0,14,20000

This setting ensures that the log file documents are kept for 14 days and can contain up to 20,000 bytes. All log information is also sent to the console.

79

80

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In addition to monitoring the Domino server log (LOG.NSF), the administrator also has the option of setting up logging for the Web server. Web server logging is configured on the Server document on the Internet Protocols, HTTP tab, as shown in Figure 4.6. Domino Web server requests can be logged to a database or to text files. Remember the following points when choosing: ➤ Text files—Text files are smaller and can be used with third-party analysis

tools. ➤ Domino Web Server Log (DOMLOG.NSF)—Logging to a database allows

the administrator to create views and view data in different ways. However, the size of the database can become large so that maintenance becomes an issue.

Figure 4.6 The Log File Names section of the Server document.

The administrator can choose to log to both text files and to the DOMLOG.NSF database. These options are not mutually exclusive, but would result in duplicate information being logged.

Monitoring and Managing Web Services The administrator has control over many settings that control the operation and performance of the Web server. A Domino server is considered to be a Web server when it is running the HTTP task. The HTTP task can be started automatically by adding it to the ServerTasks= line in the server’s NOTES.INI file, or by issuing the Load HTTP command at the server console. After the Web server has been started, the administrator can use different documents in the Domino Directory to configure the Web server services.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Managing the Memory Cache on the Web Server Mapping information about databases and authenticating users can take valuable server time. To optimize response time, Domino uses a memory cache (command cache) to store this information. The memory cache stores the information for quick access. To monitor the effectiveness of the memory cache settings, the Domino Administrator can look at the Domino.Cache statistics using the Server, Statistics tab of the Domino Administrator client. To manage memory cache on a Web server, open the Server document and choose Internet Protocols, Domino Web Engine. Under Memory Caches, complete the following fields: ➤ Maximum Cached Designs—The number of database design elements to

cache for users. The default is 128. ➤ Maximum Cached Users—The number of users to cache. The default is 64. ➤ Cached User Expiration Interval—The time interval in seconds during

which Domino regularly removes usernames, passwords, and group memberships from the cache. The default is 120.

Specifying the Number of Threads Used by the Web Server An HTTP request is processed by a thread. A server thread, in turn, can handle a number of network connections. The administrator can specify the number of threads the Web server can process. In general, the number of threads specified is an indication of the number of users who can access the server simultaneously. If the number of active threads is reached, the Domino server queues new requests until another request finishes and threads become available. The more power the server machine has, the higher the number of threads the administrator should specify. Web server threads are set and changed on the Server document, on the Internet Protocols, HTTP tab. The administrator must enter a number in the Number Active Threads field. The default number is 40, which means that there could only be approximately 40 users connected to the Web server at one time.

Specifying Network Timeouts on the Web Server Open, inactive sessions can prevent other users from accessing the server. Administrators should specify time limits for activities between the Domino Web server and clients or CGI programs so connections do not remain open if there is no network activity between them.

81

82

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Network timeouts on the Web server are specified on the Server document on the Internet Protocols, HTTP tab in the Timeouts section (see Figure 4.7). A timeout is the amount of time that passes before Domino drops an inactive thread.

Figure 4.7 The Timeouts section of the Server document.

The following list describes the available timeout options: ➤ HTTP Persistent Connections—Indicates whether persistent HTTP con-

nections should be enabled on the Web server. ➤ Maximum Requests per Persistent Connection—The maximum number of

HTTP requests that can be handled on one persistent connection. The default is five. ➤ Persistent Connection Timeout—The length of time for which persistent

connections should remain active. The default is 180 seconds. ➤ Request Timeout—The amount of time for the server to wait to receive

an entire request. The default is 60 seconds. If the server doesn’t receive the entire request in the specified time interval, the server terminates the connection. ➤ Input Timeout—The time, in seconds, that a client has to send a request

after connecting to the server. The default is 15 seconds. If no request is sent in the specified time interval, then the server terminates the connection. If only a partial request is sent, the input timer is reset to the specified time limit in anticipation of the rest of the data arriving. ➤ Output Timeout—The maximum time, in seconds, that the server has to

send output to a client. The default is 180 seconds. ➤ CGI Timeout—The maximum time, in seconds, that a CGI program

started by the server has to finish. The default is 180 seconds.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Running Web Agents Administrators can specify whether Web application agents, that is, agents triggered by browser clients, can run concurrently. These include application agents invoked by the WebQueryOpen and WebQuerySave form events, and for agents invoked by the URL command “OpenAgent.” If the administrator chooses to enable this option, the agents run concurrently; otherwise, the server runs one agent at a time. Also, the administrator should set an execution time limit for Web application agents. The purpose of the time limit is to prevent Web agents from running indefinitely and using server resources. Web application agents options are set in the Server document on the Internet Protocols, Domino Web Engine tab under Web Agents using the following two fields: ➤ Run Web Agents Concurrently?—Choose either Enabled to Allow More

Than One Agent to Run on the Web Server Concurrently or Disabled (default) to Run Only One Agent at a Time. ➤ Web Agent Timeout—The maximum number of seconds (elapsed clock

time) for which a Web application agent is allowed to run. A 0 value (default value) allows Web application agents to run indefinitely. The Web agent timeout setting has no effect on scheduled agents or other types of server or workstation agents.

Using Web Site Rules Web Site rules are documents that help the administrator maintain the organization of a Web site. Rules have two main uses: ➤ Enable the administrator to create a consistent and user-friendly naviga-

tion scheme for a Web site, which is independent of the site’s actual physical organization ➤ Allow parts of the site to be relocated or reorganized without breaking

existing links or browser bookmarks There are four types of Web Site rules. If more than one type of Web Site rule has been created for a Web Site document, the Rules documents are evaluated in this order: 1. Substitution 2. Redirection

83

84

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3. Directory 4. HTTP Response Header

Setting Up and Configuring Administration Monitoring Tools Domino includes many server-monitoring features that work together to inform you about the processes, networks, and use of the Domino system. The administrator would use one of three tools to monitor the system: ➤ The Domino Administrator client ➤ The Web Administrator client ➤ The server

Using the Monitoring Tools in the Domino Administrator Client In “Monitoring Server Tasks,” earlier in the chapter, we described how to use the Server, Monitoring tab to display a graphical picture of tasks and statistics for each server. In order for the Server, Monitoring tab to function properly, the administrator should set their administration preferences correctly for their client. The administrator can use the default monitoring preferences or can customize them by choosing File, Preferences, Administration Preferences. On the Monitoring tab, complete the following fields: ➤ Do Not Keep More Than MB of Monitoring Data in Memory

(4–99MB)—This option sets the maximum amount of virtual memory, in MB, used to store monitoring data. Default is 4 MB. ➤ Not Responding Status Displayed After Minutes of Inactivity—This

option sets the amount of time after which the “not responding” status displays. The default is 10 minutes. ➤ Generate Server Health Statistics—This option includes health statistics in

charts and reports. You must enable the Generate Server Health Statistics option to use the Server Health Monitor, which is part of the IBM Tivoli Analyzer for Lotus Domino. This part of the product is purchased and licensed separately.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . . ➤ Monitor Servers—This option allows you to choose “From This

Computer” to monitor servers from the local Domino Administrator client, or choose “From Server” and then click Collection Server to select the Domino server running the Collector task for the servers being monitored by the location you selected. ➤ Poll Server Every Minutes (1-60 minutes)—This option sets the serv-

er’s polling interval, in minutes. ➤ Automatically Monitor Servers at Startup—This option starts the Domino

Server Monitor automatically when the Domino Administrator client is started, instead of relying on the administrator clicking the Start button. There is also a monitoring section used to configure statistics and monitoring on the Configuration tab of the Administrator client. The administrator chooses the Monitoring Configuration section to access the Monitoring Configuration database (EVENTS4.NSF), which includes a set of default documents used to set up system monitoring. The administrator can then choose to edit the default documents or use the configuration wizards in the Monitoring Configuration database to create new ones. The Monitoring Configuration database includes these documents: ➤ Event Generator—Defines the parameters of an event ➤ Event Handler—Describes what action to take when an event occurs ➤ Event Notification Method—Defines the notification method to use when

the Event Handler document prescribes notification ➤ Log Filter—Specifies events that you do not want to log ➤ Server Console Configuration—Sets the text, background, and color attrib-

utes for the Domino server console ➤ Statistic Description—Describes a statistic ➤ Server Statistic Collection—Specifies one or more servers from which sta-

tistics are collected and identifies the server that performs the collecting

Using the Web Administrator Client The Web Administrator client is almost identical to the Domino Administrator client with very few exceptions. The user interface looks the same, and most menu options, dialog boxes, and information boxes are identical, although the Web Administrator may occasionally display additional information. For example, the Mail tab in the Web Administrator offers additional mail-specific statistics—Mail Routing Schedule, Mail Routing

85

86

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Statistics, and Mail Retrieval Statistics. This information is available in the Domino Administrator; however, it is not displayed in the same way. The Web Administrator includes most of the Domino Administrator functionality; however, the Domino Server Monitor and performance charting are not available in the Web Administrator. The Web Administrator uses the Web Administrator database (WEBADMIN. NSF). The first time the HTTP task starts on a Web server, Domino automatically creates this database in the Domino data directory; however, the administrator needs to ensure that the Web browser and server meet the following requirements for the Web Administrator to run: ➤ Web browser requirements include Microsoft Explorer 5.5 or higher on

Windows 98, Windows NT 4, Windows 2000, or Windows XP; or Netscape 4.7x or higher on Windows 98, Windows NT 4, Windows 2000, Windows XP, or on Linux 7.x. ➤ Domino server tasks that must be running on the server include ➤ The Administration Process (AdminP) task. ➤ The Certificate Authority (CA) process must be running on the

Domino 6 server that has the Issued Certificate List database on it to register users or servers. ➤ The HTTP task.

Using the Domino Administrator Server Console to Monitor Events The administrator can choose to create a Server Console Configuration document for the server they are monitoring in order to specify the text, background, and color attributes that the Domino server console uses to display monitoring information. To customize the appearance of the Domino server console, the administrator must access the Server, Status tab, open the Server Console view, and from the menu, select Live Console, Server, Console Attributes. The Live Console is the console interface to the Domino server that allows the administrator to issue console commands from the Notes Administrator client. The administrator then selects a server and clicks the color palette to select a color attribute for the background and event text. Color choices can be viewed in real time at the console display beneath the palette. When the administrator uses the Domino Administrator server console to monitor events, they can set a stop trigger for an event. The stop trigger

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

causes the console to pause and display only the event and the next 10 lines of console text when the event occurs. In addition, administrators can retrieve information about error messages, including possible causes and solutions, and create event handlers. All of these options can be set or changed by accessing the Server, Status tab, choosing Server Console and using the buttons or the options on the Live Console menu.

Other Maintenance Tasks The following topics are included in the Monitoring and Maintaining chapter topics for the exam but don’t necessarily fit into any of the other categories or topics in this chapter.

Migrating from a Distributed Directory to a Central Directory A central directory architecture is an optional directory architecture that can be implemented in a Domino domain. This architecture is new to R6 and differs from the traditional distributed directory architecture in which every server in a domain has a full replica of the primary Domino Directory. With a central directory architecture, some servers in the domain have selective replicas of a primary Domino Directory. These replicas, which are known as Configuration Directories, contain only those documents that are used to configure servers in a Domino domain, such as Server, Connection, and Configuration Settings documents. A server with a Configuration Directory uses a remote primary Domino Directory on another server to look up information about users and groups and other information related to traditional directory services. A central directory architecture has the following key features: ➤ Provides secondary servers quick access to new information because the

servers aren’t required to wait for the information to replicate to them ➤ Enables secondary servers to run on less powerful machines because

they don’t have to store and maintain the primary Domino Directory ➤ Provides tighter administrative control over directory management

because only a few directory replicas contain user and group information

87

88

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A server with a Configuration Directory connects to a remote server with a primary Domino Directory to look up information in the following documents that it doesn’t store locally—Person, Group, Mail-in Database, Resource, and any custom documents added by the administrator. The administrator can set up a Domino Directory as either a primary Domino Directory or a Configuration Directory in one of the following ways: ➤ For a new server, when an additional server is registered and set up

within the domain. When the new server is set up for the first time, a replica of the Domino Directory is pulled from the Registration server. This replica can be configured as either a full directory or a Configuration directory. ➤ For an existing server in the domain, use replication settings for the

directory to change a primary Domino Directory to a Configuration Directory or to change a Configuration Directory to a primary Domino Directory. Figure 4.8 shows the Replication Settings dialog box with the settings for a Configuration Directory.

Figure 4.8 The Replication Settings dialog box for a Configuration Directory.

Creating a Policy Synopsis to Determine an Effective Policy The effective policy for a user is a set of derived policy settings that are dynamically calculated at the time of execution. The field values in an effective policy may originate from many different policy settings documents. Each hierarchical level can have an associated policy, so users may have a

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

combination of policy settings that include the values set at their OU level, and those inherited from a parent policy. The resolution of those settings, stepping up through the organizational hierarchy, determines the effective policy for each user. In addition to organizational policies, users may also have explicit policies assigned to them. In that case, the order of resolution is that all organizational policy settings are resolved first, and any explicit policy settings are resolved next.

There are two tools that can help the administrator determine the effective policy governing each user. The Policy Viewer shows the policy hierarchy and associated settings documents, and a Policy Synopsis report shows the policy from which each of the effective settings was derived. The administrator can use the Policy Synopsis tool to generate a report that is written to the Policy Synopsis Results database (POLCYSYN.NSF).

Maintaining Users Administrators will often find themselves in a situation in which they must perform various maintenance tasks associated with usernames and ID files. The most common maintenance tasks are renaming a user, moving a user to another certifier, and deleting a user. Domino has automated these types of maintenance tasks with something called the Administration Process. This process performs all of the routine maintenance steps for the administrator, which saves the administrator time and cuts down on errors. The Administration Process automates the following tasks: ➤ Name management tasks, such as rename person, rename group, delete

person, delete group, delete server name, recertify users, and store Internet certificate. ➤ Mail file management tasks, such as delete mail file and move mail file. ➤ Server document-management tasks, such as store CPU count, store

platform, and place network protocol information in Server document. ➤ Roaming user management, such as roaming user setup, move roaming

users to other servers, upgrade a nonroaming user to roaming status, and downgrade roaming user to nonroaming status. ➤ User mail file management tasks, such as performing Access Control

List (ACL) changes and enabling agents. For example, the “Out of Office” agent is enabled and disabled by Notes client users.

89

90

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Person document management tasks, such as storing the user’s Notes

version and client platform information. ➤ Replica management tasks, such as create replica, move replica, or delete

all replicas of a database. The Administration Process (also referred to as AdminP) must be configured as follows: 1. There must be an Administration Server for the Domino Directory in the

domain—This step is done during installation. There is always one server in the domain that is responsible for making the changes to documents in the Directory. Those changes are then replicated to the other servers in the domain. 2. The administrator must specify an Administration Server for other databases

in the domain—In order for AdminP to change database ACLs and documents within databases, each database replica must be “covered” by an Administration Server, meaning that there is one server designated to make the AdminP changes to that replica of the database. Administrators set the Administration Server in the Advanced tab of the database ACL. 3. Each server must have a replica of the Administration Requests database

(ADMIN4.NSF)—ADMIN4.NSF is created on first server setup, and a replica is created on every other server in the domain on additional server setup. This database tracks and processes all AdminP requests. 4. NAMES.NSF and ADMIN4.NSF must be replicating around the domain

frequently—Ideally, these two databases should be replicating several times a day, so that requests are replicated to the Administration Servers for different databases. 5. Each server involved in the Administration Process must have a certification

log (CERTLOG.NSF)—This database is created on first server setup, and keeps track of all AdminP tasks that involve certification of ID files. 6. The AdminP task must be running on all servers involved in the process—

This task is designed to start up by default on server startup. 7. (Optional) The administrator can configure the settings and intervals for the

Administration Process on the Server document for each server—If the administrator chooses not to alter any settings, then the default settings will apply and the AdminP process will function properly.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

After the Administration Process has been configured properly, all AdminP requests should be processed automatically, without assistance from the administrator. The administrator initiates the request using the Domino Administrator client, and can then monitor the status of each request using the different views in the ADMIN4 database. The Administration Process should always be used to rename and delete users, to save time, and to ensure accuracy. Administrators initiate all AdminP requests using the Tools section within the People view of the People and Groups tab (see Figure 4.9).

Figure 4.9 The Tools section of the People and Groups tab in the Domino Administrator client, showing the Rename and Delete commands.

Maintaining Groups After the Administration Process has been configured as described in the preceding section, the administrator can use the Process to manage and maintain groups. If groups need to be renamed or deleted, AdminP should be used. Administrators should not rename or delete groups manually. Group names could be referenced in many places—within other groups, in Server documents, in Person documents, in ACLs, and so on. If the administrator doesn’t use the Administration Process to initiate renaming or deleting, he may not “catch” every instance of the group name.

91

92

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

All AdminP requests associated with groups are initiated from the Tools section within the Groups view in the People and Groups tab of the Domino Administrator (see Figure 4.10). The requests can then be monitored using the views within ADMIN4.NSF.

Figure 4.10 The Server, Analysis tab of the Domino Administrator, showing the Admin Requests database.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Exam Prep Questions Question 1 Which of the following properties can be set to improve the database performance of a database called TEST.NSF? ❍ A. Enable the Maintain Last Accessed property. ❍ B. Disable the database cache for TEST.NSF. ❍ C. Disable the Don’t Allow Headline Monitoring database property. ❍ D. Enable the Don’t Maintain Unread Marks database property.

Answer D is correct. The Notes & Domino 6 Administration Help recommends enabling the Don’t Maintain Unread Marks database property on several reference databases, such as the help databases, the Domino Directory, and the server’s log file (LOG.NSF), and on any other database in which unread marks are not necessary.

Question 2 Which of the following is not a real Domino server task? ❍ A. Fixup ❍ B. Design ❍ C. Report ❍ D. HTTP

Answer C is correct. There is no such task as the Report task, although this task did exist in Release 4 of the Domino product.

Question 3 Toby wants to administer the server using a Web browser. Which of the following fields on the Server document must reference his name? ❍ A. Administer server from a browser ❍ B. Access server from a browser ❍ C. Web browser administrator ❍ D. Database administrator

93

94

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer A is correct. By default, the Domino server grants users listed in the Administrators field of the Server document in the Domino Directory the ability to administer the server from a browser when the Web Administrator database is created; however, if you need to add a new user and allow them to administer the server from a browser, you need to add their name to the Administer Server from a Browser field on the Security tab of the Server document, as well as add their name to the Access Control List (ACL) of the WEBADMIN.NSF database.

Question 4 Tom is creating a Web Site Rules document. Which of the following is not a valid type of rule? ❍ A. Redirection ❍ B. HTTP Response Header ❍ C. HTTP Request Header ❍ D. Substitution

Answer C is correct. The Web Site Rules document is created from within the corresponding Web Site document. The four types of Web Site Rules documents are ➤ A Directory Rules document is used to direct incoming URLs to a spe-

cific directory, and to assign an access level. ➤ A Redirection Rules document is used to specify that designated incom-

ing URL patterns be redirected to a specified URL. ➤ A Substitution Rules document is used to replace a specified URL pat-

tern with another specified URL pattern. ➤ An HTTP Response Header Rules document is used to specify HTTP

headers that are to be added to HTTP responses.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Question 5 Web users are complaining that they can’t seem to complete the download of a large file from the Web server. Which of the following settings should be changed to allow the downloads to work successfully? ❍ A. Decrease the Input Timeout setting. ❍ B. Increase the Output Timeout setting. ❍ C. Reduce the number of active threads. ❍ D. Decrease the CGI Timeout setting.

Answer B is correct. The Output Timeout setting is the number of seconds that Domino can take to send output to requesting Web clients. The default value for this is 180 seconds.

Question 6 Which of the following is not true about Program documents? ❍ A. They are stored in ADMIN4.NSF. ❍ B. They are stored in NAMES.NSF. ❍ C. They can be used to run a server task at a regularly scheduled time. ❍ D. They can be used to run a command-line executable.

Answer A is correct. All Program documents are stored in the Domino Directory and can be used to run tasks on a server at a regularly scheduled time or at server startup and to run a command such as an OS/2 command file or a Unix shell script or program.

Question 7 Which of the following best describes the steps required to enable compression for file attachments? ❍ A. Enable the Use LZ1 Compression for Attachments option on the Database Properties box. ❍ B. Enable the Use LZ1 Compression for Attachments option on the Form Properties box. ❍ C. Enable the Use LZ1 Compression for Attachments option in the Server document. ❍ D. Enable the Use LZ1 Compression for Attachments in the Replication Settings box.

95

96

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer A is correct. To enable LZ1 compression for attachments, open the Advanced Options tab of the database properties and select Use LZ1 Compression for File Attachments. Doing this may increase the amount of I/O overhead. By default, Notes uses a compression method known as Huffman Encoding when compressing file attachments. LZ1 (Lempzel/Ziv Level 1) compression replaces the current Huffman Encoding compression algorithm used by R5.

Question 8 Bob is interested in implementing a centralized directory structure. Which one of the following statements best describes this structure? ❍ A. A centralized directory structure is not supported in R6. ❍ B. In a centralized directory structure, a small number of servers store full Domino Directories, whereas a large number of servers store Configuration Directories. ❍ C. In a centralized directory structure, a large number of servers store full Domino Directories, whereas a small number of servers store Configuration Directories. ❍ D. None of the answers are correct.

Answer B is correct. Notes & Domino 6 support both a distributed directory architecture and a central directory architecture. In a distributed directory architecture, all servers use the standard Domino Directory. In a central directory architecture, many servers store Configuration Directories (contain configuration settings only) and then use the full Domino Directories on remote servers for lookups. Only a few servers store the full Domino Directory.

Question 9 Timothy noticed the following line in the NOTES.INI file on the server. Given this example, how many days will documents be kept in the LOG.NSF? Log = LOG.NSF,1,0,10,20000

❍ A. 10 ❍ B. 7 ❍ C. 1 ❍ D. Forever

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . and . . .Maintaining . . . . . .

Answer A is correct. The syntax for the LOG= key is as follows: log=logfilename, log_option, not_used, days, size

In this case, the number of days is 10.

Question 10 John, the administrator, moved a database from ServerA to ServerB. Now users are complaining that they cannot find the database to be able to launch it for the first time. What should John do to fix this problem? ❑ A. He can create a database. ❑ B. He can ask users to launch the database from within the database catalog. ❑ C. He can publish the database in a library. ❑ D. He can create a Database Redirection document.

Answers A, B, and C are correct. Directory links and database links are text files that are created by an administrator and appear as directory or database icons in the Domino data directory. Using the Domino Administrator or the Lotus Notes client Open Database dialog box in the Notes client, directory links appear to the user as a directory folder icon, and database links appear as a database icon. They provide a pointer to a new location of a directory or database. The administrator can also point users to the catalog or a library database.

97

98

Chapter . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, IN: Que Publishing, 2003. What’s in Store for the Domino R6 Database:

www-10.lotus.com/

ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f85256 af700621c8a?OpenDocument.

Webcast: Lotus Live! Series: What’s New in Notes/Domino 6 Administration: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/ 1,289693,sid4_gci857398,00.html. Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

5 Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Replication Replica ID Replication history Document-level sequence number Field-level sequence number ACL Push Pull-pull replication Connection document

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Replication topologies Source versus destination servers Repeat interval Replication conflict Merge conflicts Clustered replication Event Monitor

Concepts and techniques you’ll need to master: ✓ Understanding document replication order ✓ Using remote console commands to force replication ✓ Scheduling replication of databases between servers using Connection documents ✓ Understanding the relationship between the Call at Times field and the Repeat Interval field on the Replication Connection document

✓ Understanding how a server’s access level in the database ACL affects replication ✓ Resolving replication conflicts keeping either the main document or the conflict document ✓ Identifying the tools used for monitoring replication

100 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Replication involves the synchronization of data between two replica copies of a database. Replicas can be stored either locally or on the Domino server. Replication between two server-based databases is called server-to-server replication. Replication involving a local database is called workstationto-server replication. This chapter focuses mainly on server-to-server replication, which is typically administered and scheduled by the Domino administrator. Workstation-to-server replication is usually forced or scheduled by the user, and the Notes client performs all of the work involved in pushing and pulling the data to the server-based replica. For the purposes of the exam, it is important to remember that replication never happens automatically, as is the case with mail routing. Replication must be either forced or scheduled with a Connection document. You should memorize all of the console commands to force replication, and you should be familiar with all of the fields on the Connection document that relate to replication and its schedule. The best way to understand replication is to study the case studies included in this chapter. Practice replication by creating replicas on different servers and by forcing and scheduling replication to occur. Then verify that replication has occurred by looking at the replication history and at LOG.NSF on the server. You can verify that two or more databases are replicas by comparing the replica IDs of the two databases using the second tab of the Database Properties box. Databases are replicas when the replica ID of each database is identical. A replica ID uniquely identifies a replica and is assigned when the replica is first created. Filenames of two or more replicas may be different, and a server can store more than one replica of a database.

The Replica Task The server task involved in replication is the Replica task. The Replica task initializes on server startup and sits idle, waiting to perform replication tasks. You can enable multiple Replica tasks on a server to increase the amount of replication activity that the server can perform. When replication is initiated, the Replica task first checks the time stamp of the last replication by reading the replication history. The replication history is a record of successful replications, including the time stamp and the name of the server involved in the replication. The Replica task then builds a list of documents in the database that have been changed, added, or deleted since the last successful replication. After creating this list in memory, the Replica task performs a sophisticated examination of both document- and field-level

101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

sequence numbers to determine which documents and fields to replicate. A document-level sequence number records the number of times the document has been edited, while the field-level sequence number records the number of times an individual field has been edited. Replication then proceeds on a document-by-document basis at the field level; that is, field contents are replicated if they have been changed, added, or deleted since the last replication. The Replica task does not replicate fields within documents that haven’t changed, thereby allowing replication to proceed as quickly as possible.

Understanding Document Replication Order It is important to understand the order in which the Replica task on the Domino server proceeds with the replication of documents. The exam may use scenario questions to test your understanding of replication order, and it’s easy to become confused. You may want to consider jotting down the document order before you start the exam. The Replica task replicates documents in the following order: 1. Access Control List (ACL) document 2. Design documents 3. Data documents

The Access Control List (ACL) is a listing of the users and servers that are authorized to access the database. The document replication order can affect the way in which replication continues between two replicas and can affect exactly which documents replicate. For example, if in replicating the ACL document the destination server is denied access to the database, replication could not proceed for the Design documents or the Data documents. For more information, see “How Access Control Lists Affect Replication,” later in this chapter.

Setting Up and Configuring Replication Through Force If replication must be performed immediately and cannot wait until the next scheduled replication, the Domino administrator has the option of

102 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

forcing replication between replicas. The administrator can force replication manually using several different methods.

Forcing Replication Using the Server Console One of the fastest ways to force replication between replicas on two different servers involves using replication commands at the console. You will likely encounter many exam questions that test your ability to use the console to force replication. The best way to prepare for these types of questions is to practice entering the console commands so that you can easily recall the syntax of each command. Activate the live remote console on the Administrator client by performing the following steps: 1. From the Domino Administrator, click the Server, Status tab. 2. Open the Server Console view. 3. (Optional) Click the Live button to turn on the Live console.

Turning on the Live console enables the administrator to view console commands in real time, as they are processed by the server. It is helpful to have the Live console interface turned on before issuing console commands, to see the results that follow the initiation of the command. If you forget to turn on the Live console before issuing a command, you will simply receive the following message: “Command has been executed on remote server. Use Live console option, in future, to view responses from the server.”

The Replicate Command The Replicate command is used to force two-way replication between two servers—the server where you enter this command and the server specified in the command. The syntax of this command is as follows: Replicate servername [databasename]

You should specify the server’s full hierarchical name. If the server name is more than one word, enclose the entire name in quotes. You can also substitute a server group in place of a server name. If you specify a server group, the initiating server (the server where you enter this command) replicates with each server in the list in the order in which the servers are listed in the group document.

103 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

If you don’t specify a database name, the Replica task replicates every database replica that the two servers have in common. To force replication of a particular database replica, specify the database name after the server name. The initiating server (where you’re currently working) first pulls changes from the other server and then gives the other server the opportunity to pull changes from it. This type of replication is also referred to as pull-pull replication. Pull-pull replication is two-way replication that involves the Replica task on both servers. For example, if you are using the console on ServerA/Acme, the following command would issue two-way replication of all databases in common between ServerA/Acme and ServerB/Acme: Replicate ServerB/Acme

Alternatively, if you were using the console on ServerB/Acme, the following command would issue two-way replication of the Administration Requests database between ServerB/Acme and ServerA/Acme: Rep ServerA/Acme admin4.nsf

The short form of the Replicate command is Rep.

For the exam, remember that when issuing replication commands through the console, it is important to understand which server is initiating the command. The server where you issue the console command is the initiator, also known as the source server. The server or server group listed in the command itself is the destination server, also known as the target server. The exam questions will test your ability to read and understand which server is the source; for example, if the question indicates that the administrator is using the console on ServerA, the command Rep ServerA/Acme would have no effect because a server can’t replicate with itself. Make sure that you read the question carefully so that you know which server is the source server. Then you can easily eliminate answer choices that don’t make sense.

The Pull Command The Pull command issues one-way replication between the server specified in the command and the server at which you issue the command. The syntax of the command is as follows: Pull servername [databasename]

104 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The initiating server receives data from the named server but doesn’t request that the other server pull data from it. This forces a server to replicate immediately with the initiating server, overriding any replication scheduled in the Domino Directory. For example, if you are using the console on ServerA/Acme, the following command would pull all changes, additions, and deletions from ServerB’s replica of the Domino Directory. No changes, additions, or deletions would be sent from ServerA to ServerB. Pull ServerB/Acme names.nsf

The Push Command The Push command is similar to the Pull command, except that it forces replication in the opposite direction. The Push command instructs the initiating server to send data to the named server but doesn’t request data in return. The syntax of the command is as follows: Push servername [databasename]

Setting Up and Configuring Replication Through Scheduling Domino has the facility to allow the administrator to schedule replication through a Connection document. A Connection document is a document that contains all of the settings necessary to schedule replication between servers. Connection documents can also be used to schedule mail routing. When replication is scheduled, the server’s Replica task carries out replication with no prompting or initiation from the administrator. For the purposes of the exam, it is important to remember that replication never happens automatically, as is the case with mail routing. If servers are in the same Domino Named Network (DNN), mail routing happens automatically and the administrator never needs to create a Connection document to get mail routing working. Replication never happens automatically; it must be either forced or scheduled. Be careful to watch for exam questions that try to confuse you into thinking that replication is automatic.

Replication Topologies The number of servers and database replicas in your Domino domain determines the type of topology the administrator chooses for scheduled

105 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

replication. A replication topology is the configuration an administrator uses to connect servers for replication. A topology ensures that all servers are updated in a timely and orderly manner instead of replicating haphazardly. As the number of servers and replicas increases, so does the amount of replication required to distribute information across the network. Planning is required to determine how servers will connect to perform replication. You can use several different configurations, or topologies, to control how replication occurs between servers. Here are a few of the more common topologies: ➤ Hub-and-spoke—This topology is generally the most common and effi-

cient replication topology in larger organizations because it minimizes network traffic. Hub-and-spoke replication establishes one central server as the hub, which then schedules and initiates all replication with all of the other servers, or spokes. To set up replication in a hub-and-spoke system, you create one Connection document for each hub-and-spoke connection. ➤ Peer-to-peer—In this topology, replication is less centralized than in a

hub-and-spoke configuration, with every server being connected to every other server. Because peer-to-peer replication quickly distributes changes to all servers, it is often the best choice for use in small organizations or for sharing databases locally among a few servers. ➤ Ring—Servers are connected in a circle, where documents replicate from

one server to another in a single direction. Regardless of which replication topology you choose, you need to create Connection documents to connect servers for the purposes of automating replication. Connection documents are used to connect servers for replication and for mail routing. A single connection can be created to schedule the transfer of mail as well as the replication of documents. If a single connection is created, both mail and replication will follow the same schedule. Where mail and replication follow different schedules, the administrator should consider creating separate connections. It is often easier to troubleshoot replication problems if the scheduling of replication is automated through connections that do not include the routing of mail. This chapter outlines the steps required to create connections for replication. Mail connections were discussed in Chapter 3, “Mail.”

106 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Creating a Replication Connection Document Many fields on the Connection document control the settings required to schedule replication. The best way to study for the exam is to create several Connection documents, carefully filling out each field and using your mouse to point to the field help for instructions about the contents of each field. The exam won’t test your ability to memorize the contents of the Connection document, but it will likely have at least a couple of scenario questions that refer to scheduled replication. It’s important to be able to picture the fields on the Connection document in your mind. Follow these steps to create a Replication Connection document: 1. From the Domino Administrator, click the Configuration tab. 2. Click Server and then click Connections, or Click Replication and then

Connections. 3. Click the Add Connection button to create a new connection. To edit

an existing connection, click the connection you want to edit and then click Edit Connection. To set basic options, choose from among these options on the Basics tab: ➤ Connection Type—Indicates how the servers will connect—for example,

via network connection (LAN) or via dialup ➤ Usage Priority—Choose Normal to force the server to use the network

information in the current Connection document to make the connection ➤ Source Server—Specifies the name of the calling server (the server initiat-

ing the replication request) ➤ Source Domain—Specifies the name of the calling server’s domain ➤ Use the Port(s)—Specifies the name of the network port (or protocol)

that the calling server uses ➤ Destination Server—Specifies the name of the target or destination server ➤ Destination Domain—Specifies the name of the target server’s domain

To configure replication or mail routing settings, choose from among these options on the Replicating/Routing tab: ➤ Replication Task—Choose Enabled for scheduled replication

107 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . . ➤ Replicate Databases of Priority—If the administrator chooses to set a repli-

cation priority for a database, replication of databases of different priority can be scheduled at different times. A priority of Low, Medium, or High is set for each database in that database’s Replication Settings dialog box. ➤ Replication Type—Four different types of replication exist. The type you

choose affects the direction of replication as well as which of the servers performs the work of the replication. ➤ Pull Pull—Replication is bidirectional, whereby the source server initi-

ates replication and pulls documents from the target server. The source server then signals the target server’s Replica task to pull documents in the opposite direction. Both servers are involved in the replication. ➤ Pull Push (default)—Replication is bidirectional, whereby the source

server’s Replica task performs all of the work, pushing and pulling documents to and from the target server. The target server’s Replica task is never engaged. ➤ Pull Only—Replication is one-way, whereby the source server pulls doc-

uments from the target. ➤ Push Only—Replication is one-way, whereby the source server pushes

documents to the target. Pull-push replication is the only replication type in which the target server’s replicator is involved. The other three types of replication involve only the source server’s Replica task. Watch for exam questions that test your knowledge of whether replication is one-way or two-way, and that ask you to figure out which server is doing all of the work. During the exam, it may be easier to figure out the replication scenario if you draw a diagram of the servers, labeled with the servers’ names, and arrows that represent the direction of the replication.

➤ Files/Directory Paths to Replicate—These are the names of specific data-

bases or directories of databases that you want to replicate. You can list either database names or directories. ➤ Files/Directory Paths to Not Replicate—These are the names of specific

databases or directories of databases that should be excluded from replication. You can list either database names or directories. ➤ Replication Time Limit—This is the amount of time, in minutes, that

replication has to complete. This setting is usually used only for dialup connections.

108 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

To schedule the replication, choose from among these options on the Schedule tab: ➤ Schedule—Choose Enabled to enable the schedule; choose Disabled to

suspend the schedule. ➤ Connect at Times—Indicates times or a time range during which you

want the source server to initiate replication. This field can contain a single time entry, a list of times separated by commas, or a time range separated by the dash. Use this field in conjunction with the Repeat Interval field to determine how many times a day a server attempts to initiate replication. ➤ Repeat Interval Of—Specifies the number of minutes between replication

attempts. If you specify a repeat interval of 0, the server connects only once. ➤ Days of Week—Specifies the days of the week to use this replication

schedule; the default has all days of the week selected. If you specify a time range during which a source server attempts replication, the next replication attempt is made at the specified interval after which the replication has completed. For example, let’s say you specify a Connect at Times range of 7 a.m. to 11 p.m., with a Repeat interval of 60 minutes. The source server attempts to replicate at 7:00 and is successful in initiating the replication. The total time of the replication between servers takes 7 minutes. The source server then attempts to call the target server again at 8:07 a.m. For more examples of scheduled replication timing, consult the document titled “Scheduling Server-to-Server Replication” in the Lotus Domino Administration Help database. The exam may have a scenario question asking about the timing of scheduled replication.

How Access Control Lists Affect Replication For a server to replicate changes to documents in a database, that server must have sufficient access in the replica’s Access Control List (ACL). Servers must be listed explicitly or within a group in the ACL, with an access level that is appropriate for the documents the server is allowed to propagate to other replicas.

109 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

A server must have these types of access: ➤ Editor access to replicate changes to documents ➤ Designer access to replicate changes to design elements such as views,

forms, and agents ➤ Manager access to replicate ACL changes

Guidelines for Assigning Server Access to Databases The best way to explain the different access levels assigned to servers is to use a case study or a series of examples. These examples will help you prepare for the exam by using scenarios similar to the scenarios used in many of the exam questions. Don’t attempt to memorize the different scenarios; use them to test your understanding of how server access in the ACL affects replication. Again, during the exam you may find it helpful to draw diagrams of the servers and databases, and label the diagrams with the servers’ access level, to help you arrive at the correct answer. Let’s assume that there are two servers in our examples—ServerA/Acme and ServerB/Acme. Let’s examine the implications of creating an ACL that lists the different servers with different levels of access. We’ll refer to a discussion database in this example called the Marketing Research Forum. This database is used by the Marketing group to share ideas about new promotion research for the company’s products. The ACL of the database contains references to servers and to a group for the administrators (LocalDomainAdmins), as well as to a group containing the company’s Domino developers (CorpDesigners).

Scenario 1: Both Servers Have Manager Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Manager LocalDomainAdmins: Manager CorpDesigners: Designer Marketing: Author In this scenario, both servers are capable of replicating any changes to ACL, Design, or Data documents in any direction. For example, if Joe

110 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Smith/Acme in the LocalDomainAdmins group changed the ACL on ServerB’s replica, ServerB/Acme could successfully replicate that ACL change to ServerA/Acme. If Susan Jones/Acme in the CorpDesigners group changed the background color of a form on ServerA’s replica, ServerA/Acme could replicate that form design change to ServerB/Acme. Data documents could be changed, added, or deleted on either server and would replicate successfully to the other server.

Scenario 2: One Server Has Manager Access and the Other Has Designer Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Designer LocalDomainAdmins: Manager CorpDesigners: Designer Marketing: Author In this scenario, both servers are capable of replicating any changes to Design or Data documents in any direction, but ServerA/Acme is the only server capable of replicating changes to the ACL. For example, if Joe Smith/Acme in the LocalDomainAdmins group changed the ACL on ServerB’s replica, that ACL change would not replicate to ServerA/Acme. If Joe made that same ACL change on ServerA’s replica, the change would replicate to ServerB/Acme. All other design or data changes would replicate as in Scenario 1.

Scenario 3: One Server Has Manager Access and the Other Has Editor Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Editor LocalDomainAdmins: Manager CorpDesigners: Designer Marketing: Author In this scenario, ServerA/Acme is the only server capable of replicating the ACL and the Design documents. For example, if Joe Smith/Acme in the LocalDomainAdmins group changed the ACL on ServerB’s replica, that

111 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

ACL change would not replicate to ServerA/Acme. If Susan Jones/Acme in the CorpDesigners group created a shared view on ServerA’s replica, ServerA/Acme could replicate that new view to ServerB/Acme. But if she made that same change on ServerB’s replica, the change couldn’t replicate to ServerA/Acme. In a hub-and-spoke configuration, the spoke servers are often given Editor access, while the hub has Manager access. All ACL and design changes would have to be made on the hub.

Scenario 4: One Server Has Manager Access and the Other Has Reader Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Reader LocalDomainAdmins: Manager CorpDesigners: Designer Marketing: Author In this scenario, replication of changes, additions, and deletions can happen in only one direction: from ServerA/Acme to ServerB/Acme. If any documents are changed, added, or deleted by administrators, designers, or users on ServerB/Acme, the documents will not replicate to ServerA/Acme. In a hub-and-spoke configuration, when the spoke servers are given Reader access, they effectively become “read-only” servers. In this scenario, all changes, additions, and deletions would need to be made on the hub server to propagate to the spokes.

Scenario 5: Both Servers Have Editor Access Here is the ACL listing for this scenario: ServerA/Acme: Editor ServerB/Acme: Editor LocalDomainAdmins: Manager CorpDesigners: Designer Marketing: Author In this scenario, each server can replicate only changes, additions, and deletions involving Data documents. Design elements will never replicate. This scenario is effective when a company wants to maintain two different ACLs or designs for a database on two different servers. For example, Susan

112 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Jones/Acme in the CorpDesigners group could create two different sets of views in each replica of the database. But the documents added by users in the Marketing group would continue to replicate between servers. During the exam, if you encounter replication questions that involve analyzing access control scenarios, you might find it helpful to draw a diagram with the servers, replicas, and ACL listings. Draw three documents in each replica—one each for the ACL, Design documents, and Data documents. Then you can draw arrows among the replicas as you analyze the replication scenario.

Other Access Control Settings That Affect Replication Several other settings can affect the way documents replicate from server to server. The following settings are worth mentioning here, but it’s unlikely that the exam questions would test your knowledge of these finer points.

Appropriate Access to Intermediate Servers If replication occurs through an intermediate server, the intermediate server acts first as a destination server and then as a source server, and must have the access level necessary to pass along the changes. For example, if you want ACL changes on ServerA’s replica to replicate to ServerC by way of ServerB, ServerB’s replica must give Manager access to ServerA, and ServerC’s replica must give Manager access to ServerB.

Enforcing a Consistent ACL You can ensure that an ACL remains identical on all database replicas on servers by selecting the Enforce a Consistent Access Control List setting on the Advanced tab of the ACL. Setting this option ensures that the replica whose server has Manager access to other replicas will keep the Access Control List the same across all server replicas of a database. If you select a replica whose server does not have Manager access to other replicas, replication fails because the server has inadequate access to replicate the ACL.

Read Access Lists for Database Design Elements and Documents Simply put, if the server can’t read something in the database, it can’t replicate it. Replication problems sometimes arise when a database designer restricts the reading of design elements such as forms and views but forgets to include the server or a server group in the read access lists. Similarly, if the designer restricts reading of documents with a Readers field, he must ensure

113 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

that the servers are listed in that field if the servers should be replicating the data to other server-based replicas.

Resolving Replication and Save Conflicts A replication conflict occurs when two or more users edit the same document and save the changes in different replicas between replications. A save conflict occurs when two or more users open and edit the same document at the same time on the same server, even if they’re editing different fields. When these conditions occur, Domino stores the results of one editing session in a main document and stores the results of additional editing sessions as response documents. These response documents have the title Replication or Save Conflict. The exam will test your ability to understand how conflicts are generated and how they can be resolved. Remember that conflicts are created because too many people have too high of a level of access to documents. Domino R6 includes a new feature called document locking that enables a user to lock a document during editing so that other users cannot save edits to the document. Document locking can help reduce save conflicts, in which more than one person edits the same document in the same replica; however, this feature can’t help with replication conflicts, when more than one person edits the same document in different replicas.

When a conflict is generated, Domino applies the following rules in order to determine whether a document is saved as the main document (the “winner”) or a conflict document (the “loser”): 1. The document edited and saved the most times becomes the main doc-

ument; other documents become Replication or Save Conflict documents. 2. If all of the documents are edited and saved the same number of times,

the document saved most recently becomes the main document, and the others become Replication or Save Conflict documents. 3. If a document is edited in one replica but is deleted in another replica,

the deletion takes precedence unless the edited document is edited more than once or the editing occurs after the deletion.

114 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Choosing Which Document to Keep When a conflict is generated, the administrator (or someone with enough access to edit the documents in the database) must choose which document should be kept and which one should be deleted. If the main document is your “winner,” you can simply delete the conflict. If the conflict document should be the real winner, you must promote the conflict document to be a main document before you delete the original main document. Because the conflict document is saved as a response to the main document, the conflict will be “orphaned” and will disappear from the view if the main document is deleted while the conflict is still a child. To save the main document, follow these steps: 1. Copy any information that you want to save from the Replication

Conflict document into the main document. 2. Delete the conflict document.

To save the Replication or Save Conflict document, do this: 1. Copy any information that you want to save from the main document

into the Replication Conflict document. 2. Save the conflict document. If you didn’t make any changes to the con-

flict, you must “force” a save by choosing File, Save. The conflict document then becomes a main document. 3. Delete the original main document.

Using Design or Administration Techniques to Prevent Replication or Save Conflicts You can reduce or eliminate replication conflicts by using either designer or administrator techniques. Although this is an administration exam, it’s possible that the exam may also test your knowledge of design techniques that minimize replication. The following designer techniques can reduce or eliminate replication conflicts: ➤ Select the form property Merge Conflicts from the Conflict Handling

field on the first tab of the Form Properties box to automatically merge conflicts into one document if no fields conflict. When this property is turned on, Domino can combine the changed fields into a single document and does not generate a conflict, as long as different fields are

115 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

changed in the documents. If the same field is changed in two documents in different replicas, a conflict is generated. This form property is not turned on by default. To view the properties of a design element, you need to install and use the Designer client. ➤ Specify a form property for versioning so that edited documents auto-

matically become new documents. ➤ Use LotusScript to write a custom conflict handler.

As an administrator, you can use these techniques to resolve or avoid replication conflicts: ➤ Assign users Author access or lower in the database ACL to prevent

users from editing other users’ documents. ➤ Keep the number of replicas to a minimum.

Clustered Replication Clustered replication refers to replication that happens between servers that are clustered for failover. Replication in a cluster is quite different from standard replication. Cluster replication is event-driven rather than schedule-driven, so replication happens in real time instead of according to a schedule. The standard Replica task is replaced with the Cluster Replica task. To start the Clustered Replicator, the administrator enters the following console command: LOAD CLREPL

When the Cluster Replicator learns of a change to a database, it immediately pushes that change to other replicas in the cluster. If there is a backlog of replication events, the Cluster Replicator stores these in memory until it can push them to the other cluster servers. If a change to the same database occurs before a previous change has been sent, the Cluster Replicator pools these changes and sends them together to save processing time. In addition, the Cluster Replicator does not honor the settings on the Advanced panel in the Replication Settings dialog box. Therefore, you cannot disable the replication of specific elements of a database, such as the ACL, agents, and design elements. The Cluster Replicator always attempts to make all replicas identical so that users who fail over do not notice that they failed over. Failover refers to Domino’s capability to redirect a user to another server’s replica for database access if the server is down or is too busy.

116 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Replication with a cluster is more reliable than replication with an individual server because Domino replicates with any server in the cluster that contains a replica of the database it is processing. Therefore, if a server in the cluster is unavailable, replication can still proceed if another replica exists in the cluster. Replication with a cluster can also improve performance because Domino uses workload balancing when choosing a server with which to replicate.

Monitoring and Maintaining Replication Several tools can be used to monitor replication. Some of the tools, such as the replication history and the log file, are historical, meaning that they provide the administrator with information about how replication has happened. The replication monitor document allows the administrator to be notified if replication hasn’t happened within a specified time period. Viewing replication schedules and topology maps provides the administrator with a graphical view of the replication schedule for the domain.

Monitoring Replication History A database’s replication history can be accessed from the Basics tab of the Database Properties box or by choosing File, Replication, History. The first time one server replica successfully replicates with a replica on another server, Domino creates an entry in the replication history. The entry contains the name of the other server, as well as the date and time of the replication. Separate entries are created when a replica sends information and when a replica receives it. On each subsequent replication with a specific server, Domino updates the entry in the history to reflect the most recent replication time. If a database doesn’t replicate successfully, Domino doesn’t update the replication history. Domino uses the replication history to determine which documents to scan for changes during the next replication. If you have Manager access to a database, you can clear the database replication history if you think the database doesn’t contain all the documents that it should or if the database replication history is not synchronized with that of other replicas.

117 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . . Clear the replication history only as a last resort to solve replication problems. If you clear the history, during the next replication Domino must make a more comprehensive evaluation of documents to use for candidates for replication. Normally, you would clear this setting only if you suspect time/date problems with server or client clocks.

Viewing the Replication Events View in the Log File The replication log entries in the Replication Events view of the log file (LOG.NSF) display detailed information about the replication of specific databases (see Figure 5.1). For each database that has replicated on a specified server, a replication log shows the access the server has to the database; the number of documents added, deleted, and modified; the size of the data exchanged; and the name of the replica that this database replicated with. The Events section of a replication log shows any problems that occurred when a specific database replicated. For example, the Events section shows whether replication is disabled or whether the database ACL is preventing replication.

Figure 5.1 The Replication Events view of LOG.NSF as shown on the Server, Analysis tab of the Domino Administrator.

118 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Using an Event Generator to Monitor Replication A database event generator can monitor database use and ACL changes. If an administrator creates a database event generator and checks off the Monitor Replication field, he can choose to be notified if replication doesn’t occur within a specified time period. A more correct name for this monitor is Database Replication Failure Monitor. A server administrator creates database event generators as a part of configuring the Event Monitor task. All monitor documents are created in events4.nsf. To create a database event generator from the Domino Administrator, perform the following steps: 1. Click the Configuration tab, and then open the Monitoring

Configuration view. 2. Open the Event Generators, Database view, and then click New

Database Event Generator. 3. On the Basics tab in the Databases to Monitor section, select Monitor

Replication. In the field labeled Filename, enter the name(s) of databases to monitor (see Figure 5.2). 4. On the Replication tab, select which servers to monitor, and then enter

a time period in hours, which represents the maximum time allowed to elapse between replications.

Viewing Replication Schedules You can see a graphical representation of the replication schedules of the servers in your Domino system. To view replication schedules, from the Domino Administrator, click the Replication tab.

Replication-Topology Maps View a replication-topology map to display the replication topology and identify connections between servers. To view replication topology maps, from the Domino Administrator, click the Replication tab (see Figure 5.3). You must load the Topology Maps task before you can view a replication topology map. Use this graphical view to verify that each server is connected for replication.

119 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Figure 5.2 The Database Event Generator document.

Figure 5.3 The Replication Topology, By Connections view on the Replication tab of the Domino Administrator.

120 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 Dave wants to force one-way replication from ServerA to ServerB. Assuming that he’s using the console on ServerA, what command would he issue? ❍ A. Push ServerB ❍ B. Push ServerA ❍ C. Pull ServerA ❍ D. Pull ServerB

Answer A is correct. By issuing Push ServerB at the server console, the administrator forces a one-way replication from the server they are on to the specified server in the command. This command forces one-way replication of all replicas in common between the two servers. An optional parameter allows replication of a single database from the server you are on to the specified server. For example, Push Server1 ADMIN4.NSF forces a one-way replication of ADMIN4.NSF from the server they are on to the specified server in the command.

Question 2 Jenny, the Lotus Domino administrator, has just finished rebooting ServerB after a crash. She now wants to pull all of the documents created on ServerA while ServerB was down. Which one of the console commands can she issue? ❍ A. Documents cannot be pulled from one replica to another after a server crash. ❍ B. Push ServerA ❍ C. Pull ServerA ❍ D. Replicate ServerB, ServerA

Answer C is correct. By issuing Pull ServerA at the server console, the administrator forces a one-way replication from the specified server (the target server) to the server referenced in the command (the source server). This command forces one-way replication of all replicas in common between the two servers since the last replication. This command can be issued after a server has crashed and rebooted.

121 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Question 3 Which of the following are valid types of replication as listed in the Replication Connection document? (Choose all that apply.) ❑ A. Push Wait ❑ B. Pull Only ❑ C. Push Only ❑ D. Replicate

Answers B and C are correct. Four types of replication can be scheduled in a Connection document: pull-pull, push-pull, pull only, and push only. Push Wait is a type of mail connection choice, and Replicate doesn’t exist as an option for scheduled replication, although it is one of the commands an administrator can issue for forced replication.

Question 4 What can a database designer do to minimize replication conflicts? (Choose all that apply.) ❑ A. Enable the form property Merge Conflicts ❑ B. Enable the database property Merge Replication Conflicts ❑ C. Specify a form property for versioning so that edited documents automatically become new documents ❑ D. Specify a database property for versioning so that edited documents automatically become new documents ❑ E. Write custom code using LotusScript to prevent documents from being edited.

Answers A, C, and E are correct. Merge Replication Conflicts and Document Versioning are both form properties, not database properties. LotusScript is a language that can trap for the moment that a user tries to edit a document, thereby enabling the designer to write a custom conflict handler. Also, this release of Domino supports document locking.

122 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 5 Which of the following commands could the Domino administrator use to start the Clustered Replicator task on the server? ❍ A. Replicate Cluster ❍ B. Load CLREPL ❍ C. Load Updall ❍ D. Start CLUSTREPL

Answer B is correct. Answers A and D are not recognized console commands. The Updall task is the task on the server that updates view indexes and full-text indexes.

Question 6 Which one of the following can the Domino administrator use to view detailed information about replication of a database between two servers? ❍ A. names.nsf ❍ B. log.nsf ❍ C. noteslog.nsf ❍ D. admin4.nsf

Answers B is correct. The Domino Directory (names.nsf) stores information about replication connections but doesn’t track replication information. There is no database called noteslog.nsf. The Administration Requests database (admin4.nsf) tracks information about requests processed by adminp. The adminp process can be used to create replicas on servers but doesn’t track information about replication activity.

Question 7 Users are complaining that there are many replication conflicts in a database. What can a Domino administrator do to minimize replication conflicts? ❑ A. Decrease or limit the number of replicas on servers ❑ B. Increase the number of replicas on servers ❑ C. Grant Editor access to all users of the application ❑ D. Grant Author access to all users of the replicas

123 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Answers A and D are correct. The fewer the number of replicas there are, the less potential there is for multiple users to be opening the same document on different replicas. Ensuring that users have only Author access to the application means that users can edit only their own documents, not documents being edited by other users. Granting Editor access to users of an application increases the potential for conflicts because multiple users could edit any document in any replica.

Question 8 Acme Corporation has just rolled out an inventory-tracking database to allow its IT department to track equipment within the organization. Acme has decided to create three replicas across three servers to allow IT staff across the country to access the database. Replicas are created on the following servers: Server1/Acme, Server2/Acme, and Server3/Acme. John, the Domino administrator, wants to make sure that he sets the ACL correctly to allow documents in the tracking database to replicate across servers. He wants all ACL changes and design changes to be made on Server2/Acme. Users should be able to add, edit, and delete documents on any of the three servers. Data documents should then replicate around to the other replicas. How should he grant access to the three servers in the ACL of the tracking database? ❑ A. Server1/Acme: Reader; Server2/Acme: Manager; Server3/Acme: Reader ❑ B. Server1/Acme: Author; Server2/Acme: Manager; Server3/Acme: Author ❑ C. Server1/Acme: Editor; Server2/Acme: Manager; Server3/Acme: Editor ❑ D. All three servers should have Manager access in the ACL.

Answer C is correct. If Server1/Acme and Server3/Acme had either Reader or Author access in the ACL, neither server would be capable of replicating additions, changes, or deletions made by users on those servers. A server must have a minimum of Editor access to replicate Data document changes. Granting Manager access would allow ACL and design changes to be made on all replicas, when the question specified that those types of changes were to be made only on Server2/Acme.

124 Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 9 Dawn is setting up scheduled replication between ServerA and ServerB. She has specified a Connect at Times range of 6 a.m. to 8 p.m., with a repeat interval of 120 minutes. Give the first and second replication times, assuming the following: The first replication connection was successful. The first replication took 8 minutes to complete. ❍ A. 6 a.m., 7 a.m. ❍ B. 6 a.m., 8 a.m. ❍ C. 6 a.m., 8:08 a.m. ❍ D. 6:08 a.m., 8:08 a.m.

Answer C is correct. If the first replication connection was successful and completed in 8 minutes, the second replication would occur 120 minutes after the completion of the first replication.

125 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Need to Know More? Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, Indiana: Que Publishing, 2003. What’s in Store for the Domino R6 Database:

www-10.lotus.com/

ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f8525 6af700621c8a?OpenDocument.

Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6 Administration.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: “Preparation and Test Taking Strategies with Lotus Education Managers.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Physical security Server access ACL Roles Encryption Public key Private key ID file Certificates Domino Directory File protection document

✓ Anonymous access ✓ Basic name-and-password authentication ✓ Session-based name-and-password authentication ✓ Authors field ✓ Readers field ✓ Group document ✓ Deny Access group ✓ User type ✓ Security settings document ✓ Policy document

Techniques and concepts you’ll need to master: ✓ Understanding each layer of the Domino security model ✓ Securing an application using password encryption ✓ Securing Domino resources using Notes authentication and Web authentication ✓ Understanding the role of Domino Directory in the security model ✓ Describing the different types of Domino administrators and the tasks they can perform ✓ Controlling access to the server using the Server document

✓ Troubleshooting techniques for both server and database access ✓ Understanding the ACL, roles, user types, and the different levels of access within the ACL ✓ Providing security through the use of groups ✓ Understanding the role of Authors and Readers fields in securing edit and read access for documents

128 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The security model within the Domino environment is designed to protect resources. Information about access rights and privileges is stored with each protected resource; thus, a given user or server can have different sets of access rights, depending on the resources to which that user or server requires access. Five basic layers make up the Domino security model: 1. Physical security 2. Network and operating system security 3. Authentication 4. Server access 5. Database (application) access

This chapter explores the basic security settings that apply first to physical security and then to the Domino server and the Domino application. We finish with a brief discussion of security policies. For exam purposes, it’s important to remember that security is applied in a “top-down” method through the security layers in order. You may want to jot down the security layers before you begin to write the exam. You’ll also need to remember each of the seven database access levels and what they mean. Most of the exam questions will present scenarios involving the different layers.

Physical Security Physical security involves securing the Domino server’s hardware and software from local, physical access. Physically securing servers and databases is as important as preventing unauthorized user and server access. Unauthorized users or servers must be prevented from having direct physical or network access to Domino servers. All Domino servers should be locked away in a ventilated, secure area. Without physical security in place, unauthorized users could circumvent the database ACL and access applications directly on the server, use the operating system to copy or delete files, or physically damage the server hardware itself. Physical network security concerns should also include disaster planning and recovery.

129 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Securing Domino Applications Based on Password Encryption Password encryption for databases is designed to prevent unauthorized access to locally stored databases. Encryption protects data from unauthorized access, using a dual-key system to secure (encrypt) and decode (decrypt) data. Database encryption provides an additional layer of security because Access Control List (ACL) settings do not necessarily protect locally stored databases. The ACL is a listing of the users and servers that are authorized to access the database. Database encryption uses a public-key algorithm. Encryption generates a random encryption key, encrypts this key with the public key associated with a specific user ID, and appends the resulting key to the specified database. The public key is the key that is used to encrypt the data. A user can access an encrypted database only if the user’s private key can decrypt the appended key. The private key is used to decrypt the data and is mathematically related to the public key so that only the holder of the private key can properly decrypt that data. You can also use local encryption to encrypt databases on a server with the server ID if you fear that those databases could be accessed locally using the network operating system. In this case, only those Domino administrators with access to the server ID can read the database. Local databases are often encrypted if they are stored on a portable computer because the security of a portable computer is easily compromised. For example, let’s say that somebody steals a laptop computer from the vice president of sales. The VP stores replicas of his mail database and the Domino Directory, as well as the Corporate Sales Tracking database, all of which contain sensitive information. If the local replicas have not been encrypted with the ID file and password of the owner, anyone who can access the operating system files can read the data in the databases.

Local database encryption is applied by accessing the Database Properties box and choosing the Encryption Settings button.

Domino Server Security The Domino server is the most critical resource to secure. Server access is the collection of security settings that control access to the server’s resources. You can specify which users and servers have access to the server and restrict activities on the server; for example, you can restrict who can create new databases and use passthru connections.

130 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

You can also restrict and define administrator access by delegating access based on the administrator duties and tasks. For example, you can enable access to operating system commands through the server console for system administrators, and you can grant database access to those administrators who are responsible for maintaining Domino databases.

Securing Domino Resources Based on Notes Authentication A Notes or Domino ID uniquely identifies a user or server. Domino uses the information contained in IDs to control the access that users and servers have to other servers and applications. One of the administrator’s responsibilities is to register and protect IDs and to make sure that unauthorized users do not use them to gain access to the Domino environment. An ID file is a file that uniquely identifies a certifier, server, or user within the Domino security environment, using certificates stored on the ID. Three different types of ID files can be generated by the Domino Administrator, using the Administrator client: ➤ Certifier ID—Used as a “stamp” to register a new server or user ID ➤ Server ID—Used to identify each unique server in the organization ➤ User ID—Used to identify each unique person in the organization

An ID file contains the following components: ➤ The owner’s name ➤ A permanent license number. This number indicates that the owner has

purchased a legal Domino/Notes license for the software and specifies whether the owner has a North American or international license to run Domino or Notes. ➤ At least one Notes certificate from a certifier ID. A Notes certificate is a

digital signature added to a user ID or server ID. ➤ A private key. Notes uses the private key to sign messages sent by the

owner of the private key, to decrypt messages sent to its owner, and, if the ID belongs to a certifier, to sign certificates. ➤ (Optional for the Notes client only) Internet certificates. An Internet

certificate is used to secure SSL connections and to encrypt and sign S/MIME mail messages. An Internet certificate is issued by a Certification Authority (CA) and verifies the identity of the user.

131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ (Optional) Secret encryption keys. These are keys created and distrib-

uted by developers to allow other users to encrypt and decrypt fields in a document. When two Domino servers want to authenticate, or when a user authenticates with a server, each party presents its ID file to the other to verify that they hold a certificate in common. A fairly complex but rapid comparison process between the two entities involves generating random numbers using certificates and keys. When the two entities have ascertained that they have a certificate in common, authentication proceeds. If the authentication process fails, the error message that results on the client or in the log always has the word authenticate in it—for example, “ServerA does not have any certificates capable of authenticating you.”

Securing Domino Resources Based on the Domino Directory The Domino Directory is the most important administrative application in the Domino environment. The Directory contains a listing of all of the documents that help to control security and mail routing for the entire Domino domain: Server documents, Person documents, file protection documents, certificates, and so on. Anyone who can add documents to or edit documents in the directory can control access to many of the resources in the system. The Domino Directory is protected from unauthorized editing by the following security features: ➤ The ACL and roles ➤ A file protection document

Understanding the Domino Directory’s Access Control List (ACL) and Roles Access Control Lists define the users and servers who are authorized to access the database and are discussed in detail in a later section. We briefly illustrate the features of the ACL for the Domino Directory here, since the exam competencies specify that the ACL for the Domino Directory must be examined in detail. To save confusion, we’ve kept all topics related to the Directory together in the chapter; however, you may want to reread this section after reading the more detailed explanation of the ACL. Figure 6.1 shows a typical Directory’s default ACL.

132 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 6.1 The ACL of a Domino Directory.

Here are the points to remember about the major features of the ACL: ➤ The Default access level for the Directory is typically set to Author, with

no Create or Delete privileges checked in the check boxes and no Roles assigned. This level allows the average user to read all of the documents in the Directory, to effectively address mail. Users can also edit their own Person documents in the Directory, allowing them to change certain fields such as their Internet password and address information. Users are allowed to edit only their own Person documents because they are listed in an Authors field for that document (see the section on Authors fields later in this chapter). ➤ The Anonymous access level is usually assigned the level No Access.

This level prevents Web users from accessing the Directory. ➤ Servers and server groups listed in the ACL are typically assigned

Manager access, with all of the Create and Delete privileges and Roles assigned. This high level of access ensures that servers can replicate changes, additions, and deletions to the Directory to other replicas on other servers. ➤ There is also typically an Administrators group listed in the Directory’s

ACL (or perhaps several Person groups). Different groups of administrators are typically assigned different access levels and roles within the ACL. The Domino Directory ACL includes Creator and Modifier roles that can be assigned to administrators so that they have the authority to create and edit specific types of documents.

133 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Roles are useful when groups of administrators have specialized responsibilities. A role defines a set of users and/or servers, and is unique to each database. For example, senior administrators might have all of the roles assigned, allowing them to create and modify every type of Directory document, while junior administrators might have only the GroupCreator and GroupModifier roles to allow them to create and modify groups. Here is a complete listing of all of the roles within the Directory’s ACL: ➤ GroupCreator—Can create Group documents ➤ GroupModifier—Can edit Group documents ➤ NetCreator—Can create all documents except Person, Group, Policy, and

Server documents ➤ NetModifier—Can edit all documents except Person, Group, Policy, and

Server documents ➤ PolicyCreator—Can create Policy documents ➤ PolicyModifier—Can edit Policy documents ➤ PolicyReader—Can read Policy documents ➤ ServerCreator—Can create Server documents ➤ ServerModifier—Can edit Server documents ➤ UserCreator—Can create Person documents ➤ UserModifier—Can edit Person documents The access defined in the ACL by a role never exceeds a general access level. For example, even if you give the UserCreator role to an administrator who has Reader access in the ACL, the administrator cannot use the Create menu to create Person documents.

Securing the Directory with a File Protection Document A file protection document is created in the Domino Directory during initial server startup. This document provides administrators with Write, Read, and Execute access to the Domino Directory. Other users are assigned No Access. The file protection document is a security feature that protects the files on a server’s hard drive by controlling the Web clients’ access to files. The file protection document for the Directory ensures that Web users cannot access or edit any of the documents in the Directory using a browser.

134 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Securing Domino Resources Based on Web Authentication Web users authenticate with the Domino server using their name and an Internet password. The name and Internet password are stored in a Person document in the Domino Directory for the server’s domain. This type of Web authentication is called name-and-password authentication. To set up name-and-password authentication for Web clients, one of two methods can be used: ➤ Basic name-and-password authentication uses the name and password

recorded in the user’s Person document in the Directory. These Person documents either can be created by the administrator or can be created via agents using some kind of registration database. ➤ Session-based name-and-password authentication is a more sophisticated

authentication model that includes additional functionality that is not available with basic name-and-password authentication. A session is the time during which a Web client is actively logged onto a server with a cookie. The administrator has two options when enabling sessionbased authentication in the Server document: ➤ Single Server—Causes the server to generate a cookie that is honored

only by the server that generated it ➤ Multiserver—Generates a cookie that allows single sign-on with any

server that shares the Web SSO configuration document To use session-based authentication, Web clients must use a browser that supports cookies. Domino uses cookies to track user sessions. Web clients can also authenticate with the Domino server anonymously. To set up Web clients for anonymous access, you set up either the Internet site or the server for anonymous access, and then set up database ACLs to include the entry Anonymous with an access level of at least Depositor. Anonymous access means that a Web browser client is not required to enter a name and password to access the Web page. If you do not allow anonymous access and a user tries to access the server anonymously, the user is prompted to authenticate, as shown in Figure 6.2.

135 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Figure 6.2 The Web Authentication dialog box.

Setting Up and Configuring Server Access An administrator can configure many settings to control access to the Domino server. After a user successfully authenticates with the server, that user must negotiate the server access layer to gain access to resources stored on the server.

Securing the Server Console You can password-protect the server console to force administrators to know the console password to enter console commands. The syntax of the command for doing so is as follows: Set Secure currentpassword

After the console has been password-protected, administrators can’t use the Load, Tell, Exit, Quit, and Set Configuration server commands until they enter the password. Console security remains in effect until the password is cleared by entering a second Set Secure command with the same password. Here are some examples of the how the Set

Secure

➤

Set Secure TesTing123—Password-protects

➤

Set Secure TesTing123 456neWpassWord—Changes

command can be used:

the console if no password is currently in effect. In this case, the new password is TesTing123. the existing password

from TesTing123 to 456neWpassWord. ➤

Set Secure TesTing123—If

the console is already protected by a password—in this case, TesTing123—entering a second Set Secure command with the same password clears the password.

136 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Restricting Administrator Access to the Server You can specify various access levels for different types of administrators in your organization. For example, you might want to give only a few people high administrative access, while all of the administrators on your team are designated as database administrators. Administrators are listed either as individuals or as members of groups in the different administrator fields on the Security tab of the Server document located in the Domino Directory. Here is a list of the administrator fields that control administrative access to the server: ➤ Full-access administrators—These administrators have full access to

administer the server. This is the highest level of administrative privilege. The feature to assign full-access administrators replaces the need to run a Notes client locally on a server. Full-access administrators are automatically assigned Manager access with all roles in every database ACL, thus allowing them full access to every application on the server. This feature is new in Release 6 and will probably appear in at least one exam question because it is new and gives a great deal of power to the administrator. Be sure to study the different administrator fields and know what each type of administrator is allowed to do.

➤ Administrators—Administrators listed here have the following rights:

Manager access to the Web Administrator database (WEBADMIN.NSF) Capability to create, update, and delete folder and database links Create, update, and delete directory link ACLs Compact and delete databases Create, update, and delete full-text indexes Create databases, replicas, and master templates Get and set certain database options (for example, in/out of service, database quotas, and so on) Use message tracking and track subjects Use the console to remotely administer Unix servers Issue any remote console command ➤ Database administrators—These administrators are responsible for

administering databases on the server. Users listed here have the following rights only: Create, update, and delete folder and database links Create, update, and delete directory link ACLs

137 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Compact and delete databases Create, update, and delete full-text indexes Create databases, replicas, and master templates Get and set certain database options (for example, in/out of service, database quotas, and so on) Database administrators are not automatically granted Manager access to databases on the server, nor do they have any access to the Web Administrator database. On the exam, make sure that you don’t confuse this level with the level of full-access administrators, which is the only type of administrator that can bypass the ACL.

➤ Full remote console administrators—These administrators can use the

remote console to issue commands to the server. ➤ View-only administrators—These administrators can use the remote con-

sole to issue only those commands that provide system status information, such as SHOW TASKS and SHOW SERVER. View-only administrators cannot issue commands that affect the server’s operation. ➤ System administrators—These administrators are allowed to issue a full

range of operating system commands to the server. ➤ Restricted system administrators—These administrators are allowed to

issue only the operating system commands that are listed in the Restricted System Commands field.

Allowing and Denying Access to the Server To control user and server access to other servers, Domino uses the settings specified on the Security tab in the Server document. If a user or server can authenticate and the settings in the Server document allow access, the user or server is allowed access to the server. The administrator can specify Notes users and Domino servers that are allowed to access the server, as well as users who access the server using Internet protocols (HTTP, IMAP, LDAP, POP3). All of these settings are specified in the Security section of the Server document in the Domino Directory. Notes user and Domino server access to a Domino server is controlled through the following fields in the Security section of the server document: ➤ Access Server—The administrator can allow server access to users listed

in all trusted directories, or only to specific Notes users, servers, and groups. If the Access Server field is left blank, all users and servers that can authenticate can access the server.

138 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Some administrators use an asterisk followed by a certificate name to control access to the server; for example, */Sales/Acme would give all users in the Sales OU access. An asterisk followed by the name of a view, such as *($Users), would give all names that appear in a specific view in the Domino Directory access. It is handy to be able to use this reference within an ACL to save the time of adding several groups to the ACL. For example, instead of having to maintain and update an All Users group in the Directory, the administrator can use */Acme to refer to all users in the company.

➤ Not Access Server—These users, servers, and groups are denied access to

the server. Again, administrators also have the option of using the asterisk notation. The default value for this field is blank, which means that all names entered in the Access Server field can access the server. Remember that names entered in the Not Access Server field take precedence over names entered in the Access Server field. For example, if you enter a group name in the Access Server field and enter the name of an individual member of this group in the Not Access Server field, the user will not be capable of accessing the server. Typically, the Domino Administrator lists a Deny Access group in this field to deny access to servers within the company for people who have left the company. See the discussion about groups and group types later in this chapter.

➤ Create Databases and Templates—These specific servers, users, and groups

are allowed to create databases with the File, Database, New command. Typically, this capability is restricted to administrators or designers. The default value for this field is blank, which means that all users can create new databases. ➤ Create New Replicas—These specific servers, users, and groups are

allowed to create replicas using the File, Replication, New Replica command. The default value for this field is blank, which means that no one can create new replicas. ➤ Create Master Templates—These specific servers, users, and groups are

allowed to create master design templates. Servers, users, and groups who cannot create new databases or replicas on the server cannot create or update templates. The default for this field is blank, which means that no one can create master design templates on the server.

Controlling Access to a Specific Network Port Administrators can use a port access list to allow or deny Notes user and Domino server access to a specific network port. If the administrator uses both a port access list and a server access list, users and servers must be listed on both to gain access to the server.

139 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Access to a specific port is controlled using these NOTES.INI settings: Allow_Access_portname = names Deny_Access_portname = names

Here, portname is the name of the port, and names is a list of users, servers, and groups to which you want to deny or allow access. These names must be contained in the Domino Directory.

Monitoring and Maintaining Server Access Control Not too many hands-on tools provided with the Domino Administrator client are designed to assist the administrator with monitoring or maintaining access control for servers. But the administrator can put in place some strategies and plans to help keep a tight rein on server security. Develop strategies to protect your computing environment. When you understand the potential threats to your Domino environment, you can create procedures to protect each part of your Domino computing infrastructure. This can include developing procedures and rules for some of the following areas: ➤ Limits on physical access to the Domino servers ➤ Network access and protection ➤ Messaging infrastructure, through the use of antispam and antivirus

products ➤ Change control, to help manage changes to your security model ➤ User training for organizational security rules and technology ➤ Security incident reporting ➤ Development of incident-handling procedures ➤ Planning and delivery of employee security training ➤ Keeping security processes and documentation current and up-to-date

Domino administrators should periodically review the Administrator fields on the Server document, as well as the fields on the Security section of the Server document, to assess whether access to the server is being properly granted or denied.

140 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Troubleshooting Common Server Access Problems Many scenarios illustrate situations in which users and servers can have difficulty accessing Domino servers. The following sections illustrate these potential problems. Each section lists a common error resulting in a server access problem and documents the solutions to those problems.

The Administrator Can’t Enter Commands at the Server If an administrator can’t run the workstation program on the server, run standalone server programs, or use the Load, Tell, or Set Configuration commands, the console has likely been password-protected. The administrator needs to use the Set Secure command at the console or use the Domino Administrator client to clear the password. The administrator must know the password to clear it. An administrator might also fail to enter commands at the console because he isn’t listed as an administrator in the Administrator fields in the Server document, or he might be listed as a view-only administrator, with limited access to enter console commands.

Users Can’t See a New Server in the List of Servers If users can’t see a new server when they try to add, create, copy, or replicate a database, the administrator should make sure that the Domino Directory contains a Server document for the new server and that the information in the document is accurate and correctly spelled. If no Server document exists, the administrator should register the new server and ensure that the Server document gets added to the Directory and then replicated to other servers in the domain. If a Server document exists and contains accurate information for the new server, the administrator can check the log file on both the user’s home server and the inaccessible server to see if there are network problems.

The Server Is Not Responding The message “Server not responding” might appear when you install a client or try to open any database on a particular server. Here are some strategies for resolving this problem, listed in the order in which they should be attempted: 1. Check that the Domino server and the network are running. 2. Check whether the server has been renamed or recertified. When a

user tries to open a database on a server that has been recertified or renamed, the message “Server not responding” might appear.

141 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . 3. If the client and server are using NetBIOS, make sure that the protocol

is configured properly and that it’s running on the workstation and server. The workstation and the server must use the same version of NetBIOS, and the server must be enabled for sufficient NetBIOS sessions.

The User Received the Error Message “You Are Not Authorized to Access the Server” When this message appears, the most likely cause is that the user or server is being denied access to the server through the Deny Access field in the Server document. Check the names and groups listed in that field, and, if necessary, remove the name from the field or from the group. Any direct changes to the Server document require that the server be restarted for the changes to take effect. For example, if Joe Smith/Acme was listed in the Deny Access field on the Server document and the administrator removed his name from the field, the server would need to be restarted for Joe to gain access to the server. But if Joe was listed as a member of a group in the Deny Access field and the administrator removed him from the Group document, the server would not need to be restarted for Joe to gain access to the server. Groups are usually used to grant and deny access to the server so that the server doesn’t need to be restarted each time someone is added or removed from the group.

Domino Application Security As the final layer in the Domino security model for resources, administrators must understand how to apply security to the database, also known as the application. The security for the database itself is also multilayer, beginning with the database Access Control List. Within the database, security can also be provided for design elements (views, forms, agents, and so on), documents, sections of documents, and fields. The following sections of this chapter focus on three main security features: the database ACL with both individual and group listings, Authors fields, and Readers fields.

Understanding the ACL Every database has an Access Control List (ACL) that specifies the level of access that users and servers have to that database. Only someone with Manager access can create or modify the ACL. Although the names of access levels are the same for users and servers, those levels assigned to users determine the tasks that they can perform in a database. Those assigned to servers determine what information within the database the servers can replicate.

142 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

To control the access rights of Notes users, select the access level, user type, and access-level privileges for each user or group in a database, within the ACL by choosing File, Database, ACL. Access levels assigned to users in a database ACL control which tasks users can perform in the database. Accesslevel privileges enhance or restrict the access level assigned to each name in the ACL. For each user, group, or server added in the ACL, you select the user type and access level in the User Type and Access drop-down lists. To further refine the access, you select a series of access privileges by selecting or deselecting the various check boxes located on the right side of the Basics tab of the ACL. If the application designer created roles, assign them to the appropriate users, groups, or servers. Figure 6.3 shows the ACL of a database.

Figure 6.3 A database ACL showing entries for groups and individuals.

All changes to the ACL are tracked through the ACL log, which can be accessed within the ACL itself by choosing File, Database, ACL and choosing the Log tab. Each entry in the list shows when the change occurred, who made the change, and what changed. The log stores only 20 lines of changes, not the complete history. Only users who have manager access in the ACL can view the ACL log.

Access Levels in the ACL Here is a listing of the seven access levels, from lowest to highest, along with a brief description of what each level means:

143 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ No Access—Denies access to the database. The error message that

appears to the user is “You are not allowed to access this database.” The exception to the No Access level is the Public Access level. If the designer of the database creates Public Access forms and documents are created with these forms, the documents are marked as Public. Anyone in the ACL with Public Access can read or write Public documents. The Public Access level is granted by checking the Read or Write Public Documents check box in the ACL. This technology is used in the Mail database, where calendar documents get marked as public documents so that access to those documents can be controlled separately from access to mail messages. Be careful when selecting the Public Access option—you should check with the database designer to see if public access forms were used in the database so that access to those documents can be properly set in the ACL.

➤ Depositor—Allows the writing or adding of documents only. Users can-

not read, edit, or delete documents, with the exception of public documents. ➤ Reader—Allows the reading of documents only. Users cannot add, edit,

or delete documents. ➤ Author—Allows users to read documents and to edit documents in which

they are listed in an Authors field (see the topic later in this chapter regarding Authors fields). Optionally, users may create or delete documents. ➤ Editor—Allows the creating, reading, and editing of all documents. This

is the highest level of access to the document data, but it does not grant access to design documents or to the ACL. ➤ Designer—Includes all the rights of Editors, as well as access to create,

edit, and delete all Design documents in the database such as forms, shared views, navigators, and so on. ➤ Manager—Includes all the rights of designers, as well as the capability to

modify the ACL and delete the database from the server using the client user interface commands (File, Database, Delete). Users and servers who are granted Reader access or higher can be allowed or denied access to read documents through the use of a Readers field. See the topic later in this chapter regarding Readers fields.

In some cases, users can have high access to a database that is not defined in the database ACL. Administrators who are designated as full-access administrators in the Server document have manager access to all databases, with all privileges and roles enabled, regardless of whether they are listed in the database ACLs.

144 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrators who are designated as administrators or database administrators in the Server document are allowed to delete any database on the server or modify the database (for example, designate an administration server or create a full-text index), even if they are not listed as managers in the database ACL. Don’t forget about these special database privileges when answering exam questions related to database security and ACLs.

User Types in the ACL A user type identifies whether a name in the ACL is for a person, server, or group. A user type is assigned to a name to associate an ID type with that name so that only that type of ID can access the application. For example, if you entered a value of Training as the ACL entry and assigned a user type of Server, the Training server could gain access to the database, but the person group called Training couldn’t gain access. The user types are Person, Server, Mixed Group, Person Group, Server Group, and Unspecified. The default group in the ACL is always assigned Unspecified as the user type. If you have added Anonymous to the ACL, it should have a user type of Unspecified. User types provide additional security for a database. For example, assigning the Person user type to a name other than Unspecified prevents an unauthorized user from creating a group document with the same person name, adding his or her name to the group, and then accessing the database through the group name. Designating a name as a server or server group prevents a user from using the server ID at a workstation to access a database on the server.

Securing Applications with Groups Most administrators control access to databases through the use of groups. Group documents are created in the Domino Directory to create a single reference point for people and servers for easy citation within ACLs and mail messages. An administrator must have at least Author access to the Directory with the GroupCreator role to create groups. Using groups can help simplify many administration tasks. Figure 6.4 shows a sample Group document. Groups are lists of users, groups, and servers that have common traits. Groups are given a name, group type, description, domain, and Internet address. The administrator then lists the members of the group in the Members field. The two group types that are suitable for ACLs are Multipurpose and Access Control List Only. It’s important to provide a description for the group so that administrators can keep track of the purpose of each group in the Directory.

145 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Figure 6.4 A Group document in the Domino Directory. One of the group types in the Group Type list is the Deny List Only group. The Deny Access group is typically listed in the Not Access Server field in the Server document, and it is used to deny access to servers for people who have left the company. These groups cannot be seen within the Groups view. Deny Access groups are located within their own view in the Directory called Deny Access Groups. To see this view, you must be assigned the GroupModifier role. Watch out for references to this group type on the exam, and remember that these groups are always located within their own, separate view.

After the group has been created, the Administrator can easily add the group to the ACL and assign access privileges to it. It is much easier to add and remove members from a Group document than it is to add and remove individual users from the ACL. When someone is listed in the ACL more than once, the following rules apply: ➤ If the user or server is listed in the ACL as an individual, that user or

server gets the access level assigned as an individual, regardless of whether the user or server is also listed in one or more groups. For example, if Jim Smith/Acme is listed in the ACL as a Reader but is also in the group called Acme Employees with an assigned level of Author access, Jim will get Reader access to the database. If his individual access level is Designer, he will get Designer access to the database.

146 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ If the user or server is not listed in the ACL as an individual but is listed

in more than one group, that user or server gets the highest of the group access. For example, if Jim Smith/Acme is listed in the Acme Employees group with Reader access and in the Administrators group with Manager access, he will have Manager access to the database.

Securing Applications with Authors Fields An Authors field works in conjunction with Author access in the database ACL, and it is used to grant access to edit a document. For someone with Author access to edit a document, that person must be listed in an Authors field on that document. In a typical scenario, someone with Author access has the Create Document privilege and can create documents in the database. Usually the designer of the database places an Authors field on the form, and computes and stores the name of the user who created the document. That user then can edit the document later. The Authors field can also be editable, in which case the creator or editor of a document can enter other names into the Authors field, thus allowing those users to edit the document. Always remember that Authors fields apply only to users who have Author access in the ACL. Entries in an Authors field cannot override the database ACL; they can only refine it. Users who have been assigned Reader access or lower in an ACL can never edit a document, even if they are listed in an Authors field. Users who have Editor access or higher in the ACL can edit all the documents in the database and are not affected by an Authors field.

If the designer of the database chooses not to place an Authors field on the form, users with Author access to the database might be able to create documents but will never be able to edit those documents after they have been created and saved in the database.

Securing Applications with Readers Fields A designer can limit reading on a per-document basis by including a Readers field on the form. A Readers field can be populated with the name of a group, role, user, or server name. If any group, role, user, or server is listed in the Readers field, only that entity can read the document, regardless of someone’s access level in the database ACL. For example, a designer could architect the Main Topic form of a Discussion database with a button called Mark Private that would allow any author of a Main Topic document to mark a document so that it was visible only to that author, and a Mark Public button that would make the document visible to

147 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

all readers of the database. When the user pushes the Mark Private button in any document that he is capable of editing, a Readers field gets populated with the name of the user who pushed the button. When that user then saves the document, that user is the only person who can read the document. Other users who have access levels in the database that range from Reader right up to Manager cannot see or read the document. There are several exceptions to the rules surrounding Readers fields: ➤ If someone is listed in an Authors field on the document, that person

can read the document, regardless of whether he is listed in the Readers field. ➤ If the Readers field on a document is empty, everyone with Reader

access and higher to the database can read the document. ➤ Full-access administrators can always read all the documents in a data-

base, regardless of whether they are listed in a Readers field for those documents. Don’t forget that servers also need to read documents to replicate them. Readers fields are useful when the designer wants to ensure that some documents can be read only by certain people or groups. But many designers forget that servers also need to read documents to replicate them. If a designer decides to use a Readers field on a form, that designer should always ensure that a server or server group is computed in a Readers field so that servers can replicate all the documents in the database to other servers.

Form Read Access Lists A Form Read Access List lists users, server, roles, or groups that can read documents created with the form. Many people confuse the Readers field with the Form Read Access List. Every form in a database contains a section in which the designer can list users, server, roles, or groups that can read documents created with the form. You can access this list on the last tab (the Security tab, marked with a key icon) of the Form Properties box, as shown in Figure 6.5. If the designer removes the check mark from the box All Readers and Above and places the check mark next to one of the entries in the list, any documents saved with the form are saved with a $Readers field. This field contains the names of all the entries checked in the form’s Read Access List. The $Readers field achieves the same result as the Readers field, restricting read access for the document to those users listed in the field.

148 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 6.5 The Security tab of the Form Properties box.

Troubleshooting Data Access Control Problems Many scenarios can cause problems for users and servers who are attempting to access or perform tasks in a database. The following sections discuss some of the more common complaints that relate to application access control.

Servers Aren’t Replicating Document Deletions to Other Replicas To receive document deletions, the ACL on a destination server replica must give the source server Editor access or higher and must have the access-level privilege Delete Documents selected. If servers don’t have adequate access to the database, they might not be capable of properly replicating changes, additions, or deletions to the database.

Users Are Complaining That They Can’t Seem to Lock Documents in a Database When administrators set the database property Allow Document Locking, users with Author access or higher can lock documents in that database as long as they are listed in an Authors field for that document. Locking a document prevents editing and replication conflicts by ensuring that the person who locks the document has exclusive rights to modify the document. Managers of a database cannot edit a locked document; however, managers can unlock documents that are locked. If a user is experiencing difficulty when attempting to lock a document, the most likely problem is that the user doesn’t have enough access to edit the document.

149 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Users Complain That They Can’t Seem to “See” All the Documents in the Database If users cannot locate or read documents in a database, they likely have been excluded from reading a document because they aren’t listed in the Readers field for those documents. If the user needs to be able to read certain documents, that user needs to find out how to get added to the Readers field— likely through the use of a role or group.

A User Complains That He Cannot Edit a Document That He Created in the Database If a user has Author access in the database and cannot edit a document that he originally created, that user likely isn’t listed in an Authors field on that document. The user should look at the database documentation or consult with the designer or manager of the database. Perhaps the database has been architected to prevent users from editing their own documents for business reasons that support the business rules for the application. Or perhaps the designer has omitted the Authors field by mistake, in which case the designer will need to add an Authors field to the form(s) and run agents in the database to populate the Authors fields on existing documents. When the user’s full hierarchical name has been stored in the document, that user should be able to edit that document.

Users Complain That They Can’t Create Agents in the Database If a user can’t create agents in a particular database, the administrator should check the database ACL to see if the user has the access level required to create agents in that database. To create personal agents, a user must have at least Reader access to the database, with the Create Private Agents privilege checked. To create shared agents, a user must have at least Designer access. If the designer wants to create agents that use either LotusScript or Java code, the Create LotusScript/Java Agents privilege also must be checked.

Creating Security Policies Domino policies are a way of distributing administrative settings, standards, and configurations to users, groups, or entire organizations. A policy document is a collection of administrative settings that addresses an administrative area. An administrator can then use this document to establish and enforce administrative standards and to distribute them throughout the organization. The administrator can easily modify and maintain security standards across an

150 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

organization by simply editing a security settings document. Security settings documents can be used to control the management and deployment of the following security settings: ➤ Execution control lists (ECLs) ➤ Notes and Internet password settings and synchronization

The security settings document has two major sections: the Password Management tab and the Execution Control List tab. Here is a summary and brief explanation of the fields on the Password Management tab: ➤ Allow Users to Change Internet Password over HTTP—Allows users to use a

Web browser to change their Internet passwords ➤ Update Internet Password When Notes Client Password Changes—Allows

users to use the same password to log in to both Notes and the Internet ➤ Check Notes Password—Requires Notes client IDs to use a password for

Notes authentication ➤ Enforce Password Expiration—Enables or disables password expiration for

Notes only, Internet only, or both Notes and Internet passwords If password expiration has been enabled, the administrator must complete the following fields: ➤ Required Change Interval—The number of days a password can be in

effect before it must be changed. ➤ Allowed Grace Period—The number of days users have to change an

expired password before being locked out. ➤ Password History (Notes only)—The number of expired passwords to store.

Storing passwords prevents users from reusing old passwords. ➤ Required Password Quality—Sets password quality or length requirements

for passwords. An ECL protects user workstations against active code from unknown or suspect sources, and can be configured to limit the action of any code that runs on workstations. The ECL determines whether the signer of the code is allowed to run that code on a given workstation, and it defines the access that the code has to various workstation functions. For example, an ECL can prevent another person’s code from running on a computer and damaging or erasing data. The following settings are set on the Execution Control List tab of the security settings document:

151 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ Admin ECL—Choose Edit to edit the default administration ECL, or

choose New to create a new administration ECL. ➤ Update Mode—Choose Refresh to update workstation ECLs with

changes made to the Administration ECL, or choose replace to overwrite the workstation ECL with the Administration ECL. ➤ Update Frequency—Choose Once Daily, When Admin ECL Changes, or

Never to control how often the workstation ECL is updated.

152 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 Which of the following best describes the role of the full-access administrator? ❍ A. Performs database creation and deletion. ❍ B. Performs user registration and deletion. ❍ C. Performs day-to-day database maintenance. ❍ D. Performs any administrative task, including full access to all databases. Can be used for emergency use.

Answer D is correct. Full-access administrators have Manager access with all roles to all databases on the server, regardless of the database ACL. This administrative access level can be for emergency use, when the administrator needs to be able to access data for troubleshooting purposes.

Question 2 Which of the following is not a valid level of administrative access to the Domino server? ❍ A. Database administrator ❍ B. Domino administrator ❍ C. Restricted system administrator ❍ D. Full-access administrator

Answer B is correct. Domino administrators is not a valid option on the server document. The valid options are: Full-Access Administrators Administrators Database Administrators Full Remote Console Administrators View-Only Administrators System Administrator Restricted System Administrator

153 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Question 3 Colin, a Notes user, wants to lock a document in a database. Which of the following is the lowest level of access he can have to the database that allows him to lock the document? ❍ A. Reader ❍ B. Editor ❍ C. Author ❍ D. Manager

Answer C is correct. To lock a document in Notes, you must be able to edit the document. The lowest level of database access that allows document editing is Author access. Colin’s name would also need to be listed in an Authors field on the document to allow him to edit it. Additionally, document locking must be enabled for the database.

Question 4 Which of the following statements about password synchronization is true? ❍ A. Users can synchronize their Notes and Internet passwords in the User Security dialog box in the Notes client. ❍ B. Users can synchronize their Notes and Internet passwords by accessing their own Person document in the Directory. ❍ C. Notes and Internet passwords can be synchronized by the administrator if he creates a security settings document specifying that both passwords should be synchronized, and applies that security setting through the use of a policy document. ❍ D. Notes and Internet passwords cannot be synchronized.

Answer C is correct. The Domino administrator can choose to synchronize the Internet password with the Notes password through the use of policies and security settings, thus giving the end user the same password to log into both Notes and the Internet.

154 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 5 Wendy needs to change some of the fields on a security settings document. Which of the following roles does she need to make the changes? ❍ A. PolicyEditor ❍ B. PolicyModifier ❍ C. PolicyCreator ❍ D. PolicyAuthor

Answer B is correct. Three ACL roles are associated with policies: the PolicyCreator role, the PolicyReader role and the PolicyModifier role. The PolicyCreator role is required to create a policy document. The PolicyModifier role is required to modify a policy document. The PolicyReader role is required to read a policy document.

Question 6 Beth, one of the Domino administrators in the Acme Corporation, needs to use the Domino Administrator client to create a replica of a Discussion database on ServerB/Acme. Which of the following best describes the rights she needs to accomplish this task? ❍ A. She must be listed in the Access Server field for ServerA/Acme. ❍ B. She must be listed in the Create New Databases and Templates field for ServerB/Acme. ❍ C. She must be listed in the Create Replica Databases field for ServerB/Acme. ❍ D. She must be added to the Administrators group in the Directory.

Answer C is correct. The Create Replica Databases field contains a list of users who are authorized to create new replica databases on the Domino server. If the field is blank, no one can create replica databases. Answer D isn’t necessarily correct because we don’t know whether the Administrator group is listed in the Create Replica Databases field.

155 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Question 7 Bob just finished creating a group within the Domino Directory, but he can’t locate the group within the Groups view. Which type of group did he create? ❍ A. Multipurpose ❍ B. User ❍ C. ACL Only ❍ D. Deny List Only

Answer D is correct. The Deny List Only group denies access to users listed in the group when the group name is used within a server access list. A Deny List Only group usually contains the names of former employees of companies. The Deny List Only group type doesn’t display in the Groups view of the Domino Directory, but rather displays within the Deny Access Groups view. To see this view, you must be assigned to the GroupModifier role.

Question 8 Susan locked a document within a database and then went on vacation the next day. She isn’t scheduled to return to the office for another two weeks, and Jesse needs to be able to edit the document in her absence. Which of the following access levels does Jesse need to unlock the document? ❍ A. Manager ❍ B. Designer ❍ C. Editor ❍ D. Author

Answer A is correct. Document locks prevent any users from immediately editing the document, including those with Manager access to the database. However, a user with Manager access to a database can unlock a locked document, and then proceed to edit it.

156 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 9 Joey enters the following command at the server console: Set secure passwordabc

Which of the following statements is true? ❑ A. If the console was password-protected using the password passwordabc, then by entering this command, Joey has cleared the current password and the console is no longer protected. ❑ B. If the console was password-protected using the password 123abcdef, then by entering this command, Joey has reset the console password to passwordabc. ❑ C. If the console was not password-protected, then by entering this command, Joey has protected the console with the password password123. ❑ D. Joey has not used the correct syntax for the set secure command; therefore this command will have no effect at the server console.

Answers A and C are correct. If a the console is already password-protected, you must enter the set secure command with the current password to unlock the console. If the console isn’t password-protected, entering the set secure command with a password secures the console with that password. To reset a password on a secure console, you must enter the following command: Set secure “oldpassword” “newpassword”

157 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Need to Know More? Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm.com/. For references to security, consult Chapter 10, “Security.” Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, Indiana: Que Publishing, 2003. Policy-based system administration with Domino 6: www-10.lotus.com/ ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf8100256b e9005b7d35?OpenDocument.

Lotus

Domino

6

Technical

Overview:

www-10.lotus.com/

ldd/today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af8525 6a1b00782950?OpenDocument.

For references to security, consult the section “New Security Features.” Accessing and protecting the file system:

www-10.lotus.com/

ldd/today.nsf/f01245ebfc115aaf8525661a006b86b9/a115026680fd74498525 6b34000f4c1b?OpenDocument.

Webcast: “Lotus Live! Series: What’s New in Notes/ Domino 6 Administration.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: “Preparation and Test Taking Strategies with Lotus Education Managers.” http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

PART II Exam 621 7 Installing and Configuring 8 Mail 9 Monitoring Server Performance 10 Replication 11 Security

7 Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Domino server types ✓ Transaction logging ✓ Domino clustering ✓ Domino Welcome page ✓ Certificate authority ✓ Multiuser support

Techniques you’ll need to master: ✓ Capacity planning based on performance ✓ Setting up and configuring a Notes/Domino Release 6 Server ✓ Installing a Notes/Domino Release 6 server ✓ Setting up servers of different types ✓ Setting up/configuring Directories ✓ Deploying a corporate standard Welcome page ✓ Creating/registering certificates ✓ Creating/registering users ✓ Certifying with a CA key ✓ Setting up multiuser support ✓ Setting up workstations for different clients ✓ Setting up/configuring calendaring and scheduling ✓ Setting up/configuring transaction logging ✓ Setting up servers for load balancing and failover ✓ Setting up servers for sharing resources ✓ Applying policy documents to existing users ✓ Migrating from a distributed directory to a central directory

162 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In this chapter, we cover how to install and configure the prime components of a Domino domain. Topics discussed include setting up and installing a server, the different server types available, and how to ensure that you have planned properly for the maximum performance throughout the domain.

Capacity Planning Based on Performance Capacity planning in a Domino domain consists of establishing the parameters that will be used to make sure the servers and network are running at optimum efficiency. Domino is a powerful application, but it must be set up properly to achieve peak performance. Before beginning the setup of a Domino server, take the time to map out the domain and plan accordingly to deploy a premium installation. Items to consider when creating a capacity plan for the domain include ➤ Create a map of the proposed Domino network and the anticipated

number of users as well as the proposed size of the databases as the domain grows. Engage a Domino consultant if necessary to assist with the project scope to help determine the manner in which the network should be defined. ➤ Configure the server with the fastest processor or multiple processors

available if possible. Specific Domino tasks, such as the indexer and replicator, perform more efficiently on faster machines and reduce the performance overhead. ➤ Domino can be disk intensive. Use high-speed disk arrays with RAID

striping enabled to achieve the quickest reads and writes in the disk subsystem. Use drives with a low seek time and install disk controllers with disk caching. ➤ Most programs use memory if it is available and Domino is no excep-

tion. Using large amounts of memory with Domino causes less disk swapping to occur because the paging file requires minimal access; therefore, having the most memory available is the optimal choice. ➤ User and servers are required to connect to the server, so network infra-

structure should be a prime consideration when deploying the servers. Setting up servers on a congested network causes problems from the start, so take the time to perform proper network diagramming before installing the servers.

163 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

When planning for a Domino installation, make sure that the network cards in the server can make the best use of the available bandwidth. Using a 10Mbps card on a 100Mbps network will not allow the server to participate on the network efficiently.

➤ Consider the work hours of the user community when scheduling sys-

tem tasks such as server backups. Domino has specific tasks, such as Compact or Fixup, that run more efficiently when the server access is low, so Lotus schedules these programs to run in the early morning hours when the server load is light. Backing up the system is no different and proper care should be taken to schedule backups so that they will start when users are logged off the server and before the nightly maintenance routines launch. After the server has been built and the Domino server software has been installed, consider these options to gain the maximum performance in the domain: ➤ Certain tasks are loaded by default when the server is built. If not all

services are being used, remove them from the server configuration to allow the server to process only the necessary tasks. For instance, if calendaring and scheduling is not being used in the server, remove Calconn and Sched from the Notes.ini file. Take a look at all tasks that are being loaded and remove what isn’t necessary. ➤ Take advantage of special codes that Lotus has written to maximize the

performance of the server. For instance, if the server only has a single processor installed, set the SERVER_MAXSESSIONS to a specific number to manage the number of concurrent Notes client sessions. Lotus has created an entire white paper, “Maximizing Domino Performance” that addresses these issues as well as other recommendations. The paper is available at http://www-10.lotus.com/ldd/.

Installing a Notes/Domino Release 6 Server Lotus has spent a considerable amount of time making it as easy as possible for an administrator to install the server. These are the major phases of the setup process:

164 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Creation of the Domino Directory ➤ Creation of the ID files, including the server ID, certifier ID, and the

administrator ID ➤ Creation of the Domino log ➤ Definition of appropriate network configurations Before beginning the install, make sure that thought has been given to the requirements needed for the most efficient hardware platform to provide the optimum performance. Copious amounts of RAM, adequate bandwidth, and fast drive arrays are well worth the investment to building a premium server.

Lotus has provided multiple server types to allow administrators to have various options for creating a Domino domain that will perform as needed based on the user’s requirements. Make sure that you are familiar with these different types and that you install each of them in your development environment when studying for the exam.

Setting Up Servers of Different Types Before launching the setup program, consider the type of server that needs to be running based on the needs of the organization. There are three types of servers that can be installed: ➤ Domino Utility Server—Select this server type if the requirement is for

application services only and no messaging services. This selection does support Domino clustering. The Utility server is a new product type provided by Domino release version 6. ➤ Domino Messaging Server—Select this server type if the requirement is

for messaging services only. The Messaging server does not support Domino clustering. ➤ Domino Enterprise Server—Select this server type if the requirement is for

application services, messaging services, and Domino clustering services.

Running the Installation Program After launching the installation program, the setup utility will guide the administrator through the following steps: 1. The setup program unpacks the installation files to a temporary direc-

tory. This is an automatic process and requires no intervention from the administrator.

165 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . 2. The Lotus Domino program dialog box appears after the files are

decompressed. Click Next to continue. 3. The license agreement appears next. Read the agreement and click Yes

to continue. 4. A dialog box appears asking for your name, company name, and a

check box allowing the administrator to choose a partitioned server if required. Complete the fields and select Next to continue. 5. The next screen that appears allows the administrator to select the

server locations for the Program folder and the Data folder. Typically, the Program folder is small in size and can be placed on a system volume. The Data folder contains all the databases on the server and should be placed on the fastest drives on the server where there is sufficient room for growth. Select the destination folders and click Next to continue. 6. A dialog box appears allowing the administrator to select the type of

server to install (see “Setting Up Servers of Different Types,” earlier in this chapter). As each server type is selected, the text next to the Customize button at the bottom of the dialog box changes, allowing each server type to be set up as needed based on custom selections that are chosen. Select the server type and click Next to continue. 7. The next screen provides the choices for Program folders. Either type

the name of a new folder or select an existing folder from the list. Click Next to continue. The setup program will now install the server. 8. After the software installation program has finished, click Finish to exit

the setup program. Setting up and configuring a Domino server is a key skill needed by an experienced administrator. Carefully review the information in the following section when preparing for the exam. If it has been some time since you have installed a server, make sure you spend time drilling on these concepts and, as stated before, install a server in your development environment. Real-world, hands-on experience is the best teacher, but the information here can help extend your knowledge.

Setting Up and Configuring a Notes/Domino Release 6 Server After the server software is installed, it needs to be configured. To start the configuration process, select the Lotus Domino Server selection on the Program menu and follow these steps:

166 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. The Server Setup screen loads. On this screen, there is an option to

change the fonts if desired. Click Next to continue. 2. Server Setup now needs to know if this is the first server in a domain

or is a server being added to an existing domain. The two choices are ➤ Set up the first server or a stand-alone server. This will set up a new

Domino server and a new Domino domain. ➤ Set up an additional server. This will setup an additional Domino

server into an existing Domino domain. This requires that the server is already registered in the Domino Directory. (You may need to obtain additional information from your Domino administrator.) Select “Setup the first server or a stand-alone server” and click Next to continue. Selecting the option to set up an additional server requires a server ID that has already been created from the domain’s registration server. If this option is being chosen, make sure that the ID is available before continuing. The setup program will then make a connection to the registration server and obtain a copy of the Domino Directory to finish the setup. To get a true understanding of the total process involved in setting up a server from scratch, we are going to assume that we are selecting the first option and setting up the first server in a domain.

3. At this time, a server name and title need to be provided. In the Server

Name field, enter a unique name for the server, keeping in mind that the name chosen is difficult to change and should be reflective of the purpose of the server, such as “Sales Hub” or “Primary Domain Server.” The default name populated in this field is the host name of the server but should be changed as necessary to provide a logical domain name. 4. An optional field on this page is the Server Title. Use this field to pro-

vide a description of this server’s purpose. A check box also exists in the event that an existing server ID is available. Complete the required fields and click Next to continue. 5. The next screen allows the administrator to select the organization

name. Each server and user ID has the organization name as a component of its name, so care should be taken to use a short name identifier. Complete the Organization Name field. This is an active field. Directly below the Input field, the setup program displays an example of a server name as well as a username. 6. The other two fields on this page are related to the Organization

Certifier password. Enter a password, a minimum of five characters,

167 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

and then enter it again in the Confirm Password field. A check box exists in the event that a certifier ID that the administrator would want to use with this domain already exists. 7. Select the Customize button and the Advanced Organization Settings

screen loads. Enter the Organizational Unit name in the blank field. 8. Enter an Organization Certifier password, using a minimum of five

characters, and then enter it again in the Confirm Password field. A check box exists in the event that a certifier ID that the administrator would want to use with this domain already exists. 9. If this server is going to be used in a country other than the United

States, select a Country code from the drop-down box at the bottom of the page and click OK to continue. The setup program now returns to the Organization Name page. If an Organizational Unit name was chosen, it is now displayed on this page with the example names. Click Next to continue. 10. The setup program now needs to define the Domino domain name.

The Choose the Domino Domain Name dialog box appears. There is only one field on this page to be completed. Enter the name of the Domino domain and click Next to continue. 11. Domino now requires the identification of an administrator before

continuing the setup process. The Specify an Administrator Name and Password dialog box appears. Enter the first name, middle initial, and last name of the person who will serve as the administrator for the server. 12. The other two fields on this page are related to the Organization

Certifier password. Enter a password, a minimum of five characters, and then enter it again in the Confirm Password field. Check boxes on this page allow the saving of a local copy of the ID file to a location of the administrator’s choice, or allow an existing administrator ID to be used if one exists. Complete the selections on this page and click Next to continue. 13. The next screen is used to determine what Internet services this server

will offer. The default services available on the screen include ➤ Web Browsers (HTTP Services) ➤ Internet Mail Clients (SMTP, POP3, and IMAP Services) ➤ Directory Services (LDAP Services)

168 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In addition, this screen has a Customize button that opens the Advanced Domino Services dialog box, which is used to select advanced Domino services to run on the server. The following services are available: ➤ Database Replicator ➤ Mail Router ➤ Agent Manager ➤ Administration Process ➤ Calendar Connector ➤ Schedule Manager ➤ Statistics ➤ DIIOP CORBA Services ➤ DECS Domino Enterprise Connection Services ➤ DOLS Domino Offline Services ➤ Billing ➤ HTTP Server ➤ IMAP Server ➤ Ispy ➤ LDAP Server ➤ POP3 Server ➤ Remote Debug Server ➤ SMTP Server ➤ Stats ➤ Statistics Collector ➤ Web Retriever ➤ Change Manager

Select the desired choices for this server and click OK to return to the Internet Services screen. Click Next to continue. 14. The Domino Network Settings dialog box now appears and displays

enabled port drives and host names. To change these settings, click the Customize button. The Advanced Network Settings dialog box is

169 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

displayed. Make the changes as needed for the server and click OK. Click Next to continue. 15. Security is now set using the Secure Your Domino Server dialog box.

Two check boxes are available on this page. ➤ Prohibit Anonymous Access to All Databases and Templates ➤ Add LocalDomainAdmins Group to All Databases and Templates

Select the desired options and click Next to continue. 16. A summary page now appears with the choices that have been selected

during setup. If changes need to be made, select the Back button to return to the setup page needing to be changed, make the desired changes, and click Next to return to this page. If everything is correct, click Setup. 17. Server setup now starts and a progress bar is displayed until the process

is completed. The setup summary screen reappears when the process is finished. Click Finish to close the setup.

Setting Up/Configuring Directories The primary application on the Domino server is the Domino Directory. The first server in a domain always starts with the primary Directory in the domain and is sometimes known as a Hub server. Without the Directory, the server is unable to function, so care should be taken to maintain it and set it up properly. The Directory contains information about users, servers, and groups, as well as information needed to communicate with other servers in the domain and the Internet. Administrators use the Domino Directory to maintain security throughout the domain and control how the servers operate. Mail routing, database replication, and Web access are all controlled within the Directory. The default database name associated with the Directory is NAMES.NSF and the template used for the design of the Directory is PUBNAMES.NTF. The Domino Directory can be configured by accessing the database from the client workspace, by using the Administrator client or by accessing the server with a Web browser. The Directory contains the following sections that can be modified: ➤ People ➤ By Organization ➤ Alternate Languages

170 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Certificate Expiration ➤ Policies ➤ Groups ➤ By Organization ➤ Deny Access Groups ➤ Configuration ➤ Servers ➤ Messaging ➤ Replication ➤ Directory ➤ Policies ➤ Web ➤ Clusters ➤ Certificates ➤ Miscellaneous

Editing the Directory consists of selecting a section, opening the documents, making the changes, and then saving the changes by clicking the Save & Close button.

Deploying a Corporate Standard Welcome Page In these days of Web pages and Program menus, there are some users who are intimidated by the sight of the Lotus Workspace. In an effort to accommodate these users, Lotus has given administrators the ability to modify the Welcome page and customize it so that users can easily access the information they need to do their daily job. The Welcome Page is a customizable application interface that allows users to easily run these programs by using icons and dialog buttons. To create the Welcome page, perform the following steps:

171 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . 1. Launch the Domino Administrator. Open the File menu, select

Database, and then select New. Complete the following fields: ➤ Server field—Leave this set to Local. ➤ Title field—Enter a name for the database. ➤ File Name field—The File Name field populates automatically based

on the Title field. It can be changed if necessary to be a more descriptive filename. 2. Click the check box at the bottom of the page to select advanced tem-

plates. 3. Scroll down the window to select the Bookmarks (6) template. 4. Click OK to create the Welcome Page database. The Welcome Page

now displays three options: ➤ 1—Click Here to Create a New Welcome Page ➤ 2—Click Here to See What’s New in Lotus Notes 6 ➤ Check mark—No Thanks, Just Give Me the Defaults 5. Click selection 1 to create a custom Welcome page. 6. A New Page dialog box appears. Enter the name of the new page in

the field provided and click Next. 7. Decide how the page should be displayed. Select Frames or Personal

Page and click Next. If you selected Personal Page, go to step 8 to finish the process; if you selected Frames, complete steps 9 through 13 to finish the process. 8. Select a layout from the Welcome Page gallery and click Next; then

click Finish to launch the new Welcome page. 9. Select the Frame contents to be displayed on the page and select Next. 10. Choose a frame layout and click Next. 11. Select the content on the Content Placement page to place it on the

Welcome page. 12. Check the box to either load the Launch Pad and/or the Action Bar

buttons and click Next to continue. 13. Click Finish to launch the new Welcome page.

172 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 7.1 This is an example of a very basic Welcome page.

Creating/Registering Certificates Lotus uses certificates to allow users and servers to be identified with a unique digital signature. Servers and user IDs contain at least one certificate that will be set to expire within a specific amount of time. Certificates are created when IDs are created and can also be added when a user or server needs to access a new resource that requires a common certificate to exist. Certificate information can be determined by selecting File, Security, User Security, and then selecting Your Identity, Your Certificates. The following information is shown in this view: ➤ Certificate names ➤ Issue date ➤ Issuer ➤ Activation date ➤ Expiration date ➤ Type ➤ Key identifier

173 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

As mentioned earlier, in the event that Domino organizations are required to exchange data, they need to share a common certificate. This is accomplished by using an organization certifier ID file. Cross certifying a user or server ID with an organizational certifier guarantees that both IDs have a common certificate. Domino uses two types of certifier IDs related to organizations: ➤ Organization certifier ID—The default name for this ID file is CERT.ID.

This ID file is created when the server is deployed. This ID typically includes the company name and is the highest point on the hierarchy tree. ➤ Organizational Unit certifier IDs—This level of organizational certifier is

typically used to delineate the next level on the hierarchy tree, usually identifying county or department names.

Creating an Organization Certifier ID To create a new organization certifier ID, follow these steps: 1. Using the Administrator client, select the Configuration tab and open

the Tools pane. Select Registration, and then click Organization. 2. In the dialog box that appears, complete the following information: ➤ Organization name ➤ Country code (optional) ➤ Certifier password 3. Use the Password quality slide bar to determine the quality of pass-

word security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. 4. Choose a Security type; the two choices are North American and

International. 5. In the Mail Certification Requests to (Administrator) field, supply the

name of the administrator. 6. Optionally, complete the Location and Comments fields. 7. Click Register to create the new certifier ID.

174 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Creating an Organizational Unit Certifier ID To create a new Organizational Unit certifier ID, complete these steps: 1. Using the Administrator client, select the Configuration tab and select

the Server document for the server to be recertified. 2. Open the Certification menu option under the Tools pane and select

Organizational Unit; a dialog box appears. 3. Click the Server button to select the registration server and click OK.

Choose one of these two options: ➤ Supply Certifier ID and Password—A file navigation dialog box

appears when this option is selected. Navigate to the required certifier ID and select OK. ➤ Use the CA Process—This option allows the administrator to recertify

the ID without having access to the certifier ID or the certifier password. A drop-down box is provided to allow the administrator to select a CA-configured certifier from the ones available on the server. 4. After you’ve selected one of the two options, click OK. If Supply

Certifier ID and Password is chosen, a dialog box appears requiring the certifier password. Enter the password and select OK to continue. 5. The Register Organizational Unit Certifier dialog box appears; select

the registration server. 6. Select the certifier ID. 7. Select Set ID File to define the location for the new certifier ID being

created. 8. Complete the Organizational field. 9. Complete the Certifier Password field. 10. Use the Password quality slide bar to determine the quality of password

security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. 11. Choose a Security type; the two choices are North American and

International. 12. Complete the Mail Certification Requests to (Administrator) field. 13. Optionally, complete the Location and Comment fields. 14. Click Register to create the new ID file.

175 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Creating/Registering Users To create a new user, follow these steps: 1. Launch the Domino Administrator and select the People & Groups tab. 2. Using the Tools pane, select People and Register. A dialog box appears

requiring the certifier password. Enter the password and click OK to continue. 3. The Register Person—New Entry dialog box appears. Enter the rele-

vant user information related to name and password. 4. Select the Create a Note ID for This Person option and then click

Register. 5. A dialog box appears asking if you want to add the new person to the

pending registration queue. Click Yes to continue and create the ID and register the user.

Certifying with a CA Key A certificate authority is used to issue a trusted certificate that will be used to enable a client and a server or two servers to communicate in a secure manner. A CA key, or Certificate Authority key, is made available to the domain via a Domino Web server. To provide CA certification, follow these steps: 1. Configure the server to act as a Web server. Make sure the HTTP task

is running. 2. Launch the Domino Administrator. Open the File menu, select

Database, and then select New. Complete the following fields: ➤ Server field—Leave this set to Local. ➤ Title field—Enter a name for the database. ➤ File Name field—The File Name field populates automatically based

on the Title field. It can be changed if necessary to be a more descriptive filename. 3. Click the check box at the bottom of the page to select advanced tem-

plates. 4. Scroll down the window to select the Domino Certificate Authority (6)

template (CCA50.NTF). 5. Click OK to create the Certificate Authority Setup application.

176 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6. Select Create a CA Key Ring File and CA Certificate. 7. Complete the fields on the form and click Create Certificate Authority

Key Ring. A summary page is generated containing information about the CA key. Click OK to continue. 8. Open the Configurations tab and select the Server document. 9. Open the Server document, navigate to the Ports document, and select

the Internet Ports tab. 10. Complete the SSL information on this tab and select Save & Close to

enable certificate authentication.

Setting Up Multiuser Support Multiuser support allows users to share a workstation but still retain their own settings and desktop when logging into the server. It is only supported on Domino clients that are loaded on Microsoft Windows operating systems. Setting up multiuser support requires extra work for the administrator on the Domino workstation. The Multiuser installation is only available in the Notes installation kit. A single instance of the Notes client software is installed on the workstation, but each user has his own data directory to retain their distinct settings. System administrator access is required to install the Multiuser installation.

Setting Up Workstations for Different Clients Historically, the most common way to access the Domino server has been to use the Domino client. Over time, Lotus has provided multiple solutions to access the server. The various ways to access the server include ➤ Notes clients—This option includes the Administrator and Designer

clients. ➤ IMAP clients—The most common IMAP client in use today is probably

Microsoft Outlook. Using IMAP clients requires the IMAP service and the SMTP listener task to be active.

177 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . ➤ POP3 clients—Typically known as Internet mail clients, examples include

Microsoft Outlook and Netscape Messenger. The POP3 service and the SMTP listener task need to be active. ➤ Web browsers—Internet Explorer and Netscape Communicator are sup-

ported. ➤ iNotes Web Access clients—This option is used by users whose mail file was

created using the iNotes Web Access (R6.0) template (iNotes60.ntf). This client requires the HTTP service to be running on the server. ➤ iNotes Web Access for Microsoft Outlook—Users running Microsoft

Outlook can access the server if their mailbox was created using the Extended Mail (R6) template (mail6ex.ntf). Domino Offline Services, or DOLS, must be running on the server.

Setting Up/Configuring Calendaring and Scheduling Calendaring and scheduling is used on the server to allow users to coordinate their schedules and plan meetings, schedule resources such as conference rooms, and plan vacations and holidays. The Schedule Manager task (Sched) and the Calendar Connector task (Calconn) are loaded by default when a new server is deployed and added to the ServerTasks line in the Notes.ini file. The Schedule Manager then creates the Free Time database and assigns it the name BUSYTIME.NSF for nonclustered servers and CLUBUSY.NSF for clustered servers. The database is then populated with the names of all users who have completed a Calendar Profile. The Calendar Profile dictates who can access the user’s free time information and displays the time that a user may be free for a meeting invitation.

Setting Up Servers for Sharing Resources Domino uses the Resource Reservations database to facilitate resource scheduling within the domain. As discussed previously, resources can be conference rooms, but can also include equipment or even fleet cars. Using a reservation system, users can select a resource and schedule it as needed

178 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

without having to involve someone in the process by simply letting Domino manage the task. To create the Resource Reservations database, follow these steps: 1. Launch the Domino Administrator. Open the File menu, select

Database, and then select New. Complete the following fields: ➤ Server field—Leave this set to Local. ➤ Title field—Enter a name for the database. ➤ File Name field—The File Name field populates automatically based

on the Title field. It can be changed if necessary to be a more descriptive filename. 2. Click the check box at the bottom of the page to select advanced tem-

plates. 3. Scroll down the window to select the Resource Reservations (6) tem-

plate and click OK to create the database.

Defining the Database ACL After the database is created, access needs to be defined to determine who can modify the database. Follow these steps to define the database ACL: 1. Open the File menu, select Database, and then select Access Control. 2. Add the groups or users who will be allowed to create Resources and

Site Profile documents and assign the CreateResource role to their name. Click OK to continue.

Completing the Site Profile The Resource Reservations database uses Site Profile documents to determine the location of the resources to be shared. The Site Profile must be created before resources can be reserved. Follow these steps to complete the Site Profile document: 1. Select Site and click New Sites; the Site Profile is displayed. 2. Complete the Site Name fields, to indicate the physical location of the

resource. 3. Complete the Domain Name field (enter the domain name of the data-

base).

179 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . . If the domain name is not automatically populated, edit the current location document being used on the desktop. Navigate to the Mail tab and enter the domain name on the Domino Mail Domain tab. Save and close the document, close the Reservation database, reopen it, and reopen the site document. The domain field should now be populated properly.

4. The Resource Reservation Server and Resource Reservation File Name

fields should autocomplete with the name of the server hosting the database and the name of the Reservation database. 5. Click Save & Close to continue.

Resource documents can now be created and reservations can be made as needed.

Setting Up/Configuring Transaction Logging Transaction logging is available for Domino servers running release 5 or later and databases using release version 5 or later On Disk Structure (ODS). Database changes are sent to a transaction log database and then written later to the target database. Transaction logging provides the following benefits for system activities: ➤ Backup throughput is increased because transaction logs back up quicker

than normal databases. ➤ Disaster recovery is more complete in that data that was stored in the

transaction log can be supplemented to the full system recovery so data is not lost. Data that is stored in the transaction log file is written to the database when the log file is recovered from tape. ➤ Database views are stored in the log file so database views may not need

to be rebuilt. Although transactional logging is a form of backup, it does not replace a true archiving system, such as tape or optical media. In the event of a server crash, full system backups will be needed to recover. In addition, special backup software is required that specifically backs up the transactional log, so make sure that it is supported by the software vendor. Transaction logging may also cause an increase in the amount of time required to boot the server.

Transactional logging also creates a unique database instance ID (DBIID) for each database. When transactions are added to the log, the DBIID is

180 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

assigned so that the source database can be recorded. DBIID tags are assigned at each of these times: ➤ The first time transaction logging occurs ➤ In some instances when the Compact task is executed ➤ When Fixup is used to correct a corrupted database ➤ When a database is moved to a server using transaction logging Transaction logging is a powerful component of Domino. Be certain that you are familiar with its planning and implementation when preparing for the exams.

Planning the Transaction Logging Implementation Transaction logging needs to be properly planned before it can be implemented. Steps to consider before implementing include ➤ Make sure the server hardware is properly configured. Use a disk array

with at least RAID 1 support and a dedicated disk controller. ➤ Define a backup plan and use software that supports Domino servers

running transaction logging. ➤ Plan on using logging on all available databases, but remember that only

databases using the R5 ODS or later will be able to use transaction logging. You also must decide which version of logging to use. You can choose from these three versions: ➤ Circular—This version of logging uses up to 4GB of disk space and then

begins writing over the oldest log information in the database. The transaction log database should be backed up daily using this deployment version. ➤ Linear—This version of logging is similar to circular logging, but can

use more than 4GB of disk space. ➤ Archived—This version of logging creates transaction logs as needed.

Log files are not overwritten; they are archived. Ensure that the logs are being backed up regularly or the server may run out of disk space.

181 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Setting Up Transaction Logging on the Server To set up transaction logging on the server, follow these steps: 1. Using the Domino Administrator, select the Configuration tab, select

the Server document, and click Edit Server Document. 2. Select the Transactional Logging tab. 3. In the Transactional Logging field, select either Enabled or Disabled. 4. In the Log Path field, enter the explicit path to the transaction log

database. 5. In the Logging Style field, select either Circular, Linear, or Archived. 6. Make a selection in the Use All Available Space On Log Device area

(the default selection is No); if you select Yes, the next option, Maximum Log Space, is removed as a valid selection. 7. If the Maximum Log Space area remains active, enter the amount of

space in MB to be used for the transaction log database. 8. Choose to enable or disable Automatic Fixup of Corrupt Databases. 9. Choose a Runtime/Restart Performance option; valid options are

Favor Runtime, Standard, and Favor Restart Recovery Time. 10. Choose a Quota Enforcement option; valid options are Check Space

Used in File when Adding a Note, Check Filesize when Extending the File, and Check Filesize when Adding a Note. 11. Select Save & Close to start transaction logging.

Setting Up Servers for Load Balancing and Failover Domino addresses the issue of load balancing and failover by utilizing cluster technology. A Domino cluster is a group of servers set up so that a user can attach to any server in the group and access data. Replicas are stored on all servers and load balancing is set up so that the work is shared equally among the servers so that no single server in the group is overworked. When a database in the cluster is updated, all replicas are updated so that the next time a user accesses the data, the information is updated regardless of which server

182 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

they access. Performance is usually improved and the domain can increase in size simply by adding additional servers to the cluster. Lotus lists the benefits of the Domino cluster with these points: ➤ High availability of important databases ➤ Workload balancing ➤ Scalability ➤ Data synchronization ➤ Analysis tools ➤ Ease of changing operating systems, hardware, or versions of Domino ➤ Data backup and disaster planning ➤ Easy administration ➤ Use of any hardware and operating system that Domino supports

In the event that a server crash occurs or a server’s performance is degraded due to heavy use, users are redirected to other servers in the cluster using a failover process. Domino uses a process called the Cluster Manager to monitor the cluster and direct users to the available resource with the best performance. Lotus states the following conditions exist when failover does not occur: ➤ A server crash or network outage occurs while a user has a database

open. ➤ A user chooses File, Database, Properties or File, Database, Open on a

specific database on a distinct server in the cluster. ➤ The mail router tries to deliver mail and mail routing failover has been

disabled or the parameter MailClusterFailover in the Notes.ini file is set to 0. ➤ The domain template server is unavailable because of a crash or network

outage and an attempt is made to create a new database. ➤ A server crash or network outage occurs while agents are being

processed. ➤ A server crash or network outage occurs while the Administration

Process (AdminP) is processing requests. ➤ An attempt is made to replicate with a server that has access denied by

the administrator.

183 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Applying Policy Documents to Existing Users Policy documents are used to regulate how users can access the system and perform specific functions. Policy documents can be changed after they are assigned and are then applied to all policy users. All clients and servers participating in policy document deployment must be running a minimum of version 4.67a or greater or directory replication errors will occur.

Policy documents that can be applied to users include ➤ Archiving—Defines policy settings related to users’ ability to archive

mail. ➤ Desktop—Enforces consistent client settings. If a client setting is changed

and then the workstation logs out of the server, the settings are reset the next time the user logs into the server. ➤ Registration—Implements these policies when a new user is created dur-

ing registration. ➤ Setup—Enforces settings in the client’s location document. ➤ Security—Defines password management and ECL setup.

Types of Domino policies to consider include ➤ Explicit policies—Use this type of policy when specific groups or users in

the organization may need specific access; explicit policies define their access. Use this policy when making changes to users already defined in the domain. ➤ Organizational policies—Use this type of policy when specific settings are

required for users in a specific organization.

Migrating from a Distributed Directory to a Central Directory In the event there is a need to have a single central directory instead of a distributed directory configuration, there are several items that should be considered.

184 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

First, consider the consequences of moving to a single, central directory. How will users be affected by now having to access a single directory on a server? Can the server handle the load of all the users in the domain now accessing the server at a single location? Make sure that a high-powered server with abundant memory and disk space is used to handle the load of the migration. Second, how will it affect other servers inside and outside of the domain? Much the same as a user, if the servers are going to a single point of access for the directory, make sure the server can handle the added load of all users and servers using a single directory for authentication and server tasks. To migrate to a central directory, follow these general guidelines: ➤ If the server is being retired, follow the steps listed in this book related

to decommissioning a server covered in Chapter 14, “Managing Servers.” ➤ If a manual migration is being done, be sure that all Connection docu-

ments and Program documents are changed to reflect the new configuration. ➤ Notify all users of the planned change and carefully document the

required changes before proceeding. Ensure that a valid backup of the directory exists and has been verified. Perform the migration during offhours so users are not affected by the change. After the migration is complete, test all connections and make sure mail is routing.

185 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Exam Prep Questions Question 1 Which server component affects how well Domino tasks, such as the indexer and the replicator, perform? ❍ A. Memory ❍ B. Disk Array Controller ❍ C. Processor ❍ D. Redundant Bit Arrays

Answer C is correct. Specific Domino tasks, such as the indexer and replicator, perform more efficiently on machines with fast processors and reduce the performance overhead.

Question 2 Which of the following incidents are not supported by failover? ❍ A. A server crash ❍ B. A network outage ❍ C. Excessive users on the system ❍ D. A server crash that occurs while a user has a database open ❍ E. None of the above

Answer D is correct. When a server crashes or a network outage occurs while a user has a database open, failover will not execute for the user.

Question 3 What is the database template name that is used to create the Welcome Page database? ❍ A. Welcome.ntf ❍ B. Bookmark.ntf ❍ C. Bookmarks (6) ❍ D. Welcome Local.ntf

186 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer C is correct. The database template name used to create the Welcome database is Bookmarks (6). The filename for the template is bookmark.ntf.

Question 4 What amount of disk space can linear transaction logging utilize on the server? ❍ A. 1GB ❍ B. < 4GB ❍ C. 3GB ❍ D. > 4GB

Answer D is correct. Linear logging is similar to circular logging but can use more than 4GB of disk space.

Question 5 How does Domino present CA keys to users in the domain? ❍ A. Via email ❍ B. Using a Web server ❍ C. SSL Transport mechanisms ❍ D. Domino Offline Services

Answer B is correct. A CA key, or Certificate Authority key, is made available to the domain via a Domino Web server.

Question 6 What server type supports application services, messaging and Domino clustering? ❍ A. Domino Hub Services ❍ B. Domino Cluster Controller ❍ C. Domino Messaging ❍ D. Domino Enterprise

Answer D is correct. Domino Enterprise Server provides support for application services, messaging services, and Domino clustering services.

187 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing . . . . . and . . .Configuring . . . . . .

Question 7 Which of the following selections does the Domino setup program create? ❑ A. Domino Directory ❑ B. Server ID ❑ C. SMTP Connection documents ❑ D. Domino log ❑ E. All of the above

Answers A, B, and D are correct. The Domino setup program creates the following items during setup: the Domino Directory, ID files, and the log file.

Question 8 How does Lotus provide users with digital signatures? ❍ A. Encrypted signature encoding ❍ B. Certificates ❍ C. Layered ID scripting ❍ D. Digital key multifaceted encryption

Answer B is correct. Lotus uses certificates to allow users and servers to be identified with a unique digital signature.

Question 9 Which of the following items are considered to be a benefit of Domino clustering? ❍ A. High availability of important databases ❍ B. Workload balancing ❍ C. Scalability ❍ D. All of the above

Answer D is correct. High availability of important databases, workload balancing, and scalability are all benefits of Domino clustering.

188 Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Maximizing Domino Performance White Paper: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

8 Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Domino Named Network (DNN) ✓ Connection document ✓ Notes Remote Procedure Calls (NRPC) ✓ MAIL.BOX ✓ Routing tables ✓ Adjacent domain ✓ Non-adjacent domain ✓ Message tracking ✓ Mail Tracking Collector (MTC) ✓ MTSTORE.NSF ✓ Mail-In Database document

Techniques you’ll need to master: ✓ Defining the role of the DNN in message transfer ✓ Scheduling mail routing between servers using Connection documents ✓ Scheduling and restricting mail routing between adjacent and non-adjacent domains ✓ Controlling mail file size by implementing mail quotas ✓ Configuring message tracking using the Configuration document ✓ Enabling a database to receive mail using a Mail-In Database document

190 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

This chapter on mail is one of the shorter chapters in the book simply because there aren’t many exam competencies related to mail listed for this particular exam. We begin with an explanation of how Notes mail routes between servers. This discussion is explored in more depth in Chapter 3, “Mail” (for Exam 620) so refer to that chapter for a more detailed review of mail routing concepts. We then discuss mail quotas and how to change them. We discussed mail quotas briefly in Chapter 3, but we expand our discussion on quotas in more detail for the purposes of this exam. This chapter finishes with a description of how to configure mail tracking and instructions on how to deploy mail-enabled applications. For the purposes of the exam, you may want to consider using both this chapter and Chapter 3 as study tools for preparing for both the 620 and 621 exams. There is some overlap in topics related to mail between these two exams, and you may find it helpful to know the “complete picture” regarding mail routing before attempting either exam.

Setting Up and Configuring Message Distribution Using Notes-Based Mail Configuring the Domino servers for mail routing involves understanding how mail routes between servers based on the server’s Domino Named Network (DNN). A DNN is a group of servers in a given Domino domain that share a common protocol and are constantly connected. Mail routing between servers in the same DNN happens automatically, without any configuration by the administrator. The administrator must create Connection documents to enable mail routing between servers that are in different DNNs. A Connection document is a document that contains all the settings necessary to schedule mail routing between servers in different DNNs. By default, Domino uses Notes Remote Procedure Calls (NRPC), also called Notes routing, to transfer mail between servers. Notes routing uses information in the Domino Directory to determine where to send mail addressed to a given user. Notes routing moves mail from the sender’s mail server to the recipient’s mail server. A user creates a mail message in the mail database. When the user sends the message, a workstation task called the MAILER transfers the message to the MAIL.BOX database on the user’s server (also known as the user’s mail server or home server). MAIL.BOX is the transfer point for all messages being routed to and from a server. The Router task polls MAIL.BOX and asks two questions about the messages waiting to be routed:

191 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . ➤ Where this message should be delivered—To which recipients on which

servers? ➤ How this message should be delivered—Which routes and connections

should be used? The Router consults its routing tables to determine where the recipient’s mail database is stored. Routing tables are built in memory on the server when the router first starts and are refreshed every few minutes. These routing tables are built using information in various documents in the Domino Directory—Person documents, Connection documents, Domain documents, and so on. The location of the recipient’s mail database determines how the message is dispatched by the router. A recipient’s mail database can be stored in any of the following locations: ➤ On the same server as the sender’s mail database—If the sender and the

recipient share the same mail server, the message is delivered immediately and the Router task is not involved in the message transfer. The Router task is invoked only for transfer to another server. ➤ On a different server in the same DNN—If the two servers share a DNN,

the Router immediately routes the message from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. ➤ On a server in a different DNN within the local Domino domain—When

servers are members of two different DNNs, the Domino Administrator must create Connection documents between the two networks. ➤ On a server in an external Domino domain—In this case, the Router must

find a Connection document between domains or must route the message using SMTP, configured to route outside of the local domain. In most cases, if the mail message is leaving the current domain, it is routed via SMTP. The Router is capable of routing both NRPC and SMTP mail. Message transfer over SMTP routing is performed as a point-to-point exchange between two servers. The sending SMTP server contacts the receiving SMTP server directly and establishes a two-way transmission channel with it. The sending server looks up the domain name of the addressee in a Domain Name Service (DNS) and transfers the message using the destination IP address provided by the DNS via an MX record. For this exam, SMTP is not listed in the required competencies; however, it’s useful to understand the basics of SMTP routing to use as a comparison with Notes routing, and so that you understand that the Router is capable of routing any type of mail message, whether internal or external, NRPC or SMTP.

Notes Routing to External Domains Although not explicitly listed in the exam competencies, the exam may make mention of Notes routing to adjacent or non-adjacent domains. An adjacent

192 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

domain is another Domino domain with which you can establish a physical connection. Non-adjacent domains are Domino domains that are not directly connected, but have an intermediary domain, to which both domains can connect. For example, if Domain A can connect to Domain B, and Domain B can connect to Domain C, then A and B are adjacent, and B and C are adjacent, but A cannot connect to C; therefore, A and C are non-adjacent and can connect only through Domain B. Sometimes, an administrator who manages multiple domains will configure routing using NRPC and Connection documents, rather than with SMTP and a DNS. To route mail to an adjacent domain, the administrator simply creates a Connection document, specifying the external domain’s server name and domain name as the target server. The process of creating a Connection document is described in detail in Chapter 3 in the “Setting Up and Configuring Message Distribution Using Schedules” section. The process used to create Connection documents between servers in different domains is no different than creating Connection documents between servers in different DNNs. The administrator can further restrict mail routing between adjacent domains using an Adjacent Domain document. For example, if you are in Domain B and want to prevent mail from an adjacent Domain A from traversing your domain to reach another adjacent Domain C, create an Adjacent Domain document that names C as the adjacent domain and denies mail from A. Adjacent Domain documents do not provide connectivity between adjacent domains, and are not required to enable connections between adjacent domains. To define routes between adjacent domains, create Connection documents. Watch out for exam questions that refer to using an Adjacent Domain document to connect two different domains. Adjacent Domain documents are used only when the administrator wants to restrict or deny mail from adjacent domains.

To create an Adjacent Domain document from the Domino Administrator, click the Configuration tab, expand the Messaging section, choose Domains, and then click Add Domain. Then complete the fields on both the Basics and Restrictions tabs. Figures 8.1 and 8.2 show an Adjacent Domain document created in Domain B’s Directory, denying mail addressed from Domain A from going to Domain C, as in the scenario described previously.

193 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Figure 8.1 The Basics tab of the Domain document, showing “Adjacent Domain” as the Domain type and Domain C as the adjacent domain.

Figure 8.2 The Restrictions tab of the same Adjacent Domain document, showing that mail is being denied from Domain A.

194 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Administrators can enable message transfer between non-adjacent domains using a Non-adjacent Domain document. A Non-adjacent Domain document serves three functions: ➤ Specifies a routing path to the non-adjacent domain by supplying next-

hop domain information ➤ Restricts mail from other domains from routing to the non-adjacent

domain ➤ Defines the Calendar server used to enable free time lookups between

two non-adjacent domains If an administrator for Domain A wanted to route mail to non-adjacent Domain C using adjacent Domain B as the relay, he would create a Nonadjacent Domain document in the Directory. To create a Non-adjacent Domain document from the Domino Administrator, click the Configuration tab, expand the Messaging section, choose Domains, and then click Add Domain. Specify “Non-adjacent Domain” as the domain type, and complete the fields on the Basics tab. Figure 8.3 shows the Non-adjacent Domain document for the preceding scenario, routing from A to C through B.

Figure 8.3 The Basics tab of the Domain document, showing “Non-adjacent Domain” as the Domain type, and specifying the route to Domain C through Domain B.

195 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Implementing and Changing Mail Quotas You can set two types of size limits on a user’s mail file: a warning threshold and an absolute quota size. Set a warning threshold to provide users with advance notice when their mail files approach the designated mail file quota, so they can reduce the size of their mail files before message flow is interrupted. Set a quota if you intend to establish a policy of interrupting users’ mail usage if their mail files exceed a specified size. Administrators can configure the Router to respond in several ways when a mail file exceeds its quota, each representing a higher level of enforcement. The least restrictive response is to have the Router issue automatic notifications to users when their mail files exceed the quota. Quota controls enable the Router to selectively hold or reject mail if the destination mail file has exceeded its quota. When the Router has new mail to deliver to a user whose mail file is already full, it checks the Configuration Settings document to determine the appropriate action. By default the Router continues to deliver mail, even after a mail file exceeds its quota. To change the default behavior, you must configure the Router to refuse or hold mail. If users fail to respond to notifications, you can hold pending messages in MAIL.BOX or return messages to the senders as undeliverable until the users reduce the size of their mail files. For the purposes of the exam, it’s important to remember the interface steps for setting quotas on mail databases, and how the router enforces those quotas. It’s also interesting to note that quotas were never enforced on mail databases prior to Domino R5, so it’s possible that the exam questions may try to make you think that the Router doesn’t obey mail quotas, which is false. To prepare for this topic, walk through the methods for setting quotas using the Domino Administrator client, and then examine the settings related to Router management of quotas in the Configuration Settings document for each mail server. The steps for performing all of these operations are listed in this chapter.

Administrators can set quotas and warning thresholds in one of two ways: ➤ During registration—Quotas specified during registration apply only to

new users’ mail files, not to existing users’ mail files. Figure 8.4 shows the Mail tab of the User Registration dialog box.

196 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 8.4 The User Registration dialog box, Mail tab, showing how the administrator can set a quota and/or warning threshold during registration.

➤ Using the Quotas tool in the Domino Administrator client—The administra-

tor can use this method to either set an initial quota or to change an existing quota on a mail database. To set a size quota on a mail database, perform the following steps from within the Domino Administrator: 1. Click the Files tab. 2. Select the mail databases for which you want to set quotas. 3. In the Tools pane on the right, select Database, Quotas. 4. Below “Database Size Quotas,” click “Set Database Quota to x MB”

and specify a maximum size in megabytes the selected databases can attain. 5. Optionally, below “Quota Warning Thresholds,” click “Set Warning

Threshold to x MB” and specify a size in megabytes at which a message appears in the log file (LOG.NSF). 6. Click OK. When processing is complete, a dialog box indicates how

many databases were affected and if any errors occurred. To configure how the Router responds to a mail quota, edit the Configuration document for the Domino server that stores the mail database, and perform the following steps:

197 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . 1. Click the Router/SMTP, Restrictions and Controls, Delivery Controls

tab. 2. In the Quota Controls section, complete these fields: ➤ Over Warning Threshold Notifications—Specifies how often the

Router delivers notifications to users who exceed their warning threshold ➤ Warning Interval—Specifies how long the Router waits to send the

next over warning threshold notification ➤ Over Quota Notification—Specifies how often the Router delivers

notifications to users who exceed their quota ➤ Over Quota Enforcement—Specifies the action the Router takes when

receiving new mail for a user whose mail file is larger than the specified quota 3. If the administrator selects the Hold Mail and Retry option in the

Over Quota Enforcement field, there are additional fields to complete: ➤ Attempt Delivery of Each Message—Specifies whether the Router

delivers messages small enough to fit the available space in a destination mail file. ➤ Maximum Number of Messages to Hold Per User—Specifies the maxi-

mum number of messages that the Router will hold in MAIL.BOX for a given mail file. After the number of pending messages reaches the specified number, the Router returns a delivery failure report to the sender of each additional message in first-in, first-out order. ➤ Maximum Message Size to Hold—Specifies the maximum size, in KB,

of messages that the Router can hold in MAIL.BOX for over quota users. If a message larger than the specified size is received for the user, the Router returns a delivery failure report to the sender. A user attempting to access a mail database that has exceeded its quota receives the following message: “Cannot allocate database object—database would exceed its disk quota.”

Configuring Message Tracking Message tracking allows the administrator to track specific mail messages to determine if the intended recipients received them.

198 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The administrator enables message tracking in the Configuration document for the server. After the administrator configures the server for message tracking and restarts the server, the Mail Tracking Collector (MT Collector or MTC task) starts up automatically. The MT Collector automatically creates the Domino MailTracker Store database (MTSTORE.NSF) in the MTDATA subdirectory of the Domino data directory. The MTC task collects messaging information from raw data accumulated in special mail tracker log files (MTC files) produced by the Router. This message summary data includes information about the originators, recipients, arrival times, and delivery status of the messages processed by the server. At scheduled intervals, the MT Collector writes this information to the Domino MailTracker Store database. Administrators use the information stored in the Domino MailTracker Store database to complete mail tracking requests and to generate mail usage reports. The administrator should not edit the MailTracker Store database directly. This database is designed to act as a data repository. The data in this database is queried by the Mail Tracking interface in Domino Administrator when a tracking request is issued. If the administrator edits the information in MTSTORE.NSF directly, they risk “breaking” the functionality of the Tracking request option.

To configure a server for message tracking, perform the following steps: 1. Edit the Configuration document for the mail server or servers for

which you want to configure message tracking; then click the Router/SMTP, Message Tracking tab. 2. Complete the following fields, save and close the document, and then

restart the server: ➤ Message Tracking—Choose enabled to start the MTC task, which

starts logging mail information to MTSTORE.NSF. ➤ Don’t Track Messages for—Enter the names of users and/or groups

whose messages will not be logged and, therefore, cannot be tracked. The default (blank) means that administrators can track messages for all users and groups on all servers that are enabled for mail tracking. On servers running the ISpy task to test mail connectivity, this task sends trace messages at 5-minute intervals. To prevent the Domino MailTracker Store database from filling up with entries for these trace messages, enter the name of the ISpy Mail-In Database on the server in this field, for example, ISpy on ServerA.

199 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . . ➤ Log Message Subjects—Choose Yes to have the MTC task log mes-

sage subjects; choose No to have subjects ignored by the MTC task. ➤ Don’t Log Subjects for—Enter the names of users and/or groups

whose message subjects will not be logged and, therefore, cannot be tracked. ➤ Message Tracking Collection Interval—Enter a number that represents

how often, in minutes, you want to log message tracking activity in the MailTracker Store database. The default is 15 minutes. ➤ Allowed to Track Messages—Enter the names of servers and/or users

allowed to track messages on this server. If you leave this field blank (default), only members of the LocalDomainServers group are authorized to track messages on this server. If you add any entries to this field, you must list all servers and/or users that are allowed to track messages on this server. Watch for the exam to test your knowledge of whether “blank allows all,” or “blank allows no one”—these fields appear in both the Configuration document and the Server document. In the case of message tracking, the default of blank actually prevents administrators from using this feature, so most administrators enter the LocalDomainAdmins group at a minimum.

➤ Allowed to Track Subjects—Enter the names of servers and/or users

allowed to track messages by subject on this server. Again, in this case, blank means no one is allowed to track messages by subject. To issue a tracking request, the administrator uses the Mail, Tracking Center tab in the Domino Administrator and clicks the New Tracking Request button.

Deploying Applications Based on Routing Fundamentals The administrator may be required to provide administrative support for databases that must receive mail. For example, a developer could create an Expenses database into which employees must mail a copy of expense reports. For a database to receive mail, it must have an identity in the Domino Directory in order to be known to the Router. The administrator must create a Mail-In Database document in the Domino Directory so that the Router can deliver mail to the target database. Let’s assume that the administrator must enable the Expenses database just mentioned to receive mail. The name of the database is EXPENSE.NSF,

200 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

and it is being stored on ServerA/Acme in the Acme domain. The administrator would complete the following steps to create a Mail-In Database document in the Directory. The administrator must have at least Author access with the Create Documents privilege in the Access Control List for the Directory. 1. From the People & Groups tab of the Domino Administrator, choose

Create, Server, Mail-In Database. 2. On the Basics tab, shown in Figure 8.5, complete the Mail-In Name

field—the entry for this database in the Domino Directory. Users and applications use this name to send documents to the database; for example, ExpenseDB. 3. Choose a preference for Internet Message Storage; No Preference is

the default setting, but you can choose Prefers MIME or Prefers Notes Rich Text. 4. In the Internet Address field, add an SMTP address (in the format [email protected])

if you want Internet users to be able to send messages to the database; for example, [email protected].

5. In the Domain field, type the name of the Domino domain of the serv-

er in which the database resides; for example, Acme. 6. Complete the Server field by typing the fully distinguished hierarchical

name of the server in which the database resides; for example, ServerA/Acme. 7. In the File Name field, type the path and filename of the database rela-

tive to the Domino Directory; for example, if the database named EXPENSE.NSF is in the MAIL directory of the DATA directory, enter MAIL\EXPENSE.NSF. 8. In the Encrypt Incoming Mail field, type Yes or No. Mail sent to the

mail-in database is encrypted with the Notes certified public key entered in the “Notes Certified Public Key” field on the Administration tab. 9. Open the Administration tab. 10. In the Owners field, list the fully distinguished hierarchical name of

users allowed to modify this document. 11. In the Administrators field, list users or groups who can edit this docu-

ment. 12. Choose an option in the Foreign Directory Sync Allowed area. Yes

allows entry to be exchanged with foreign directories; for example, a

201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

cc:Mail directory, so that users on the other system can look up the Mail-In Database in the cc:Mail post office directory and send mail to it. 13. In the Notes Certified Public Key field, enter the certified public key

to use when encrypting mail sent to this database. To copy a certified public key from the Domino Directory to this field, click Get Certificates and choose a name.

Figure 8.5 The Basics tab of the Mail-In Database document for the Expenses database.

The administrator must give the name of the database to users and developers so they can enter it in the SendTo field of messages destined for the database. To test to see whether the Mail-In Database document is working, the administrator should attempt to send a mail message to the database from his own mail database. Address the memo to the name assigned to the database, in this case ExpenseDB.

Exam questions will test your knowledge of where and how to create a Mail-In Database document. Prepare for the exam by creating a Mail-In Database document for a database on a server, and then send a mail message to that database to ensure that it arrived. Ask a developer to assist you in building a view using the Domino Designer client in order to show your mailed-in document because the document may not show in any of the existing views in the database. You will need to enlist a developer’s help in order to write the correct view column and view selection formulas for the view.

202 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 Bob needs to ensure that all mail is routed between servers in the same Domino Named Network. How many Connection documents are required? ❍ A. 0 ❍ B. 1 ❍ C. 2 ❍ D. One for every pair of servers in the domain

Answer A is correct. Mail is routed immediately by the router to servers in the same Domino Named Network. The messages are immediately routed from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because servers in a DNN share a common protocol and are always connected, you do not need to create Connection documents for mail routing.

Question 2 When is mail routed between servers that are in the same Domino Named Network? ❍ A. Immediately ❍ B. Every 5 minutes ❍ C. According to the schedule in the Connection documents ❍ D. When there are five messages pending

Answer A is correct. The router immediately routes mail to servers in the same Notes named network. The messages are immediately routed from the MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. Because servers in a Notes named network share a common protocol and are always connected, you do not need to create Connection documents for mail routing.

203 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Question 3 Sean needs to ensure that all mail is routed between ServerA and ServerB. The two servers are not in the same Domino Named Network. What should Sean do to schedule mail routing between the two servers? ❍ A. Create Connection documents in the Domino Directory. ❍ B. Create Connection documents in the names.nsf on his workstation. ❍ C. Create an Adjacent Domain document in the Domino Directory. ❍ D. Do nothing—the two servers will route mail automatically.

Answer A is correct. When two servers are not in the same Domino Named Network, mail routing must be configured using at least one Connection document in the Domino Directory. Adjacent Domain documents are used to restrict routing between domains, not for scheduling routing.

Question 4 Bonnie is reviewing the NOTES.INI file on her server and notices the entry “MTC” in the “ServerTasks=” line. Which of the following best describes what MTC is? ❍ A. The MTC task reads log files and writes information to MTSTORE.NSF. ❍ B. This task was used in Domino R5 and is no longer used in R6. ❍ C. The MTC task routes mail from one non-adjacent domain to another. ❍ D. The MTC task is engaged when an administrator sends a mail trace message to another server.

Answer A is correct. The Mail Tracking Collector (MTC) task reads special mail tracker log files (MTC files) produced by the Router and copies certain messaging information from them to the MailTracker Store database (MTSTORE.NSF). The MailTracker Store database is created automatically when you enable mail tracking on the server. When an administrator or user searches for a particular message, either a message tracking request or a mail report, Domino searches the MailTracker Store database to find the information.

204 Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 5 Joe has been asked to configure the server so that mail can be delivered to the bug tracking database, called BUGS.NSF. What must he do to enable users to mail bug tracking reports to the database? ❍ A. He must install and configure Lotus Workflow 3.0 on the Domino server. ❍ B. He must enable the Domino Enterprise Connection Services (DECS) on the server. ❍ C. He doesn’t need to do anything. The BUGS database is automatically capable of receiving mail. ❍ D. He must create a Mail-In Database document in the Directory listing BUGS.NSF as the mail-in database.

Answer D is correct. The Mail-In Database document defines the properties and location of a database that can receive mail. Whenever you define a database as being able to receive mail, you must create a corresponding Mail-In Database document.

Question 6 How often does the MTC task log information to MTSTORE by default? ❍ A. Every 5 minutes ❍ B. Every 15 minutes ❍ C. Once per hour ❍ D. Continuously

Answer B is correct. The Mail Tracking Collector task (MTC) reads special mail tracker log files (MTC files) produced by the Router and copies certain messaging information from them to the MailTracker Store database (MTSTORE.NSF). When you enable message tracking in the Configuration document, the default collection interval is 15 minutes.

205 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail . .

Need to Know More? Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm.com/. For references to mail, consult Chapter 9 within this redbook, “New Messaging Administration Options.” Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, IN: Que Publishing, 2003. Lotus Domino 6 Technical Overview:

www-10.lotus.com/ldd/

today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b 00782950?OpenDocument.

For references to mail, consult the section on

“Messaging.” Webcast: Lotus Live! Series: What’s New in Notes/ Domino 6 Administration: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

9 Monitoring Server Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Archiving Explicit policies Organizational policies Style sheets JavaScript Libraries NON-NSF Libraries Adjacent Domain document Non-Adjacent Domain document Foreign Domain document Foreign SMTP Domain document Global Domain document

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Update Updall Fixup Compact In-place compacting Copy style compacting jconsole Distributed directories Centralized directories Hybrid directories

✓ ✓ ✓ ✓ ✓ ✓

Managing users Monitoring server tasks Monitoring/maintaining domains Monitoring/maintaining mail routing Monitoring/maintaining/repairing databases Monitoring/modifying application access control Setting up authentication Setting up/configuring/monitoring monitors Troubleshooting Administration Process problems Troubleshooting clustering problems Troubleshooting network/protocol problems Troubleshooting partitioning problems Troubleshooting port (modem) problems Troubleshooting user problems Using a Java-based Domino Console Using distributed and centralized directories Using the remote console Managing user passwords Monitoring/maintaining domain access

Techniques you’ll need to master: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Adding/moving/upgrading/deleting databases Applying policy documents to existing users Backing up/verifying and restoring databases Creating archiving policies Deploying applications based on coding Deploying applications based on design elements Deploying applications based on design elements: shared versus nonshared Deploying applications based on how attachments are handled Deploying applications based on replication fundamentals Deploying based on the NSF structure: NSF components Deploying server-based applications: HTML Distributing application design changes based on design Enabling/disabling compression Maintaining Domino server IDs Maintaining Domino user IDs

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

208 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

To ensure that the Domino domain is running at peak efficiency, a Domino administrator must understand the requirements for monitoring a server and the steps that can be taken to optimize performance. This chapter discusses how to check and make sure the server is running correctly and also instructs the reader in correcting issues that may cause a server to experience performance issues.

Adding/Moving/Upgrading/Deleting Databases This section covers the steps required to perform specific database tasks. Database maintenance is more than just running system utilities such as Fixup or Updall. It also includes adding databases, upgrading their design, moving them in the domain, and deleting them. This section covers these tasks. To add a new database to the server, complete the following tasks: 1. Launch the Domino Administrator. Open the File menu, select

Database, and then select New. 2. In the Server field, indicate the destination server; keep the default set-

ting of Local, or change it to the required destination server. Make sure that access is set up on the destination server that allows the creation of new databases from the source server. 3. In the Title field, enter a name for the database. 4. The File Name field populates automatically based on the Title field.

It can be changed if necessary to be a more descriptive filename. 5. Click the check box at the bottom of the page to select advanced tem-

plates. 6. Scroll down the window and select the database template to be used

for the database. 7. Click OK to create the new database.

An existing database can also be added to other servers in the domain by forcing new replicas to the servers. Access rights must be set equal to Create Database access in the Server document of the target server and Reader access in the database of the source server. Databases can also be replicated between servers by using the Administrator and dragging them. Select the database to be copied from the Files tab and drag it to the destination server in the left pane. The Administration Process then copies the server to the new location.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Occasionally, it’s necessary to move a database to another server. Follow these steps to move the database: 1. Launch the Domino Administrator and open the File tab. 2. Select the databases to be moved in the main view window. 3. Expand the Tools pane on the right. Select Database and then click

Move. 4. The Move Database dialog box appears. Select the Destination data-

base and server. Fill in the destination file path. 5. Two check boxes are available, Copy Access Control List and Create

Full Text Index for Searching. Select either check box if desired and click OK to move the databases. Although it is not necessary to upgrade a Lotus database to R6 format, there are distinct advantages to doing so. Lotus has added a more efficient compression format, LZ1, along with other features that an administrator should consider in moving to R6. To upgrade a database, issue the Compact command and the system upgrades the ODS to version 6. If the database needs to remain in a pre-R6 ODS format, there are three options available: ➤ Issue the Compact command with a

-R

option to retain the current ODS

structure. ➤ Make a copy of the database and rename the file extension to NS4 to

prohibit upgrading. ➤ Do not run the compact task on the database at all.

To delete a database: 1. Launch the Domino Administrator and select the File tab. Select the

database to be deleted and select Delete from the Tools pane. 2. The Confirm Database Delete dialog box appears. A check box is avail-

able to delete all replicas on all servers. Check the box and click OK to delete the database. Policy documents are used to regulate how users can access the system and perform specific functions. Policy documents can be changed after they are assigned and will then be applied to all policy users. For a complete description of the policy documents that can be applied to users and the types of Domino policies, see the “Applying Policy Documents to Existing Users,” section in Chapter 7, “Installing and Configuring.”

209

210 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Backing Up/Verifying and Restoring Databases Although it is true that a replica of a database is, in effect, a backup copy of the database, in the event that corruption of a database is replicated, be sure that a backup exists on some type of archival media, such as digital tape or another form of reliable media. Be certain that the backup software has the ability to back up open files and has been certified to back up Domino databases. Be certain that the Domino C API Toolkit is supported and that all media is verified after the backup.

Creating Archiving Policies New to Domino 6 is central mail file archiving. Archiving is beneficial for administrators and users in that it frees up database space by storing documents in an archive database. Physical database size is smaller and performance increases because the database is smaller and easier to search. The database structure is the same as the user’s database, so the views and folders are the same. The three components of mail archiving are ➤ Document selection—Selects the documents to be archived based on how

often they are accessed and whether the folder they are stored in is being accessed ➤ Copying—Chooses documents to be copied from the original database to

the archive database ➤ Mail file clean up—Reduces the size of the original database by deleting

documents after they are moved to the archival database Two types of archiving are available: ➤ Client-based—This type of archiving allows the user to archive the mail

either on the server, an archival server, or on their local workstation. ➤ Server-based—This type of archiving allows the server to store the archive

file, or allows storing of the archive file on a designated archival server. Setting up mail archiving requires defining a policy in the Domino Directory. Editor access with either the PolicyCreator role or PolicyModifier role defined for the administrator is required.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

To set up mail archiving, follow these steps: 1. Launch the Administrator client, select the People & Groups tab, and

navigate to the Settings view. 2. Click the Add Settings view and select Archive from the drop-down

menu. 3. In the Basics tab, complete the Name and Description fields. 4. Optionally, select Prohibit Archiving to prohibit archiving. Prohibit

Private Archiving Criteria is another setting, which you can use to prohibit users from creating private archives. 5. Choose an Archiving Will Be Performed On option; select either

User’s Local Workstation or Server. 6. Choose an Archiving Source Database Is On option; select either

Local, Specific Server, or Mail Server Where the File Is Located. If you choose Specific Server, a new dialog box appears at the bottom of the page allowing the administrator to choose the source server from a drop-down menu. 7. Choose a Destination Database Is On option; select either Local,

Specific Server, or Mail Server Where the File Is Located. If Specific Server is selected, a new dialog box appears at the bottom of the page allowing the administrator to choose the source server from a dropdown menu. 8. Navigate to the Selection Criteria tab and select either New Criteria,

Add Criteria, or Remove Criteria and complete the information for each tab. 9. Navigate to the Logging tab and select Log All Archiving into a Log

Database. 10. At the bottom of the page is an Include Document Links to Archived

Documents check box. Checking this field allows users to open archived documents from the log database. Leaving it deselected causes users to open the archive database itself to view archived documents. 11. If you decided to use client-based archiving, navigate to the Schedule

tab and complete the options to schedule the times that archiving will occur. In the Location section, specify Any Location or Specific Location to determine where the archiving source should be located. 12. Navigate to the Advanced tab. There is one option on this page: Don’t

Delete Documents That Have Responses. Selecting this check box

211

212 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

does not delete documents that contain responses; leaving it deselected deletes documents containing responses. 13. After completing all desired selections, click Save & Close to save the

document.

Deploying Applications Based on Coding Typically, the roles of administrator and developer are supported by separate employees in the organization. Administrators should create a process that developers can follow that allows applications to be created and deployed as efficiently as possible. Developers who are upgrading applications should take the proper steps to make sure that users don’t experience downtime while the upgrade occurs. When deploying new code in applications ➤ Be certain that any changes being made are communicated to the

administrator and scheduled using a change control process. ➤ Test all changes in a development environment and pilot the changes

with a group of users before moving it to the production environment. ➤ Communicate with the users of the application upgrade and create a for-

mal plan for dealing with issues that occur.

Deploying Applications Based on Design Elements Application design is the cornerstone of Domino and proper planning is required to ensure that the application meets the user’s requirements and performs optimally within the domain. Consider the following items when planning the deployment of a new application: ➤ Gather a set of requirements from the users and then review the

requirements to make sure that there is a common understanding of what is expected and the delivery date. Create a baseline for the users based on how they expect the application to perform and define a maintenance window for future application upgrades and enhancements.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . ➤ Determine how the users will access the application. Plan the applica-

tion design to perform optimally based on whether users will be using a Notes client or a Web browser. ➤ If the application is going to be used by dial-up users who may have a

bandwidth limitation, be sure to consider this during the design phase. ➤ International use of an application can cause an added layer of complexi-

ty. In the event that global users will be using the application, be certain that the design is easy to understand and that the verbiage used in the application is written either in easy-to-understand English or is translated to the country in which the users reside. ➤ Don’t add unneeded layers of design to the application. Keep unneces-

sary designs out of the application and use lean coding. When making design changes to applications, be prepared to test the changes before rolling them out to the production environment. Consider these points when rolling out design element changes to Domino applications: ➤ If the application is going to be Web-based, be certain that the test plan

includes using the possible browser configurations that may be used to access the system. Test the application using Netscape and Internet Explorer as these are the most commonly used browsers. The requirements for previewing design work using a browser include ➤ Windows 95, 98, 2000, XP , or NT workstation. ➤ A database ACL must be set to at least Reader to allow a developer

to preview pages, framesets, documents, navigators, and views. To view forms, an ACL needs to be set up with Author access. Typically, Default or Anonymous user types are used for this testing process. ➤ The server must be running the HTTP task where the database is

running. ➤ The design elements being changed must not be marked with hid-

den attributes to keep them from being viewed by the browsers. ➤ Verify that the design element changes and how they affect client ver-

sions are clearly communicated to users. If the changes require a specific version of the client, be sure that all users are notified. ➤ Use the Design preview option in the Designer client or test the code in

the Web browsers before moving the changes to the production server.

213

214 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Deploying Applications Based on Design Elements: Shared Versus Nonshared Designers might not be working in the same location or might be required to work on the same database with other developers. To share design elements with other designers, Lotus has implemented the following data components: ➤ Style sheets—Used to allow the designer to control the look and feel of

various design features ➤ JavaScript libraries—Used to store and share common JavaScript pro-

grams and codes ➤ Non-NSF libraries—Used to share Non-NSF libraries across databases to

allow the designer to have increased flexibility in the design of the application There are occasions when designers will want to have absolute control over an application while it is being created or updated. To accomplish this task, they can lock out all other designers by changing the ACLs on a database, or they can lock design elements so that they cannot be changed. To provide the ability to lock design elements, follow these steps: 1. Open the database and select File, Database, and then Properties. 2. Navigate to the Design tab and select Allow Design Locking and click

the X to close the Properties window and save the change. At this point, a designer can now highlight a design element in the database and lock the element when necessary.

Deploying Applications Based on How Attachments Are Handled Users might need to access a database to download or launch an attachment. To create an attachment in a database, follow these steps: 1. Open the database in the Domino Designer client. 2. Open the page, form, or subform where the attachment should be

located.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . 3. Select the location in the form where the attachment should reside and

place the cursor in that location. 4. Select File from the menu and choose Attachment. A file navigation

menu appears. Select the attachment and click OK. Press Escape to exit and save the new form with the attachment inserted.

Deploying Applications Based on Replication Fundamentals Database design changes can be made by each database in the domain by applying a completely new template to the database or by replicating changes made by the designer. The most efficient way to perform the upgrades is by making the changes in one database and letting them replicate throughout the domain so that there are no errors made by the designer manually making the changes in each replica. Keep in mind that based on the amount of design changes being made, the replication could take a lot of time, so schedule the changes to be made at a time when the server is not experiencing a peak amount of traffic. Items to consider when replicating a design change include ➤ Create the initial designs on a test database in a development environ-

ment so that users are not affected. Be sure that a pilot group of users is selected to test the design changes before the database moves to production. ➤ Use a master template in the design process and then apply the template

to the database. ➤ Be certain that backups are being completed and verified in the event

that databases need to be restored due to a design error.

Deploying Based on the NSF Structure: NSF Components Although Lotus does supply templates that can be used to create databases, there are times when a special application will need to be created and the provided templates will not be able to address the requirements needed for the application. In the event that this situation occurs, follow these steps to use a blank template to design the application:

215

216 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. Launch the Domino Designer client and select File, Database, New.

The New Database dialog box appears. 2. Leave the Server field set to Local, or change it to the required desti-

nation server. Be sure that access is set up on the destination server that allows the creation of new databases from the source server. 3. In the Title field, enter a name for the database. 4. The File Name field populates automatically based on the Title field.

It can be changed if necessary to be a more descriptive filename. 5. Click the check box at the bottom of the page to select advanced tem-

plates. 6. Scroll down the window and select Blank for the template to be used

for the database. 7. Click OK to create the new database.

Deploying Server-Based Applications: HTML The Domino design process provides multiple ways to include HTML data in an application. To include existing HTML code in the application, complete the following steps: 1. Convert Domino data to HTML and then use an HTML editor to

modify the code. 2. Use existing Web data by importing it directly into the application. 3. Paste existing Web data directly into a Domino page, form, or sub-

form. 4. Code HTML directly into the application.

Distributing Application Design Changes Based on Design Lotus provides the Replace Design option to distribute design changes to databases that use a template for design inheritance. Designer access in the

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

ACL of the database is required to replace the database’s design. The following components are not replaced by default using the Replace Design option: ➤ Database icon ➤ Database title and category ➤ Database ACL and encrypt database settings ➤ Using Database and About Database documents ➤ Design elements protected from updates ➤ Design elements that inherit from a template ➤ List as Advanced Template in “New Database Dialog” option ➤ Options on the Advanced tab of the File, Database Properties box except

Document Table Bitmap Optimization and Don’t Support Specialized Response Hierarchy The following components are replaced by default using the Replace Design option: ➤ Forms, fields, form actions, and event scripts ➤ Pages ➤ Views, folders, and view actions ➤ Agents ➤ Navigators ➤ Framesets ➤ Shared fields ➤ Database Properties selections, except the Advanced Template option ➤ All options on the Design tab of the File, Database Properties box,

except List as Advanced Template in ‘New Database’ Dialog ➤ Options Document Table Bitmap Optimization and Don’t Support

Specialized Response Hierarchy on the Advanced tab of the File, Database Properties box To replace the design of a database, follow these steps: 1. Select the database using either the Designer client or by choosing

File, Database, Replace Design.

217

218 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. The Replace Database Design dialog box appears. Select the template

to be used to redesign the database and click Replace to continue. 3. A Caution dialog box reminds the designer that the database views,

forms, agents, fields, and roles will be changed based on the template being used. Select Yes and the database’s design will be replaced.

Enabling/Disabling Compression To allow a minimal amount of bandwidth to be used between workstations or servers, Lotus has created the ability for network ports to compress the data being exchanged. Compression must be enabled at both ends of the data path or it doesn’t work. If a user wants to use port compression, then it must be enabled on the client as well as on the server. Compression only increases the speed at which the data is transmitted if the data is not already compressed. Precompressed data does not see a performance increase. Data compression also causes an increase in server load on the memory and the processor, so evaluate whether the extra overhead on the server is worth enabling the process. To enable compression, complete these steps: 1. Open the Domino Administrator, select the Configuration tab, and

choose the Server document for the server requiring network compression. 2. Open the Tools pane and select Server, Setup Ports. The Port Setup

dialog box appears. 3. Select the Port to be compressed, click the Compress Network Data

check box, and then click OK. A dialog box appears stating “You must restart port(s) or the server for changes to take effect.” Click OK to continue. 4. Select the Server tab and then select the Status tab. Select the port that

has compression enabled and click Restart on the Tools pane. A Restart Port verification dialog box appears. Click OK to continue. The server port will now restart and compression will be enabled.

Maintaining Domino Server IDs Periodically, certificates associated with a server ID will expire. When this occurs, the ID needs to be recertified. To recertify a server ID, the

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

administrator must have either Author access to the Domino Directory and the ServerModifier role assigned or Editor access to the directory. In addition, the administrator must have Author access or greater to the Certification log. Follow these steps to recertify a server ID: 1. Using the Administrator client, select the Configuration tab and then

select the Server document for the server to be recertified. 2. Open the Certification tab under the Tools pane and select Certify to

open the Certify dialog box. 3. Click the Server button to select the registration server and click OK. 4. Choose one of these two options: ➤ Supply Certifier ID and Password—A file navigation box appears when

this option is selected. Navigate to the required certifier ID and select OK. ➤ Use the CA Process—This option allows the administrator to recertify

the ID without having access to the certifier ID or the certifier password. A drop-down menu is provided to allow the administrator to select a CA-configured certifier from the ones available on the server. 5. Click OK. If you chose the Supply Certifier ID and Password option, a

dialog box appears requiring the certifier password. Enter the password and select OK to continue. 6. A file navigation box appears prompting for the ID to be certified.

Select the server’s ID file and click OK. 7. The Certify ID dialog box appears. The configurable options in the

box are ➤ Expiration Date—This field determines when the server will need to

be recertified. The default time is two years, but can be changed as needed. ➤ Subject Name List—This field allows the administrator to assign a

common name if desired. This is an optional field. ➤ Password Quality—A slide bar is available here to determine the

quality of password security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. Although it is true that this is optimal for servers, each time the server is loaded, a password is required at the console before the server will start.

219

220 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8. Select Certify to continue and recertify the ID. 9. A dialog box appears asking if the administrator wants to certify anoth-

er ID. Select Yes to certify more IDs or No to exit the certification process.

Maintaining Domino User IDs Follow these steps to recertify a user ID: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People; in the Tools pane, select People and Recertify. 2. In the Choose a Certifier dialog box, choose one of the following

options: ➤ Server—This option is used to select the registration server. ➤ Supply Certifier ID and Password—This option is used to use a certifi-

er ID file. A dialog box is available under this option that allows the administrator to navigate to the ID on the server. ➤ Use the CA Process—Using the CA process allows the changes to be

made without having access to a certifier ID file. 3. Click OK to continue. If the option to use a certifier ID was selected, a

dialog box appears requesting the password. Enter the password and click OK to continue. 4. The Renew Certificates in Selected Entries dialog box appears. In the

New Certificate Expiration Date field, change the date to reflect the desired expiration date and select OK to continue. 5. A Recertify User dialog box appears showing the common name and

the qualifying org unit. Click OK to continue. 6. The user ID recertification is processed and a Processing Statistics dia-

log box appears displaying the results of the change process. Click OK to close the dialog box and continue.

Managing Users User mail files might need to be moved when a user changes departments or moves to another location in the country that supports his new Domino needs. Domino provides a tool that moves the user’s mail file and changes the

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Directory to reflect the new mail file location. To move a user’s mail file, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and using the Tools pane, select People and Move to another server. 2. The Move Users(s) to Another Server dialog box appears. The selected

user is displayed in the box along with a drop-down menu that allows the administrator to select the destination server. 3. Optional selections to be completed are ➤ Move Roaming Files into This Folder on “Server Name” ➤ Move Mail Files into This Folder on “Server Name” ➤ Link to Object Store ➤ Delete Old Replicas in Current Cluster 4. Make the required selections and click OK to complete the process of

moving the mail file.

Creating and Setting Up Roaming Users Roaming users are able to access Notes from multiple clients in the domain and retain their personal information. A roaming server is used and the user’s files are stored on this server. When a user logs onto the server as a roaming user, their information is retrieved from the server and presented to the user. When a roaming user makes changes, they are replicated to the server so that they are available when the user logs in at a later time. Roaming users are created during user registration. To define the settings for roaming users, follow these steps: 1. Launch the Domino Administrator and select the People & Groups tab. 2. Using the Tools pane, select People and Register. A dialog box appears

requiring the certifier password. Enter the password and click OK to continue. 3. The Register Person—New Entry dialog box appears. Enter the rele-

vant user information related to name and password and then select Enable Roaming for This Person. 4. Check the Advanced button and a new menu displays on the left.

Select the Roaming button to configure the Roaming settings.

221

222 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . When Roaming users are created, the files Personal Address, Bookmark, and Journal are also created and stored based on the settings on the Roaming tab.

5. Choose Put Roaming User Files on Mail Server or click the Roaming

Server button to select the location to store the files. 6. Enter the personal roaming folder name. 7. Choose a subfolder format. 8. Choose to Create Roaming Files Now or Create Roaming Files in

Background. Selecting the Create Roaming Files Now option instructs the server to execute the file creation task immediately, causing the administrator to wait until the task is completed. If the Create Roaming Files in Background option is selected, the server creates the files in a separate thread and allows the administrator to continue with the setup option. 9. You can select Roaming Replicas if a Domino cluster is available. This

field is optional and should be ignored if a Domino cluster is not installed. 10. Select a Clean-up option. 11. Click Done to create the roaming user.

Maintaining User Profiles From time to time, users change departments or leave the company. When this happens, administrators are required to perform regular maintenance on the user profile—in this case, changing how a user is defined in a group. Editing a group requires ACL access to the Domino Directory with one of the following defined security assignments: ➤ At least Editor with Create Documents privilege ➤ The UserModifier role

Follow these steps to change group membership assignments: 1. Using the Domino Administrator client, navigate to the People &

Groups tab.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . 2. Expand the Domino Directories item and select Groups. A list of the

valid groups on the server displays in the main navigation window. Select the group that needs to be edited and then click Edit Group. 3. On the Basics tab, edit the Group Name (the assigned name of the

group) if appropriate; this should not be changed unless absolutely necessary because changing the group name also requires changing the ACLs in databases associated with this name. The maximum length for group names is 62 characters. 4. Choose a new Group Type if appropriate. The available group types are ➤ Multipurpose—Used for multiple types of users; the default selection ➤ Access Control List Only—Exclusively used to maintain database and

server authentication ➤ Mail Only—Exclusively used for mail users ➤ Server Only—Exclusively used for Connection documents and the

Administrator client’s group domain bookmarks ➤ Deny List Only—Exclusively used for denying access to the server 5. In the Category field, Administration is the only selection. 6. Edit the Description field if appropriate; this is a free form field used

to provide a description of the group. 7. In the Mail Domain field, enter the name of the mail domain used by

this group. 8. If appropriate, complete the Internet Address field; this field is used to

identify the group with an Internet address so that it can receive Internet mail. 9. Edit the Members field by adding or removing member users’ names

as appropriate. 10. Click Save & Close to save the group changes.

Changing User Names Users may also require a name change to their account information in the Domino Directory. To change a user’s name, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and choose the user to be changed.

223

224 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. Using the Tools pane, select People and Rename. In the People and

Rename dialog box, choose from among the following three options: ➤ Upgrade to Hierarchical ➤ Change Common Name ➤ Request Move to New Certifier 3. At the bottom of the dialog box is an Honor Old Names for Up to XX

Days option. The default value for this selection is 21 days, but the value can be changed to reflect a number from 14 to 60 days. 4. Select Change Common Name to continue. In the Choose a Certifier

dialog box, select from these options: ➤ Server—This option is used to select the registration server. ➤ Supply Certifier ID and Password—This option is used to use a certifi-

er ID file. A dialog box is available under this option that allows the administrator to navigate to the ID on the server. ➤ Use the CA Process—Using the CA process allows the changes to be

made without having access to a certifier ID file. 5. Click OK to continue. If the option to use a certifier ID was selected, a

dialog box appears requesting the password. Enter the password and click OK to continue. 6. The Certificate Expiration Date dialog box appears. The default set in

this box is two years from the current date. Change the date if required or leave it at the default and click OK to continue. 7. A Rename Person dialog box appears with fields to be completed.

Complete these fields: ➤ First Name ➤ Middle Name ➤ Last Name ➤ Qualifying Org Unit (optional) ➤ Short Name (optional) ➤ Internet Address (optional) ➤ Rename Windows NT User Account (optional) 8. Click OK. The name change is processed and a Processing Statistics

dialog box appears displaying the results of the change process. Click OK to close the dialog box and continue.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Deleting Users Deleting a user requires an administrator to have: Author access with the Create Documents privilege to the Certification log and Author access with the ability to delete documents and the UserModifier role assigned Or Editor access to the Domino Directory The following steps should be taken to delete a user from the Domino Directory: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and select the user to be deleted. 2. Select People from the Tools pane and choose Delete. The Delete

Person dialog box appears. 3. In the What Should Happen To The User’s Mail Database? section,

choose from these options: ➤ Do Not Delete the Database ➤ Delete the Mail Database on the User’s Home Server 4. Optionally, choose to Add Deleted Users To Deny Access Group. 5. If appropriate, choose to Delete User’s Windows NT/2000 Accounts,

if existing. 6. If appropriate, choose to Delete Users from This Domino Directory

Immediately. 7. Click OK to delete the user.

Using the Administration Process The Administration Process helps you manage users by automating many of the associated administrative tasks. For example, if you rename a user, the Administration Process automates changing the name throughout databases in the Notes domain by generating and carrying out a series of requests, which are posted in the Administration Requests database (ADMIN4.NSF). Changes are made, for example, in the Person document, in databases, in ACLs, and in Extended ACLs. However, the Administration Process can be used only if the database is assigned an administration server.

225

226 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Monitoring Server Tasks Domino uses events to determine when a server task is in need of attention. The database EVENTS4.NSF is used to define which system tasks need monitored and at what point a system alarm is generated. The Domino administrator defines the threshold state for each event. The Event Monitor watches the system and sends events to the database as they occur. When the threshold is reached, the action that is defined for that event is executed. If an event takes place and no event generator is defined, no action takes place. The Event Monitor loads automatically when the server starts. In previous versions of Domino, the Event Monitor was known as the Event task.

Event generators can be defined to monitor the following: ➤ Database—Database space and access as well as replication history are

monitored. ACL changes are also recorded. ➤ Domino Server—Network health, including port status, is monitored. ➤ TCP Server—TCP services are monitored and statistics are generated

reporting response time for the running services. The time is recorded in milliseconds. ➤ Mail Routing—Statistics are reported stating the time required to route a

mail message. The time is recorded in seconds. ➤ Statistics—Specified Domino statistics are monitored. ➤ Task Status—Specified Domino tasks are monitored.

Event handlers are used to determine which tasks occur when an event is triggered. EVENTS4.NSF includes predefined events that can be used to monitor the server, but the most efficient use of the handler task is when an administrator defines events specific to the domain he is monitoring. An administrator may decide to just log events and then maintain them weekly, or he may decide to be alerted immediately when an event occurs so that he can resolve the issue. The EVENTS4.NSF database includes wizards that assist administrators in creating event handlers, creating event generators, and troubleshooting common configuration errors.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . ➤ Event Handler Wizard—Creates a new event handler that generates a

notification when a specified event occurs ➤ Database and Statistic Wizard—Creates an event generator that fires

when something happens to a server or database ➤ Mail Routing and Server Response Wizard—Creates an event generator

that generates statistics or fires an event based on the availability of a resource ➤ Troubleshooting Wizard—Identifies some common configuration errors in

the EVENTS4.NSF database and suggests possible resolutions Event handlers can also be created by using the Domino Administrator and navigating to the Configuration tab and selecting the Monitoring Configuration, Event Handler view. Each event has a Basics, Event, and Action tab that must be completed. In addition to event generators and event handlers, Domino provides other methods that allow an administrator to gather information about the health of a server. For instance, executing a show server command from the server prompt on a test server displays the following information: ➤ Server name: R6Test/R6TestOrg—R6Test ➤ Server directory: C:\r6server\data ➤ Partition: C.r6server.data ➤ Elapsed time: 21:57:45 ➤ Transactions/minute: Last minute: 0; Last hour: 0; Peak: 86 ➤ Peak # of sessions: 2 at 07/26/2003 02:28:55 PM ➤ Transactions: 357 Max. concurrent: 20 ➤ ThreadPool Threads: 40 ➤ Availability Index: 100 (state: AVAILABLE) ➤ Mail Tracking: Not Enabled ➤ Mail Journaling: Not Enabled ➤ Shared mail: Not Enabled ➤ Number of Mailboxes: 1 ➤ Pending mail:0 Dead mail: 0 ➤ Waiting Tasks: 0

227

228 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Transactional Logging: Not Enabled ➤ Fault Recovery: Not Enabled ➤ Activity Logging: Not Enabled ➤ Server Controller: Enabled

This is a typical example of tasks running on a new server with the default tasks running. This list can vary based on the tasks that have been launched by server tasks or manually by an administrator. Server information can also be found in various databases on the server including these ➤ Domino Log database ➤ Statistics database ➤ Events database

Tools available on the server to provide information on demand include ➤ Server Monitor ➤ Mail-in statistics ➤ Paging

Monitoring/Maintaining Domains Domino domains consist of a group of servers that have the same Domino Directory shared between them. Monitoring the domain is similar to monitoring a single server, but requires the administrator to keep track of replication and mail routing processes between all servers. The Domino Console can be used to monitor the domain or an administrator can check the Domino log file to verify that replication and mail routing is running properly. Examples of tasks required by an administrator include ➤ Registering users ➤ Solving replication issues ➤ Correcting mail routing issues, including dead mail ➤ Maintaining groups ➤ Adding and decommissioning servers

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Domains are defined by creating Domain documents. Multiple document types are available based on the requirements needed to route mail. The following types of documents are available: ➤ Adjacent Domain document—This document is used to route mail

between servers that are not in the same Notes named network. ➤ Non-adjacent Domain document—This document serves three functions: ➤ Supplies next-hop routing information to route mail ➤ Prohibits mail from routing to the domain ➤ Provides Calendar server synchronization between two domains ➤ Foreign Domain document—This document is used for connections

between external applications. Typical applications used would be a fax or pager gateway. ➤ Foreign SMTP Domain document—This document is used to route

Internet mail when the server does not have explicit DNS access. ➤ Global Domain document—This document is used to route mail to

Internet domains. Configuration information regarding message conversion rules are defined in the document.

Monitoring/Maintaining Mail Routing The most common task related to mail routing is making sure that mail is moving through and outside of the Domino network. A typical sign that mail routing is not working correctly is a report from a user that he is not receiving mail or cannot send mail. Suggestions for troubleshooting mail routing issues include ➤ Request a delivery failure report from the user. Examine the information

in the report to determine how the problem may be resolved. ➤ Perform a mail trace to determine where the mail is stopping along the

route and correct the problem. ➤ Check the Domino Directory and ensure that mail routing is enabled. ➤ Verify that the settings in the Connection documents are configured

properly for mail routing between servers. ➤ Make sure that the mail.box file on the server is not corrupted.

229

230 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Check the server and make sure that there is sufficient disk space to

allow the server to process the mail. ➤ Examine the Domino log to see if errors are occurring in the Mail

Routing Events section. ➤ Check the mail.box file for undeliverable mail and examine the errors

that are occurring to determine how to correct the problem.

Tracking Messages Domino provides the capability for administrators as well as users to track their messages. The tool that enables this is the Mail Tracking Collector. From time to time, users may state that mail is not being delivered in a timely fashion, or may not be reaching the intended recipient at all. When this occurs, one of the tools that can be used to determine the problem is mail tracking. The database used for this task is the MailTracker Store database, or MSTORE.NSF. The database is populated by data that is fed from the Mail Tracking Collector task, or MTC. The MTC processes log files generated by the Router task and then copies specific data to the MSTORE.NSF database. When a message-tracking request is generated, Domino uses the MSTORE.NSF database to perform the trace. When a trace is initiated, it starts at the user or Administrator client and continues through the entire domain until the route expires. When the trace is completed, the user is presented with one of the following delivery status messages: ➤ Delivered—Delivery was successful. ➤ Delivery failed—Delivery was unsuccessful. ➤ In queue—Domino has queued the message in the Router task. ➤ Transferred—The message was sent to the next defined mail hop. ➤ Transfer failed—The message could not be transferred. ➤ Group expanded—A group message sent to the server was expanded to all

recipients. ➤ Unknown—The status of the delivery is not known. Although it is true that users and administrators can track mail, users can track only their own mail.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Resolving Mail Routing Errors Mail routing errors can occur for various reasons. Server configuration errors, client configuration errors, and network issues can all be possible problems. The key to resolving the issue is to use the tools provided by Domino to correct the problem. If the MAIL.BOX database has dead or pending mail, the most common things to check first include the following: ➤ System logs detailing delivery failures and mail traces. ➤ Errors in the Directory itself, possibly related to connection configura-

tions. Also be certain that the Mail Routing field is enabled on the Basics tab of the Server document. ➤ Errors in the recipient’s address. ➤ Network configuration errors prohibiting correct routing paths. ➤ System errors, such as full disks or memory errors. ➤ Shared mail configuration errors.

Tools available to administrators to troubleshoot routing problems include the following: ➤ Delivery Failure Reports, which contain a description of why the mes-

sage failed ➤ Mail Trace from the Domino Administrator ➤ Mail routing topology maps that display routes by connections and

named networks ➤ Mail Routing status in the Domino Administrator ➤ Mail routing events in the Domino server log

Monitoring/Maintaining/Repairing Databases Application, or database, size can directly affect the manner in which a system performs. A database that has grown in size and isn’t maintained regularly causes the server to have performance issues.

231

232 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Monitoring Database Size The maximum database size on Windows and Unix servers is 64GB. To check the size of a database, follow these steps: 1. On the Domino workspace, select the database; then navigate to the

File menu, select Database, and then select Properties. 2. The Database Properties box opens. Database size is listed on the sec-

ond tab, the Info Tab, labeled with an “i.” This tab displays: ➤ The database size ➤ The number of documents in the database ➤ The database creation date ➤ The last day the database was modified ➤ The replica ID of the database ➤ The ODS version of the database ➤ % used—Displays the amount of the database in use calculated in

percent ➤ Compact—Initiates a compact on the database ➤ User Detail—Shows information related to the owner of the data-

base Additional ways to check database size are ➤ View the database size on the Files tab of the Domino Administrator ➤ Check the database size in the Domino log file ➤ View the statistics reports in the Statistics database

Using Database Maintenance Utilities Database issues can occur if they are not maintained properly. Database performance and data loss can be attributed to not performing regular database housekeeping tasks. Database usage and replication can be tracked in the Domino log file, typically named LOG.NSF. Domino has system tasks that can be scheduled at predefined times to ensure that all databases are performing at an optimum level. Key system tasks include Update, Updall, Fixup, and Compact. The following sections describe these database utilities in detail.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Update The purpose of Update is to update a database’s view indexes. Update runs automatically when the server is started and continues to run while the server is up. Update waits about 15 minutes before processing the database so that all changes in the database are finished processing. When the views are updated, it then searches the domain for databases set for immediate or scheduled hourly index updates. When Update finds a corrupted view or fulltext index, it rebuilds the full-text index and tries to solve the issue.

Updall Updall is used to rebuild corrupted views and full-text index searches, as Update does, and has various options that can be defined when launched by using a software switch. Updall is executed by default at 2:00 a.m. and, unlike Update, can be run manually. Deletion stubs are removed, and views that haven’t been used for 45 days are deleted unless they are protected by the database designer. Setting the parameter Default_Index_Lifetime_Days in the Notes.ini file enables an administrator to determine when Updall removes unused views.

Fixup Fixup is used to repair databases that were open when a server failure occurred. Fixup runs automatically when the server starts, but it can also be run from the Domino Console, when necessary. Databases are checked for data errors generated when a write command to the database was issued and a failure occurred causing a corruption in the database. When Fixup is running on a database, user access is denied until the job completes. Fixup should be run if Updall does not fix the database errors.

Compact Compact can be used to recover space in a database after documents are deleted. Deleting documents from a Domino database does not actually decrease the size of the database. A deletion stub is created and the document is removed permanently when Compact is run, and the size of the database is then reduced. Three types of compacting are available: ➤ In-place compacting with space recovery—Unused space is recovered, but the

physical size of the database remains the same. Unlike with Update and Updall, access to the database is not denied while the Compact task is running. When Compact is launched without switches or with a -b switch, in-place compacting with space recovery is the type of compacting used. The DBIID, or database instance ID used to identify the database, remains the same. In-place compacting is used for databases that have the system configured to run transaction logging.

233

234 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Use in-place compacting when possible because it is the quickest and generates the smallest amount of system activity.

➤ In-place compacting with space recovery and reduction in file size—This ver-

sion reduces the physical database size and recovers unused space, but it takes longer to complete. The DBIID is changed with this Compact version. Running Compact without a software switch option compacts databases not associated with transaction logging. ➤ Copy-style compacting—A copy is created, and when the compact is com-

plete, the original database is deleted. Because of this, there needs to be sufficient disk space available to make the copy of the database, or an error will occur and the compact will not work. During this type of compacting, a new database is created and a new DBIID is assigned. Because a new database is actually being created, this option locks out all users and servers from editing the database. Access using this version of Compact for read only can be enabled if the -L switch is used at the time it is run. Compact should be run on all databases at least weekly, if possible, but it should be run at a minimum of once a month using the format compact -B to minimize the amount of disk space. If Fixup does not correct a database problem, running Compact with the switch of -c can attempt to correct the problem.

Other Database Maintenance Tasks Databases should be monitored on a regular basis to make sure that they are performing efficiently. In addition to using the database maintenance utilities described in the preceding section, these tasks and practices can aid in maintaining strong database performance: ➤ Move the database to another server in the domain, if necessary. Make

sure that the server itself is tuned occasionally and running at peak efficiency. Defragment disk drives and run preventive maintenance tasks on the server to foresee any possible hardware problems that may occur. Also make sure that backups are scheduled to complete before nightly Domino server tasks launch. ➤ Domino 6 database design provides a significant speed improvement. If

possible, upgrade the database to version 6 if it’s running as an earlier version.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . ➤ Implement transaction-based logging, if the hardware configuration

makes it a possible solution as this is very processor, memory, and disk access intensive. ➤ Schedule nightly system tasks to complete before users access the system

at the start of a workday. ➤ Verify that a task such as Compact or Updall isn’t stuck on a database,

expending system resources. ➤ Monitor database usage. A database used constantly by many users

might need separate replicas on other servers in the domain, to make sure that access is not creating an unneeded system load. ➤ Examine the database design to see if any improvements can be made

that would allow it to perform better. ➤ Check the Database, Enhanced tab to see if any options can be enabled

to improve performance. ➤ Create a replica of a database if Fixup, Update, and Updall don’t correct

the problem. If all else fails, restore the database from backup.

Monitoring/Modifying Application Access Control Domino provides multiple ways for administrators to monitor databases and applications in the domain. Administrators can access the Domino log file or can set up applications to automatically inform them when issues occur. Typically, when ACLs are defined, users will not experience problems unless something changes on the server or on the user’s workstation. This section of the book offers administrators ways to monitor application access. Data access control problems can cause users as well as servers to be denied access to a specific database, a server, or an entire domain. Administrators can ensure that database access is constant by making sure that Enforce a Consistent Access Control List is selected on the database ACL Advanced tab. Although enforcement of a consistent ACL does assist in maintaining ACL integrity, it’s not a complete solution. If a user replicates a copy of a database to his local machine, group membership does not replicate along with the database. If the user then wanted to share that replica with another user, the new user would not to be able to access the database because group information would not be inherited. One other thing to keep in mind is local replica security. Because a uniform ACL is not imposed on the database, a local replica should be encrypted to maintain security.

235

236 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Administrators can get a complete view of all database ACLs by accessing the Access Control List in the database catalog file, typically called CATALOG.NSF. The CATALOG.NSG database is populated by the CATALOG task. These three views are available: ➤ By Database—This is an alphabetical list of all databases in the domain,

sorted by the actual filename on the server. ➤ By Level—This is a list of all databases, sorted by access level. ➤ By Name—This is a list of all valid ACLs on the system, sorted by each

specific type.

Setting Up Authentication Domino provides for multiple types of authentication in the domain. Follow these steps to set up authentication: 1. Launch the Domino Administrator, select the Configuration tab, and

open the Server document. 2. Select Ports and choose Internet Ports. A subpage opens for Webs,

Directory, Mail, and IIOP. 3. Choose the protocol to set up authentication. Navigate to the

Authentication Options section and change the Name and Password fields to Yes. Perform the same task on all required protocol pages. 4. Click Save & Close to save the document.

Setting Up/Configuring/Monitoring Monitors As discussed previously in this chapter, Domino uses events to determine when a server task is in need of attention. The database EVENTS4.NSF is used to define which system tasks are monitored and at what point a system alarm is generated. Thresholds created by the administrator are monitored and alarms for system alerts are generated when the thresholds are met or exceeded. Lotus has provided a tool called the Domino Server Monitor for system administrators to watch the status of the servers and make sure no problems

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

exist. The Server Monitor displays statistics in real time and allows administrators to view server status in a graphical format. The Server Monitor can be set up to allow statistics to be viewed by a specific timeline, or by the state of the servers. The Server Monitor has monitoring criteria set up by default, but administrators also have the option of choosing which criteria they want to monitor and then saving those settings for later use. For the exam, remember that the Server Monitor is only available using the Domino Administrator client. The Domino Web Administrator client cannot access the Server Monitor.

Server monitoring is accessed using the Domino Administrator and navigating to the Server, Monitoring tab. The Server Monitor is displayed on this tab and can be started by clicking the green arrow. The server is stopped by clicking the red stop button. To start the server automatically, select File, Preferences, Administration Preferences. After the Administration Preferences dialog box has appeared, check the Automatically Monitor Servers at Startup check box at the bottom of the dialog box. This automatically starts the Server Monitor and does not require the administrator to manually start the monitor.

Troubleshooting Administration Process Problems The Administration Process is a tool provided by Lotus that automates various administrative tasks on the server. Examples of such tasks include user management, group management, and database management. As we have discussed earlier in this book, a server that does not have the proper hardware configuration can cause a myriad of problems. The Administration Process is a memory-intensive process and care should be taken to ensure that the server has an adequate amount of memory to execute the task. Possible problems that may need attention regarding the Administration Process are new users not being registered properly or group changes that are not propagating. To troubleshoot possible problems with the Administration Process, follow these steps: 1. Make sure that no system changes have been made at the operating

system level or to the network infrastructure that could cause communication failures within the domain.

237

238 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. Configuration errors on the server may be causing problems. Try run-

ning the Administration Process on a different server in the domain to see if the problem persists. 3. Type

show tasks at the server prompt and check to make sure that the AdminP task is running.

4. Verify that an administration server is defined in the Directory and in

all databases in the domain. If the Administration Server is not defined in the databases, the AdminP process will not be able to run against them. 5. Check the replication events in the Domino log file to make sure that

the Directory and the Administration Requests database is replicating properly in the domain.

Troubleshooting Clustering Problems This section addresses some problems that may occur related to Domino clusters. Problems that may occur can be related to authentication, database replication, or failover in the event of a server outage. When troubleshooting clustering problems, follow these steps: 1. Make sure that the Cluster Replicator task is running on all of the

servers in the cluster. 2. Ensure that the database exists on all servers in the cluster and that the

replica IDs are the same. 3. Check the log files to see if errors are occurring related to the replica-

tion task. Check to see if there is an excessive amount of replication requests queued that may hint at a server performance issue. 4. Examine the Cluster Database Directory and make sure that the data-

bases are enabled for replication. 5. Make sure there is only one copy of the database on each cluster. 6. Verify that the ACLs in the databases are set correctly to allow servers

to communicate. The User type for servers must be set to Server or Server group.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . 7. Check the Server documents on all servers in the cluster and make sure

that each server is assigned a valid, unique IP address and that all IP addresses related to the Cluster Manager are defined properly. 8. Verify that all servers in the cluster are running.

Troubleshooting Network/Protocol Problems Network problems can manifest themselves as users unable to access servers, servers unable to communicate, or mail unable to route inside or outside of the domain. Check these items when communication problems are occurring: ➤ Verify that the server is able to communicate with other network devices

by launching a Web browser and accessing a Web site. Ping a network device such as another server or a router and also run a trace route to ensure that the network is available and that the network hardware is working properly. ➤ Perform a mail trace from the client as well as the server to make sure

that there is not an error. ➤ Check the Domino Directory for save/replication errors. Verify that all

of the information in the Server documents related to network information and port information is set up correctly. ➤ Check the Domino log for possible errors that may be occurring.

Troubleshooting Partitioning Problems Typical problems that can appear when running Domino on a partitioned server include partitions in use and communication infrastructure/setup issues. Here are some guidelines for troubleshooting partitioning problems: ➤ Only one server can be running per partition. If an error occurs stating

that a partition is already in use, verify that a server process is not already running on the server. A server reboot may be required to correct this issue.

239

240 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Verify that the server is running in the event that users are receiving an

error that the server is unreachable. ➤ If a port-mapping server is sharing the same network card as the desti-

nation server, make sure that the server is running. ➤ Verify that information in the NOTES.INI file related to port-mapping

is set up correctly. ➤ Verify that all the information related to the communications set up for

the server is correct in the Domino Directory.

Troubleshooting Port (Modem) Problems There will be occasions when a dial-up connection is needed on the server for specific tasks. In the event that modem problems are occurring, follow these steps to troubleshoot the problem: 1. Enable call logging in the Domino log file. 2. Check the messages in the log file to determine the cause. Check the

Miscellaneous view for problems that may be occurring. Check the Phone Calls view to see if errors are being logged. 3. Install a handset on the modem line to determine if there is a dial tone

and that a voice call can be made on the line. If call waiting is enabled on the line, disable it. 4. Check the documentation for the modem to determine further trou-

bleshooting ideas. 5. Reboot the server to see if the problem corrects itself. 6. If the server is using the modem to dial out, ensure the phone number

information is set up correctly. 7. Verify that the information in the Domino Directory is set up correctly

related to ports in the Server document and User Preferences. Also verify that the information in Connection documents using the modem exists and is configured properly.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Troubleshooting User Problems Troubleshooting user problems can be challenging if the administrator does not have a complete understanding of possible issues and how they can be corrected. When considering troubleshooting user problems, the following list includes items that should be considered by an administrator: ➤ Tracking user mail messages and resolving mail routing problems ➤ Correcting server access problems by users and servers ➤ Fixing connection issues for servers and users ➤ Maintaining databases and how they are accessed ➤ Correcting issues related to workstation problems ➤ Verifying that an actual technical problem is occurring and that user

training is not required to solve the issue. The information here is just a summary of the topic of troubleshooting user problems. For a detailed discussion of this topic and each of the items in the preceding list, see Chapter 18, “Resolving User Problems.”

Using a Java-Based Domino Console One of the tools available to maintain a server is the Domino Console. The Domino Console is an application that enables administrators to send commands to the server as if they were using the console on the server itself. The Domino Console is installed when the Domino server is installed or when the Administrator client is installed. The Console is a Java application and can also be loaded as a Windows Service when running Windows 2000 or Windows XP.

Launching jconsole The application provided by Lotus to run the Domino Console is called jconsole. To start the Domino Console manually, change to either the client or server directory and run the jconsole executable. The Domino server must be running. If you are running a server controller, the Domino Console starts automatically.

241

242 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . You can launch the Console in four ways: 1. Launch the jconsole application by selecting the program icon in the server or admin client directory when the server is already running. 2. Create a shortcut or execute nserver -jc at the command prompt to run the server controller, the Domino server, and the Console. 3. Create a shortcut or execute nserver -jc -c at the command prompt to run the server controller and the Domino server. 4. Create a shortcut or execute nserver -jc -s at the command prompt to run the server controller and the Console. 5. Create a shortcut or execute nserver -jc -c -s to run the server controller by itself.

As mentioned earlier, the Domino Console enables administrators to send commands to the server as if they were using the console on the server itself. Typical commands such as show server and show tasks can be sent to the server and then are displayed in the Console window. The Console window also displays server events, such as AdminP processes, as they are launched. A sample Console window is shown in Figure 9.1.

Figure 9.1 The Domino Console allows administrators to execute commands on the server and to monitor the server in real time.

Using jconsole The Console has predefined commands available via the File menu or the Commands button at the bottom of the Console.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

The following options are available using the File menu: ➤ Open Server ➤ Disconnect ➤ Show Users ➤ Show Processes ➤ Broadcast—Sends a message to all server users ➤ Local Logging ➤ Stop Server ➤ Kill Server ➤ Quit Controller ➤ Refresh Server List ➤ Exit the Console Program

The Commands button has the typical commands that an administrator would use to manage the server, as well as an option to create and save custom commands. You can configure the Console to show the following views: ➤ Header—Specifies the user, platform type, server name, and release num-

ber ➤ Bookmarks—Includes the available icons Connect Local Server,

Connected Servers, and Domain ➤ Event Filter—Displays one of the following at the bottom of the Console

of the events monitored: Fatal, Failure, Warning (High), Warning (Low), Normal, and Unknown ➤ Secure Password—Is an empty field used by the administrator to secure

the Console ➤ Connected Servers—Lists the servers available to the Console ➤ Domain—Provides a hierarchical graphical view of the domain structure

available to the Console ➤ Debug Output Window—Launches an active Debug window used for

troubleshooting ➤ Look and Feel—Changes the theme used to display the Console window

243

244 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

An example of the Console window with these commands is shown in Figure 9.2.

Figure 9.2 Lotus has provided commonly used commands for administrators to assist them in using the Domino Console.

Exiting from jconsole To stop the Console, select Exit from the File menu (Alt+Q). After you have selected to shut down the Console, you are presented with a dialog box to either shut down the Console itself or shut down the Console and the server controller simultaneously. Three additional buttons are available on the Web Administrator: Logout, Preferences, and Help. Although the Domino Console is a powerful tool, it is still limited in its uses. You still need either the Domino Administrator client or the Web Administrator client to maintain the server.

Using Distributed and Centralized Directories Domino provides multiple options when presenting directories in the domain. The key point to remember is that the Domino Directory is accessed by all

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

users as well as servers, so care should be taken to ensure that access is optimal. Three ways to provide directory access are ➤ Distributed—This method assumes that each server has a replica copy of

the directory on each server in the domain. This method is optimal when many users are on the network or the communications infrastructure may have many points of congestion. ➤ Centralized—This method uses the administration server as the central

point for the directory and configuration directories. Configuration directories host Server, Connection, and Configuration Setting documents. Typically, a second server also has these directories for disaster recovery in the event that the registration server fails. ➤ Hybrid—This method uses a combination of distributed and centralized

directories. Local users may use the centralized directory while remote users would have a local copy of the directory on their server so that bandwidth would not be an issue.

Using the Remote Console The Domino Web Administrator allows remote administration using only a browser client. Although the Web Administrator is essentially the same as the Administrator client, the navigation is slightly different, so make sure you are familiar with it. To use the Web Administrator, the following browser configurations are required: ➤ Microsoft Internet Explorer 5.5 or greater on Windows 98, 2000, XP, or

NT4 ➤ Netscape Navigator 4.7 or greater on Windows 98, 2000, XP, or NT4 Even though Release 6 does support the Web Administrator client on NT4, you must also install the Microsoft Windows Management Instrumentation Software Development Kit (WMI SDK) before the task will work properly. We recommend migrating to Windows 2000 or XP before installing the Domino application because Microsoft support for NT4 is scheduled to expire over the next 18 months. Even though Release 6 supports the Web Administrator client on NT4, you must also install the Microsoft Windows Management Instrumentation Software Development Kit (WMI SDK) before the task will work properly. We recommend migrating to Windows 2000 or XP before installing the Domino application because Microsoft support for NT4 is scheduled to expire over the next 18 months. To check the expiration schedule of software platforms, Microsoft provides this link: http://www.microsoft.com/windows/lifecycle.mspx.

245

246 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Here are some keys things to remember about the differences between the Web Administrator and the Web client: ➤ The Messaging tab on the Web client now has a task tool that enables

you to issue Tell, Start, Stop, and Restart commands on the mail server tasks. ➤ The Messaging tab on the Web client also has a task tool that enables

you to issue Tell, Start, Stop, and Restart commands on the replication server tasks. ➤ The Mail tab on the Web client displays mail statistics differently than in

the Administrator client. Mail routing, retrieval, DNSBL (DNS blacklist filter), and destination routing statistics are available on this tab. ➤ Server Monitor and performance charts are not available in the Web

client. AdminP, CA (Certificate Authority), and the HTTP task must all be running on the Domino server for the Web Administration client functionality to operate. In addition, the WEBADMIN.NSF database ACLs need to be configured to allow administrators to access the server. When the WEBADMIN.NSF database is created, these default ACLs are created: ➤ Administrators and full access administrators, the Named server, and

LocalDomainServers are set as Manager. ➤ Default, OtherDomainServers, and Anonymous are all set to No Access.

The HTTP task updates the WEBADMIN.NSF database with ACL changes generated from the modification of the Domino Directory’s Server document about every 20 minutes. You can also force an immediate update for administrator access by editing the Security tab on the Server document. Editing the ACLs in the WEBADMIN.NSF database also permits immediate access. Select a user, define the user as a manager, and then add the roles required for the managers to have access. After the ACL access has been defined, you need to define the authentication method that will be used to access the server. The two options are to define an Internet password in the Person document or to define an SSL certificate. When you have finished the configuration, make sure that the HTTP task is running on the server and then enter the URL of your server followed by /webadmin.nsf; for example, http://r6test.test.com/webadmin.nsf, or https:// r6test.test.com/webadmin.nsf if SSL authentication is enabled.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

The first screen that is presented is a server status screen. This is helpful for a quick glimpse of server health, but you must access the other tabs to actually perform maintenance activities.

Managing User Passwords When new users are registered, a password is required to be assigned. Password quality is determined by a slide bar to determine the quality of password security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. Although it is true that this is optimal for servers, each time the server is loaded, a password is required at the console before the server will start. Passwords for Internet users are defined in Person documents in the Domino Directory. The passwords can be changed manually or by using a Security Settings policy document. Users can be required to change their passwords, and standards can be set to determine the type and quality of password required. Domino provides password synchronization for users that are Web users as well as Notes client users. Domino allows administrators to ➤ Allow users to change their passwords based on security policies ➤ Force users to change their passwords within a specific amount of time ➤ Allow users to access the servers without having to enter a password ➤ Lock out users ➤ Require users to verify their passwords

Monitoring/Maintaining Domain Access Domains are used to define user groups that share the same Domino Directory. Setting up a domain depends on the configuration of the Domino network. Typically, a single domain exists for a company and all users and servers are registered in this domain. This works well for small- and medium-sized companies. A large company may need to deploy multiple domains in order to keep distinct users and groups segmented from other

247

248 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

parts of the company. Domains may also need to be segmented based on how a company’s network infrastructure is defined. A remote group may need a local domain with their own Directory if they are only able to communicate over a modem back to the company’s home network and are primarily independent, so they do not have a need to be constantly connected. Domains are defined by creating Domain documents, as described earlier in this chapter (see “Monitoring/Maintaining Domains”). Domain access is supported by using groups or user authentication defined in the Domino Directory. Users must be authenticated to the Directory before they are able to access the domain. After they have access to the domain, Lotus has created levels of security that prohibit the user from accessing data unless they are authorized. Examples of this include: ➤ A user may be prohibited from accessing the domain using a Web client

if the administrator has not defined his access in the Directory. ➤ A user might be able to authenticate to the domain via the directory, but

he might not be able to access all the databases in the domain because he does not have ACL access. ➤ A user may be completely prohibited from the domain by entering the

username in a Deny Access list. Domain access can be monitored in real time at the Domino Console or checked manually in the Domino Log database. Attempts to access the domain are included with the username as well as the time the access attempts occurred. Administrators can then determine if the user has incorrect access or is simply attempting to access prohibited data. After the determination has been made, they can contact the user to approve access to the resource or can lock out the user entirely if they suspect malicious behavior.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Exam Prep Questions Question 1 Which of the following options can be used to keep a database from upgrading to the R6 ODS database format? ❍ A. Compact the database with a -N option. ❍ B. Copy the database and rename the file extension with .NS4. ❍ C. Rename the database filename. ❍ D. Edit the Notes.ini file and add the line R6_Database_Version = 0.

Answer B is correct. The following steps can be taken to ensure that a database retains its ODS database format: ➤ Issue the Compact with a

-R

option to retain the current ODS structure.

➤ Make a copy of the database and rename the file extension to NS4 to

prohibit upgrading. ➤ Do not run the compact task on the database at all.

Question 2 Which of the following selections are not valid policy document types that can be applied to users? ❍ A. Archiving ❍ B. Desktop ❍ C. Registration ❍ D. Setup ❍ E. Security ❍ F. All of the above are valid

Answer F is correct. The valid policy document types that can be applied to users include: ➤ Archiving—Defines policy settings related to users’ ability to archive

mail. ➤ Desktop—Enforces consistent client settings. If a client setting is changed

and then the workstation logs out of the server, the settings are reset the next time the user logs into the server.

249

250 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Registration—Implements these policies when a new user is created dur-

ing registration. ➤ Setup—Enforces settings in the client’s location document. ➤ Security—Defines password management and ECL setup.

Question 3 What is a primary requirement for data port compression to work properly? ❍ A. The communication driver must be RPC level 3 compliant. ❍ B. The server must have a compression client loaded. ❍ C. Compression must be enabled at both ends of the data stream. ❍ D. CRC error checking must be established before transmitting data.

Answer C is correct. Compression must be enabled at both ends of the data path or it will not work.

Question 4 What is the maximum size of a database on Windows and Unix servers? ❍ A. The only limitation is the size of the server. ❍ B. 100GB ❍ C. 1TB ❍ D. 64GB

Answer D is correct. The maximum database size on Windows and Unix servers is 64GB.

Question 5 Which of the following choices are valid options when renaming a user? ❍ A. Migrate to Hierarchical ❍ B. Change Common Name Length ❍ C. Request Move to New Certifier ❍ D. Qualify User for Web Access

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Answer C is correct. The available options when renaming a user are ➤ Upgrade to Hierarchical ➤ Change Common Name ➤ Request Move to New Certifier

Question 6 Which database is used to define what system tasks are monitored? ❍ A. MONITOR.NSF ❍ B. EVENTTASKS.NSF ❍ C. LOG.NSF ❍ D. EVENTS4.NSF

Answer D is correct. The database EVENTS4.NSF is used to define which system tasks will be monitored and at what point a system alarm is generated.

Question 7 What view is used in the Domino log file to display possible problems with users and servers connecting with modems? ❍ A. Modem calls ❍ B. Phone call ❍ C. Data calls ❍ D. Dial-up calls

Answer B is correct. Check the Phone Calls view to see if errors are being logged.

Question 8 Where are passwords defined for Domino users who access the server using a Web browser? ❍ A. INTERNET.NSF ❍ B. The Domino Directory ❍ C. PASSWORDS.NSF ❍ D. The Domino Catalog

251

252 Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer B is correct. Passwords for Internet users are defined in Person documents in the Domino Directory.

Question 9 Which database is used to determine who can use the Domino Web Administrator to access the server? ❍ A. ADMIN.NSF ❍ B. ACCESS.NSF ❍ C. WEBADMIN.NSF ❍ D. ADMINWEB.NSF

Answer C is correct. Access using the Domino Web Administrator is maintained by the database WEBADMIN.NSF.

Question 10 What are domains used for? ❍ A. For mail storage ❍ B. To define users sharing the same Domino Directory ❍ C. For replication scheduling and error checking ❍ D. For application performance balancing

Answer B is correct. Domains are used to define user groups that share the same Domino Directory.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

253

10 Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Replication ✓ Pull ✓ Push ✓ Source server ✓ Target server ✓ Connection document ✓ Streaming replication ✓ Extended Access Control List (xACL)

Techniques and concepts you’ll need to master: ✓ Using client commands to force replication ✓ Scheduling replication of databases between servers using Connection documents ✓ Planning applications based upon how selective replication settings can affect the documents distributed to different replicas ✓ Understanding streaming replication ✓ Understanding how a server’s access level in the database ACL affects replication ✓ Understanding how an Extended ACL affects replication ✓ Using replication to distribute design changes ✓ Identifying the tools used for monitoring replication

256 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Replication involves the synchronization of data between two replica copies of a database. Replicas can be stored either locally or on the Domino server. Replication between two server-based databases is called server-to-server replication. Replication involving a local database is called workstation-toserver replication. This chapter focuses mainly on server-to-server replication, which is typically administered and scheduled by the Domino Administrator. Workstation-to-server replication is usually forced or scheduled by the user, and the Notes client performs all of the work involved in pushing and pulling the data to the server-based replica. Several of the topics in this chapter are also addressed in Chapter 5, “Replication.” As with the mail topic, you may want to consider reading both chapters on replication before taking either Exam 620 or Exam 621, for a more complete understanding of this subject area. Any duplication of topics between both chapters has been carefully noted in the appropriate section. For the purposes of the exam, it is important to remember that replication never happens automatically, as is the case with mail routing. Replication must either be forced or scheduled with a Connection document. You should memorize all of the console commands to force replication, and be familiar with all of the fields on the Connection document that relate to replication and its schedule. The best way to understand replication is to study the case studies included in this chapter, which are similar to the case studies in Chapter 5. For the exam, you’ll need to understand the impact of different database security features on replication, such as the Access Control List (ACL) and Readers and Authors fields. You will also need to focus on learning all about the Extended ACL (xACL), which is new to R6. You can prepare for the exam by practicing many of the techniques in this chapter with a minimum of two servers and an Administration client. Replication can’t be tested or learned in a single server environment.

Setting Up and Configuring Replication Through Force This topic was covered extensively in Chapter 5, so I’ve chosen to repeat a summary of the most important points here in this chapter. Replication never happens automatically, and must either be forced or scheduled by the user or administrator. Administrators usually schedule server-toserver replication in order to avoid having to be present to manually force

257 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

replication using commands; however, there are many times when administrators may want to force replication immediately. It is useful for administrators to know how to force replication immediately, so that documents can be distributed to different replicas without delay. Replication can be forced by the administrator in a number of different ways—using the Notes client and using the Administrator client. Using the Notes client to force server-to-server replication limits the administrator to manually replicating one database at a time, but this method is useful if for some reason the administrator doesn’t have access to the Administrator client. Using the Domino Administrator client, the administrator can access the remote console and force replication using console commands. This method is faster, and allows the administrator to force replication of databases, directories of databases, or every database in common with a server or a server group.

Forcing Replication Using the Notes Client The administrator can force server-to-server replication using the Notes client by performing the following steps: 1. Open a database or select a database from the workspace. 2. Choose File, Replication, Replicate. 3. Select one of the following choices: ➤ Choose Replicate via Background Replicator to allow replicate to

operate as a background workstation task, replicating with the last server with which replication was successful. ➤ Choose Replicate with Options to be presented with a dialog box

whereby the administrator can choose the server with which to replicate, as well as which documents will replicate, and whether to send or receive or both. 4. Choose OK to initiate replication. Many users use the Replicator page to force replication of several databases at once. This interface can be activated using the Replicator page bookmark button. Unfortunately, this interface is designed to force workstation-to-server replication, not server-to-server replication. Database replicas are automatically added to this page upon local replica creation. If the administrator wants to force server-to-server replication of several databases at once, he must use the Administrator client.

258 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Forcing Replication Using the Domino Administrator Client The Domino Administrator client gives the administrator access to the remote console. Using the remote console to force replication allows the administrator to use a command-line interface for forcing replication between one or more servers, for one or more databases. Activate the live remote console on the Administrator client by performing the following steps: 1. From the Domino Administrator, click the Server, Status tab. 2. Open the Server Console view. 3. (Optional) Click the Live button to turn on the Live console. Turning on the Live console enables the administrator to view console commands in real time, as they are processed by the server. It is helpful to have the Live console interface turned on before issuing console commands, to see the results that follow the initiation of the command. If you forget to turn on the Live console before issuing a command, you will simply receive the following message: “Command has been executed on remote server. Use Live console option, in future, to view responses from the server.”

The administrator can use the following commands at the console to force replication: ➤ Replicate (Rep)—Forces two-way replication whereby the initiating server

(also known as the source server) pulls updates, changes, and deletions to the target server, and then gives the other server the opportunity to pull changes from it. This type of replication is also referred to as pullpull replication. Pull-pull replication is two-way replication that involves the Replica task on both servers. ➤ Pull—Forces one-way replication whereby the source server pulls

updates, changes, and deletions from the target server. ➤ Push—Forces one-way replication whereby the source server pushes

updates, changes, and deletions from the target server. The syntax of the three commands is as follows: Replicate servername [databasename] or Rep servername [databasename] Pull servername [databasename] Push servername [databasename]

259 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

For the servername parameter, the administrator should specify the server’s full hierarchical name. If the server name is more than one word, enclose the entire name in quotes. You can also substitute a server group in place of a server name. If you specify a server group, the initiating server (the server at which you enter this command) replicates with each server in the list in the order in which the servers are listed in the group document. If you don’t specify a database name, the Replica task replicates every database replica that the two servers have in common. To force replication of a particular database replica, specify the database name after the server name. You also have the option of specifying a directory instead of a database name. Remember that replication synchronizes changes, additions, and deletions for three different types of documents: the ACL document, Design documents, and Data documents, in that order.

Here is a list of examples of the console commands, along with an explanation of what each command would accomplish. For each of the commands, assume that the administrator is using the console on ServerA/Acme. ➤ Rep ServerB/Acme—Replicates all replicas in common between

ServerA/Acme and ServerB/Acme. ➤ Pull ServerC—Pulls all updates, changes, and deletions from

ServerC/Acme to ServerA/Acme, for all replicas in common. Note that the common name of the server is used instead of the fully distinguished name, which will work, but we don’t know whether ServerC is a server or a server group. ➤ Rep AllServers names.nsf—Forces two-way replication between

ServerA/Acme and every server listed in the server group called “AllServers,” for only the Domino Directory database (NAMES.NSF). ➤ Push ServerB/Acme apps\support.nsf—Pushes all updates, changes, and

deletions from ServerA/Acme to ServerB/Acme, for the Support database, which is located in the \apps directory within the Domino data directory.

260 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . For the exam, remember that when issuing replication commands through the console, it is important to understand which server is initiating the command. The server at which you issue the console command is the initiator, also known as the source server. The server or server group listed in the command itself is the destination server, also known as the target server. The exam questions test your ability to read and understand which server is the source; for example, if the question indicates that the administrator is using the console on ServerA, the command “Rep ServerA/Acme” would have no effect because a server can’t replicate with itself. Be certain that you read the question carefully so that you know which server is the source server. Then, you can easily eliminate answer choices that don’t make sense.

Setting Up and Configuring Replication Through Scheduling Again, this topic is repeated from Chapter 5, so much of the material in this section is repeated and summarized from that chapter. Domino has the facility to allow the administrator to schedule replication through a Connection document. A Connection document is a document that contains all of the settings necessary to schedule replication between servers. Connection documents can also be used to schedule mail routing. When replication is scheduled, the server’s Replica task carries out replication with no prompting or initiation from the administrator. For the purposes of the exam, it is important to remember that replication never happens automatically, as is the case with mail routing. If servers are in the same Domino Named Network (DNN), mail routing happens automatically and the administrator never needs to create a Connection document to get mail routing working. Replication never happens automatically, and must be either forced or scheduled. Be careful to watch for exam questions that try to confuse you into thinking that replication is automatic. Connection documents are used to connect servers for replication and for mail routing. A single connection can be created to schedule the transfer of mail as well as the replication of documents. If a single connection is created, both mail and replication will follow the same schedule. Where mail and replication follow different schedules, the administrator should consider creating separate connections. It is often easier to troubleshoot replication problems if the scheduling of replication is automated through connections that do not include the routing of mail. This chapter outlines the steps required to create connections for replication. Mail connections were discussed in Chapter 3, “Mail” and in Chapter 8, “Mail.”

To create a Connection document, perform the following steps from within the Domino Administrator:

261 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . . 1. Click the Configuration tab. 2. Click Server and then click Connections, or Click Replication and then

Connections. 3. Click the Add Connection button to create a new connection. To edit

an existing connection, select the connection you want to edit and then click Edit Connection. To set basic options, choose from among these options on the Basics tab: ➤ Connection Type—Indicates how the servers will connect—for example,

via network connection (LAN) or via dial-up ➤ Usage Priority—Forces the server to use the network information in the

current Connection document to make the connection (if you choose Normal) ➤ Source Server—Specifies the name of the calling server (the server initiat-

ing the replication request) ➤ Source Domain—Specifies the name of the calling server’s domain ➤ Use the Port(s)—Specifies the name of the network port (or protocol)

that the calling server uses ➤ Destination Server—Specifies the name of the target or destination server ➤ Destination Domain—Specifies the name of the target server’s domain

To configure replication and/or mail routing settings, choose from among these options on the Replicating/Routing tab: ➤ Replication Task—Choose Enabled for scheduled replication. ➤ Replicate Databases of Priority—If the administrator chooses to set a repli-

cation priority for a database, replication of databases of different priority can be scheduled at different times. A priority of Low, Medium, or High is set for each database in that database’s Replication Settings dialog box. ➤ Replication Type—Four different types of replication exist. The type you

choose affects the direction of replication as well as which of the servers performs the work of the replication. ➤ Pull Pull—Replication is bidirectional, whereby the source server initi-

ates replication and pulls documents from the target server. The source server then signals the target server’s Replica task to pull documents in the opposite direction. Both servers are involved in the replication.

262 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Pull Push (default)—Replication is bidirectional, whereby the source

server’s Replica task performs all of the work, pushing and pulling documents to and from the target server. The target server’s Replica task is never engaged. ➤ Pull Only—Replication is one-way, whereby the source server pulls doc-

uments from the target. ➤ Push Only—Replication is one-way, whereby the source server pushes

documents to the target. ➤ Files/Directory Paths to Replicate—These are the names of specific data-

bases or directories of databases that you want to replicate. You can list either database names or directories. ➤ Files/Directory Paths to NOT Replicate—These are the names of specific

databases or directories of databases that should be excluded from replication. You can list either database names or directories. ➤ Replication Time Limit—This is the amount of time, in minutes, that

replication has to complete. This setting is usually used only for dial-up connections. To schedule the replication, choose from among these options on the Schedule tab: ➤ Schedule—Enables or suspends the schedule by choosing Enabled or

Disabled, respectively. ➤ Connect at Times—Indicates times or a time range during which you

want the source server to initiate replication. This field can contain a single time entry, a list of times separated by commas, or a time range separated by the dash. Use this field in conjunction with the Repeat Interval field to determine how many times per day a server attempts to initiate replication. ➤ Repeat Interval of—Specifies the number of minutes between replication

attempts. If you specify a repeat interval of 0, the server connects only once. ➤ Days of Week—Specifies the days of the week to use this replication

schedule; the default has all days of the week selected.

263 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . . If you specify a time range during which a source server attempts replication, the next replication attempt is made at the specified interval after which the replication has completed. For example, let’s say you specify a Connect at Times range of 7:00 a.m. to 11:00 p.m., with a Repeat interval of 60 minutes. The source server attempts to replicate at 7:00 a.m. and is successful in initiating the replication. The total time of the replication between servers takes 7 minutes. The source server then attempts to call the target server again at 8:07 a.m. For more examples of scheduled replication timing, consult the document titled “Scheduling Server-to-Server Replication” in the Lotus Domino Administration Help database. The exam may have a scenario question asking about the timing of scheduled replication.

Streaming Replication Streaming replication is new to Domino R6. Streaming replication allows the replicator task to send multiple changes in one request, and to replicate smaller documents first. This method of replication has two distinct advantages: 1. It is faster than replication that is nonstreaming. 2. It allows users to access and use documents that are replicated first,

while replication continues until all documents are available. Streaming replication requires no additional configuration by the administrator, but it is only used when the replication type is Pull-Pull or Pull only. For this reason, many administrators are revising their Connection documents after upgrading to R6 and changing the replication type to Pull-Pull. During Pull-Pull replication, both the source and the target server’s Replica tasks are involved in doing the work of replication. Administrators should ensure that each server participating in Pull-Pull replication has enough server resources to perform the task properly. Streaming replication won’t increase replication performance if one of the servers doesn’t have enough server resources to do the pulling in a timely way.

Planning Applications Based on the Impact of Replication on Document Distribution Administrators might encounter times when they don’t want replication to synchronize every document in every replica. Administrators can apply replication settings to selectively replicate a subset of documents to different replicas.

264 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

For example, the Acme Company has a database called Product Ideas on ServerA/Acme, which it uses to post information about ideas for new products. The database displays suggestions made by customers (as opposed to employee ideas) in a view called Customer Suggestions. Acme has two servers at satellite sales offices: ServerEast/Acme and ServerWest/Acme. The satellite sales offices are only interested in customer suggestions and not in other product ideas; therefore, Acme wants to replicate only the contents of the Customer Suggestions view to these servers. To accomplish this limited distribution of the data, the administrator must first plan and diagram which servers will store subsets of the data, and what that subset will be. He can then customize replication settings for multiple replicas of a database from one central source replica and then replicate these custom settings to the appropriate replicas. This approach to customizing replication allows for centralized replication management. Changing centrally administered replication settings requires two replications for the changes to take effect: the first replication to replicate the new settings from the source server to the target servers and a second replication to replicate based on the new settings. The second replication doesn’t occur until the source database is updated in some other way; to force the new settings to take effect if the source database isn’t updated, clear the replication history.

To change replication settings for multiple replicas, perform the following steps: 1. Ensure you have Manager access in the ACL of the central source

replica, and ensure that the central source replica has Manager access in the ACL of all destination replicas. 2. Open the central source replica, and then choose File, Replication,

Settings to modify existing replication settings. Choose the Advanced section. 3. To specify a destination server, click the computer icon next to “When

Computer,” specify the name of the destination server, select Add Server, and then click OK. 4. To specify a source server, click the computer icon next to “Receives

from,” specify the name of a source server, select Add Server, and then click OK. 5. To delete a server, click either computer icon, select a server, select

Delete Server, and then click OK.

265 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . . 6. To have the specified destination replica receive a subset of documents,

click “Documents in Specified Views or Folders” or “Documents by Selection Formula” or “Selected Documents.” 7. To specify which nondocument elements the replica should receive,

select appropriate options under “Receive These Elements from Other Replicas.” You must select “Replication Formula.” 8. Repeat steps 3 through 7 for each additional destination/source server

combination. Click OK. Figure 10.1 shows the Advanced tab of the Replication Settings dialog box.

Figure 10.1 The Advanced tab of the Replication Settings dialog box.

For the purposes of studying for the exam, make sure that you have studied each tab of the Replication Settings dialog box, with a special focus on the Advanced tab. Try to set up selective replication between servers by attempting a scenario like the one described previously.

Understanding How the ACL Affects Replication Again, much of the information in this particular section is repeated from Chapter 5; however, to help practice for the exam we’ve created different case study examples. These case studies supplement the material from Chapter 5 and help test your ability to understand how a server’s access level in the Access Control List affects replication.

266 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

For a server to replicate changes to documents in a database, that server must have sufficient access in the replica’s ACL. Servers must be listed explicitly or within a group in the ACL, with an access level that is appropriate for the documents the server is allowed to propagate to other replicas. A server is usually assigned one of these levels of access: ➤ Editor access to replicate changes to documents ➤ Designer access to replicate changes to design elements such as views,

forms, and agents ➤ Manager access to replicate ACL changes

Guidelines for Assigning Server Access to Databases The best way to explain the different access levels assigned to servers is to use a case study or a series of examples. These examples will help you prepare for the exam by using scenarios similar to the scenarios used in many of the exam questions. Don’t attempt to memorize the different scenarios; rather, use them to test your understanding of how server access in the ACL affects replication. Again, during the exam, you may find it helpful to draw diagrams of the servers and databases and label the diagrams with the server’s access level, to help you arrive at the correct answer. Let’s assume that there are two servers in our examples—ServerA/Acme and ServerB/Acme. Let’s examine the implications of creating an ACL that lists the different servers with different levels of access. We’ll refer to a database in this example called the Product Support database. This database is used by the Help Desk to share ideas about how to support Acme’s many product offerings. The ACL of the database contains references to servers and to a group for the administrators (LocalDomainAdmins), as well as to a group containing the company’s Domino developers (CorpDesigners). The ACL also makes reference to a group of Help Desk technicians (HelpDesk).

Scenario 1: Both Servers Have Manager Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Manager LocalDomainAdmins: Manager CorpDesigners: Designer HelpDesk: Author

267 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

In this scenario, both servers are capable of replicating any changes to ACL, Design, or Data documents in any direction. For example, if Bob Jones/Acme in the LocalDomainAdmins group added a new group to the ACL on ServerB’s replica, ServerB/Acme could successfully replicate that ACL change to ServerA/Acme. If Susan Brown/Acme in the CorpDesigners group added a new view to ServerA’s replica, ServerA/Acme could replicate that new design element to ServerB/Acme. Data documents could be changed, added, or deleted by the Help Desk users on either server and would replicate successfully to the other server.

Scenario 2: One Server Has Manager Access and the Other Has Editor Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Editor LocalDomainAdmins: Manager CorpDesigners: Designer HelpDesk: Author In this scenario, ServerA/Acme is the only server capable of replicating the ACL and the Design documents. For example, if Bob Jones/Acme in the LocalDomainAdmins group added a group to the ACL on ServerB’s replica, that ACL change would not replicate to ServerA/Acme. If Susan Brown/Acme in the CorpDesigners group created a new shared agent on ServerA’s replica, ServerA/Acme could replicate that new agent to ServerB/Acme. But if she made that same change on ServerB’s replica, the change couldn’t replicate to ServerA/Acme. In this scenario, all ACL and design changes need to be made on ServerA/Acme in order to have them replicate to ServerB/Acme. But the Help Desk users could continue to create, edit, and delete documents on either server’s replica, and all Data document changes would successfully replicate between servers.

Scenario 3: One Server Has Manager Access and the Other Has Reader Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: Reader LocalDomainAdmins: Manager CorpDesigners: Designer HelpDesk: Author

268 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In this scenario, replication of changes, additions, and deletions can happen in only one direction: from ServerA/Acme to ServerB/Acme. If any documents are changed, added, or deleted by administrators, designers, or users on ServerB/Acme, the documents will not replicate to ServerA/Acme. In this scenario, ServerB/Acme has effectively become a “read-only” server. All changes, additions, and deletions would need to be made on ServerA/Acme in order to propagate to ServerB/Acme.

Scenario 4: Both Servers Have Reader Access Here is the ACL listing for this scenario: ServerA/Acme: Reader ServerB/Acme: Reader LocalDomainAdmins: Manager CorpDesigners: Designer HelpDesk: Author In this case, the administrators, designers, and Help Desk users could all make changes to the ACL, Design documents, and Data documents, respectively, on either ServerA/Acme or ServerB/Acme. But neither server would be able to propagate any changes to the other server. Over time, the two replicas would become very unsynchronized, because neither server would be able to replicate any changes. This isn’t a likely scenario because there would be no replication between the two replicas.

Scenario 5: One Server Has Manager Access and the Other Has No Access Here is the ACL listing for this scenario: ServerA/Acme: Manager ServerB/Acme: No Access LocalDomainAdmins: Manager CorpDesigners: Designer HelpDesk: Author This scenario produces the same result as Scenario 4—replication would not proceed between the two servers. The administrators, designers, and Help Desk users could all make changes to the ACL, Design documents, and Data documents, respectively, on either ServerA/Acme or ServerB/Acme. But neither server would be able to propagate any changes to the other server. Over time, the two replicas would become very unsynchronized, because neither

269 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

server would be able to replicate any changes. This scenario is no more likely than the previous one because there would be no replication between the two replicas.

Understanding Changes to xACL Replication An Extended Access Control List (xACL) is an optional directory access-control feature available for a Domino Directory or an Extended Directory Catalog. The extended ACL is new to Domino R6 and can only be accessed using the ACL dialog box using a Notes 6 Client or a Domino Administrator 6 client. The xACL can restrict or refine a user’s access to the database, but it cannot be used to increase the access the database ACL allows. The xACL can be used to set access for the following: ➤ All documents with hierarchical names at a particular position in the

directory name hierarchy; for example, all documents whose names end in OU=East/O=Acme ➤ All documents of a specific type; for example, all group documents ➤ A specific field within a specific type of document ➤ A specific document

An Extended ACL allows the administrator to extend access in the following ways: ➤ Delegate Domino administration; for example, allow a group of admin-

istrators to manage only documents named under a particular Organizational Unit. ➤ Set access to precise portions of the directory contents. ➤ Set access to documents and fields easily and globally at one source,

rather than requiring the administrator to control access through features such as multiple Readers and Authors fields. ➤ Control the access of users who access the directory through any sup-

ported protocol: Notes (NRPC), Web (HTTP), LDAP, POP3, and IMAP. To enable extended access for a Domino Directory or Extended Directory Catalog, perform the following steps:

270 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. Open the database, and choose File, Database, Access Control. 2. Click Advanced, and then select Enable Extended Access. 3. At this prompt, click Yes to continue: “Enabling extended access con-

trol enforces additional security checking. See Domino Administrator Help for more details. Do you want to continue?” 4. At this prompt, which appears only if the advanced database ACL

option “Enforce a Consistent Access Control List Across All Replicas” is not yet enabled, click Yes: “Consistent access control must be enabled first. Do you want to enable it now?” 5. At this prompt, click OK: “If more than one administrator manages

extended access control for this database, enable document locking on the database to avoid conflicts.” 6. Click OK in the Access Control List dialog box. 7. At this prompt, click OK: “Enabling extended access control restric-

tions. This may take a while.” Look at the status bar on the client to see the status of this process. Enabling an Extended ACL for a Directory or a Directory Catalog has some effects on the way in which that Directory replicates: ➤ To ensure that the database replicates properly, extended access requires

the use of the advanced database ACL option “Enforce a Consistent Access Control List Across All replicas.” This option forces the ACL of every replica to be identical. If a change is made to the ACL of a replica on any server, that change replicates to other servers in order to maintain the same ACL on every replica. ➤ After an administrator enables extended access, changes cannot be made

to a replica of the database on a server running an earlier Domino release because the changes can’t replicate to a Domino R6 server. If you enable extended access, administrators must make directory changes only to a replica on a Domino R6 server.

Replicating Design Changes There are two ways to update design changes from one database to another: ➤ Use a database design template (this database is not a replica). ➤ Use replication to update design elements from one replica to another.

271 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Most administrators rely on both methods to distribute design changes around to the servers in the company. Typically, a designer creates a design template that is not a replica in order to implement and test design changes. After the designer is satisfied with the design changes, these changes are transferred over to a production version of the database using the Refresh Design method. When the administrator invokes the Refresh Design command either manually or by scheduling the Design task, only the Design documents are transferred from the Master Design template to the production database. This transfer happens only in one direction, and does not affect the ACL of the database or the Data documents. After design changes have successfully migrated from the template to the production database, the administrator can then use replication to transfer design changes from that first production replica to other replicas. The administrator can either force replication manually or can schedule replication through the use of Connection documents. There are two major differences between the Design Refresh and replication: 1. Replication transfers the ACL, Design documents, and Data docu-

ments, not just Design documents as in a Design Refresh. 2. Replication can be bidirectional, whereas the Design Refresh can occur

in only one direction. Remember that if a server needs to replicate design changes to another replica, the source server must have at least Designer access in the ACL of the database. Watch out for exam questions that test your knowledge of replication as it involves design elements. Most of these types of questions involve some kind of Access Control List scenario. Refer to the scenarios earlier in this chapter to confirm your understanding of which documents transfer via replication based on ACL settings.

Monitoring and Maintaining Replication This topic was covered in detail, along with supporting screen shots in Chapter 5. Rather than repeat the entire topic here, we simply summarize the monitoring and maintenance tasks that relate to replication, and refer you to Chapter 5 for detailed explanations. Because replication never occurs automatically and must always be forced or scheduled, the administrator must also devote some time to monitoring replication, and making adjustments as required. The Domino

272 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Administrator client offers many tools and interfaces to assist the administrator in these maintenance efforts. The following list summarizes those tools: ➤ Monitor Replication History—Choose File, Replication, History to view a

history of successful replications with other servers. If you have Manager access to a database, you can clear the database replication history if you think the database doesn’t contain all the documents that it should or if the database replication history is not synchronized with that of other replicas. Normally, you would clear this setting only if you suspect time/date problems with server or client clocks. ➤ View the Replication Events View in the Log File—The server log

(LOG.NSF) contains detailed information about the replication of server-based databases, such as the number of documents added, deleted, and modified; the size of the data exchanged; and the name of the replica that this database replicated with. ➤ Use an Event Generator to Monitor Replication—A database event genera-

tor can monitor database use and ACL changes. If an administrator creates a database event generator and checks the Monitor Replication field, they can choose to be notified if replication doesn’t occur within a specified time period. ➤ View Replication Schedules—You can see a graphical representation of the

replication schedules of the servers in your Domino system. To view replication schedules from the Domino Administrator, select the Replication tab. ➤ Replication-Topology Maps—View a replication-topology map to display

the replication topology and identify connections between servers. To view replication topology maps from the Domino Administrator, click the Replication tab. Use this graphical view to verify that each server is connected for replication.

273 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Exam Prep Questions Question 1 Bob is setting up scheduled replication between ServerA and ServerC. He has specified a Connect at Times range of 9:00 a.m. to 11:00 p.m., with a repeat interval of 60 minutes. Give the first and second replication times, assuming the following: The first replication connection was successful. The first replication took 12 minutes to complete. ❍ A. 9:00 a.m., 11:00 a.m. ❍ B. 9:00 a.m., 10:00 a.m. ❍ C. 9:00 a.m., 10:12 a.m. ❍ D. 9:12 a.m., 10:12 a.m.

Answer C is correct. If the first replication connection was successful and completed in 12 minutes, the second replication would occur 60 minutes after the completion of the first replication.

Question 2 Acme Company has just rolled out an inventory-tracking database to allow its IT department to track equipment within the organization. Acme has decided to create three replicas across three servers to allow IT staff across the country to access the database. Replicas are created on the following servers: Server1/Acme, Server2/Acme, and Server3/Acme. John, the Domino administrator, wants to make sure that he sets the ACL correctly to allow documents in the tracking database to replicate across servers. He wants all ACL changes to be made on Server1/Acme. He wants all design changes to be made on Server1/Acme or Server2/Acme. Users should be able to add, edit, and delete documents on any of the three servers. Data documents should then replicate around to the other replicas. How should he grant access to the three servers in the ACL of the tracking database? ❍ A. Server1/Acme: Reader; Server2/Acme: Manager; Server3/Acme: Reader ❍ B. Server1/Acme: Author; Server2/Acme: Manager; Server3/Acme: Author ❍ C. Server1/Acme: Manager; Server2/Acme: Designer; Server3/Acme: Editor ❍ D. All three servers should have Manager access in the ACL.

274 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer C is correct. If Server1/Acme and Server3/Acme had either Reader or Author access in the ACL, neither server would be capable of replicating additions, changes, or deletions made by users on those servers. A server must have a minimum of Editor access to replicate Data document changes. Granting Manager access would allow ACL changes to be made on all replicas, when the question specified that those types of changes were to be made only on Server1/Acme. Granting Designer access to Server2/Acme ensures that design changes could be made and propagated by either Server1 or Server2.

Question 3 Which of the following options are valid types of replication as listed in the Replication Connection document? ❑ A. Push Only ❑ B. Pull Only ❑ C. Push Wait ❑ D. Replicate

Answers A and B are correct. Four types of replication can be scheduled in a Connection document: pull-pull, push-pull, pull only, and push only. Push Wait is a type of mail connection choice, and Replicate doesn’t exist as an option for scheduled replication, although it is one of the commands an administrator can issue at the console for forced replication.

Question 4 Amanda wants to force one-way replication from ServerA to ServerB. Assuming that she’s using the console on ServerB, what command would she issue? ❍ A. Push ServerB ❍ B. Push ServerA ❍ C. Pull ServerA ❍ D. Pull ServerB

Answer C is correct. By issuing Pull ServerA at ServerB’s console, the administrator forces a one-way replication from the target server to the server where she is using the console. This command forces one-way replication of all replicas in common between the two servers. An optional parameter

275 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

allows replication of a single database from the server you are on to the specified server. For example, Pull Server1 ADMIN4.NSF forces a one-way replication of ADMIN4.NSF from Server1 to the server the administrator is using.

Question 5 Warren wants to view an updated replication-topology map for his domain. Which task must be running on the server in order to generate a topology map? ❍ A. MTC ❍ B. Maps ❍ C. Design ❍ D. Catalog

Answer B is correct. To view the replication topology of a Domino environment using the Domino Administrator client, the MAPS task must be running on the server. The topology information is refreshed every night at midnight. (Though you only read a summary of this topic in this chapter, the cross-reference to Chapter 5 pointed you toward complete information; keep in mind how closely the information in these chapters is related, as you study for the exam.)

Question 6 Which one of the following can the Domino administrator use to view detailed information about replication of a database between two servers? ❍ A. admin4.nsf ❍ B. log.nsf ❍ C. noteslog.nsf ❍ D. names.nsf

Answer B is correct. The Domino Directory (names.nsf) stores information about replication connections but doesn’t track replication information. There is no database called noteslog.nsf. The Administration Requests database (admin4.nsf) tracks information about requests processed by AdminP. The AdminP process can be used to create replicas on servers but doesn’t track information about replication activity.

276 Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 7 Which of the following types of replication support streaming replication? ❑ A. Pull-Pull ❑ B. Pull-Push ❑ C. Pull Only ❑ D. Push Only

Answers A an C are correct. Streaming replication is only supported by the Pull-Pull and Pull Only replication types.

277 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replication . . . . . .

Need to Know More? Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, IN: Que Publishing, 2003. What’s in Store for the Domino R6 Database:

www-10.lotus.com/

ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f8525 6af700621c8a?OpenDocument.

Webcast: Lotus Live! Series: What’s New in Notes/ Domino 6 Administration: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html. Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

11 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Authentication ID file Basic name-and-password authentication Session-based name-and-password authentication ID backup and recovery Mail-in database Password verification Issued Certificate List (ICL) Certificate Revocation List (CRL) Agent Agent log Activity logging Role

Techniques and concepts you’ll need to master: ✓ ✓ ✓ ✓ ✓ ✓ ✓

Understanding each layer of the Domino security model Setting up authentication for Notes and Web clients Backing up and recovering user ID files Managing user passwords Using the ICL and CRL Configuring access to the server Configuring access to the application using the ACL, roles, and Authors and Readers fields ✓ Designing a secure application, and understanding the difference between design elements that control security versus design elements that simply deter a user from finding data ✓ Configuring, monitoring, and maintaining agent access ✓ Troubleshooting a user’s access to an application

280 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

As with other chapters covering Exam 621, there are a few topics in this chapter that are also mentioned in Chapter 6, “Security.” Again, you might want to read both Chapter 6 and Chapter 11 before attempting either Exam 620 or Exam 621, in order to get the full picture of security. We specifically point out when there is a topic that appears in both chapters, and indicate whether the topic is dealt with in more or less detail in this chapter. If you’ve already read Chapter 6, you’ll be able to use this chapter as a review of some subject areas, and you can test your understanding of those subjects as you read. One reason that Lotus has chosen to test your knowledge of security on two different exams is that security is a huge subject area that spans many parts of the Domino product. It would have been impossible to outline the entire security model in only one chapter. Remember that five basic layers make up the Domino security model: 1. Physical security 2. Network and operating system security 3. Authentication 4. Server access 5. Database (application) access

As with Chapter 6, we take a “top-down” approach to security in this chapter, starting with authentication and moving into server security, database security, and finally security for documents and design elements within the database. We do not discuss the first two layers—physical or network and operating system security. Refer to Chapter 6 for a discussion of those two layers.

Setting Up Authentication Authentication was covered in detail in Chapter 6, so we briefly review that topic here. An ID file is a file that uniquely identifies a certifier, server, or user within the Domino security environment, using certificates stored on the ID. Authentication refers to the process by which ID files are checked to see if they are trusted; that is, that they have a certificate in common. Domino uses the information contained in IDs to control the access that users and servers have to other servers and applications. One of the administrator’s responsibilities is to register and protect IDs and to make sure that

281 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

unauthorized users do not use them to gain access to the Domino environment. Three different types of ID files can be generated by the administrator, using the Domino Administrator client: ➤ Certifier ID—Used as a “stamp” to register a new server or user IDs ➤ Server ID—Used to identify each unique server in the organization ➤ User ID—Used to identify each unique person in the organization

To set up authentication between servers and users within a company, the administrator must create ID files. During the first server setup, the first certifier IDs are created, along with the ID file for the first server and first administrator. The certifier ID for the organization is created, and is used to create other OU certifiers, depending on the naming scheme that the administrator will use. The administrator then uses a certifier ID to register every other server and user within the organization. Each ID file will contain a certificate for the top-level organization certifier, so that every server and user in the organization will have a certificate in common, and can authenticate. For a more detailed description of how to register both servers and users, refer to Chapters 2 and 7, both titled “Installing and Configuring.” Web users don’t use Notes ID files to authenticate with the Domino server—they simply use their name and an Internet password, both of which are stored in a Person document in the Domino Directory for the server’s domain. This type of Web authentication is called name-and-password authentication. To set up name-and-password authentication for Web clients, one of two methods can be used: ➤ Basic name-and-password authentication uses the name and password

recorded in the user’s Person document in the Directory. ➤ Session-based name-and-password authentication is a more sophisticated

authentication model that uses cookies to track user sessions. A session is the time during which a Web client is actively logged onto a server with a cookie. The administrator has two options when enabling sessionbased authentication in the Server document: ➤ Single Server—Causes the server to generate a cookie that is honored

only by the server that generated it ➤ Multiserver—Generates a cookie that allows single sign-on with any

server that shares the Web SSO Configuration document

282 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Setting Up and Configuring ID Backup and Recovery To recover from loss of, or damage to, an ID file, administrators must keep backup copies of server and user ID files in a secure place; for example, on a disk stored in a locked area. Losing or damaging an ID file or forgetting the password to an ID has serious consequences. Without an ID, users cannot access servers or read messages and other data that they encrypted with the lost ID. To prevent problems that occur when users lose or damage ID files or forget passwords, administrators can set up Domino to recover ID files. This process is called ID backup and recovery. Before ID files can be recovered, an administrator must perform the following steps to set up for recovery: ➤ An administrator who has access to the certifier ID file(s) must specify

recovery information for those files. ➤ A mail-in database must be created to store recoverable copies of all ID

files. ➤ The user ID files themselves must be made recoverable. There are three

ways to enable this feature: ➤ At registration, administrators create the ID file with a certifier ID

that contains recovery information. ➤ Administrators export recovery information from the certifier ID

file and have the user accept it. This is usually accomplished through the use of Notes mail messages. ➤ Users authenticate to their home server after an administrator has

added recovery information to the certifier. This method applies only for servers using the server-based certification authority.

Specifying Recovery Information for a Certifier ID File and Creating a Mail-In Database to Store Backup ID Files Domino stores ID recovery information in the certifier ID file. The information stored includes the names of administrators who are allowed to recover IDs, the address of the mail or mail-in database where users send an

283 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

encrypted backup copy of their ID files, and the number of administrators required to unlock an ID file. For an administrator to eventually recover a backup copy of an ID file, these IDs must be stored somewhere safe. When the administrator enables recovery for certifier IDs, he is automatically prompted to create a mail-in database to use as the storage container for ID file copies. A mail-in database is a database that can receive mail because it is known to the Router via a Mail-In Database document in the Directory. The administrator should perform the following steps before anyone loses or corrupts an ID, ideally before registering users. 1. From the Domino Administrator, click the Configuration tab, and then

click Certification. 2. Click Edit Recovery Information. 3. In the Choose a Certifier dialog box, click Server and select the regis-

tration server name from the Domino Directory. 4. Choose the certifier for which you are creating recovery information.

If you are using a server-based certification authority, click Use the CA Process and select a certifier from the drop-down list. You must be a Certificate Authority (CA) administrator for the certifier in order to change ID recovery information. If you are not using a server-based certification authority, click Supply Certifier ID and Password. If the certifier ID path and filename does not appear, click Certifier ID, select the certifier ID file, and enter the password. 5. Click OK. The Edit Master Recovery Authority List dialog box

appears (see Figure 11.1). 6. Enter the number of recovery authorities that are required to recover

an ID file. It is recommended that you choose at least three. 7. Click Add and select the names of the administrators who are the des-

ignated recovery authorities. 8. Choose whether you want to use an existing mailbox for recovery

information or create a new one. 9. If you have a mail or mail-in database already set up for recovery infor-

mation, click I Want to Use an Existing Mailbox. Click Address and select the database from the Domino Directory.

284 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 11.1 The Edit Master Recovery Authority List dialog box.

10. If you want to create a new database to store recovery information,

click the Address button, then choose I Want to Create a New Mailbox. In the Create New Mailbox dialog box, enter the name of the server on which the database is to be created and the database title. You can use the filename that is created from the database title, or you can create a new one. Click OK. 11. If you are using a server-based certification authority, you must enter

the following console command to start the CA process with the new recovery information, or refresh it if it is already running: load ca

12. Enter this console command to process the request to add recovery

information to the certifier: tell adminp process all

The CA process is discussed briefly later in this chapter.

Making User ID Files Recoverable If the administrator performs the preceding steps before registering users, a copy of every user ID is mailed to the mail-in database every time a user is registered. The new user ID automatically contains the recovery information inherited from the certifier ID with which it was registered. If there were user ID files that existed within the company before recovery information was specified for the certifiers, then those ID files must be

285 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

updated with the new recovery information, and a copy of the ID must be mailed to the mail-in database. This process involves both the administrator and the user. The administrator must initiate a mailout that exports the new recovery information to each user. Then, the user must accept the recovery information and mail a copy of their ID file back to the database. The administrator performs the following steps to send recovery information to the user: 1. From the Domino Administrator, click the Configuration tab, and then

click Certification. Click Edit Recovery Information. 2. In the Choose a Certifier dialog box, if the correct server name does

not appear, click Server and select the registration server name from the Domino Directory. 3. Choose the certifier for which you are creating recovery information.

If you are using a server-based certification authority, click Use the CA Process and select a certifier from the drop-down list. If you are not using a server-based certification authority, click Supply Certifier ID and Password. If the certifier ID path and filename do not appear, click Certifier ID and select the certifier ID file and enter the password. 4. Choose Export, and then enter the certifier ID’s password twice 5. Complete the To field with the names of the users whose ID files you

want to update and back up, and enter a Subject and Body with instructions for the user (or accept the default instructions); then click Send. The user completes the following steps to accept recovery information in the ID file: 1. After the administrator sends the recovery information, open the mes-

sage in the mail database. 2. Choose Actions, Accept Recovery Information from the menu bar, and

then enter the password for the ID file. Domino automatically sends the encrypted backup ID file to the mail-in database specified by the administrator. The backup ID is encrypted with the administrator’s public key. You can store multiple copies of the ID file in the centralized mail or mailin database. Domino creates a new document every time an ID file is backed up. When attempting to recover an ID file, you should use the most recent backup. If this fails, you can try to use the older versions.

286 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Recovering an ID File If a user loses or damages an ID file or forgets a password, the user can work with administrators to recover the ID file from backup. Some of the recovery steps are performed by the user, whereas others are performed by the administrator. The user completes the following steps: 1. Contact the administrator to obtain the password(s) needed to recover

the ID. The recovery password is randomly generated and unique to each recoverable ID file and administrator. If the user can’t access the user ID file, the administrator must provide the user with a copy of the backup ID from the mail-in database. Then, the user can proceed with recovery to unlock the password, if necessary. 2. When the user first logs in to Notes and the Password dialog box

appears, do not enter the password; simply click OK. 3. Click Recover Password in the Wrong Password dialog box. 4. Select the user ID file to recover in the Choose ID File to Recover

dialog box. 5. Enter the password(s) given to you by your administrator(s) in the

Enter Passwords dialog box, and repeat until all passwords have been entered, at which time the user is prompted to enter a new password for the user ID. 6. Enter a new password for the user ID, and confirm the password when

prompted. The user should immediately replace all backups and copies of the user ID file with the newly recovered user ID file; otherwise, the user will need to perform the recovery steps for each copy of the ID, which is time-consuming.

The administrator performs the following steps: 1. When contacted by the user, detach the encrypted backup of the user’s

ID file from the mail or mail-in database to the local hard drive. 2. If the user’s ID file is damaged, send a copy of the ID file from the

centralized mail or mail-in database to the user. 3. From the Domino Administrator, click the Configuration tab, and

choose Certification, Extract Recovery Password.

287 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . 4. Enter the password to the administrator’s ID file. 5. Specify the ID file you want to recover. This is the same ID you

detached in Step 1. 6. Give the user the recovery password that is displayed. Users and administrators usually exchange the recovery password over the phone, because users who can’t access their ID files also can’t access their mail.

Managing User Passwords Administrators can manage user passwords by enabling a feature called password verification so that a Notes user can authenticate with a server only after providing the correct password that is associated with the user ID. If an unauthorized user obtains an ID and learns the ID’s password, the authorized owner of the ID can immediately change the password thus preventing the unauthorized user from continuing to use the ID with the old password to authenticate with servers. The next time the unauthorized user tries to use the ID with the old password to access a server, the server verifies the password, determines that the password entered does not match the new password, and denies the unauthorized user access to the server. Also, if the administrator sets up password verification, he can require users to change the passwords on their IDs on a regular basis. As the time for the required password change approaches, a prompt appears to remind the user to change the password. When users change the password, the current ID and Person document are updated with the new password. If a user has multiple ID files, the user must change the password in each of them to match the new password. Each time a user changes a password, the user must specify a unique password. Notes keeps a record of up to 50 passwords that have been previously used. If the administrator enables password history checking through the use of a Security Settings document, he can configure the number of new passwords that must be used before a given password can be reused. Password verification during authentication will not work for Internet users because they do not have Notes user IDs (unless their Notes and Internet passwords have been synchronized).

288 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Password verification relies on the Administration Process to update documents in the Domino Directory. When you enable password verification for a user, the Administration Process creates a “Set Password Information” request in the Administration Requests database. This request enables password-checking by entering values in the Check Password, Required Change Interval, and Grace Period fields in the Administration section of the user’s Person document. The first time the user logs onto a server that requires password verification, the Administration Process generates a “Change User Password in Domino Directory” request in the Administration Requests database. This request enters a corresponding password digest in the Password Digest field in the Administration section of the Person document. It also records the date the user provided the password in the Last Change Date field in the Administration section of the Person document. To authenticate with servers that are enabled for password verification, the user must provide the password that corresponds to the digest. From that point forward, when a user changes a password, the Administration Process generates a new “Change User Password in Domino Directory” request in the Administration Requests database. This request updates the Password Digest and Last Change Date fields in the Person document. Administrators can enable password verification through the use of a Security Policy Settings document, which allows them to enable this feature for multiple users, or they can enable password verification for individuals using the Domino Directory. Administrators also have the option of locking out a user’s ID, which prevents the user from authenticating with the server. To enable password verification for individual users, perform the following steps: 1. Ensure that password verification is enabled on the servers with which

the users authenticate. This setting is enabled on the Server document, Security tab, Security Settings section, Check Passwords on Notes IDs field. 2. From the Domino Administrator, click People & Groups. 3. Select each Person document for which you want to enable password

checking. 4. Choose Actions, Set Password Fields, and then click Yes to continue. 5. In the Check Notes Password field, select Check Password. 6. Complete the following fields, and then click OK:

289 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ Required Change Interval—Enter the length of time, in days, that a

password can be in effect before it must be changed. The default is zero. ➤ Allowed Grace Period—Enter the length of time, in days, that users

have to change an expired password before being locked out. The default is zero.

Using the ICL and the CRL Instead of managing ID files using the Domino Administrator client and traditional certifier ID files, administrators can set up a Domino certifier that uses a server task, the CA process, to manage and process certificate requests. The CA process runs as an automated process on Domino servers that are used to issue certificates. When setting up a Notes or Internet certifier, administrators can link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers. The CA process offers the following advantages: ➤ Provides a unified mechanism for issuing Notes and Internet certificates. ➤ Supports the registration authority (RA) role, which you use to delegate

the certificate approval/denial process to lower-echelon administrators in the organization. ➤ Does not require access to the certifier ID and ID password. After you

enable certifiers for the CA process, you can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password. ➤ Simplifies the Internet certificate request process through a Web-based

certificate request database. ➤ Issues certificate revocation lists, which contain information about

revoked or expired Internet certificates. ➤ Creates and maintains the Issued Certificate List (ICL), a database that

contains information about all certificates issued by the certifier. ➤ Is compliant with security industry standards for Internet certificates; for

example, X.509 and PKI.

290 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Issued Certificate List (ICL) Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to the CA process. The ICL is a database that stores a copy of each unexpired certificate that it has issued, certificate revocation lists, and CA Configuration documents. Configuration documents are generated when you create the certifier and sign it with the certifier’s public key. After you create these documents, you cannot edit them. CA Configuration documents include the following: ➤ Certificate profiles, which contain information about certificates issued

by the certifier. ➤ CA Configuration document, which contains information about the cer-

tifier itself. ➤ RA/CA association documents, which contain information about the RAs

who are authorized to approve and deny certificate requests. There is one document for each RA. ➤ ID file storage document, which contains information about the certifi-

er ID. Another CA Configuration document, the Certifier document, is created in the Domino Directory when you set up the certifier. This document can be modified. For the purposes of the exam, it’s important to remember that the CA process is an alternative way to manage ID files. Learn what the acronyms ICL and CRL mean, and don’t confuse them with other Domino terms such as ICM, which stands for Internet Cluster Manager, and has nothing to do with the CA process. We could create an entire chapter on how the CA process works; instead, this exam simply requires you to have an understanding that the process exists as an alternative to the traditional certifier ID management system, and assumes that you understand the basic terms and concepts involved in the CA process.

Certificate Revocation List (CRL) A Certificate Revocation List (CRL) is a time-stamped list identifying revoked Internet certificates; for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier’s ICL database. A copy of the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication.

291 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended. Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is, therefore, no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on Domino, you can also enable CRL-checking for each protocol. There are two kinds of CRLs: regular and nonregular. For regular CRLs, you configure a duration interval—the time period for which the CRL is valid— and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued.

Setting Up and Configuring Server Access This particular topic was covered extensively in Chapter 6. We take the time here to offer a condensed version of the points made in that chapter, to refresh your memory. For a complete description of each point, you may want to read through this section of Chapter 6 again. An administrator can configure the following settings to control access to the Domino server: ➤ Secure the Server Console—The administrator can password-protect the

server console to force administrators to know the console password to enter console commands. After the console has been password-protected, administrators can’t use the Load, Tell, Exit, Quit, and Set Configuration server commands until they enter the password. Console security remains in effect until the password is cleared by entering a second Set Secure command with the same password.

292 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Restrict Administrator Access to the Server—You can specify various access

levels for different types of administrators in your organization. For example, you might want to give only a few people high administrative access, whereas all of the administrators on your team are designated as database administrators. Administrators are listed either as individuals or as members of groups in the different administrator fields on the Security tab of the Server document located in the Domino Directory. The different types of administrators are as follows: full-access administrators, administrators, database administrators, full remote console administrators, view-only administrators, and system administrators. ➤ Allow and Deny Access to the Server Through Fields on the Server

Document—To control user and server access to other servers, Domino uses the settings specified on the Security tab in the Server document. The following fields control access to the server: ➤ Access Server—Lists groups and individuals who are authorized to

access the server. If the Access Server field is left blank, all users and servers that can authenticate can access the server. ➤ Not Access Server—Lists users, servers, and groups who are denied

access to the server. The default value for this field is blank, which means that all names entered in the Access Server field can access the server. Remember that names entered in the Not Access Server field take precedence over names entered in the Access Server field. For example, if you enter a group name in the Access Server field and enter the name of an individual member of this group in the Not Access Server field, the user will not be able to access the server. Typically, the Domino administrator lists a Deny Access group in this field to deny access to servers within the company for people who have left the company. See the discussion about groups and group types later in this chapter.

➤ Create Databases and Templates—Lists specific servers, users, and

groups who are allowed to create databases with the File, Database, New command. Typically, this capability is restricted to administrators or designers. The default value for this field is blank, which means that all users can create new databases. ➤ Create New Replicas—Lists specific servers, users, and groups who

are allowed to create replicas using the File, Replication, New Replica command. The default value for this field is blank, which means that no one can create new replicas.

293 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ Create Master Templates—Lists specific servers, users, and groups

who are allowed to create Master Design templates. Servers, users, and groups who cannot create new databases or replicas on the server cannot create or update templates. The default for this field is blank, which means that no one can create Master Design templates on the server. ➤ Control Access to a Specific Network Port—Administrators can use a port

access list to allow or deny Notes user and Domino server access to a specific network port. If the administrator uses both a port access list and a server access list, users and servers must be listed on both to gain access to the server. Access to a specific port is controlled using server NOTES.INI settings: Allow_Access_portname = names Deny_Access_portname = names

Troubleshooting Common Server Access Problems This section is worth repeating from Chapter 6, to remind you of the different scenarios that illustrate situations in which users and servers can have difficulty accessing Domino servers. The following sections illustrate these potential problems. Each section lists a common error resulting in a server access problem and documents the solutions to those problems.

The Administrator Can’t Enter Commands at the Server If an administrator can’t run the workstation program on the server, run standalone server programs, or use the Load, Tell, or Set Configuration commands, the console has likely been password-protected. The administrator needs to use the Set Secure command at the console or use the Domino Administrator client to clear the password. The administrator must know the password to clear it. An administrator might also fail to enter commands at the console because he isn’t listed as an administrator in the Administrator fields in the Server document, or he might be listed as a view-only administrator, with limited access to enter console commands.

294 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Users Can’t See a New Server in the List of Servers If users can’t see a new server when they try to add, create, copy, or replicate a database, the administrator should make sure that the Domino Directory contains a Server document for the new server and that the information in the document is accurate and correctly spelled. If no Server document exists, the administrator should register the new server and ensure that the Server document gets added to the Directory and then replicated to other servers in the domain. If a Server document exists and contains accurate information for the new server, the administrator can check the log file on both the user’s home server and the inaccessible server to see if there are network problems.

The Server Is Not Responding The message “Server not responding” might appear when you install a client or try to open any database on a particular server. Here are some strategies for resolving this problem, listed in the order in which they should be attempted: 1. Check that the Domino server and the network are running. 2. Check whether the server has been renamed or recertified. When a

user tries to open a database on a server that has been recertified or renamed, the message “Server not responding” might appear. 3. If the client and server are using NetBIOS, make sure that the protocol

is configured properly and that it’s running on the workstation and server. The workstation and the server must use the same version of NetBIOS, and the server must be enabled for sufficient NetBIOS sessions.

Adding Security to an Application This section describes the many security features that can be used to secure an application. Some of these features are actually implemented by designers as opposed to administrators; however, in order for administrators to support and troubleshoot application access, they must have a basic understanding of most database security features. The exam tests your ability to remember which element is controlled by each security feature. Pay special attention to the features that involve design elements, such as agents, view access, and form access.

295 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Designing a Secure Application—Security Versus Deterrence An application developer can further restrict access to design elements within an application using the Domino Designer. Application design security takes effect once users gain access to an application. Some of these design features provide true security to the application by restricting access to data. Other features conveniently manipulate the user interface to “hide” certain parts of the interface, without actually restricting access to that element. The first technique provides true security, whereas the second technique deters the user from finding the information easily. The following is a list of true security features, with a brief explanation of what each feature does and how it is configured. Some of these features are explored in more depth later in the chapter. ➤ Read Access Lists for Forms—On the Security tab of the Form Properties

box, designers can specify which Notes and Internet/intranet users can read documents created with a specific form. When this property is enabled, a $Readers field is created on the document, storing the name of the creator or editor of the document. The $Readers field acts in the same way as the Readers field—it controls read access to the document. If a user, group, or role is listed in the $Readers field, only that user, group, or role can read the document. Figure 11.2 shows the Security tab of the Form Properties box.

Figure 11.2 The Form Read Access List on the Form Properties box.

➤ Readers fields—Designers can add a field of type Readers to control read

access to the document. If a user, group, or role is listed in the Readers

296 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

field, only that user, group, or role can read the document. If the Readers field is empty, then everyone can read the document. ➤ Authors fields—Designers can add a field of type Authors to control edit

access to the document. If a user, group, or role has Author access in the ACL and is listed in the Authors field, only that user, group, or role can edit the document. If the Authors field is empty, then only someone with Editor access or higher in the ACL can edit the document. Users with Editor access and above can always edit documents, and are not affected by the Authors field. ➤ Signed fields—Designers can enable signing on a field to verify that the

Notes user who originated the data is the author and that no one has tampered with the data. When the document is saved, a digital signature is generated from the ID file of the user saving the document, and stamped in the Signed field. ➤ Encrypted fields—Designers can control read access at the field level with

encrypted fields. For a field value to be encrypted, the designer must enable encryption for that field, and must apply an encryption key to it. He must then distribute the key to every user who must encrypt and decrypt the data in the encrypted field(s). ➤ Edit Access Lists for Sections—Designers can use controlled-access sections

to control a section of fields on a document for editing. To edit the fields in a section, a user must be in the authorized editors list for that section. The following settings serve to conveniently manipulate the user interface to deter the user from finding information, but the techniques do not secure the information from the user: ➤ Read Access Lists for Views—Designers can control who has access to a

view using a View Read Access List, located on the Security tab of the View Properties box. The view access list restricts access to the view itself, not to the documents in the view. If a user can’t find the documents in the view, he can build himself a private view to see the documents. A view access list conveniently hides certain views from some users. ➤ Hidden fields—Designers can control which Notes and Internet/intranet

users can view data in a document or page. Hiding is used extensively by designers to selectively show and hide text, buttons, actions, and so forth. This convenient manipulation of the user interface allows designers to present data for different clients based on different conditions, but

297 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

hiding does not secure the data. If a user can read a document, he can view the contents of any field on that document using the Document Properties box. ➤ Create Access Lists for Forms—Using the Form Properties box, the design-

er has the option of choosing who can use the form to create documents. This list of creators conveniently prevents unauthorized users from using the form to enter document data; however, if the user has at least Author access to the database, he can add or edit documents in the database by copying and pasting or by importing, which circumvents the use of the form.

Setting Up and Configuring Agent Access Agents are design elements that automate processing within an application. Administrators generally don’t create or write agent code, but they are responsible for ensuring that agents run properly within databases on servers. The administrator controls the settings for the following: ➤ Who Can Create Agents Within a Database—The administrator can con-

trol which users get to create agents using the privileges within the Access Control List for the application. The following access levels and privileges are required to create different types of agents: ➤ Private Agents—Users need Reader access or higher and must have

the Create Private Agents privilege. ➤ Private Agents Using LotusScript and Java—Users need Reader access

or higher and must have the Create Private Agents and Create LotusScript/Java Agents privileges. ➤ Shared Agents Using Simple Actions and Formulas—Users must have

Designer access or higher. ➤ Shared Agents Using LotusScript or Java Agents—Users must have

Designer access or higher and must have the Create LotusScript/Java Agents privilege. ➤ Who Can Run Agents on the Server—To control the types of agents users

can run on a server, administrators must set up restrictions for server agents. Agent restrictions are controlled through fields on the Server document. To set up agent restrictions from the Domino Administrator, click the Configuration tab, and open the Server document. Click the Security tab,

298 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

and in the Programmability Restrictions section, complete one or more of these fields, and then save the document: ➤ Run Unrestricted Methods and Operations—Enter the names of users and

groups who are allowed to select, on a per agent basis, one of three levels of access for agents signed with their ID. Users with this privilege select one of these access levels when they are using Domino Designer 6 to build an agent: restricted mode, unrestricted mode, or unrestricted mode with full administration rights. ➤ Sign Agents to Run on Behalf of Someone Else—Enter the names of users

and groups who are allowed to sign agents that will be executed on anyone else’s behalf. The default is blank, which means that no one can sign agents in this manner. ➤ Sign Agents to Run on Behalf of the Invoker of the Agent—Enter the names

of users and groups who are allowed to sign agents that will be executed on behalf of the invoker, when the invoker is different from the agent signer. This setting is ignored if the agent signer and the invoker are the same. This is used currently only for Web agents. The default is blank, which means that everyone can sign agents invoked in this manner. ➤ Run Restricted LotusScript/Java Agents—Enter the names of users and

groups who are allowed to run agents created with LotusScript and Java code, but excluding privileged methods and operations, such as reading and writing to the file system. Leave the field blank to deny access to all users and groups. ➤ Run Simple and Formula Agents—Enter the names of users and groups

who are allowed to run simple and formula agents, both private and shared. Leave the field blank to allow all users and groups to run simple and formula agents, both private and shared. ➤ Sign Script Libraries to Run on Behalf of Someone Else—Enter the names of

users and groups who are allowed to sign script libraries in agents executed by someone else. For the purposes of backward compatibility, the default value is to leave the field empty, to allow all. Unrestricted Java and LotusScript agents can potentially violate security because of the potential for the code to access the file system. Only a limited number of trusted users should have unrestricted rights.

It’s important to understand how agent restrictions are applied as well as whose access rights are checked when the agent is run in the system. For

299 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

exam purposes, read these next few paragraphs carefully, as this topic is often misunderstood because it crosses over into the realm of Domino design. Domino checks the server security restrictions in the Server document differently depending on whether the agent is ➤ Running locally or on the server ➤ Started from the Web or the Notes client

Local Agents An agent runs locally during the following conditions: ➤ It runs within a Notes client database. ➤ You choose “Local” from the “Run on” list for a scheduled agent. ➤ A user starts the agent from the Actions menu in the Notes client, from

the Agent, Run menu in Designer, from the “When Documents Have Been Pasted” trigger, or from calling the agent by agent.run. When an agent runs locally, Notes does not check security restrictions, unless you have set the Enforce ACL option. To enforce a consistent ACL, refer to the topic “Securing Applications with Consistent ACLs” later in this chapter.

Server-based Agents An agent runs on the server when it is running in a database stored on a server and it is started by one of the following agent triggers: ➤ Before new mail arrives ➤ After new mail arrives ➤ If documents have been created or updated ➤ On any schedule ➤ Called by an agent via agent.runonserver (the agent being called must

reside on the server) If the agent is running on a server, Domino checks all security restrictions.

Agents Running from the Notes Client or the Web Client Agents run in the Notes client or on the Web based on the rights of the effective user. The effective user’s rights determine what the agent can accomplish within the database.

300 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The effective user depends on the environment in which the agent runs. When a user runs an agent from the Notes client, the agent runs with the rights of the effective user, which is the current user ID. For example, Joe Smith/Acme runs an agent in a database POLICIES.NSF. Joe has Reader access to the database. The agent code calls a method that edits all of the documents in the database. When Joe invokes the agent, his access rights are checked within the database ACL, and because he has only Reader access, no documents will be changed by the agent. A scheduled agent runs with the access rights of the person who last saved the agent, also known as the signer. The designer has the option to override the agents signer by specifying that the agent should run on behalf of someone else, as per the name listed on the Security tab of the Agent Properties box. When a Web user runs an agent, the agent also runs using the rights of the effective user. However, you can set up the agent so that Domino checks the invoker’s rights to access the database instead of the effective user’s rights. Checking the invoker’s rights can provide more security. To have Domino verify the invoker’s access to the database, click on the Security tab of the Agent Properties box and enable the Run as Web User check box. When Run as Web User is checked, Domino prompts Web users for their name and password when they attempt to run the agent. Domino uses the login information to check for the invoker’s rights in the database ACL. The exam will likely test your ability to recognize when an agent is run using the rights of the invoker, as opposed to the rights of the signer of the agent. Watch for questions that outline a scenario whereby the signer of the agent doesn’t have enough access to execute the agent code in the system, either in the database ACL or in the agent restrictions in the Server document.

Monitoring and Maintaining Agents Whenever an agent won’t run, administrators can check the Agent log to see when the agent last ran and whether it completed. For additional information, they can check the server console or the Miscellaneous events in the log file (LOG.NSF) for messages from the Agent manager.

Logging for Agents in LOG.NSF To enable agent logging in the log file (LOG.NSF), edit the NOTES.INI file to include the Log_AgentManager setting, which specifies whether or not the start of agent execution is recorded in the log file and displayed on the server console. It’s important to monitor the server console or log for information from the Agent manager because error and warning messages are generated by the Agent manager on behalf of the agent.

301 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Using Agent Server Console Commands Administrators can use the following server commands to troubleshoot agents: Tell amgr schedule

This command shows the schedule for all agents scheduled to run for the current day. In addition, the command shows the agent trigger type, the time the agent is scheduled to run, the name of the agent, and the name of the database on which the database runs. Tell amgr status

This command shows a snapshot of the Agent manager queues and displays the Agent manager settings in the Server document. Tell amgr debug

This command displays either the current debug settings for the Agent manager or lets you set new ones. When using this command to set debug values, you can use the same flags used by the Debug_AMgr command in the NOTES.INI file.

Reviewing the Agent Log The Agent log is a view in a database that shows the last time an agent ran and describes if the agent completed or not. To review the Agent log, follow these steps: 1. In the database, choose View, Agents. 2. In the Design view that lists all the agents, choose the agent. 3. Choose Agent, Log.

Activity Logging Administrators can monitor agent activity using activity logging. Agent activity logging generates a record for each Domino server-based agent that runs successfully. The record shows the name of the agent, the name of the database that contains the agent, the amount of time it took to run the agent, and the name of the person who last saved the agent. The record does not show the types of activities the agent performed. Domino does not generate activity logging records for agents that run on a Web server, for agents that you run manually from a client, or for agents that are scheduled to run locally on a client.

302 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Activity logging is configured by editing the Configuration Settings document. To edit the document, follow these steps: 1. From the Domino Administrator, click the Configuration tab; then

expand Server and click Configurations. 2. In the Results pane, select the Configuration Settings document you

want, and click Edit Configuration. 3. On the Configuration Settings document, click the Activity Logging

tab. 4. Select Activity Logging Is Enabled. 5. In the Enabled Logging Types field, select the types of activity you

want to log and click Save & Close.

Setting Up and Configuring Database Access Using the ACL Every database has an Access Control List (ACL) that specifies the level of access that users and servers have to that database. Only someone with Manager access can create or modify the ACL. Although the names of access levels are the same for users and servers, those levels assigned to users determine the tasks that they can perform in a database. Those assigned to servers determine which information within the database the servers can replicate.

To control the access rights of Notes users, select the access level, user type, and access-level privileges for each user or group in a database within the ACL by choosing File, Database, ACL. Access levels assigned to users in a database ACL control which tasks users can perform in the database. Accesslevel privileges enhance or restrict the access level assigned to each name in the ACL. For each user, group, or server added in the ACL, you select the user type and access level in the User Type and Access drop-down lists. To further refine the access, you select a series of access privileges by selecting or deselecting the various check boxes located on the right side of the Basics tab of the ACL. If the application designer created roles, assign them to the appropriate users, groups, or servers listed within the ACL. Here is a listing of the seven access levels in the ACL, from lowest to highest, along with a brief description of what each level means:

303 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . . ➤ No Access—Denies access to the database. The error message that

appears to the user is “You are not allowed to access this database.” The exception to the No Access level is the Public Access level. If the designer of the database creates Public Access forms and documents are created with these forms, the documents are marked as Public. Anyone in the ACL with Public Access can read or write Public documents. The Public Access level is granted by checking the Read or Write Public Documents check box in the ACL. This technology is used in the mail database where Calendar documents get marked as Public documents so that access to those documents can be controlled separately from access to mail messages. Be careful when selecting the Public access option—you should check with the database designer to see if Public Access forms were used in the database so that access to those documents can be properly set in the ACL.

➤ Depositor—Allows the writing or adding of documents only. Users can-

not read, edit, or delete documents, with the exception of Public documents. ➤ Reader—Allows the reading of documents only. Users cannot add, edit,

or delete documents. ➤ Author—Allows users to read documents and to edit documents in

which they are listed in an Authors field (see the topic later in this chapter regarding Authors fields). Optionally, users may create or delete documents. ➤ Editor—Allows the creating, reading, and editing of all documents. This

is the highest level of access to the document data, but does not grant access to Design documents or to the ACL. ➤ Designer—Includes all the rights of Editors, as well as access to create,

edit, and delete all Design documents in the database, such as forms, shared views, navigators, and so on. ➤ Manager—Includes all the rights of designers, as well as the ability to

modify the ACL and delete the database from the server using the client user interface commands (File, Database, Delete).

Securing Applications with Consistent ACLs Administrators can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops by enforcing a consistent ACL. Selecting this setting on a replica whose server has Manager access to other replicas keeps the Access Control List the same across all server replicas of a database. If a user replicates a database locally, the database ACL recognizes that user’s access because it is known to the server and enforces the access on the local

304 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

replica. If a consistent ACL is not enforced, then the user has Manager access to their local replica. Enforcing a consistent Access Control List does not provide additional security for local replicas. To keep data in local replicas secure, users should locally encrypt the database.

To enforce or disable a consistent Access Control List for multiple databases, administrators should perform the following steps from the Domino Administrator: 1. Click the Files tab, and select one or more databases from the Domino

data directory. 2. Click Tools, Database, Manage ACL, and then click Advanced. 3. Select the Modify Consistent ACL Setting option. 4. To enforce a consistent ACL, select Enforce a Consistent Access

Control List Across All Replicas of This Database. 5. To disable a consistent ACL, select Do Not Enforce a Consistent

ACL. 6. Click OK.

Securing Applications with Roles Roles are one of the most misunderstood topics in the Domino system. In Chapter 6, we discussed roles within the Domino Directory. In this chapter, we discuss roles in general, within any application. A database designer typically uses roles to assign special access to database design elements and database functionality. A role defines a set of users and/or servers. Roles are similar to groups that you can set up in the Domino Directory; however, unlike groups, roles are specific to the database in which they are created. It’s important to remember that a role isn’t always associated with a security element; a role may simply be used to selectively hide or show information. To successfully use roles within a database, these three steps must be followed: 1. The role must be created within the database ACL—Roles are typically cre-

ated in the ACL by either the administrator or the designer. You must have Manager access to the database to create roles. To create a role,

305 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

choose File, Database, Access Control, and then click Roles. To create a role, click Add, and type a name for the role. Follow a similar process to rename or delete roles with the Rename and Delete buttons, and then click OK twice. 2. The role must be assigned to entries within the ACL—After roles have been

created, someone with Manager access must assign the role to groups, people, or servers within the ACL. To assign a role, select an entry in the ACL and place a check mark next to the role name in the lowerright corner of the ACL dialog box. 3. The role name must be referenced by the designer within the application

itself—Designers can use the role in dozens of ways within the application. They can use the role name to restrict access to forms, views, and documents; they can use the role to hide text and buttons; and they can use the role name in code to calculate who is a member of a certain role in order to restrict functionality within the database. For administrators to understand how to assign roles to entries in the ACL, the designer should provide documentation to indicate how the role was used within the application. Without the documentation, the administrator must guess at how the role works, or must start digging into the design of the application himself to see where the role is referenced. It’s important to note that there are no predefined role names within Domino. There is no functionality that is inherently associated with the role name itself. For example, if a designer creates a role called “Supervisor” and assigns that role to his own name or to a group within the ACL, he hasn’t accomplished anything with the role. Only when the designer then references the role name within the design elements of the application does the role take on any significance. When referencing role names through code, designers must enclose the role name within square brackets; for example, “[Supervisor].” On the exam, don’t confuse roles with groups. Groups are defined within the Domino Directory, and can be referenced from any database or application within the domain. Roles are defined and referenced within a single database. Roles have no scope beyond the current database. For example, if a role called “ProductMgr” was created in POLICIES.NSF, that role could not be referenced through code by the designer within another database called PRODUCTS.NSF. Watch out for exam questions that try to trick you into thinking that roles are able to control functionality across databases.

Securing Applications with Authors Fields and Readers Fields The designer uses Authors and Readers fields to control access to individual documents within the application. Authors fields are used to control who can

306 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

edit a document for those users listed with Author access in the database ACL. Readers fields are used to control who can read a document, and apply to all levels of access within the ACL. Authors and Readers fields were covered in detail in Chapter 6. Refer to “Securing Applications with Authors Fields” and “Securing Applications with Readers Fields” in Chapter 6 for a complete explanation of these two topics.

Troubleshooting User Access Problems Users can encounter many problems when attempting to access Domino resources. In this section, we highlight several access control scenarios that will likely be similar to those presented in questions on the exam. Rather than memorizing each scenario, you should try to understand the reason behind the user problems, and be able to articulate how to solve the problem. Some of these same scenarios were also presented in Chapter 6.

Users Report That They Can’t Access the Database There are several things that might prevent a user from accessing an application: ➤ The server storing the database may be temporarily down—In this case, the

administrator must troubleshoot why the server is down or unavailable and restart it or fix the networking problem that may be causing the access problem. ➤ Users don’t have the appropriate access to the server—If the user is encoun-

tering the error “You are not authorized to access the server,” he is likely being denied access to the server. The administrator should check the Server document, Security section for that server to check the values in the Access Server and Not Access Server fields. ➤ Users don’t have the appropriate access in the database ACL—Administrators

should check the database ACL to make sure users have the necessary access to the database. ➤ The server is continuously updating a full-text index and is too busy to service

requests for data access—If a database is large and active, database performance can be slow if the server updates a full-text index too frequently.

307 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Administrators can change the full-text index update frequency and time, if necessary.

Users Can’t Find a New Server in the List of Servers If users can’t find a new server when they try to add, create, copy, or replicate a database, administrators should ensure that the Domino Directory contains a Server document for the new server and that the information in the document is accurate and correctly spelled. If no Server document exists, create one and then make sure that the new Server document replicates to all servers in the domain. If a Server document exists and contains accurate information for the new server, check the log file on both the user’s home server and the inaccessible server to see if there are network problems.

Users Complain That They Can’t Seem to “See” All the Documents in the Database If users cannot locate or read documents in a database, they likely have been excluded from reading a document because they aren’t listed in the Readers field for those documents. If the user needs to be able to read certain documents, that user needs to find out how to get added to the Readers field— likely through the use of a role or group.

A User Complains That He Can’t Edit a Document That He Created in the Database If a user has Author access in the database and cannot edit a document that he originally created, that user likely isn’t listed in an Authors field on that document. The user should look at the database documentation or consult with the designer or manager of the database. Perhaps the database has been architected to prevent users from editing their own documents for business reasons that support the business rules for the application. Or, perhaps the designer has omitted the Authors field by mistake, in which case the designer will need to add an Authors field to the form(s) and run agents in the database to populate the Authors fields on existing documents. When the user’s full hierarchical name has been stored in the document, that user should be able to edit that document.

308 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Users Complain That They Can’t Create Agents in the Database If a user can’t create agents in a particular database, the administrator should check the database ACL to see if the user has the access level required to create agents in that database. To create personal agents, a user must have at least Reader access to the database, with the Create Private Agents privilege enabled. To create shared agents, a user must have at least Designer access. If the designer wants to create agents that use either LotusScript or Java code, the Create LotusScript/Java Agents privilege also must be enabled.

Users Complain That They Don’t Have the Correct Access Level Within the Database It’s possible to assign users or servers more than one level of access to a database. The following list describes access level conflicts and resolutions. ➤ A name is listed in an ACL individually and as a member of a group—The

access level assigned to the individual name takes precedence over the access level for the group, even if the individual access level is lower than the group level. ➤ A name is included in two or more groups—The name receives the access of

the group with the highest access. ➤ A name appears in an ACL and in access lists associated with forms, views, or

sections—The ACL controls database access; design element access lists refine this access to a lower level. For example, if a user has Author access to a database but is not listed in the access list for a form in the database, the user cannot use the form to create a document. You’ll likely encounter exam scenarios that test your ability to understand the preceding bullet points. To summarize, remember that a user always gets the access associated with their individual name in the ACL, if listed as an individual, or the highest of the group access levels, if they are listed in more than one group. The highest of group access rules applies even if one of the groups is granted No Access. Don’t confuse the Domino ACL security rules with other products with which you may have experience. For example, in the Microsoft world, the No Access level takes precedence over all others—not so in Domino.

309 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Exam Prep Questions Question 1 Which of the following options must be enabled in the client’s browser for session-based authentication to be successful? ❍ A. Cookies ❍ B. ICM ❍ C. JavaScript ❍ D. Java

Answer A is correct. Domino session-based authentication requires that requesting browsers be able to support and accept cookies. The cookies are used to track users’ sessions.

Question 2 Which of the following options can provide security for a user who has had their ID file and password stolen? ❍ A. No security option in Domino can prevent someone from using a stolen ID file if they know the password to that ID. ❍ B. Enabling the StolenIDFile server task. ❍ C. Enabling the Compare Digital Certificates option on the Server document. ❍ D. Enabling the Check Passwords on Notes IDs option on the Server document.

Answer D is correct. The Domino administrator can enable password verification so that a Notes user can authenticate with a server only after providing the correct password that is associated with the user ID. If an unauthorized user obtains an ID and learns the ID’s password, the owner of the ID can use password verification to change the password and prevent the unauthorized user from continuing to use the ID to authenticate with servers.

310 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 3 John designed a view within an application with a view access list that restricted access to the view. Which of the following describes who can access the view in the application? ❍ A. Only users listed in the view access list ❍ B. Only users listed in the database ACL with at least Reader access, who are also listed in the view access list ❍ C. Only users with Designer access in the ACL ❍ D. Only users with at least Author access in the ACL, who are also listed in the view access list

Answer B is correct. Adding usernames to a read access list for a view design element limits the view to being available for only those users. Users must also have at least Reader access in the database ACL to see the view. A view access list can never grant access to a view for a user who doesn’t have at least Reader access to the database; view access lists can only refine, not enhance a user’s database access level.

Question 4 Monty, the Domino administrator for Acme Company, was asked to recover a password from an ID file that was backed up with recovery information within his mail-in database of user ID files. Which of the following keys did Monty use to decrypt the password for the ID file, thereby generating the required unlocking key for the user? ❍ A. The user’s private key ❍ B. The user’s public key ❍ C. The administrator’s private key ❍ D. The administrator’s public key

Answer C is correct. Each user’s Notes ID file contains a recovery password that is randomly generated and encrypted with the administrator’s public key. The administrator must then decrypt the password with his private key.

311 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Question 5 Susan is listed in the ProductEditors group in the Domino Directory. The ProductEditors group is listed in the ACL of PRODUCTS.NSF with Editor access. Susan is complaining that she has only reader access to the database. Which of the following could explain why she doesn’t have Editor access? ❍ A. The ACL of the database has become corrupted. ❍ B. Susan is listed in another group in the ACL with Reader access. ❍ C. Susan is listed in the ACL as an individual with Reader access. ❍ D. None of the above.

Answer C is correct. The access level assigned to the individual name takes precedence over the access level for the group, even if the individual access level is lower than the group level. Answer B isn’t correct because the user would always get the highest of group access if she was listed in more than one group.

Question 6 Rick is listed in both the Access Server field and the Not Access Server field in the Server document for ServerA/Acme. What will happen when Rick tries to access a database on ServerA? ❍ A. Rick will be allowed to access the server. ❍ B. Rick will be denied access to the server. ❍ C. The ACL of the database will determine whether Rick can access the server. ❍ D. It is not possible to save the Server document with the same name in both the Access and Not Access fields.

Answer B is correct. The Not Access Server field takes precedence over the Access Server field. If someone is denied access to the server, the database ACL for the database he is trying to access is never checked.

312 Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 7 Sylvie, a designer, is trying to decide whether to hide some text on a form by referencing either a group name or a role name. Which of the following statements about groups and roles is true? ❍ A. Both groups and roles are defined within the database ACL. ❍ B. Both groups and roles are defined within the Domino Directory. ❍ C. Roles are defined within the Directory, whereas groups are defined in the database ACL. ❍ D. Groups are defined within the Directory, whereas roles are defined in the database ACL.

Answer D is correct. Groups are created and maintained within the Domino Directory. Roles are database specific—they are created and assigned within the database, and have context for that one database only.

Question 8 Susan created a document in PRODUCTS.NSF but now she cannot seem to edit the document. She has confirmed that she has Author access in the ACL. She wants to be able to edit all of the documents that she creates in the database. Which of the following best describes what the problem is? ❍ A. Susan’s name was not included in a Readers field on the document. ❍ B. Susan’s name was not included in an Authors field on the document. ❍ C. Susan should have been granted Editor access to the database in order to edit her own documents. ❍ D. None of the above.

Answer B is correct. Authors fields control editing for users listed with Author access in the database ACL. If Susan was grated Editor access in the ACL, she would be able to edit every document in the database.

313 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security . . . .

Need to Know More? Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm.com/. For references to security, consult Chapter 10, “Security.” Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, IN: Que Publishing, 2003. Policy-based System Administration with Domino 6:

www-10.lotus.

com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf81 00256be9005b7d35?OpenDocument.

Lotus Domino 6 Technical Overview:

www-10.lotus.com/ldd/

today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b 00782950?OpenDocument.

For references to security, consult the section “New Security Features.” Accessing and Protecting the File System:

www-10.lotus.com/ldd/

today.nsf/f01245ebfc115aaf8525661a006b86b9/a115026680fd744985256b34 000f4c1b?OpenDocument.

Webcast: Lotus Live! Series: What’s New in Notes/ Domino 6 Administration: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html.

Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/ webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

PART III Exam 622 12 Managing Non-Notes and Notes Clients 13 Setting Up Server Monitoring 14 Managing Servers 15 Managing Users and Groups 16 Monitoring Server Performance 17 Resolving Server Problems 18 Resolving User Problems

12 Managing Non-Notes and Notes Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Smart Upgrade kits ✓ Incremental installers ✓ Policy documents ✓ HTTP server task

Techniques you’ll need to master: ✓ Applying policy documents to new users ✓ Setting up browser clients ✓ Setting up version reporting and updating client software

318 Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Lotus has provided multiple options for accessing the Domino server. Users can access the server by using a Domino client or by using a Web browser if the Domino designer has Web-enabled the application. This chapter discusses accessing the server using a Web browser.

Applying Policy Documents to New Users A policy document is a form that is used to define a set of standards and settings. Domino policy documents are used to regulate how users can access the system and perform specific functions. Policy documents are applied to new users when they are registered. Policy documents can be changed after they are assigned and will then be applied to all policy users. All clients and servers participating in policy document deployment must be running a minimum of version 4.67a or greater or directory replication errors will occur.

Policy documents that can be applied to users include ➤ Archiving—Defines policy settings related to the user’s ability to archive

mail. ➤ Desktop—Enforces consistent client settings. If a client setting is changed

and then the workstation logs out of the server, the settings are reset the next time the user logs into the server. ➤ Registration—Implements these policies when a new user is created dur-

ing registration. ➤ Setup—Enforces settings in the client’s location document. ➤ Security—Defines password management and ECL setup.

Types of Domino policies available are ➤ Explicit policies—Use this type of policy when specific groups or users in

the organization need specific access; explicit policies define their access. Use this policy when making changes to users already defined in the domain. ➤ Organizational policies—Use this type of policy when specific settings are

required for users in a specific organization.

319 . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . .Non-Notes . . . . . .and . . Notes . . . Clients . . . .

Setting Up Browser Clients Browser users access the Domino server using one of the following approved Internet clients: ➤ Microsoft Explorer 5.5 or greater ➤ Netscape Navigator 4.7 or greater

To allow browser clients to access the server, the following steps must be performed by the Domino administrator: ➤ The HTTP server task must be running on the server. Make sure that

HTTP is either configured to launch in the Notes.ini file or is manually loaded using the “Load HTTP” command at the console. ➤ Decide how users will find the server with the browser client. Using a

TCP/IP address is discouraged; the maintenance required to inform users when an IP address has changed is time-consuming and prone to errors. Establish a defined DNS name and provide the address to the users for server access. Select the type of access you will require for users, HTTP or HTTPS, and configure it as required. ➤ Using the Administrator client, open and configure the following docu-

ments: ➤ Web Server Configurations—Verify that the Basics tab is correctly

configured with all domain and Internet information pertinent to your network infrastructure requirements. ➤ Internet Sites—Select Web, IMAP, POP3, LDAP, SMTP Inbound,

or IIOP types to configure, based on the requirements of the communications protocol in place for the Internet site. ➤ File Identifications—Edit as needed; this is similar to Windows file

type association. ➤ Edit user’s Internet password in their Person document as needed. If the

user does not have an Internet password, create one. If a password exists and the user does not know it, change the password and inform the user of the new password. When studying for the exam, make sure that you are aware of the browser requirements as well as the protocols that are available for setting up the server. Be certain to spend time actually examining the configuration documents and how they can be set up based on the requirements of the deployment. The author has attempted to capture the information that could be presented regarding configuring a server for HTTP access, but based on the complexity of the configurations, real-world experiences in setting up various configurations are important aids to preparing for the exam.

320 Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Setting Up Version Reporting and Updating Client Software Policy documents and configuration documents can also be used to update workstation clients and provide version control. IBM Lotus Notes Smart Upgrade monitors users as they log in and then alerts users when an upgrade is available. As client upgrades become available, Smart Upgrade will instruct the user that they need to upgrade their client software and guide them through the process. The following steps allow an administrator to use the Smart Upgrade utility: 1. Create a database with the Domino Administrator client using the

database template Smupgrade.ntf. 2. Complete the Smart Upgrade Database Link field on the Basics tab of

the server configuration document, specifying the database name. 3. Smart Upgrade kits, or incremental installers, are available at the Lotus

Developer Domain Web site. The kits are used by administrators to allow users to update their Domino workstation client to a more current version than they are currently running. The first step in making the kit available to users is to download the latest available kit and save it to the server. 4. After downloading and extracting the file, create a Smart Upgrade

database using the supplied template. In the Smart Upgrade database, create and configure a kit document and attach the upgrade kit using the paperclip icon on the Data tab. 5. Open the desktop policy settings document and modify the Basics tab,

specifying the client release version to upgrade and the upgrade deadline date. If necessary, modify a master policy document that will assign users and groups to the desktop policy document. After these steps have been completed and a user accesses his home server, the Smart Upgrade utility checks the client version that accessed the server and compares it with the release version specified in the kit document of the Smart Upgrade database. If all conditions are met regarding security restrictions, the user is prompted to upgrade the client. If a user refuses to upgrade the client and the grace period is reached, an Update Now button appears and the client must be upgraded or access to the server is denied.

321 . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . .Non-Notes . . . . . .and . . Notes . . . Clients . . . . To prepare for possible exam questions related to the Smart Upgrade utility and kit documents, take time in your development environment to download the files and run an upgrade. At a bare minimum, download the files and read the documentation related to the steps and processes involved in running the utility and study these steps.

322 Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 What version of Domino is required for clients and servers to participate in policy documents deployment? ❍ A. 5.x only ❍ B. 6.x only ❍ C. 3.x or greater ❍ D. 4.7 or greater

Answer D is correct. All clients and servers participating in policy document deployment must be running a minimum of version 4.67a or greater or directory replication errors will occur. However, not all policies will work with clients not running version 6, so testing is required to ensure compatibility.

Question 2 What database template is used to create the Smart Upgrade database? ❍ A. Upgrade.ntf ❍ B. Datakit.ntf ❍ C. StdNotesKits.ntf ❍ D. Smartkit.ntf

Answer C is correct. The template used for the Smart Upgrade database is Smupgrade.ntf.

Question 3 What is another name for the Smart Upgrade kit? ❍ A. Upgrade deployment database ❍ B. Incremental installer ❍ C. Smart kit installer ❍ D. Client maintenance release

323 . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . .Non-Notes . . . . . .and . . Notes . . . Clients . . . .

Answer B is correct. Smart Upgrade kits are also known as incremental installers.

Question 4 What is the purpose of the archiving policy? ❍ A. Automatically backs up mail across the entire domain ❍ B. Allows an assigned delegate to back up another user’s mailbox ❍ C. Defines policy settings related to a user’s ability to archive mail ❍ D. Saves copies of all system documents in a central storage database to assist with disaster recovery

Answer C is correct. Archiving defines policy settings related to the user’s ability to archive mail.

Question 5 What happens if the grace period during which a user can upgrade his or her client expires? ❍ A. Nothing, the user can continue to operate as before, but only has reader access. ❍ B. The user is refused access to the server. ❍ C. The server shuts down as a security control to prevent unsecured access. ❍ D. The user is presented with an Update Now button and must select it before they can proceed.

Answer D is correct. If a user refuses to upgrade the client and the grace period is reached, an Update Now button appears. The client must be upgraded or access to the server is denied.

Question 6 When setting up the server to allow Internet browser access, which of the following fields is valid on the Internet Sites tab? ❍ A. IIS ❍ B. NNTP ❍ C. MMC ❍ D. IMAP

324 Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer D is correct. Web, IMAP, POP3, LDAP, SMTP Inbound, or IIOP are the available fields to configure on the Internet Sites tab.

Question 7 How is the upgrade kit added to the Smart Upgrade database? ❍ A. Using explicit policy documents ❍ B. Using the Update task ❍ C. Using the paperclip icon on the Data tab ❍ D. Installing and running a setup program available for download at www.notes.net

Answer C is correct. In the Smart Upgrade database, you create and configure a kit document and attach the upgrade kit using the paperclip icon on the Data tab.

Question 8 Which server process must be running in order for Web clients to access the server? ❍ A. Fixup ❍ B. Compact ❍ C. HTTP ❍ D. Web loader

Answer C is correct. The HTTP task must be running on the server.

325 . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . .Non-Notes . . . . . .and . . Notes . . . Clients . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

13 Setting Up Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ EVENTS4.NSF ✓ STATREP.NSF ✓ Event Monitor ✓ Agent view ✓ Log_AgentManager ✓ Event generators ✓ Event handlers ✓ Agent logging

Techniques you’ll need to master: ✓ Creating event generators ✓ Creating event handlers ✓ Enabling agent logging ✓ Identifying mechanisms for collecting server information ✓ Starting the Statistics Collectors task

328 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Creating Event Generators Event generators are used to gather information about tasks or statistics on the server using probes defined by the administrator. Domino uses events to determine when a server task is in need of attention. The database EVENTS4.NSF is used to define which system tasks will be monitored and at what point a system alarm is generated. The Domino administrator defines the threshold state for each event. The Event Monitor watches the system and sends events to the database as they occur. When the threshold is reached, the action that is defined for that event is executed. If an event takes place and no event generator is defined, no action takes place. The Event Monitor loads automatically when the server starts. In previous versions of Domino, the Event Monitor was known as the Event task.

Event generators can be defined to monitor the following: ➤ Database—Database space and access as well as replication history are

monitored. ACL changes are also recorded. ➤ Domino server—Network health, including port status, is monitored. ➤ TCP server—TCP services are monitored and statistics are generated

reporting response time for the running services. The time is recorded in milliseconds. ➤ Mail routing—Statistics are reported stating the time required to route a

mail message. The time is recorded in seconds. ➤ Statistics—Specified Domino statistics are monitored. ➤ Task status—Specified Domino tasks are monitored. Be sure that you know and understand all the event generators and event handlers available to the administrator. One or more of them will probably be addressed in the exam and they are key to troubleshooting and tuning system performance.

329 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting . . . . Up . . Server . . . . Monitoring . . . . . .

Creating Event Handlers Event handlers are used to determine what task will occur when an event is triggered. EVENTS4.NSF includes predefined events that can be used to monitor the server, but the most efficient use of the handler task is when an administrator defines events specific to the domain they are monitoring. An administrator may decide to just log events and then maintain them weekly, or he may decide to be alerted immediately when an event occurs so that he can resolve the issue. The EVENTS4.NSF database includes a wizard that assists administrators in creating the following event handlers: ➤ Event Handler Wizard—Creates a new event handler that generates a

notification when a specified event occurs ➤ Database and Statistic Wizard—Creates an event generator that fires

when something happens to a server or database ➤ Mail Routing and Server Response Wizard—Creates an event generator

that generates statistics or fires an event based on the availability of a resource ➤ Troubleshooting Wizard—Identifies some common configuration errors in

the EVENTS4.NSF database and suggests possible resolutions Event handlers can also be created by using the Domino Administrator, navigating to the Configuration tab, and selecting the Monitoring Configuration, Event Handler view. Each event has a Basics, Event, and Action tab that must be completed.

Enabling Agent Logging If a database contains agents, it has a view called the Agent log. The purpose of this view is to show the last time an agent ran and if there were errors or if the agent was successful. To view the Agent log, select View, then Agents from the menu to see the Agent view. The Agent view lists the agents in a single location so that the administrator can verify that the correct agents are enabled and defined on the system. Right-click the agent, and select log from the menu to see the run history. Agent logging can be enabled for the LOG.NSF database by including the Log_AgentManager setting in the Notes.ini file. The miscellaneous view in the server log may also have messages detailing problems that agents are experiencing. This allows agent

330 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

results to be recorded in the LOG.NSF database as well as displaying results on the server console. The following commands can be issued at the server console to assist in agent troubleshooting: ➤ Tell amgr schedule—Displays the agent schedule. Administrators can

check the agents that are scheduled to run and reschedule them for a different time when the server is not overloaded with requests to improve server performance. ➤ Tell amgr status—Displays an agent status report. The status report per-

mits administrators to determine if agents are running properly and if they are executing at the proper time. ➤ Tell amgr debug—Displays the agent debug setting. This setting allows

administrators to examine the debug settings used to troubleshoot failing agents.

Identifying Mechanisms for Collecting Server Information In addition to event generators and event handlers, Domino provides other methods that allow an administrator to gather information about the health of a server. For instance, executing a show server command from the server prompt on a test server displays the following information: Server name: R6Test/R6TestOrg—R6Test Server directory: C:\r6server\data Partition: C.r6server.data Elapsed time: 21:57:45 Transactions/minute: Last minute: 0; Last hour: 0; Peak: 86 Peak # of sessions: 2 at 07/26/2003 02:28:55 PM Transactions: 357 Max. concurrent: 20 ThreadPool Threads: 40 Availability Index: 100 (state: AVAILABLE) Mail Tracking: Not Enabled Mail Journaling: Not Enabled Shared mail: Not Enabled Number of Mailboxes: 1

331 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting . . . . Up . . Server . . . . Monitoring . . . . . .

Pending mail:0 Dead mail: 0 Waiting Tasks: 0 Transactional Logging: Not Enabled Fault Recovery: Not Enabled Activity Logging: Not Enabled Server Controller: Enabled This is a typical example of tasks running on a new server with the default tasks running. This list can vary based on the tasks that have been launched by server tasks or manually by an administrator. Server information can also be found in various databases on the server, including these ➤ Domino log ➤ Statistics database ➤ Events database

Tools available on the server to provide information on demand include ➤ Server monitor ➤ Mail-in statistics ➤ Paging

Starting the Statistics Collectors Task Statistics are gathered on the Domino server using the Statistics Collector task. In previous versions of Domino, this was known as the Collector task, but it still functions in the same manner. The Collector task can gather data for a single server or multiple servers in the domain. The default database used by the Collector task is STATREP.NSF. Using the Administrator client, select the Configuration tab and follow these steps to create a Server Statistic Collection document: 1. Select the Server Statistic Collection view in the Monitoring

Configuration panel. 2. Select the server and then click New Statistics Collection.

332 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3. Select the Collecting server on the Basics tab and then select the server

to be collected. The valid selections are ➤ All servers in the domain. ➤ All servers that are not explicitly listed to be collected. ➤ “From the following servers” multiple servers can be selected with

this view. 4. Select the Options tab. This page allows the administrator to define

which database will be used to collect the statistics, the interval and alarm time, and the available filters. 5. Click Save & Close after configuration is complete. Lotus has provided events, agent logging and monitoring, and statistics gathering as tools to assist an administrator in troubleshooting server and performance issues. When studying for the exam, be sure that you are aware of the options available and have created event handlers in your development environment.

333 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting . . . . Up . . Server . . . . Monitoring . . . . . .

Exam Prep Questions Question 1 Which database is used to define the system tasks that are monitored? ❍ A. LOG.NSF ❍ B. STATREP.NSF ❍ C. EVENTS4.NSF ❍ D. R6EVENTS.NSF

Answer C is correct. The database EVENTS4.NSF is used to define which system tasks will be monitored and at what point a system alarm is generated.

Question 2 Which database is used by the Collector task? ❍ A. DOMLOG.NSF ❍ B. COLLECT.NSF ❍ C. STATREP.NSF ❍ D. STATCOLLECT.NSF

Answer C is correct. The default database used by the Collector task is STATREP.NSF.

Question 3 What does the command Tell amgr schedule perform? ❍ A. Generates an agent schedule diagram ❍ B. Displays the agent schedule ❍ C. Tells the agent manager to shut down as scheduled ❍ D. Clears the agent schedule and resets the counters

Answer B is correct. The command schedule.

Tell amgr schedule

displays the agent

334 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 4 Which of the following selections can be monitored by event generators? Choose all that apply. ❑ A. User client versions ❑ B. Database space ❑ C. Network health ❑ D. Domain search index age

Answers B and C are correct. Database space and access, replication history, and network health, including port status are monitored.

Question 5 What Notes.ini setting must be set to enable agent logging in the LOG.NSF database? ❍ A. AGENT_Logging=True ❍ B. Log_AgentEnable ❍ C. Agent_Manager=1 ❍ D. Log_AgentManager

Answer D is correct. Agent logging can be enabled for the LOG.NSF database by including the Log_AgentManager setting in the Notes.ini file.

Question 6 What does the command Tell amgr status do when executed at the server prompt? ❍ A. Routes all administrative mail to the Adminmail.box database ❍ B. Displays an agent status report ❍ C. Stops the agent manager status task ❍ D. Instructs the agent manager to poll all servers for user login status

Answer B is correct. When the command Tell amgr status is executed at the server prompt, an agent status report is displayed on the screen.

335 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting . . . . Up . . Server . . . . Monitoring . . . . . .

Question 7 Which of the following system tasks is used to collect statistics? ❍ A. StatCollect task ❍ B. Collection task ❍ C. Statistics Collector task ❍ D. Statrep Demand task

Answer C is correct. Statistics are gathered on the Domino server using the Statistics Collector task.

Question 8 What is the purpose of the Troubleshooting Wizard? ❍ A. Identifies common configuration errors in the EVENTS4.NSF database ❍ B. Identifies common configuration errors in the STATREP.NSF database ❍ C. Suggests problem resolutions for the LOG.NSF database ❍ D. Analyzes white space errors in database and informs administrators when to execute the compact command

Answer A is correct. The Troubleshooting Wizard identifies some common configuration errors in the EVENTS4.NSF database and suggests possible resolutions.

336 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

14 Managing Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Transaction logging ✓ Activity logging ✓ Policy documents ✓ Administrator access ✓ Network names ✓ Directory deployment configurations

Techniques you’ll need to master: ✓ Analyzing activity data ✓ Applying policy documents to existing users ✓ Automating server tasks ✓ Changing administrator access ✓ Changing server access ✓ Configuring Domino network names ✓ Creating security policies ✓ Decommissioning a server ✓ Defining a backup process ✓ Defining Domino domains ✓ Enabling transaction logging ✓ Identifying a registration server ✓ Identifying supported protocols ✓ Implementing distributed and centralized directories ✓ Recertifying a server ID ✓ Searching for server references in a domain ✓ Setting up authentication with other Domino organizations

338 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Analyzing Activity Data The key to analyzing data on a Domino server is the ability to log the information. This process is known as activity logging. To set up activity logging on the Domino server, follow these steps: 1. Select the Configuration tab on the Domino Administrator. 2. Select the Server tab and select Configurations in the task pane. Select

Edit Configuration in the results pane to open the document. 3. Open the Activity Logging tab and select the Activity Logging Is

Enabled check box to open the selection criteria available for the Activity Logging tab. 4. Select the enable logging type to be logged. Valid selections include ➤ Domino.AGENT ➤ Domino.HTTP ➤ Domino.IMAP ➤ Domino.LDAP ➤ Domino.POP3 ➤ Domino.SMTP.Session ➤ Domino.SMTP.Message ➤ Domino.Notes.Database ➤ Domino.Notes.Passthru ➤ Domino.Notes.Session ➤ Domino.REPLICA ➤ Domino.MAIL 5. Select a time for the checkpoint interval (choose either Log

Checkpoint at Midnight or Log Checkpoint for Prime Shift). If Log Checkpoint at Midnight is selected in step 5 of the procedure for setting up activity logging on the Domino server, the session activity for the selected options will be added to the log at midnight. If Log Checkpoint for Prime Shift is selected, the session activity for the selected options will be logged at the start and the end of the work shift.

339 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . . 6. Select the Activity Trends tab, and then select the Basics tab (see

Figure 14.1). 7. In the Activity Trends Basic Configuration section, select the Enable

Activity Trends Collector check box. 8. In the Activity Trends Collector Database path, enter the name of the

database to be used. The default name is ACTIVITY.NSF. 9. Enter the time to run the task in the Time of Day to Run Activity

Trends Collector field. 10. Select the days of the week to run the task. 11. In the Activity Trends Data Profile Option section, “Use Defaults” is

selected by default. Deselecting the Use Defaults check box provides the following options: ➤ Trends Cardinal Interval ➤ Observation Time Bucket Seconds ➤ Maximum Observation List Size ➤ Trends History Interval

Figure 14.1 The Activity Trends tab is used to determine when the collector will gather information.

340 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12. Select the Retention tab. To change the default retention period, dese-

lect the Use Defaults check box and change the retention time. 13. Select the Proxy Data tab. A free form box is available to enter a list of

databases that can be searched for activity data when requested by Administrator clients. 14. Click Save & Close when all selections have been made.

After the document has been saved, navigate to the Server tab in the Administrator client, navigate to the Analysis tab, and select Analyze from the Tools pane on the right. After the Analyze tab has been opened, select Activity to open the Server Activity Analysis dialog box (see Figure 14.2). Select the activity types to log (all are selected by default) and the start and end dates. The final step is to select the log database (if you plan to use anything except for the Activity Analysis database). Click OK to save your changes. The Activity Analysis database opens automatically so that collected data can be viewed.

Figure 14.2 The Server Activity Analysis dialog box is used to select the activity types to log. Policy documents make management of the Domino domain easier and provide consistency when multiple administrators are involved. Be sure that you understand how policy documents are created and the types available when studying for the exam.

341 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Applying Policy Documents to Existing Users Policy documents are used to regulate how users can access the system and perform specific functions. Policy documents can be changed after they are assigned and the modified documents will then be applied to all policy users. All clients and servers participating in policy document deployment must be running a minimum of version 4.67a or greater or directory replication errors will occur.

Policy documents that can be applied to users include ➤ Archiving—Defines policy settings related to a user’s ability to archive

mail. ➤ Desktop—Enforces consistent client settings. If a client setting is

changed and then the workstation logs out of the server, the settings are reset the next time the user logs into the server. ➤ Registration—Implements these policies when a new user is created dur-

ing registration. ➤ Setup—Enforces settings in the client’s location document. ➤ Security—Defines password management and ECL setup.

Types of Domino policies to consider include ➤ Explicit policies—Use this type of policy when specific groups or users in

the organization need specific access; explicit policies define their access. Use this policy when making changes to users already defined in the domain, such as when making changes to groups. ➤ Organizational policies—Use this type of policy when specific settings are

required for users in a specific Organizational Unit (OU), such as when making changes to a department. Policies can be assigned to existing users by editing the Person document. To change policies, a user’s ACL level needs to be set to at least Editor, or Author level with the UserModifier role assigned. Navigate to the Administration tab and complete the Policy Management section to assign policies to the user. Click Save & Close to update the Person document.

342 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Policies can also be added to users and groups by using the Administrator client. Select the People & Groups tab and under the Tools pane, select either People or Groups and click Assign Policy. Make the desired changes and then click OK to make the change.

Automating Server Tasks Server tasks can be automated in one of two ways, either by assigning them in the Notes.ini file to run when the server starts or by creating a program document. Compacting databases or running system utilities are examples of programs used in Program documents. To create a Program document, open the Domino Administrator and navigate to the Configuration tab. Select Servers, Programs, and select Add Program. Complete these fields on the Basics section of the Basics tab: ➤ Program Name ➤ Command Line ➤ Server to Run On ➤ Comments (used to assist the administrator to define the purpose of the

Program document) The Basics tab also has a section where the Schedule is defined. The valid fields in this section are ➤ Enabled/Disabled ➤ Run at Times ➤ Repeat Interval of ➤ Days of Week

Select the criteria needed for this document and click Save & Close. Entering Show Schedule at the server prompt shows all tasks, including programs that are enabled on the server. Lotus has broken the Domino Administrator out from a single user to multiple users that have varying access to perform different tasks. To prepare for the exam, study the different types of administrators and test them in your development environment.

343 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Changing Administrator Access Domino allows for multiple levels of administrators. They include ➤ Full access administrator—All levels of access to the system, including

operating system and Domino system configuration access. This is the highest level of access available on the Domino system. ➤ Administrator—Access at this level is the same as a database administra-

tor and full-console administrator access. ➤ Full console administrator—View-only access to the Domino Console.

This level of administrator is not able to make changes to the system configuration. ➤ System administrator—Limited to the restrictions of operating system

administrator only Administrator access, or defining how an administrator can change server configurations, is set using the Domino Administrator client. Select the Configuration tab, and then open the Server document. Navigate to the security page and add or change users to groups as needed. Full access administrators, administrators, and database administrators have full access to delete databases even if they are not explicitly listed as managers in the ACL of the database. Take care when defining these users to ensure that only properly authorized users are able to delete databases.

Full access administrators can be prevented from accessing the server by adding the line SECURE_DISABLE_FULLADMIN=1 in the Notes.ini file. This does not act the same as a deny user list, however, and if a user is explicitly defined in the Domino Directory or a database with specific access, that setting will override the setting in the .ini file. Options for setting up full access administrators include ➤ Generate a full admin ID file that can only be used by full access admin-

istrators. ➤ Generate a certifier ID with OU-level full administrator access and cer-

tify users. ➤ Don’t assign anyone and only add users to the Full Access Administrator

field as needed.

344 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding how users and servers access the Domino domain is key for anyone studying to be a certified administrator. As you prepare for the exam, be sure that you understand how to change server access and the access control types that are available.

Changing Server Access Server access is enabled by completing the information in the Server Access section on the Security tab of the Server document. Modification of the fields on the Security tab allow an administrator to change access to the server. Available server access control types include ➤ Access Server—This field is used to define users and groups who can

access the server. ➤ Not Access Server—This field defines users and groups who are prohibit-

ed from accessing the server. This field is typically used for users who have left the company or may have been moved to a different Domino domain. ➤ Create Database & Templates—This field defines users who can create

new database and template files and can also execute copy commands. ➤ Create New Replicas—This field defines users who can create new replicas

of databases or template files. ➤ Create Master Templates—This field defines users who can create master

templates. Master templates have a template name defined in the database properties. If this field is left undefined, no users will have the ability to create master templates. ➤ Allowed to Use Monitors—This field defines users and groups who are

permitted to use monitors on the server. ➤ Not Allowed to Use Monitors—This field defines users who cannot use

monitors on the server. ➤ Trusted Servers—This field defines which servers can access the server.

Configuring Domino Network Names A Notes named network is a group of servers that have the same network name and use the same port type to communicate. The network name is used

345 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

to identify these servers as a group. Domino network names are defined on the Ports tab of the Server document. To create a Notes named network, complete the information on the Notes Network Ports tab under the Notes Network section. The default name for networks is Network1, but this can be changed during registration or by editing this field. The maximum allowable networks are 31. Servers in the same Notes network can route mail without requiring Connection documents.

Creating Security Policies Policy documents are used to maintain consistent standards in the domain. Security policy documents are used to maintain execution control lists and password data on Notes and Internet passwords. Editor access to the Domino directory and PolicyCreator and PolicyModifier roles are required to create security policies. To create a security policy, follow these steps: 1. Using the Administrator client, navigate to the People & Groups tab

and select the Settings view. 2. Select the Add Settings button in the main view and choose the

Security option from the drop-down list. The Basics tab will now be displayed. 3. Complete the Name and Description fields on the Basics tab. 4. Navigate to the Password Management tab. Change these settings as

needed based on the configuration for the server: ➤ Allow users to change Internet password over HTTP ➤ Update Internet password when Notes client password changes ➤ Check Notes password ➤ Enforce password expiration ➤ Required change interval ➤ Allowed grace period ➤ Password history ➤ Required password quality 5. Navigate to the Execution Control List tab and complete these steps as

required for the specific server configuration: ➤ Admin ECL—Select Edit to used a predefined Admin ECL setting

or select New to create a new set of criteria to be used.

346 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Update Mode—Choose Refresh or Replace. ➤ Update Frequency—Choose When Admin ECL changes, Once Daily,

or Never. 6. Complete the desired changes, and then click Save & Close to save the

document.

Decommissioning a Server A server is decommissioned when it is no longer needed in the domain or when the users and databases are being consolidated to another server and the server is being permanently retired. Domino uses a tool called the Decommission Server Analysis tool to assist administrators in determining the impact on removing a server from the domain. When the tool is run, a database is generated that compares the existing server with the new server, so that the administrator has an idea what needs to be changed on the new server to guarantee a smooth transition. However, the database is meant to be a starting point and should not be considered an all-inclusive guide for all points that should be considered when using the tool. For the Decommission Server Analysis tool to operate, both servers must be in the same domain and their hierarchical names must be consistent. You must properly prepare for the server decommissioning process. Before decommissioning a server, be certain you have taken care of the following items: ➤ Make sure that system backups are complete and verified. ➤ Verify that database formulas do not have explicit server reference infor-

mation. ➤ Update configuration information in the directory that may have the

existing server name defined in it, such as Connection and Program documents. ➤ Document all cross certificates and make sure that all certifier IDs are

available to cross certify the new server. ➤ If the existing domain has Connection documents to external domains,

be certain to notify the other domain administrators of the planned change. ➤ Notify users of the change. ➤ Verify that all protocols and named networks are set up correctly.

347 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . . ➤ Be certain that both servers contain matching databases with the same

replica ID. ➤ Verify that all mail routing configuration information is correct and in

place. When you have verified that all of the preceding tasks have been performed, you can run the Decommission Server Analysis tool. Be sure that administrator access is properly defined on both the source and target servers. If the access is not defined properly, the decommission process may fail or the report may not contain the correct information.

Complete the following steps to run the Decommission Server Analysis tool: 1. Using the Administrator, select the Server tab and then choose the

Analysis tab. 2. Navigate to the Tools pane and Analyze tab. Select Decommission

Server. 3. A dialog box appears. Verify that the source server to be commissioned

is correct. 4. Select the target server that will replace the existing server. 5. The default name for the Results database is DECOMSRV.NSF. If the

name of the database needs to be changed, select the Results Database button and select a new database. 6. The default setting for writing to the database is Append. Using this

setting, if an existing database is in place, the tool will write the information to the end of the database. If Overwrite is selected, new results will be created and the previous information will be deleted. 7. Select OK to use these settings and continue with the analysis.

When the tool has completed the analysis, the database should open to the Reports view. Examine the reports and correct any discrepancies before completing the decommissioning of the server.

Defining a Backup Process Domino is versatile in that it provides two ways to back up your data. The typical method of backups can be used, such as tape or digital media, or

348 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

transaction logging can be used. When using a traditional version of backing up the server, you should consider the following: ➤ Verify that the backup utility can back up open files. Domino keeps the

LOG.NSF,NAMES.NSF,MAIL.BOX, and the server ID file open at all times. If the backup software being used will not backup open files, create a Program document that will stop the server, run the backup routine, and then restart the server to make sure these files are archived. ➤ Keep an archived version of the server ID file, administrator ID files,

and all certifier IDs stored in a secure location. ➤ Maintain an up-to-date copy of the Domino Directory on a local work-

station.

Defining Domino Domains Domains are defined by creating Domain documents. Multiple document types are available based on the requirements needed to route mail. The following types of documents are available: ➤ Adjacent domain document—This document is used to route mail between

servers that are not in the same Notes named network. ➤ Nonadjacent domain document—This document serves three functions: ➤ Supplies next-hop routing information to route mail ➤ Prohibits mail from routing to the domain ➤ Provides Calendar server synchronization between two domains ➤ Foreign domain document—This document is used for connections

between external applications. A typical application used is a fax or pager gateway. ➤ Foreign SMTP domain document—This document is used to route

Internet mail when the server does not have explicit DNS access. ➤ Global domain document—This document is used to route mail to

Internet domains. Configuration information regarding message conversion rules are defined in the document.

349 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Enabling Protocols Domino supports various protocols that are enabled on the Ports tab of the server document. The following protocols can be enabled: ➤HTTP—Used for Web access ➤ IIOP—Used to allow Java code to run on the server ➤ LDAP—Used for addressing services ➤ POP3—Used to access Internet mail, typically used by clients such as

Netscape Navigator ➤ IMAP—Used to access Internet mail, typically used by clients such as

Microsoft Outlook ➤SSL—Used to provide data encryption and security

Select a protocol based on the intended use when changing the Server document settings.

Enabling Transaction Logging Transaction logging is available for Domino servers running release 5 or later and databases using release version 5 or later On Disk Structure (ODS). Database changes are sent to a transaction log database and then written later to the target database. Transaction logging offers benefits for the following system activities: ➤ Backup throughput is increased because transaction logs back up quicker

than normal databases. ➤ Disaster recovery is more complete in that data that was stored in the

transaction log can be supplemented to the full system recovery so data is not lost. Data that is stored in the transaction log file is written to the database when the log file is recovered from tape. ➤ Database views are stored in the log file so database views may not need

to be rebuilt. Although transactional logging is a form of backup, it does not replace a true archiving system, such as tape or optical media. In the event of a server crash, full system backups will be needed to recover. In addition, special backup software is required that specifically backs up the transactional log, so make sure that it is supported by the software vendor.

350 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Transactional logging also creates a unique database instance ID (DBIID) for each database. When transactions are added to the log, the DBIID is assigned so that the source database can be recorded. DBIID tags are assigned at the following times: ➤ The first time transaction logging occurs ➤ In some instances when the Compact task is executed, such as reducing

file size ➤ When fixup is used to correct a corrupted database ➤ When a database is moved to a server using transaction logging

Transaction Logging Versions You can choose from three different versions of transaction logging, including Circular, Linear, and Archived. Here are descriptions of each of these transaction logging versions: ➤ Circular—This version of logging uses up to 4GB of disk space and then

begins writing over the oldest log information in the database. The transaction log database should be backed up daily using this deployment version. ➤ Linear—This version of logging is similar to circular logging, but can use

more than 4GB of disk space. ➤ Archived—This version of logging creates transaction logs as needed.

Log files are not overwritten; they are archived. Ensure that the logs are being backed up regularly or the server might run out of disk space

Implementing Transaction Logging Transaction logging needs to be properly planned before it can be implemented. Steps to complete before implementing transaction logging include ➤ Make sure the server hardware is properly configured. Use a disk array

with at least RAID 1 support and a dedicated disk controller. ➤ Define a backup plan and use software that supports Domino servers

running transaction logging. ➤ Plan to use logging on all available databases, but remember that only data-

bases using the R5 ODS or later will be able to use transaction logging. ➤ Decide which version of logging to use (Circular, Linear, or Archived).

351 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

To set up transaction logging on the server, follow these steps: 1. Using the Domino Administrator, select the Configuration tab, select

the Server document, and then click Edit Server Document. 2. Select the Transactional Logging tab. 3. In the Transactional Logging field, select either Enabled or Disabled. 4. In the Log Path field, enter the explicit path to the transaction log

database. 5. In the Logging Style field, select either Circular, Linear, or Archived. 6. The default selection for the Use All Available Space On Log Device is

No. If you use the default selection, in the Maximum Log Space field, enter the amount of space in megabytes to be used for the transaction log database. If you select Yes in the Use All Available Space On Log Device field, the next option, Maximum Log Space, is removed as a valid selection. 7. Choose Enabled or Disabled in the Automatic Fixup Of Corrupt

Databases field. If Automatic Fixup is not enabled, administrators will need to manually perform database maintenance when errors occur. 8. In the Runtime/Restart Performance field, choose from the valid

options in the drop down menu: Favor Runtime, Standard, and Favor Restart Recovery Time. 9. In the Quota Enforcement field, choose from these valid options: ➤ Check Space Used in File when Adding a Note ➤ Check Filesize when Extending the File ➤ Check Filesize when Adding a Note 10. Select Save & Close to start transaction logging.

Identifying a Registration Server Domino uses a Registration server to define changes made to the Directory and then replicates the changes to all servers in the domain. By using a single instance of the Directory for all changes, consistency is maintained throughout the domain.

352 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A registration server is defined using the Administrator client. To do so, follow these steps: 1. Click the File menu and select Preferences. 2. Select Administration Preferences from the submenu. 3. From the available selections, click Registration. This tab allows an

administrator to select a registration server. 4. Select the Registration Server button. 5. Select the server to be used as the registration server and click OK.

Click OK again to close the Administration Preferences dialog box. The registration server is now set.

Implementing Distributed and Centralized Directories Domino provides multiple options when presenting directories in the domain. The key point to remember is that the Domino Directory is accessed by all users as well as servers, so care should be taken to ensure that user and server access is optimized for the best throughput. Three ways to provide directory access are ➤ Distributed—This method assumes that each server has a replica copy of

the directory on each server in the domain. This method is optimal when many users are on the network or the communications infrastructure may have many points of congestion. ➤ Centralized—This method uses the administration server as the central

point for the directory and configuration directories. Configuration directories host Server, Connection, and Configuration Setting documents. Typically, a second server also has these directories for disaster recovery purposes in the event that the registration server fails. ➤ Hybrid—This method uses a combination of distributed and centralized.

Local users may use the centralized directory, whereas remote users would have a local copy of the directory on their server so that bandwidth would not be an issue.

353 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Recertifying a Server ID Periodically, certificates associated with a server ID expire. When this occurs, the ID needs to be recertified. To recertify a server ID, the administrator must have either Author access to the Domino directory and the ServerModifier role assigned or Editor access to the directory. In addition, the administrator must have Author access or greater to the certification log. The following steps allow a server ID to be recertified: 1. Using the Administrator client, select the Configuration tab and select

the Server document for the server to be recertified. 2. Open the Certification tab under the Tools pane and select Certify; the

Choose a Certifier dialog box appears. 3. Click the Server button to select the Registration server and click OK. 4. In the Registration Server dialog box, choose an option to determine

how you will register the server. The options include ➤ Supply Certifier ID and Password—If you choose this option, a file

navigation box appears. This option is used if a certifier ID is used to authorize access to the domain. Navigate to the required certifier id and select OK. ➤ Use the CA Process—This option allows the administrator to recertify

the ID without having access to the certifier ID or the certifier password, by using a Certificate Authority (CA), instead. If you choose this option, use the drop-down box it provides to select a CAconfigured certifier from the ones available on the server. 5. After you’ve selected one of the two options, click OK. If Supply

Certifier ID and Password is chosen, a dialog box appears requiring the certifier password. Enter the password and click OK to continue. 6. A file navigation box appears prompting for the ID to be certified.

Select the server’s ID file and click OK; the Certify ID dialog box appears. 7. In the Expiration Date field, choose a setting to determine when the

server will need to be recertified. The default time is two years, but can be changed as needed. 8. In the Subject Name List field, type a common name for the ID if

desired (this field is optional). This is used to identify the user in the Directory.

354 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. In the Password Quality field, use the slide bar to determine the quali-

ty of password security to assign to the ID file. The default location of the slider is to the extreme left, which is No Password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. Although it is true that this is optimal for servers, each time the server is loaded, a password will be required at the console before the server will start. 10. Select Certify to continue and recertify the ID; a dialog box appears

asking if the administrator wants to certify another ID. 11. Select Yes to certify more IDs or No to exit the certification process.

Searching for Server References in a Domain Domino provides the ability to search for files across multiple servers using a tool called Domain Search. Database information that is searchable includes documents, files, and file attachments. Setting up Domain Search requires a server to be designated as the indexing server. This server creates a master index that contains all of the results from search queries run in the domain. The database that is used by Domain Search is Domain Catalog. The databases in the domain are then searched by the indexing server using a search spider. Based on the size of the domain, this task could take a few hours, a few days, or a few weeks. Indexing is an intensive task and proper consideration should be taken to make sure that the indexing server is adequately configured to handle the work. Multiple processors, disk arrays with high-speed access, and large amounts of RAM are recommended for the indexing server. Lotus recommends a dedicated indexing server if more than six servers in the domain will be participating in the Domain Search, but use this as a “rule of thumb” only based on the configuration of the domain. When a user’s search is performed, the indexing server accesses the Domain Catalog and returns search results that are valid based on the user’s access restrictions. Proper planning is the most important consideration when setting up the Domain Search. Indexing unnecessary files, such as Administration Requests databases, catalogs, and libraries, adds no value to the search and wastes space.

355 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

When setting up the Domain Search program, set the search spider to run at a time when server use is low, typically at night. Follow these steps to set up the Domain Search: 1. Create the Domain Catalog on the indexing server. Create a new data-

base using the CATALOG.NTF as the database template. 2. Using the Domino Administrator, open the Configuration tab and

select the server to be used as the indexing server. Click Edit Server to open the Server document. 3. Navigate to the Server Tasks tab, choose the Domain Indexer tab, and

select enabled for the Domain Catalog field. In the Limit Domain Wide Indexing to the Following Servers field, select the servers to add to the search. 4. Click Save & Close to save the document. 5. This task requires a server restart before it starts. Restart the server

when possible and then verify that the Directory Indexer task has started by issuing a show tasks command at the server prompt.

Setting Up Authentication with Other Domino Organizations For Domino organizations to be capable of exchanging data, they must share a common certificate. This is accomplished by using an organization certifier ID file. Cross certifying a user or server ID with an organizational certifier guarantees that both IDs have a common certificate. Domino uses two types of certifier IDs related to organizations: ➤ Organization certifier ID—The default name for this ID file is CERT.ID.

This ID file is created when the server is deployed. This ID typically includes the company name and is the highest point on the hierarchy tree. ➤ Organization unit certifier IDs—This level of organizational certifier is

typically used to delineate the next level on the hierarchy tree, usually identifying county or department names.

356 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Creating a New Organization Certifier ID To create a new organization certifier ID, follow these steps: 1. Using the Administrator client, select the Configuration tab and open

the Tools pane. Select Registration, and then click Organization from the menu; the Register Organization Certifier dialog box appears. 2. Enter the organization name and choose a country code (the latter is

optional). 3. In the Certifier Password field, enter a new password that will be

required when certifying IDs for the new organization. 4. Use the Password Quality slider to determine the quality of password

security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. Although it is true that this is optimal for servers, each time the server is loaded, a password will be required at the console before the server will start. 5. In the Security Type field, choose North American or International. 6. In the Mail Certification Requests To field, choose Administrator. 7. Optionally, add a location and comments. 8. Click Register to create the new certifier ID.

Creating a New Organizational Unit ID To create a new Organizational Unit ID, complete these steps: 1. Using the Administrator client, select the Configuration tab and select

the Server document for the server to be recertified. 2. Open the Certification menu selection under the Tools pane and select

Organization Unit; the Register Organization Certifier dialog box appears. 3. Click the Server button to select the Registration server and click OK.

You are then presented with two options: ➤ Supply Certifier ID and Password—A file navigation box appears when

this option is selected. Navigate to the required certifier ID and select OK. If you choose this option, go to step 4.

357 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . . ➤ Use the CA Process—This option allows the administrator to recertify

the ID without having access to the certifier ID or the certifier password. A drop-down box is provided to allow the administrator to select a CA-configured certifier from the ones available on the server. 4. If you chose Supply Certifier ID And Password in step 3, a dialog box

appears requiring the certifier password. Enter the password and select OK; the Register Organizational Unit Certifier dialog box appears. 5. Select the registration server, and then select the certifier ID. 6. Select Set ID file to define the location for the new certifier ID being

created. 7. Complete the Organizational field by entering a name for the new

Organizational Unit. 8. Complete the Certifier password field by entering a new password. 9. Use the Password Quality slider to determine the quality of password

security to assign to the ID file. The default location of the slider is to the extreme left, which is No Password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16. Although it is true that this is optimal for servers, each time the server is loaded a password will be required at the console before the server will start. 10. In the Security Type field, choose North American or International. 11. In the Mail Certification Requests To field, choose Administrator. 12. Optionally, enter a location and/or comments. 13. Click Register to create the new ID file.

358 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions Question 1 What role is required for an administrator to be able to recertify a server ID? ❍ A. ID Modifier ❍ B. ServerModifier ❍ C. Server ID Moderator ❍ D. Mod_Ser_Complete

Answer B is correct. To recertify a server ID, the administrator must have either Author access to the Domino directory and the ServerModifier role assigned or Editor access to the directory.

Question 2 Which of the following are valid options available when setting up activity logging? Choose all that apply. ❑ A. Domino.Agent ❑ B. Domino.IMAP ❑ C. Domino.POP3 ❑ D. Domino.SMTP.POP4

Answers A, B, and C are correct. Valid selections available when setting up activity logging include Domino.AGENT, Domino.IMAP, and Domino.POP3.

Question 3 Which of these configuration types of providing access to the Domino Directory is valid? Choose all that apply. ❑ A. Circular ❑ B. Distributed ❑ C. Decentralized ❑ D. Hybrid

359 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Answers B and D are correct. The three valid configuration types to access the Domino Directory are Distributed, Centralized, and Hybrid.

Question 4 Which of the following statements is true regarding transactional logging? ❍ A. While transactional logging is enabled, normal system backups are not required. ❍ B. Transactional logging is available for all versions of Domino running version 4.6.3 or later. ❍ C. Transaction logging requires database ODS version 5 or later. ❍ D. Any user can run transaction logging on their personal mailbox to conserve disk space.

Answer C is correct. Transaction logging is available for Domino servers running release 5 or later and databases using release version 5 or later ODS.

Question 5 What steps can be taken in the Notes.INI file to prohibit Full access administrators from accessing the server? ❍ A. Add the line SECURE_ADMINSTRATOR_LOGIN=1. ❍ B. Encrypt the NOTES.INI file with private key encryption. ❍ C. Delete the Catalog task from the Server@Run list. ❍ D. Add the line SECURE_DISABLE_FULLADMIN=1.

Answer D is correct. Adding the line SECURE_DISABLE_ FULLADMIN=1 in the Notes.ini file tells the server to ignore the Full Administrators field in the Domino Directory and explicit access for full administrators will need to be defined in database and applications.

Question 6 What versions of transaction logging allows for databases greater than 4GB in size? ❍ A. Spiral ❍ B. Circular ❍ C. Linear ❍ D. Metrical

360 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answer C is correct. Linear transaction logging is similar to circular logging, but can use more than 4GB of disk space.

Question 7 What is the default name of the database used for activity logging? ❍ A. ACTIVITY.NSF ❍ B. COLLECTION.NSF ❍ C. ACTIVITYSTAT.NSF ❍ D. ACTIVITY.LOG

Answer A is correct. The default database name used for activity logging is ACTIVITY.NSF.

Question 8 Regarding password quality, which of the following statements are true? Choose all that apply. ❑ A. Password quality is selected by choosing radio buttons with preset levels defined. ❑ B. The strongest password selection has a value of 15. ❑ C. Values are set using a slide bar. ❑ D. A value of 0 signifies no password is defined.

Answers C and D are correct. Password quality is set using a slide bar to determine the quality of password security to assign to the ID file. The default location of the slider is to the extreme left, which is no password and a value of 0. Sliding the bar to the extreme right forces a very strong password and a value of 16.

Question 9 What is the purpose of a Program document? ❍ A. Automation of server tasks ❍ B. Mail routing ❍ C. Database replication ❍ D. File purging

361 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing . . . . . . Servers . . . .

Answer A is correct. Server tasks can be automated in one of two ways, either by assigning them in the Notes.ini file to run when the server starts or by creating a Program document.

Question 10 What is the purpose of the IIOP protocol? ❍ A. Provide communications channels to IIS servers. ❍ B. Allow java code to run on the system. ❍ C. Generate SMTP mail. ❍ D. Regulate Web server authentication.

Answer B is correct. The IIOP protocol allows java code to run on the Domino server.

362 Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

15 Managing Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Group management ✓ User management ✓ Administrative process ✓ Notes ID expiration ✓ Roaming users

Techniques you’ll need to master: ✓ Changing a user’s group membership ✓ Changing a user’s location in the hierarchy ✓ Changing a user’s name ✓ Deleting groups ✓ Deleting users ✓ Extending a Notes ID’s expiration date ✓ Managing groups ✓ Modifying Person documents ✓ Moving a user’s mail file ✓ Renaming groups ✓ Setting up roaming users

364 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

This chapter covers the tasks required to manage users and groups in the Domino domain. Creating new users and setting up roaming users are key topics that are covered here and that should be studied for the exam.

Changing a User’s Group Membership When users change departments or leave the company, administrators are required to perform maintenance on the user profile to change how the user is defined in a group. Editing a group requires ACL access to the Domino Directory with one of the following defined security assignments: At least Editor with Create Documents privilege Or The UserModifier role Follow these steps to change group membership assignments: 1. Using the Domino Administrator client, navigate to the People &

Groups tab. 2. Expand the Domino Directories item and select Groups. A list of the

valid groups on the server displays in the main navigation window. Select the group that needs to be edited and then click Edit Group and open the Basics tab. 3. Do not edit the group name (the assigned name of the group) unless

absolutely necessary; changing the group name also requires changing the ACLs in databases associated with this name. The maximum length for group names is 62 characters. 4. Edit the group type by selecting from the available types, described as

follows: ➤ Multipurpose—Used for multiple types of users. Multipurpose is the

default selection. ➤ Access Control List Only—Exclusively used to maintain database and

server authentication. ➤ Mail Only—Exclusively used for mail users. ➤ Server Only—Exclusively used for Connection documents and

Administrator clients to group domain bookmarks. ➤ Deny List Only—Exclusively used for denying access to the server.

365 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . . You cannot change the group’s Category setting; Administration is the only selection.

5. If you choose to do so, you can add a description of the group to the

Description free form field. 6. In the Mail Domain field, enter the name of the mail domain used by

this group. 7. Identify the group with an Internet address by adding the address to

the Internet address field; after you have done so, the group can receive Internet mail. 8. In the Members field, add, delete, or change the names in the list of

users to define the members of the group. 9. Click Save & Close to save the group changes.

Changing a User’s Location in the Hierarchy Users may change departments or move to other company subsidiaries, requiring an administrator to change their location in the hierarchy. Moving a user changes the Organizational Unit (OU) assigned to the user, so the user ID requires recertification. Domino enables administrators to move users to other locations by using the Administration Process (AdminP). Administrators can use AdminP to change a user’s name, assign a new Organizational Unit, or add the user’s information to a completely new organization. Moving a user requires the original certifier as well as the certifier for the new location. The administrator must have the certifier and Editor access to the Administration Requests database in order to move a user. Follow these steps to move a user in the domain: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and choose the user to be changed. 2. Using the Tools pane, select People and Rename. A dialog box appears

with the following three choices:

366 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Upgrade to Hierarchical ➤ Change Common Name ➤ Request Move to New Certifier 3. To change the number of days that the old user name and information

will be honored, edit the entry option at the bottom of the Honor Old Names for Up to XX Days dialog box. The default option for this selection is 21 days, but the value can be changed to reflect a number from 14 to 60 days. 4. To move the user, click the Request Move to New Certifier button; the

Choose a Certifier dialog box appears. Choose from among the following options: ➤ Choose the Server option to select the registration server. ➤ Choose the Supply Certifier ID and Password option to use a certi-

fier ID file. A dialog box is available under this option that enables you to navigate to the ID on the server. ➤ Use the CA Process option to make the changes without having

access to a certifier ID file. 5. After you have selected one of the preceding options, click OK to con-

tinue. If you selected the option to use a certifier ID, a dialog box titled “Lotus Notes” appears requesting the password. Enter the password and click OK to continue. 6. A dialog box now allows the administrator to assign a new certifier ID.

Select the ID and click OK to continue. 7. The Rename Person dialog box appears. The Primary Name

Information displays and a check box is presented with the following text: Allow the primary name to be changed when the name is moved. This is optional, and all systems must be running Domino versions 5.04 or greater to support this option. Select OK to continue; the change is processed and a Processing Statistics dialog box appears displaying the results of the change process. 8. Click OK to close the dialog box and return to the Administrator

client.

367 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . .

Changing a User’s Name Users may also require a name change to their account information in the Domino Directory. To change a user’s name, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and choose the user to be changed. 2. Using the Tools pane, select People and Rename. In the People and

Rename dialog box, select the Change Common Name option; the Choose a Certifier dialog box appears. At the bottom of the People and Rename dialog box is the Honor Old Names for Up to XX Days option. The default option for this selection is 21 days, but the value can be changed to reflect a number from 14 to 60 days.

3. As in step 4 of the preceding list of steps (see “Changing a User’s

Location in the Hierarchy”), select an option for choosing a certifier, and then click OK to continue. If you choose the option to use a certifier ID, a dialog box appears requesting the password. Enter the password and click OK to continue. 4. The Certificate Expiration Date dialog box appears. The default set in

this box is two years from the current date. Change the date if required or leave it at the two year default and click OK to continue. 5. The Rename Person dialog box appears with fields to be completed.

Complete these fields: ➤ First Name ➤ Middle Name ➤ Last Name ➤ Qualifying Org Unit (optional) ➤ Short Name (optional) ➤ Internet Address (optional) ➤ Rename Windows NT User Account (optional) 6. After you have completed the fields required for this user, click OK.

The name change is processed and the Processing Statistics dialog box appears displaying the results of the change process. 7. Click OK to close the dialog box and continue.

368 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Deleting Groups Groups can be deleted from the Domino Directory, but only after the administrator has taken the proper steps to prepare for the deletion. Deleting a group can have extremely detrimental effects on the domain, as server and user access will change based on the group deletion. Make sure that all domain administrators and users are prepared for the deletion of the group by sending an email to the affected users before the group is deleted. Deleting a group requires an administrator to have the following access: Author access with the ability to delete documents and the GroupModifier role Or Editor access to the Directory To delete a group, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. Click Groups and select the group to be deleted; a Delete Group dialog box appears. 2. Choose from these options in the Delete Group dialog box: ➤ Delete Group’s Windows NT/2000 Accounts, if Existing. ➤ Delete Groups from This Domino Directory Immediately. 3. After selecting either of these options, click OK to delete the group.

Deleting Users Deleting a user requires an administrator to have the following access: Author access with the Create Documents access to the certification log And Author access with the ability to delete documents and the UserModifier role assigned Or Editor access to the Domino Directory The following steps should be taken to delete a user from the Domino Directory:

369 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . . 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and select the user to be deleted. 2. Select People from the Tools pane and choose Delete. The Delete

Person dialog box appears, prompting you to choose an option to determine what should happen to the user’s mail database. The available options are ➤ Do Not Delete the Database ➤ Delete the Mail Database on the User’s Home Server ➤ Add Deleted Users to Deny Access Group (optional) ➤ Delete User’s Windows NT/2000 Accounts, if Existing ➤ Delete Users from This Domino Directory Immediately 3. Complete the required selections and click OK to delete the user.

Extending a Notes ID’s Expiration Date A Notes ID’s Expiration Date is used to manage when an ID will no longer be able to access a server. Typically user ID expiration dates are set for an extended amount of time, such as ten years, so that administrators are not required to constantly recertify IDs. Extending the date on a Notes user ID requires the ID to be recertified. Complete these steps to change the expiration date of an ID: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and using the Tools pane, select People, and then select Recertify. 2. In the Choose a Certifier dialog box, choose an option (see step 4 in

stepped procedure outlined in “Changing a User’s Location in the Hierarchy,” earlier in the chapter), and then click OK to continue. If the option to use a certifier ID was selected, a dialog box appears requesting the password. Enter the password and click OK to continue. 3. The Renew Certificates in Selected Entries dialog box appears. In the

New Certificate Expiration Date field, change the date to reflect the desired expiration date and then click OK to continue. 4. The Recertify User dialog box appears showing the common name and

the qualifying org unit. Click OK to continue.

370 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5. The user ID recertification is processed and the Processing Statistics

dialog box appears displaying the results of the change process. Click OK to close the dialog box and continue.

Managing Groups Group management is used by administrators to add or delete users and servers from groups and to create new groups as needed. Group management tasks are performed using the Administrator client. To manage groups, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. 2. Click Groups and select the required group. Using the Tools pane,

select Groups, and then select Manage. The Manage Groups dialog box appears (see Figure 15.1).

Figure 15.1 Domino users, groups, or servers data types can be added or removed from groups using the Manage Groups tool.

3. To add a data type to a group, select the data type from the People and

Groups section on the left. Expand the destination group under the Group Hierarchies section on the right. Click Add to add the data type to the target group. 4. To remove a data type from a group, expand the group under the Group

Hierarchies section, select the data type to be deleted, and click Remove. 5. Click Done when finished.

371 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . .

Modifying Person Documents User management includes adding and deleting users, recertifying user IDs and moving users in the domain. The Administrator client is used for user management. The Person document contains all of the information related to the user that determines access and rights related to how the user interacts with the domain. When changes such as the name or title are made to the user’s information, the changes are recorded in the Person document. To edit the Person document, follow these steps: 1. Launch the Domino Administrator and select the People & Groups tab. 2. Click People and choose the user to be modified, and then select Edit

Person. 3. Make the changes desired to the Person document and select Save &

Close to save the changes.

Moving a User’s Mail File User mail files may need to be moved when a user changes departments or moves to another location in the country that supports his new Domino needs. Domino provides a tool that moves the user’s mail file and changes the Directory to reflect the new mail file location. To move a user’s mail file, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. Click People and using the Tools pane, select People, and then select Move To Another Server to produce the Move Users(s) To Another Server dialog box. The selected user is displayed in the dialog box along with a drop-down box used to select the destination server. 2. Choose from these available options: ➤ Move Roaming Files into This Folder on “Server Name” ➤ Move Mail Files into This Folder on “Server Name” ➤ Link to Object Store ➤ Delete Old Replicas in Current Cluster 3. Click OK to complete the process of moving the mail file.

372 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Renaming Groups Groups can be renamed using the Administrator client. Editing a group requires ACL access to the Domino Directory with one of the following defined security assignments: At least Editor with Create Documents privilege Or The UserModifier role Care should be taken when renaming a group, because renaming a group affects users and their access within the domain. In the event that a group needs to be renamed, notify the users and system administrators who communicate with the server.

Follow these steps to rename a group: 1. Using the Domino Administrator client, navigate to the People &

Groups tab. 2. Expand the Domino Directories item and select Groups. A list of the

valid groups on the server displays in the main navigation window. Select the group that needs to be edited and then click Edit Group. 3. On the Basics tab, change the name of the group and click Save &

Close to save the group using the new name.

Setting Up Roaming Users Roaming users are able to access Notes from multiple clients in the domain and retain their personal information. A roaming server is used to store the user’s files. When a user logs on to the server as a roaming user, the user’s information is retrieved from the server and presented to the user. When a roaming user makes changes, the user is replicated to the server so that the server is available when the user logs in at a later time. Roaming users are unique to Domino. In preparing for the exam, you should study the concepts surrounding how to define them. Set up roaming user configurations in a development domain to ensure that you understand all of the processes.

373 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . .

Roaming users are created during user registration. To define the settings for roaming users, follow these steps: 1. Launch the Domino Administrator and select the People & Groups

tab. 2. Using the Tools pane, select People, then select Register. A Lotus

Notes dialog box appears requiring the certifier password. Enter the password and click OK to continue. 3. The Register Person—New Entry dialog box appears. Enter the rele-

vant user information related to name and password, and then select Enable Roaming For This Person. 4. Click the Advanced button and a new menu displays on the left. Select

the Roaming tab to configure the Roaming settings; the Roaming tab is shown in Figure 15.2.

Figure 15.2 When roaming users are created, the files Personal Address, Bookmark, and Journal are also created and stored based on the settings here in the Roaming tab.

5. Complete these fields to set up Roaming: ➤ Put Roaming User Files on Mail Server, or click the Roaming

Server button to select the location to store the files. ➤ Enter the personal roaming folder in the Personal Roaming Folder

text box. ➤ Choose a subfolder format from the Sub-Folder Format drop-down

list.

374 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Create Roaming Files Now or Create Roaming Files in

Background. ➤ Roaming replicas are available if a Domino cluster is available. ➤ Select a Clean-up option from the Clean-Up Option drop-down

list. 6. Select the required options and click Done to create the roaming user. Typically, the exam may contain questions related to moving users to new servers or changing where a user may exist in the hierarchy. Be sure while studying that you understand examples of creating users and groups and that you test your understanding of the process in a development environment.

375 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . .

Exam Prep Questions Question 1 Which ACL access is required to the Domino Directory to allow an administrator to edit a group? ❑ A. Editor with the Create Documents privilege ❑ B. Editor with Document Copy privilege ❑ C. UserModifier role ❑ D. ModifyUser role

Answers A and C are correct. Editing a group requires ACL access to the Domino Directory with one of the following defined security assignments: At least Editor with Create Documents privilege Or The UserModifier role

Question 2 Which Domino task is used to move users to other servers or domains? ❍ A. Catalogger ❍ B. AdminP ❍ C. Userlocater ❍ D. Filer

Answer B is correct. Domino users are moved to other servers or domains by using the Administration Process (AdminP).

Question 3 When moving a user, which two things are required to complete the move to a new server? ❑ A. The original certifier ❑ B. The user’s public key ❑ C. A replica copy of the NAMES.NSF database ❑ D. The certifier for the new server location.

376 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Answers A and D are correct. Moving a user requires the original certifier as well as the certifier for the new server location.

Question 4 When changing a user’s name, which of the following statements is true about date expiration on the user ID? ❍ A. The default time for certificate expiration is 10 years. ❍ B. The certificate expiration time cannot be changed. ❍ C. The default time for certificate expiration is two years. ❍ D. The certificate expiration time is based on the server certificate expiration parameter.

Answer C is correct. The default time for the certificate expiration time is two years from the current date, but can be changed to any number.

Question 5 When are roaming users created? ❍ A. During nightly batch system processing ❍ B. During registration ❍ C. During NAMES.NSF domainwide replication ❍ D. During server launch

Answer B is correct. Roaming users are created during user registration.

Question 6 What does an administrator select to set up roaming for a user? ❍ A. Set Roaming=1 in the NOTES.INI file. ❍ B. Select Enable Roaming for This Person on the registration page for a new user. ❍ C. Define the group RoamingUsers in the Domino Directory. ❍ D. Set the RoamingUsers task to launch at server startup in the server’s configuration document.

Answer B is correct. Select Enable Roaming for This Person in the Register Person—New Entry dialog box.

377 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing . . . . . Users . . . .and . . Groups . . . .

Question 7 Which files are created for roaming users to retain their roaming information? ❍ A. Roamer, Filer, and Journal ❍ B. Personal Address, Bookkeeper, and Replicator ❍ C. Personal Address, Bookmark, and Journal ❍ D. Addresser, Personal Bookmarks, and Journal

Answer C is correct. When roaming users are created, the files Personal Address, Bookmark, and Journal are also created and stored based on the settings on the Roaming tab.

Question 8 Which tab in the group document is used to change the name of a group? ❍ A. The Groups Definition tab ❍ B. The Basics tab ❍ C. The IIOP tab ❍ D. The Security tab

Answer B is correct. Change the name of the group on the Basics tab of the group document and click Save & Close to save the group using the new name.

378 Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

16 Monitoring Server Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Domino console ✓ jconsole ✓ Domino Web Administrator ✓ WEBADMIN.NSF ✓ Real-time statistics ✓ Individual statistics ✓ Bundled statistics ✓ Statistics profile

Techniques you’ll need to master: ✓ Using the Domino console ✓ Using the Domino Web Administrator ✓ Viewing real-time statistics ✓ Viewing statistics with Server Monitor

380 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Using the Domino Console One of the tools available to maintain a server is the Domino console. The Domino console is an application that enables administrators to send commands to the server as if they were using the console on the server itself. The Domino console is installed when the Domino server is installed or when the Administrator client is installed. The console is a Java application and can also be loaded as a Windows Service when running Windows 2000 or Windows XP. The application provided by Lotus to run the Domino console is called jconsole. To start the Domino console manually, change to either the client or server directory and run the jconsole executable. The Domino server must be running. If you are running a server controller, the Domino console starts automatically. You can launch the console in four ways:

➤ Launch the jconsole application by selecting the program icon in the server or admin client directory when the server is already running.

➤ Create a shortcut or execute nserver --jc at the command prompt to run the server controller, the Domino server, and the console.

➤ Create a shortcut or execute nserver --jc --c at the command prompt to run the server controller and the Domino server.

➤ Create a shortcut or execute nserver --jc --s at the command prompt to run the server controller and the console.

As mentioned earlier, the Domino console enables administrators to send commands to the server as if they were using the console on the server itself. Typical commands such as show server and show tasks can be sent to the server and then are displayed in the console window. The console window also displays server events, such as Adminp processes, as they are launched. A sample console window is shown in Figure 16.1. Options available using the console’s File menu are as follows: ➤ Open Server ➤ Disconnect ➤ Show Users ➤ Show Processes ➤ Broadcast (send a message to all server users) ➤ Local Logging ➤ Start Server

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . . ➤ Stop Server ➤ Kill Server ➤ Quit Controller ➤ Refresh Server List ➤ Exit the Console Program

Figure 16.1 The console has predefined commands available via the file menu or the Commands button at the bottom of the Console.

The Commands button has the typical commands that an administrator would use to manage the server, as well as an option to create and save custom commands. You can configure the console to show a number of views, including the following: ➤ Header—Specifies the user, platform type, server name, and release

number ➤ Bookmarks—Includes the available icons Connect Local Server,

Connected Servers, and Domain ➤ Event Filter—Displays one of the following at the bottom of the console

of the events monitored: Fatal, Failure, Warning (High), Warning (Low), Normal, and Unknown

381

382 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Secure Password—Is an empty field used by the administrator to secure

the console ➤ Connected Servers—Lists the servers available to the console ➤ Domain—Provides a hierarchical graphic view of the domain structure

available to the console ➤ Debug Output Window—Launches an active debug window used for trou-

bleshooting ➤ Look and Feel—Changes the theme used to display the console window

An example of the console window displaying some of the server commands is shown in Figure 16.2.

Figure 16.2 You can use server commands to control the console view.

To stop the console, select Exit from the file menu Alt+Q. After you have selected to shut down the console, you are presented with a dialog box to either shut down the console itself or shut down the console and the server controller simultaneously. Three additional buttons are available on the Web Administrator: Logout, Preferences, and Help. Although the Domino console is a powerful tool, it is still limited in its uses. You still need either the Domino Administrator client or the Web Administrator client to maintain the server.

Using the Domino Web Administrator The Domino Web Administrator allows remote administration using only a browser client. Although the Web Administrator is essentially the same as

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

the administrator client, the navigation is slightly different, so make sure you are familiar with it. To use the Web Administrator, the following browser configurations are required: ➤ Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP and NT4 ➤ Netscape 4.7 or greater on Windows 98, 2000, XP, and NT4 ➤ Netscape 4.7 on Linux OS version 7 or later

Support for NT4 Even though Release 6 does support the Web Administrator client on NT4, you must also install the Microsoft Windows Management Instrumentation Software Development Kit (WMI SDK) before the task will work properly. We recommend migrating to Windows 2000 or XP before installing the Domino application because Microsoft support for NT4 is scheduled to expire over the next 18 months.

Access using the Domino Web Administrator is maintained by the database WEBADMIN.NSF. Make sure you are familiar with this database and the requirements needed to configure the database to facilitate proper admin access. Also note that Macintosh browsers are not supported.

Here are some keys things to remember about the differences between the Web Administrator and the Web clients: ➤ The Messaging tab on the Web client now has a task tool that enables

you to issue Tell, Start, Stop, and Restart commands on the mail server tasks. ➤ The Replication tab on the Web client also has a task tool that enables

you to issue Tell, Start, Stop, and Restart commands on the replication server tasks. ➤ The Mail tab on the Web client displays mail statistics differently than

in the administrator client. Mail routing, retrieval, DNSBL (DNS blacklist filter), and destination routing statistics are available on this tab. ➤ Server Monitor and performance charts are not available in the Web

client. AdminP, CA (Certificate Authority), and the HTTP task must all be running on the Domino server for the Web administration client functionality to operate. Additionally, the WEBADMIN.NSF database ACLs need to be configured to allow administrators to access the server.

383

384 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

When the WEBADMIN.NSF database is created, these default ACLs are created: ➤ Administrators and Full Access Administrators, the Named server, and

LocalDomainServers are set as Manager. ➤ Default, OtherDomainServers, and Anonymous are all set to No Access.

The HTTP task updates the WEBADMIN.NSF database with ACL changes generated from the modification of the Domino Directory’s Server document about every 20 minutes. You can also force an immediate update for administrator access by editing the Security tab on the Server document. Editing the ACLs in the WEBADMIN.NSF database also permits immediate access. Select a user, define the user as a manager, and then add the roles required for the mangers to have access. After the ACL access has been defined, you need to define the authentication method that will be used to access the server. The two options are to define an Internet password in the Person document or to define an SSL certificate. When you have finished the configuration, make sure that the HTTP task is running on the server and then enter the URL of your server followed by /webadmin.nsf—for example, http://r6test.test.com/webadmin.nsf, or https:// r6test.test.com/webadmin.nsf if SSL authentication is enabled. The first screen that is presented is a server status screen. This is helpful for a quick glimpse of server health, but you must access the other tabs to actually perform maintenance activities.

Viewing Real-Time Statistics To maintain a server running at peak performance, you need to monitor how tasks are being performed and issues that need attention. Domino allows for tracking of real-time statistics, which enable administrators to analyze server information as it is occurring. Real-time monitoring is set up with the Domino Administration client. A statistics profile is used to gather information about how the server is performing and possible problems that are occurring. Select the Server tab and then the Performance tab. Under Statistics Charts, select Real-Time Statistics and then click the Add button. A dialog box appears that enables you to select the domain and server, as well as the type of statistics to gather.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

This dialog box enables you to gather one of two types of statistics: individual or bundled. Individual statistics enable you to select what to monitor. As you add these statistics, they appear immediately in the Performance tab. This capability is important if you are troubleshooting a problem and need to watch the performance on a specific statistic. Bundled statistics enable you to group sets of statistics and then label them for easy access and use. Bundled statistics show only after you have given the bundle a name and clicked the OK button on the dialog box. At the Performance tab, you now can save the statistics as a statistics profile. Select the paper icon next to the Statistics Profile box and choose Save As. Enter a name and click OK to save your profile. The Add Statistics tab is shown in Figure 16.3.

Figure 16.3 Use the Add Statistics feature to create a statistics profile of your system.

Viewing Statistics with Server Monitor Viewing statistics with Server Monitor can be accomplished only using the Domino Administrator client. The Web Administrator does not support Server Monitor or performance charting.

385

386 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Server Monitor can be configured with the following parameters: ➤ View Statistics Either By Timeline or By State ➤ Show Past Error States Only ➤ Task Status ➤ Task Errors ➤ View a Single Server or a Group of Servers

Select the paper icon next to the Statistics Profile box and choose Save As. Enter a name and click OK to save your profile.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Exam Prep Questions Question 1 Which task automatically starts when the server console loads? ❍ A. Updall ❍ B. Domino Console ❍ C. Fixup ❍ D. HTTP

Answer B is correct. If you are running a server controller, the Domino console starts automatically. Answers A, C, and D are incorrect because these features do not start automatically when the server console loads.

Question 2 What are the correct default ACLs when the WEBADMIN.NSF database is created? Choose all that apply. ❑ A. Administrator: Reader ❑ B. LocalDomainServers: Manager ❑ C. OtherDomainServers: Editor ❑ D. Administrators: Manager

Answers B and D are correct. Administrators and Full Access Administrators, the Named server, and LocalDomainServers are set as Manager. Default, OtherDomainServers, and Anonymous are all set to No Access.

Question 3 Which parameter is valid when configuring Server Monitor? ❍ A. View Statistics by TimeSlice ❍ B. Task Priority ❍ C. Task Errors ❍ D. Show Past Error States and Future Possible errors

Answer C is correct. The only valid parameter from this list is Task Errors.

387

388 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 4 Which of these procedures are correct when launching the console? ❑ A. Launching the jconsole application by selecting the program icon in the server or admin client directory when the server is already running ❑ B. Creating a shortcut or executing nserver --jq at the command prompt to run the server controller, the Domino server, and the console ❑ C. Creating a shortcut or executing nserver --jc --c at the command prompt to run the server controller and the Domino server ❑ D. Creating a shortcut or executing nserver --jc --t at the command prompt to run the server controller and the console

Answers A and C are correct. You can launch the console in one of four ways: 1. Launch the jconsole application by selecting the program icon in the

server or admin client directory when the server is already running. 2. Create a shortcut or execute

nserver --jc at the command prompt to run the server controller, the Domino server, and the console.

3. Create a shortcut or execute

nserver --jc --c at the command prompt to run the server controller and the Domino server

4. Create a shortcut or execute

nserver --jc --s

at the command prompt

to run the server controller and the console.

Question 5 Which of the following statements is correct? ❍ A. The Names.nsf database maintains control of who can use the Web Administrator. ❍ B. All versions of computing platforms can use the Web Administrator. ❍ C. The Webadmin.NSF database controls who can access the server with the Web Administrator. ❍ D. The Webadmin database is automatically configured when the server is launched.

Answer C is correct. Access using the Domino Web Administrator is maintained by the database WEBADMIN.NSF. Make sure you are familiar with this database and the requirements needed to configure the database to facilitate proper admin access. Also note that Macintosh browsers are not supported.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . Server . . . . Performance . . . . . . .

Question 6 Which statement is true about setting up real-time statistics? ❍ A. The administrator and the Web Administrator have the capability to define real-time statistics. ❍ B. Real-time statistics are predefined and cannot be changed. ❍ C. Real-time monitoring is set up with the Domino Administration client. ❍ D. Macintosh computers are the most efficient at setting up real-time statistics using the upgraded client for OSX.

Answer C is correct. Real-time monitoring is set up with the Domino Administration client.

Question 7 Which of the following browser configurations enable the Web Administrator to access the server? Choose all that apply. ❑ A. Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP, and NT4 ❑ B. Netscape 4.7 or greater on Windows 95, 98, 2000, XP, and NT4, or Linux version 7 or greater ❑ C. Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP, and NT4, and Macintosh Netscape 5.6 or greater ❑ D. Netscape 4.7 or greater on Windows 98, 2000, XP, and NT4, or Linux version 7 or greater

Answers A and D are correct. Microsoft Explorer 5.5 or greater is required on Windows 98, 2000, XP, and NT4, and when using Netscape 4.7 or greater on Windows 98, 2000, XP, and NT4 or Linux version 7 or greater.

Question 8 What types of statistics are available to configure? ❑ A. Bundled ❑ B. Embedded ❑ C. Distinct ❑ D. Individual ❑ E. Discretionary

Answers A and D are correct. The two types of statistics that are configurable are individual and bundled.

389

390 Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd.

17 Resolving Server Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ Administration Process ✓ AdminP ✓ Agent Manager ✓ Event triggers

Techniques you’ll need to master: ✓ Monitoring application size ✓ Monitoring server tasks ✓ Recovering from a server crash ✓ Solving Agent Manager issues ✓ Solving authentication and authorization issues ✓ Troubleshooting Administration Process problems ✓ Troubleshooting replication problems ✓ Troubleshooting mail routing issues ✓ Using event triggers to troubleshoot problems

392 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

In this chapter, we cover issues that administrators may have to contend with when troubleshooting server problems. We look at how to resolve replication issues, mail routing issues, and authentication issues as part of the troubleshooting process, along with other possible problems that may occur. This information is an important part of your preparation for Exam 622.

Monitoring Application Size Application, or database, size can directly affect the manner in which a system performs. A database that has grown in size and isn’t maintained regularly causes the server to have performance issues. The maximum database size on Windows and Unix servers is 64 gigabytes. To check the size of a database, select the database on the Domino Workspace. Navigate to the File menu, select Database, and then select Properties to open the database properties. Database size is listed on the Info tab (the second tab, labeled with an “i”). This tab displays ➤ The database size. ➤ The number of documents in the database. ➤ The database creation date. ➤ The last day the database was modified. ➤ The replica ID of the database. ➤ The ODS version of the database. ➤ % used—This button displays the amount of the database in use calcu-

lated in percent. ➤ Compact—This button initiates a compact on the database. ➤ User Detail—This button shows information related to the owner of the

database. Here are some additional ways to check database size: ➤ View the database size on the Files tab of the Domino Administrator ➤ Check the database size in the Domino log file ➤ View the statistics reports in the Statistics database

393 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . .

Monitoring Server Tasks As previously discussed in this book, Domino offers multiple ways to monitor server tasks. These include ➤ Using the Domino console ➤ Using the Domino Administrator ➤ Using the Domino Web Administrator ➤ Examining the server log, miscellaneous view ➤ Setting up statistics monitoring

Recovering from a Server Crash Even the best maintained server will crash occasionally. The one thing that always allows an administrator to recover from a catastrophic system failure is the use of a reliable, tested backup system. Always make sure to use reliable media, test the backup system, and regularly verify backups to be sure they are accurate and complete. Common causes of server crashes include ➤ Inadequate hardware—A slow CPU and minimal amounts of memory

may allow a server to be deployed and Domino to be installed, but after users access the server and system tasks launch, the server will experience slowdowns and possibly crash the server. ➤ Defective hardware—Bad network cards, failing disk drives or drive

arrays, or defective memory can cause server crashes. ➤ Software patches or upgrades—Security patches and operating system

upgrades are notorious for overwriting DLL files and system files that Domino uses for running the server. Loading a patch or an upgrade may cause a software conflict and cause the server to crash. ➤ Domino applications—Databases that have become corrupted are a com-

mon reason for server problems that may lead to a system crash. Typically, after a server crashes, a system reboot allows the server to restart and fires system utilities such as “fixup” to correct any database issues that occurred when the server went down. In the event that the server will not restart, you may need to place a call to Lotus tech support to determine what caused the crash. Before placing the call, gather the following information if possible:

394 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Domino software version ➤ Operating system version and a list of all installed patches and upgrades ➤ List of installed programs on the server and their versions ➤ Network configuration ➤ A record of any errors on the server screen ➤ An NSD (Notes System Diagnostics) file if available

An NSD file might be generated when the server crashes and can be valuable for recovering from the crash. Lotus tech support can analyze the NSD file to determine the cause of the crash and provide possible solutions. This file is not created at every server crash.

Before contacting Lotus tech support, you also should gather any available system files that can assist Lotus in troubleshooting the problem. These include, but are not limited to ➤ System files such as any autoexec or config file ➤ Notes.ini file ➤ Server log files if available

Solving Agent Manager Issues The Agent Manager is a Domino task that manages agent execution on the server. Agents can be resource intensive, depending on what task they are running, so it’s important that they are managed efficiently. The Agent Manager serves this function but may not always run properly. In order to fine-tune how Agent Manager operates, you can edit the Notes.ini file with the following settings: ➤ AMgr_DocUpdateAgentMinInterval—This setting is used to determine

the delay time before a document updates and runs an agent in response to the document update. The default time is 30 minutes. ➤ AMgr_DocUpdateEventDelay—This setting is used to determine the

amount of time that the Agent Manager will delay the execution of the same agent that will run and update documents. This is effective in keeping document updates from running during the times when the server is most active, such as in the morning or just after lunch. The default time is 5 minutes.

395 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . . ➤ AMgr_NewMailAgentMinInterval—This setting is used to determine the

minimum amount of time that needs to pass before the same agent will run and process mail events. The default is 0 minutes. ➤ AMgr_NewMailEventDelay—This setting is used to determine the

amount of time that the Agent Manager will delay the arrival of a new document and the running of an agent as a response to the update. The default time is 1 minute. ➤ DominoAsynchronizeAgents—This setting is used to manage Web agents

that are executed by browser clients so that they can run simultaneously. Setting this parameter to 1 allows multiple agents to run concurrently. ➤ AMgr_SchedulingInterval—This setting is used to dictate the amount of

time that the Agent Manager scheduler task will pause before running. The default is 1 minute and the valid values are 1 minute to 60 minutes. ➤ AMgr_UntriggeredMailInterval—This setting dictates how much time

should pass before the Agent Manager checks for untriggered mail. The default time is 60 minutes. In addition, these commands can be entered at the server prompt to troubleshoot Agent Manager issues: ➤

tell amgr schedule—This

➤

tell amgr status—This

➤

tell amgr debug—This

command displays the agent manager schedule.

command asks the server to generate a status report about the Agent Manager. command displays the current state of the Agent

Manager debugger.

Solving Authentication and Authorization Issues There are multiple reasons why users or servers may be experiencing problems authenticating to the server. Troubleshooting authentication and authorization issues involves the following processes: ➤ Verifying that the Domino Directory is set up correctly ➤ Verifying that the server’s ID file is not the problem ➤ Determining potential causes of user problems

The following sections describe these processes in detail.

396 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Knowing how to verify that a Domino Directory is set up correctly is a key skill for a Domino administrator. Make sure that you understand the information on this topic presented here as you prepare for the exam. Spend some time in your development environment to fully understand how the Directory is set up and configured.

Verifying Correct Domino Directory Setup Follow these steps when troubleshooting authentication issues to verify that the Domino Directory is set up correctly: 1. Be certain all information related to the server configuration is proper-

ly defined. Verify that the server name, Notes named networks, and domain names are correct with no typos. Also, be certain that all group information and usernames are correct. 2. Verify that the network information is configured correctly. Be sure

that all ports are enabled properly as required. 3. The Server document may be damaged or corrupted. Back up the

Domino Directory if possible, or make sure that a valid archived copy exists and restore it to a safe location. Create a new Server document in the Directory, copy the original Server document’s public key into the new Server document, and delete the original document to see if the problem is corrected. If the new Server document does not correct the problem, use the Directory that was restored from tape. Remember that any changes that were made to the Directory since it was archived will need to be re-created.

4. Validate that the public key in the server ID matches the public key. 5. Check the Domino Directory for save or replication conflicts and cor-

rect them if they exist. 6. Corrupted database views may be preventing access. Rebuild the views

using the Updall task first and then use the fixup task if necessary to resolve the corrupted views. 7. Replace the design of the Domino Directory with the PUBNAMES.

NTF template if appropriate. If the Directory was modified with a custom template, replace the design with the custom template instead of the default template.

397 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . .

Verifying Server ID You can verify that the server’s ID file is not the problem by checking these items: ➤ The server ID itself may be damaged. Stop the server, rename the old

server ID file with a .old extension, replace the server ID from a known good backup, and restart the server. ➤ Missing or corrupted certificates could hinder access. Verify that the

server ID file has all expected certificates and if any are missing, recertify as needed with the appropriate certifier. ➤ Verify that the server’s public key matches the public key stored in the

Domino Directory’s Server document.

Troubleshooting User Problems If a user is having problems accessing the server, check these items to search out the source of the problem: ➤ Check for typos or errors in the user’s Person document in the

Directory. ➤ Determine that the user has all of the proper certifications needed to

access the server. ➤ Verify that the user’s client is configured properly, including network

configurations and connections.

Troubleshooting Administration Process Problems Lotus has provided the Administration Process to assist administrators in automating system tasks and scheduling them to run at times when the system is not experiencing heavy use. Make sure that you understand how the Administration Process works and how to troubleshoot it when studying for the exams.

The Administration Process (AdminP) is a Domino task that runs on the server to execute housekeeping, maintenance, and administrative tasks. For example, AdminP processes requests for a user’s name to be changed, a new Organizational Unit to be assigned, or a user’s information to be added to a

398 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

completely new organization in the hierarchy. As we have discussed previously in this book, a server that does not have the proper hardware configuration can cause a myriad of problems. The Administration Process is a memoryintensive process and care should be taken to ensure that the server has an adequate amount of memory to execute the task. To troubleshoot possible problems with the Administration Process, follow these steps: ➤ Make sure that no system changes have been made at the operating sys-

tem level or to the network infrastructure that could cause communication failures within the domain. ➤ Configuration errors on the server may be causing problems. Try run-

ning the Administration Process on a different server in the domain to see if the problem persists. ➤ Type

at the server prompt and check to make sure that the AdminP task is running. show tasks

➤ Verify that an Administration Server is defined in the Directory and in

all databases in the domain. If the Administration Server is not defined in the databases, the AdminP process cannot run against them. ➤ Check the replication events in the Domino log file to make sure that

the Directory and the Administration Requests database is replicating properly in the domain.

Troubleshooting Replication Problems Database replication errors can be common, but can also be very frustrating to correct. Suggestions for troubleshooting replication problems include: ➤ Make sure that the replica IDs are the same between the two databases

that are replicating. Remember that replication is dependent on the replica IDs and not on the database names. ➤ Check the Connection documents for the servers and make sure that the

replication task is enabled. Verify that the replication scheduled is properly defined. ➤ Verify that replication is not disabled in the database properties. ➤ Check the ACLs for the database and verify that the access is properly

set to allow replication to occur between the databases.

399 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . . ➤ Make sure that the server has sufficient disk space to allow the databases

to add the documents. ➤ Check the Domino Log database for possible errors that are occurring. ➤ Examine the database’s replication history to determine the last time the

database successfully replicated to determine when the problems started occurring.

Troubleshooting Mail Routing Issues A typical sign that mail routing is not working correctly is a report from a user that they are not receiving mail or cannot send mail. Suggestions for troubleshooting mail routing issues include ➤ Request a delivery failure report from the user. Examine the information

in the report to determine how the problem may be resolved. ➤ Perform a mail trace to determine where the mail is stopping along the

route and correct the problem. ➤ Check the Domino Directory and ensure that mail routing is enabled. ➤ Verify that the settings in the Connection documents are configured

properly for mail routing between servers. ➤ Make sure that the mail.box file on the server is not corrupted. ➤ Check the server and make sure that there is sufficient disk space to

allow the server to process the mail. ➤ Examine the Domino log to see if errors are occurring in the Mail

Routing Events section. ➤ Check the mail.box file for undeliverable mail and examine the errors

that are occurring to determine how to correct the problem. In addition, an administrator can issue the command tell router show to determine whether mail is backed up on the server and the last error message logged.

400 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Using Event Triggers to Troubleshoot Problems Event handlers are used to determine which tasks launch when a predetermined event occurs on the server. Such an event is known as an event trigger. The events database EVENTS4.NSF includes predefined events that can be used to monitor the server, but the most efficient use of the handler task is when an administrator defines events specific to the domain they are monitoring. An administrator may decide to just log events and then maintain them weekly. Alternatively, administrators may decide to be alerted immediately when an event occurs so that they can resolve the issue. The EVENTS4.NSF database includes a wizard that assists administrators in creating the following event handlers: ➤ Event Handler Wizard—Creates a new event handler that generates a

notification when a specified event occurs ➤ Database and Statistic Wizard—Creates an event generator that fires

when something happens to a server or database ➤ Mail Routing and Server Response Wizard—Creates an event generator

that generates statistics or fires an event based on the availability of a resource ➤ Troubleshooting Wizard—Identifies some common configuration errors in

the EVENTS4.NSF database and suggests possible resolutions Event handlers can also be created by using the Domino Administrator and navigating to the Configuration tab and selecting the Monitoring Configuration, Event Handler view. Each event has a Basics, Event, and Action tab that must be completed. The following events provide assistance in troubleshooting problems: ➤ Agent—This event monitors tasks related to the execution of agents on

the server. ➤ Mail—This event monitors tasks related to mail processing. ➤ Replica—This event monitors database activities associated with replica-

tion. ➤ POP3—This event monitors Internet mail activities. ➤ SMTP—This event monitors activities related to SMTP communications.

401 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . .

Exam Prep Questions Question 1 Which of the following options are available to administrators to monitor the Domino server? ❑ A. Using the Domino console ❑ B. Using HP OpenView ❑ C. Examining the server log, miscellaneous view ❑ D. Using the Web Administrator

Answers A, C, and D are correct. Domino offers multiple ways to monitor server tasks. These include: ➤ Using the Domino console ➤ Using the Domino Administrator ➤ Using the Domino Web Administrator ➤ Examining the server log, miscellaneous view ➤ Setting up statistics monitoring

Question 2 What is the maximum size possible for a database on Windows and Unix servers? ❍ A. 100 gigabytes ❍ B. 64 gigabytes ❍ C. 1 terabytes ❍ D. None of the above

Answer B is correct. The maximum database size on Windows and Unix servers is 64 gigabytes.

402 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 3 Which command is issued at the server prompt to generate a status report concerning the Agent Manager? ❍ A. show agent report ❍ B. tell agent manager show status ❍ C. tell amgr status ❍ D. show agent manager status report ❍ E. None of the above

Answer C is correct. The command tell amgr status asks the server to generate a status report about the Agent Manager.

Question 4 Which of the following items could cause database replication problems? ❍ A. The databases might have different names. ❍ B. The server task “Replica Check” might not be running. ❍ C. The replica IDs do not match. ❍ D. The database might need to be compacted.

Answer C is correct. Make sure that the replica IDs are the same between the two databases that are replicating. Remember that replication is dependent on the replica IDs and not on the database names.

Question 5 What is the purpose of event handlers? ❍ A. They are used to determine holidays in calendaring and scheduling. ❍ B. They are used to generate system records in the EVENTS.NSF database. ❍ C. They are used to determine which tasks launch when an event is triggered. ❍ D. They are used to perform an orderly shutdown of the server if a critical system failure occurs.

Answer C is correct. Event handlers are used to determine which tasks launch when an event is triggered.

403 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . .

Question 6 Which of the following statements are true about the Administration Process? ❑ A. It is very memory intensive. ❑ B. It can be launched by a user. ❑ C. An Administration Server must be defined in the Directory for the process to be able to launch. ❑ D. Running the process quarterly is adequate for maintaining the administrative tasks.

Answers A and C are correct. The Administration Process is a memoryintensive process and care should be taken to ensure that the server has an adequate amount of memory to execute the task. An Administration Server must be defined in the Directory and in all databases in the domain. If the Administration domains are not defined in the databases, the AdminP process cannot run against them.

Question 7 What is the purpose of an NSD file? ❍ A. To assist in troubleshooting the reason for a system crash ❍ B. To generate a listing of all Non Standard Domains accessing the network ❍ C. To compile a report of all available Notes users accessing the server ❍ D. To generate a report showing a list of Internet users accessing the server using a Web client

Answer A is correct. An NSD file can be generated when the server crashes and can be valuable for Lotus tech support to analyze the crash and provide possible solutions. This file is not created at every server crash.

404 Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 8 Which of the following selections are possible solutions for troubleshooting mail routing issues on the server? ❑ A. Set up the Failed_Mail statistics generator in the EVENTS.NSF database. ❑ B. Examine a delivery failure report. ❑ C. Execute a mail trace. ❑ D. Check the Domino Directory and make sure mail routing is enabled.

Answers B, C, and D are correct. The following items can assist in troubleshooting mail routing issues: ➤ Request a delivery failure report from the user. Examine the information

in the report to determine how the problem may be resolved. ➤ Perform a mail trace to determine where the mail is stopping along the

route and correct the problem. ➤ Check the Domino Directory and ensure that mail routing is enabled.

405 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . Server . . . . Problems . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: redbooks.

www.ibm.com/

18 Resolving User Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Terms you’ll need to understand: ✓ FIXUP ✓ UPDATE ✓ UPDALL ✓ COMPACT ✓ MTC ✓ MSTORE.NSF ✓ CATALOG.NSF

Techniques you’ll need to master: ✓ Tracking user mail messages ✓ Troubleshooting routing problems ✓ Troubleshooting server access problems ✓ Troubleshooting connection problems ✓ Troubleshooting data access control problems ✓ Troubleshooting database issues ✓ Troubleshooting workstation problems

408 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Tracking User Mail Messages Domino provides the capability for administrators as well as users to track their messages. The tool that enables this is the Mail Tracker Collector. From time to time, users might state that mail is not being delivered in a timely fashion or that it might not be reaching the intended recipient at all. When this occurs, a mail-tracking tool can be used to determine the problem. The database used for this task is the MailTracker Store database, or MSTORE.NSF. The database is populated by data that is fed from the Mail Tracker Collector task, or MTC. The MTC processes log files generated by the Router task and then copies specific data to the MSTORE.NSF database. When a message-tracking request is generated, Domino uses the MSTORE.NSF database to perform the trace. When a trace is initiated, it starts at the user or administrator client and continues through the entire domain until the route expires. When the trace is completed, the user is presented with one of the following delivery status messages: ➤ Delivered—Delivery was successful. ➤ Delivery failed—Delivery was unsuccessful. ➤ In queue—Domino has queued the message in the Router task. ➤ Transferred—The message was sent to the next defined mail hop. ➤ Transfer failed—The message could not be transferred. ➤ Group expanded—A group message sent to the server was expanded to all

recipients. ➤ Unknown—The status of the delivery is not known. Although it is true that users and administrators can track mail, users can track only their own mail.

Troubleshooting Routing Problems Mail routing errors can occur for various reasons. Server configuration errors, client configuration errors, and network issues can all be possible problems. The key to resolving the issue is to use the tools provided by Domino to correct the problem. If the MAIL.BOX database has dead or pending mail, the most common things to check first are these:

409 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . . ➤ System logs detailing delivery failures and mail traces. ➤ Errors in the Directory itself, possibly related to connection configura-

tions. Also make sure that the Mail Routing field is enabled on the Basics tab of the Server document. ➤ Errors in the recipient’s address. ➤ Network configuration errors prohibiting correct routing paths ➤ System errors, such as full disks or memory errors ➤ Shared mail configuration errors

Tools available to administrators to troubleshoot routing problems include these: ➤ Delivery Failure Reports, which contain a description of why the mes-

sage failed ➤ Mail Trace from the Domino Administrator ➤ Mail routing topology maps that display routes by connections and

named networks ➤ Mail Routing status in the Domino Administrator ➤ Mail routing events in the Domino server log

Troubleshooting Server Access Problems Server access problems can occur when a user tries to access the server or when the server attempts a connection with another server and is denied. The following section will aid you in troubleshooting Directory problems. Some of these are extreme measures, and you should always make sure that you have a recent, verified backup of the Directory file before attempting this procedure.

The following sections discuss some typical errors related to server access that can occur and their possible solutions.

410 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Directory Errors Directory errors are the most common types of errors that cause server access problems. If users are not authorized to access the server, you should verify that the Domino Directory does not have errors or corrupted Server documents. Typical Directory errors to look for are listed here: ➤ Incorrect server and domain names or misspelled names would prohibit

access. ➤ Verify that the information regarding the server and domain information

is correct and that there are no spelling errors. ➤ Configuration errors related to Notes Networks. At least one Notes

Network must be enabled. ➤ Verify that all fields in the server access section of the Security tab in the

Server document are set correctly. Pay special attention to the Deny Access and Not Access Server fields to make sure they are configured correctly. ➤ Ensure that the public keys in the server ID file and the public key

match. Copy both keys to a separate text file and verify that they match. ➤ Check groups to verify that no spelling errors exist and that the users

are assigned to the correct groups. Verify that the group types are set correctly in the Group Type field on the Basics tab. ➤ Make sure there are no save and replication conflicts in the Directory.

Open the Directory and check the main view pane to see if conflicts have occurred. If they have, validate which document is correct and delete the incorrect document. ➤ You also should verify that the Server document is not corrupted by cre-

ating a new version and using it instead of the original one. Make sure that you copy the server’s public key from the old document to the new one. Views in the Domino Directory also might need attention. Poor performance or errors displaying the database are examples of corrupted database views. Views can be rebuilt by issuing the following commands at the Domino console or at the server prompt: Load updall names.nsf -r

➤ Fixup should be used if the database is in R4 or R5 format or greater

and if transaction logging is not enabled. The command to execute at the server is Load fixup names.nsf.

411 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . . ➤ Entering

Fixup -j using the -j switch is appropriate when transaction logging is running on the server. The command to enter at the server console is Load fixup names.nsf.

Finally, here are other techniques for troubleshooting Directory errors: ➤ Restore the Directory from a backup tape, or create a new replica copy

and use it. ➤ Replace the design of the database with the PUBNAMES.NTF tem-

plate file. ➤ If a passthru server is defined on the basics and the Security tab in the

Server document, make sure there are no configuration errors.

Other Techniques for Troubleshooting Server Access Problems Not all server access problems are related specifically to Directory errors. Here are some other techniques for troubleshooting server access problems: ➤ Make sure that the server is using the correct server ID and that it isn’t

corrupted. Activity such as ID recertification, in which the ID is accessed, can cause corruption. If you suspect that the ID is corrupt, take down the server, rename the server.id file, and restore it from a valid backup. ➤ Verify that the user’s certificates are valid and not expired and that the

server has all of the expected certificates installed. ➤ Verify that the server’s network connections are operational. Launch a

browser, perform a ping from the server, and so on.

Troubleshooting Connection Problems Connection problems in the Domino environment can cause replication, routing, and access issues. These errors can manifest themselves as errors indicating the system’s incapability to find routes to servers, mail delivery errors, or the failure of data to be updated in databases across the domain. System messages such as “TCP/IP host unknown” or “Remote system not

412 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

responding” might also be displayed in the Domino log. To troubleshoot connection issues, take the following steps: ➤ Verify that there are no save and replication errors on any Server docu-

ment. ➤ Make sure that all Connection documents are in place. If a Connection

document is missing, create it and then retest to see if the problem has been corrected. Although it is true that using IP addresses in Connection documents allows the Domino infrastructure to operate properly, the most effective method is to use DNS entries. Using DNS entries allows for more consistent maintenance, in that a server can be moved to a new network segment and the Domino server documents will not need to be changed to reflect the new IP address.

➤ Verify that all settings for Connection documents are valid and that

there are no spelling errors or incorrect network settings. Check the information on the Basics tab of the Server document, and make sure that all of the server and domain information is accurate. ➤ Test connections at the Domino console using the

trace command. Using the trace command, you can execute a trace to a specific server and optionally choose the port to use.

➤ If DNS names are being used instead of IP addresses, verify that the

Host file on the server contains the correct IP addresses and that there are no conflicts with the DNS table entries. Using OS tools such as ping might also determine whether the communications paths are resolving correctly.

Troubleshooting Data Access Control Problems Data access control problems can cause users as well as servers to be denied access to a specific database, a server, or an entire domain. Administrators can ensure that database access will be constant by making sure that Enforce a Consistent Access Control List is selected on the database ACL Advanced tab.

413 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . . Although enforcement of a consistent ACL does assist in maintaining ACL integrity, it’s not a complete solution. If a user replicates a copy of a database to his local machine, group membership does not replicate along with the database. If the user then wanted to share that replica with another user, the new user would not to be able to access the database because group information would not be inherited. One other thing to keep in mind is local replica security. Because a uniform ACL is not imposed on the database, a local replica should be encrypted to maintain security.

Administrators can get a complete view of all database ACLs by accessing the Access Control List in the database catalog file, typically called CATALOG. NSF. The CATALOG.NSG database is populated by the CATALOG task. These three views are available: ➤ By Database—This is an alphabetical list of all databases in the domain,

sorted by the actual filename on the server. ➤ By Level—This is a list of all databases, sorted by access level. ➤ By Name—This is a list of all valid ACLs on the system, sorted by each

specific type.

Troubleshooting Database Issues Database issues can occur if the database is not maintained properly. Database performance and data loss can be attributed to not performing regular database housekeeping tasks. Database usage and replication can be tracked in the Domino log file, typically named LOG.NSF. Domino has system tasks that can be scheduled at predefined times to ensure that all databases are performing at an optimum level. Key system tasks include these: ➤ Update—The purpose of Update is to update a database’s view indexes.

Update runs automatically when the server is started and continues to run while the server is up. Update waits about 15 minutes before processing the database so that all changes in the database are finished processing. When the views are updated, it then searches the domain for databases set for immediate or scheduled hourly index updates. When Update finds a corrupted view or full-text index, it rebuilds the full-text index and tries to solve the issue. ➤ Updall—Updall is useful for rebuilding corrupted views and full-text

index searches, as is Update. Updall has various options that can be defined when launched by using a software switch. Updall is executed by default at 2:00 a.m. and, unlike Update, can be run manually. Deletion

414 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

stubs are removed, and views that haven’t been used for 45 days are deleted unless they are protected by the database designer. Setting the parameter Default_Index_Lifetime_Days in the Notes.ini file enables an administrator to determine when Updall removes unused views. ➤ Fixup—Fixup is used to repair databases that were open when a server

failure occurred. Fixup runs automatically when the server starts, but it can also be run from the Domino Console, when necessary. Databases are checked for data errors generated when a write command to the database was issued and a failure occurred causing a corruption in the database. When Fixup is running on a database, user access is denied until the job completes. Fixup should be run if Updall does not fix the database errors. ➤ Compact—Compact can be used to recover space in a database after docu-

ments are deleted. Deleting documents from a Domino database does not actually decrease the size of the database. A deletion stub is created and the document is removed permanently when Compact is run, and the size of the database is then reduced. Three types of compacting are available: ➤ In-place compacting with space recovery—Unused space is recovered,

but the physical size of the database remains the same. Unlike with Update and Updall, access to the database is not denied while the Compact task is running. When Compact is launched without switches or with a -b switch, in-place compacting with space recovery is the type of compacting used. The DBIID, or database instance ID (used to identify the database), remains the same. In-place compacting is used for databases that have the system configured to run transaction logging. Use In-place compacting when possible because it is the quickest and generates the smallest amount of system activity.

➤ In-place compacting with space recovery and reduction in file size—This

version reduces the physical database size and recovers unused space, but it takes longer to complete. The DBIID is changed with this Compact version. Running Compact without a software switch option compacts databases not associated with transaction logging. ➤ Copy-style compacting—A copy is created, and when the compact is

complete, the original database is deleted. Because of this, there

415 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . .

needs to be sufficient disk space available to make the copy of the database, or an error will occur and the compact will not work. During this type of compacting, a new database is created and a new DBIID is assigned. Because a new database is actually being created, this option locks out all users and servers from editing the database. Access using this version of Compact for read only can be enabled if the -L switch is used at the time it is run. Compact should be run on all databases at least weekly, if possible, but it should be run at a minimum of once a month using the format compact -B to minimize the amount of disk space. If Fixup does not correct a database problem, running Compact with the switch of -c can attempt to correct the problem.

Databases should be monitored on a regular basis to make sure that they are performing efficiently. Other possible solutions besides running these database utilities include the following: ➤ Move the database to another server in the domain, if necessary. Make

sure that the server itself is tuned occasionally and running at peak efficiency. Defragment disk drives and run preventive maintenance tasks on the server to foresee possible hardware problems. Also make sure that backups are scheduled to complete before nightly Domino server tasks launch. ➤ Domino 6 database design provides a significant speed improvement. If

possible, upgrade the database to version 6 if it’s running as an earlier version. ➤ Implement transaction-based logging, if the hardware configuration

makes it a possible solution, because this is very processor, memory, and disk access intensive. ➤ Schedule nightly system tasks to complete before users access the system

at the start of a work day. ➤ Verify that a task such as Compact or Updall isn’t stuck on a database,

expending system resources. ➤ Monitor database usage. A database used constantly by many users

might need separate replicas on other servers in the domain, to make sure that access is not creating an unneeded system load. ➤ Examine the database design to see if any improvements can be made

that would allow it to perform better.

416 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Check the Database, Enhanced tab to see if any options can be enabled

to improve performance. ➤ Create a replica of a database if Fixup, Update, and Updall don’t correct

the problem. If all else fails, restore the database from backup.

Troubleshooting Workstation Problems Users might be experiencing problems even though the server and networks are working properly. Items to check when a workstation can’t access the Domino network include these: ➤ Verify that the workstation can access other network devices. Submit a

ping or trace route from the OS level to make sure that no network issues need to be addressed. ➤ The user at the workstation might not have the privileges to access the

server. Verify that the user is using the correct ID file and that the server the user is attempting to access from the workstation is correct. ➤ Check Connection documents at the workstation to ensure that they are

set up correctly. Verify that there are no spelling errors and that the server information is correct. ➤ Make sure that the location selected at the workstation is correct. ➤ Verify that all certificates are in place and up-to-date. ➤ Check the account information in the workstation, and ensure that all

account and port information is correct.

417 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . .

Exam Prep Questions Question 1 What type of mail can users track? ❍ A. Mail for the entire domain ❍ B. Mail for only the users on their server ❍ C. Their own mail ❍ D. Mail for groups that they belong to

Answer C is correct. Although it is true that users and administrators can track mail, users can track only their own mail.

Question 2 What database does the Mail Tracker Collector use? Choose all that apply. ❍ A. TRACK.NSF ❍ B. POSTAL.NSF ❍ C. MSTORE.NSF ❍ D. DOMLOG.NSF

Answer C is correct. The tool that enables this to occur is the Mail Tracker Collector. The database used for this task is the MailTracker Store database, or MTSTORE.NSF.

Question 3 Which of the following is used to troubleshoot routing problems? ❍ A. Delivery Failure Reports ❍ B. Mail Store tracking views ❍ C. Server Address Book Dynamic Tracking reports ❍ D. Mail Routing tracking templates

Answer A is correct. Delivery Failure Reports are one of the tools available to administrators to troubleshoot routing problems.

418 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 4 Which of the following is true about Copy-style compacting? Choose all that apply. ❑ A. A copy of the database is created. ❑ B. All replicas in the domain are backed up to the database store. ❑ C. The original database is deleted. ❑ D. NAMES.NSF updates the DBIID in the database store tracking view.

Answers A and C are correct. When Copy-style compacting is used, a copy is created. When the compact is complete, the original database is deleted.

Question 5 Which of the following is true about Updall? Choose all that apply. ❑ A. The Default run time is 2:00 a.m. ❑ B. It can be run at any time. ❑ C. It rebuilds corrupted views. ❑ D. It rebuilds full-text search indexes.

Answers A, B, C, and D are correct. Updall is executed by default at 2:00 a.m. and, unlike Update, can be run manually at any time. Its purpose is to rebuild corrupted views and full-text search indexes.

Question 6 How often should Compact be run, at a minimum? ❍ A. Yearly ❍ B. Quarterly ❍ C. Weekly ❍ D. Monthly

Answer D is correct. Compact should be run on all databases weekly, if possible, but it should be run, at a minimum, once a month.

419 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . .

Question 7 Which of the following is true about in-place compacting with space recovery? ❍ A. Access to the database is denied. ❍ B. The database ACL is changed to add anonymous access. ❍ C. Access to the database is not denied. ❍ D. Anonymous access is deleted during the copy process.

Answer C is correct. While in-place compacting with space recovery is running, access to the database is not denied to the user.

Question 8 How can an administrator improve database performance on the server? ❍ A. Ensure that the cache is running only on the MSTORE.NSF database. ❍ B. Adjust the database cache. ❍ C. Delete the Names.nsf database. ❍ D. Increase the physical size of the server log.

Answer B is correct. Monitor the database cache and adjust it as necessary to improve database performance.

Question 9 Which of the following is true about the Update task? ❍ A. It can be run at any time by any user. ❍ B. It runs only monthly. ❍ C. It runs automatically when the server starts. ❍ D. It checks disk space information and sends notifications when the space is low.

Answer C is correct. Update runs automatically when the server is started and continues to run while the server is up.

420 Chapter 18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 10 What database is useful when a complete view of all database ACLs in the domain is needed? ❍ A. DOMLOG.NSF ❍ B. ACLVIEW.NSF ❍ C. CATALOG.NSF ❍ D. DATABASE ACLVIEW.NSF

Answer C is correct. Administrators can get a complete view of all database ACLs by accessing the Access Control List in the database catalog file, typically called CATALOG.NSF.

421 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving . . . . . User . . . Problems . . . . .

Need to Know More? The Lotus Developers Domain: www-10.lotus.com/ldd. Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

PART IV Sample Exams 19 Practice Exam 620 20 Answer Key for 620 21 Practice Exam 621 22 Answer Key for 621 23 Practice Exam 622 24 Answer Key for 622

19 Practice Exam 620

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

All Lotus Notes exams are difficult and require a broad working knowledge of the subject, as indicated by the competencies for that exam. The exam questions are very rarely precise, and students should take note of the following considerations when choosing an answer from the four choices: ➤ All choices can be correct. Choose the most precise. ➤ All choices can be incorrect. Choose the least incorrect. ➤ After choosing an answer, apply the answer back to the question. The

answer must answer the question. This might sound redundant, but quite often, when applying what at first glance appears to be the correct answer back to the question, you realize that the answer is not correct for the question the way it is written. ➤ Questions and answers usually apply to the default behavior of Notes,

not to workarounds or very advanced development, unless specified in the question and answer. ➤ Look for similar questions or questions that relate to the same topic.

Sometimes one question may provide hints for answering another question. ➤ Read all questions carefully because a word such as must or not can make

a huge difference in the correct answer. The following questions and answers are for Exam 620, “Notes Domino 6 System Administration Operating Fundamentals.” The questions cover the five core competencies required for this exam and are similar to the questions you will encounter when taking Domino exams. Each question has four possible answers. Read each of the choices and choose the one that best answers the question.

426 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Eric has set a database quota of 50MB on the mail files for the users in his organization. What could Eric do so that his users are informed when the size of their mail file approaches the database quota? ❍ A. Set the Database Quota Warning to 45MB and enable Quota Warning Notifications. ❍ B. Set the Warning Threshold to 45MB and enable Over Quota Notifications. ❍ C. Set the Warning Threshold to 45MB and enable Over Warning Threshold Notifications. ❍ D. This cannot be done because database quotas do not apply to mail files.

Question 2 Kevin has created a new welcome page for the users in his organization. He has just changed the default welcome page in the Desktop Policy Settings document. Patty is one of the users in this organization. When will the new welcome page become effective for Patty? ❍ A. The next time she authenticates with her home server ❍ B. After the Policy task runs on her home server ❍ C. After her Notes ID has been recertified ❍ D. Immediately

Question 3 Marcia recently made a change to a scheduled Java agent. The agent is scheduled to run daily at 2:00 a.m. However, the agent will not run. What might be the problem? ❍ A. The Updall task is scheduled to run at 2:00 a.m., by default. Scheduled agents cannot run while this server task is running. ❍ B. Marcia’s name is included in the Run Unrestricted Methods and Operations field of the Server document. However, her name is not included in the Run Restricted LotusScript/Java Agents field. ❍ C. Marcia’s name is included in the Run Unrestricted Methods and Operations field of the Server document. However, the group RunRestrictedAgents, of which she is a member, is included in the Run Restricted LotusScript/Java Agents field. ❍ D. Neither Marcia nor any group that she is a member of is included in the Run Restricted LotusScript/Java Agents field of the Server document.

427 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 4 Design changes were recently made to a database on server East/Acme. For these design changes to replicate properly to the database replica on server West/Acme, what minimum access levels are required? ❍ A. The database replica on server East/Acme must give server West/Acme at least Reader access, and the database replica on server West/Acme must give server East/Acme at least Designer access. ❍ B. The database replica on server East/Acme must give server West/Acme at least Designer access, and the database replica on server West/Acme must give server East/Acme at least Reader access. ❍ C. The database replica on server East/Acme must give server West/Acme Manager access, and the database replica on server West/Acme must give server East/Acme at least Designer access. ❍ D. The database replicas on both servers must have a minimum of Designer access.

Question 5 Network compression is possible for which of the following Notes/Domino connections? ❍ A. A connection between a Domino Release 5 server and a Notes Release 6 client workstation ❍ B. A connection between a Domino Release 6 server and a Notes Release 5 client workstation ❍ C. A connection between a Domino Release 6 server and another Domino Release 6 server ❍ D. All of the above

428 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 6 Which of the following is a true statement related to the Extended Access Control List? ❍ A. The Extended ACL can be used to increase the level of access of the user listed in the database ACL. ❍ B. The Extended ACL can be used to apply restrictions to the access that the database ACL allows a user. ❍ C. The Extended ACL is used to provide full-access administrators with access to all databases residing on a server. ❍ D. All of the above

Question 7 Kathy recently made some design changes to fix a problem with the Invoice.nsf database on server East/Acme. She contacted Curtis, the Domino administrator, to request that these design changes be replicated to the database replica located on server West/Acme. These two servers are scheduled to replicate each morning at 5:00 a.m. What can Curtis do to replicate these changes as quickly as possible? ❍ A. Design changes can be replicated only via scheduled replication. These changes will be replicated at 5:00 a.m., during the next scheduled replication. ❍ B. Update the Connection document for servers East/Acme to West/Acme by changing the Replication Type to Immediate and entering Invoice.nsf in the field Files/Directories to Replicate. ❍ C. From the East/Acme server console, force replication between servers East/Acme and West/Acme by entering the command Pull West/Acme Invoice.nsf. ❍ D. From the East/Acme server console, force replication between servers East/Acme and West/Acme by entering the command Push West/Acme Invoice.nsf.

429 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 8 Tara is an administrator for the Acme Corporation. She can use the remote console to execute the show tasks command for server East/Acme. However, she cannot execute the replicate command to initiate replication between servers East/Acme and West/Acme. What might be Tara’s problem? ❍ A. She is listed as a view-only administrator in the Server document for East/Acme. ❍ B. The Replicate task cannot be performed from the remote console. ❍ C. The replicate command is not a valid server command. The commands pull or push should have been used instead. ❍ D. She is listed in the Not Access Server field in the Server Access section of the Server document for East/Acme.

Question 9 Helena is listed as a full-access administrator for server East/Acme. What rights does Helena have on this server? ❍ A. Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings ❍ B. The capability to create agents that run in unrestricted mode with full administration rights ❍ C. Access to all documents in all databases, regardless of Reader Names fields ❍ D. All of the above

Question 10 Which of the following is the abbreviated format of the hierarchical name Randy Smith/Purchasing/East/Acme? ❍ A. Randy Smith/Purchasing/East/Acme ❍ B. CN=Randy Smith/OU=Purchasing/OU=East/O=Acme ❍ C. */Purchasing/East/Acme ❍ D. Randy Smith

430 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 11 In Notes/Domino, what do users and servers use to authenticate with one another? ❍ A. A passthru server ❍ B. Their public and private keys ❍ C. The Access Control List (ACL) ❍ D. The Extended Access Control List (xACL)

Question 12 Which method can be used to assign an explicit policy to a user? ❍ A. You can assign an explicit policy to a user by updating the Person document. ❍ B. You can assign an explicit policy to a user with the Assign Policy tool. ❍ C. You can assign an explicit policy to a user during user registration. ❍ D. All of the above.

Question 13 Carmen is listed in the Run Restricted LotusScript/Java Agents field of the Server document. However, she is not listed in the Run Unrestricted Methods and Operations field. Which LotusScript features will Carmen be able to use in her agents that she runs on the server? ❍ A. She will not be able to run any LotusScript agents on the server. ❍ B. She will be able to run any LotusScript agents on the server, even those using restricted features. ❍ C. She will be able to run only LotusScript agents that do not use restricted features. ❍ D. She will be able to run only LotusScript agents that access the file system.

431 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 14 In a central directory architecture, where is the primary Domino Directory stored? ❍ A. On the Directory servers ❍ B. In the Configuration directory ❍ C. On every server in the domain ❍ D. In the Notes.ini of the administration server

Question 15 Which of the following is not a valid administrator type for a server? ❍ A. Full-access administrator ❍ B. Domain administrator ❍ C. System administrator ❍ D. Full remote console administrator

Question 16 A replica of the Payroll.nsf database on server East/Acme was recently created on server West/Acme. Users have created new documents in both replicas. During scheduled replication, all of the new documents created on server East/Acme are successfully replicating to server West/Acme. However, only certain document types from the replica on server West/Acme are replicating to server East/Acme. What could be preventing the other documents from replicating? ❍ A. The documents that are not replicating have a Readers field. Server West/Acme is not included in the Readers field. ❍ B. The ACL for the database replica on server East/Acme has the entry for West/Acme set to Reader access. ❍ C. The documents that are not replicating have a Readers field. Server East/Acme is not included in the Readers field. ❍ D. The ACL for the database replica on server West/Acme has the entry for East/Acme set to Reader access.

432 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 17 Lois has been asked to create a new group in the Domino Directory (names.nsf). What minimum ACL settings must she have in names.nsf to create this group? ❍ A. Manager access ❍ B. Editor access with the GroupCreator Role assigned ❍ C. Author access, the Create Documents privilege enabled, and the GroupCreator Role assigned ❍ D. Reader access, the Create Documents privilege enabled, and the GroupCreator Role assigned

Question 18 Kim is able to create new documents in the HelpDesk.nsf database. She can open these documents from a view, but she cannot edit them. Why can she not edit the documents that she has created? ❍ A. She has Editor access in the ACL, but her name is in a Readers field in the documents, preventing her from editing them. ❍ B. She has Author access in the ACL. Users with Author access in a database can never edit documents; they can only create new documents. ❍ C. She has Author access in the ACL with the Create Documents privilege enabled. She also needs to have the Edit Documents privilege enabled for her ACL entry. ❍ D. She has Author access in the ACL with the Create Documents privilege enabled, but her name is not included in an Authors field in the documents.

Question 19 Fran is in the ACL of the JobPosting.nsf database with an access level of No Access. However, she is a member of two groups that are also in the ACL. The Reviewer group has an access level of Reader, and the Approver group has an access level of Author. The default access to this database is Editor. What access level will Fran have to this database? ❍ A. No Access ❍ B. Author ❍ C. Reader ❍ D. Editor

433 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 20 Tom has set up name-and-password access and created Person documents for his users who will be accessing Notes databases over the Internet. Under what circumstances will Domino authenticate these users? ❍ A. When they attempt to do something for which access is restricted ❍ B. When session-based authentication is enabled ❍ C. When anonymous access is not allowed on the server ❍ D. All of the above

Question 21 How are the policy settings that are related to a user resolved to determine the effective policy for the user? ❍ A. If a user has any explicit policies assigned, they represent the effective policy for the user and the organizational policy settings documents are ignored. ❍ B. If organizational policies exist, they represent the effective policy for all users and any explicit policy settings documents are ignored. ❍ C. Explicit policy settings are resolved first, followed by organizational policy settings. ❍ D. Organizational policy settings are resolved first, followed by explicit policy settings.

Question 22 Which of the following is not a valid Policy Settings document? ❍ A. Registration Policy Settings document ❍ B. Administration Policy Settings document ❍ C. Desktop Policy Settings document ❍ D. Archive Policy Settings document

434 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 23 In the hierarchical name CN=Randy Smith/O=Acme/C=US, what do each of the components represent? ❍ A. Randy Smith is the common name component, Acme is the organization component, and US is the country component. ❍ B. Randy Smith is the corporate name component, Acme is the organization component, and US is the company component. ❍ C. Randy Smith is the common name component, Acme is the organization component, and US is the company component. ❍ D. Randy Smith is the corporate name component, Acme is the Organizational Unit component, and US is the country component.

Question 24 Using a design template on her local machine, Nancy performed a Refresh Design to the HelpDesk.nsf database located on server East/Acme. When will the design changes take effect? ❍ A. Immediately. ❍ B. Never. A Refresh Design cannot be performed from a local design copy. ❍ C. After the Designer task runs on server East/Acme. ❍ D. After the Replicator task runs on server East/Acme.

Question 25 When Jim registered the users in his organization, he set the password quality scale to 4. For security reasons, he has decided to begin registering new users with a password quality scale of 8 and wants to increase the password quality scale to 8 for existing users. In addition, he wants to allow users to use the same password to log into both Notes and the Internet. How could Jim accomplish this? ❍ A. Recertify the IDs of his existing users with a password quality scale of 8, and enable the Synchronize Internet Password with Notes Password option in the Person documents. ❍ B. Create a security policy settings document with the password quality scale set to 8 and the Synchronize Internet Password with Notes Password field set to Yes.

435 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . . ❍ C. Create a registration policy settings document with the password quality scale set to 8 and the Synchronize Internet Password with Notes Password field set to Yes. ❍ D. This cannot be done. After users have been registered, their password quality scales cannot be altered. Jim would have to reissue new IDs to the existing users.

Question 26 Ron is receiving complaints from users accessing the HelpDesk.nsf database from the Internet. They are able to open documents, but they cannot edit them. These same users can edit these documents when using the Notes Client. The Anonymous ACL entry for this database is set to No Access, and the default ACL entry is set to Reader. Why might these users be unable to edit these documents from the Internet? ❍ A. The Anonymous ACL entry controls access to the database for all Internet users. The access level for this entry should be set to Editor. ❍ B. The default ACL entry controls access to the database for all Internet users. The access level for this entry should be set to Editor. ❍ C. The Maximum Internet Name and Password field in the ACL is set to Reader. This field should be set to Editor. ❍ D. The Maximum Internet Name and Password field in the ACL is set to No Access. This field should be set to Editor.

Question 27 What does the Certificate Revocation List (CRL) contain? ❍ A. A list of Notes IDs that have expired ❍ B. A list of server IDs that have expired ❍ C. The list of users in the Deny Access group ❍ D. A list of revoked Internet certificates

436 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 28 Which of the following is not a valid delivery status for a mail-tracking request? ❍ A. Delivered ❍ B. Delivery pending ❍ C. Delivery failed ❍ D. In queue

Question 29 Marcia is setting up mail routing failover for a mail server, which is in a cluster. Which of the following is not an option in the Cluster Failover field? ❍ A. Disabled ❍ B. Enabled for All Transfers in This Domain ❍ C. Enabled for Last Hop Only ❍ D. Enabled for First Hop Only

Question 30 Which of the following is not a tool that Domino provides for monitoring mail? ❍ A. Message Tracking ❍ B. Mail Usage Reports ❍ C. Mail Probes ❍ D. Shared Mail

437 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 31 Jessica has created an Archive Policy Settings document and assigned this policy to the users in her organization. She has indicated that the archive databases should reside on the mail server. Jessica has also created an Archive Criteria Policy Settings document. However, users are not able to create their archive databases. What is most likely the problem? ❍ A. The users must be given Create access on the mail server to create an archive database. ❍ B. Archive Policy Settings documents and Archive Criteria Policy Settings documents are mutually exclusive. You cannot create an Archive Criteria Policy Settings documents if an Archive Policy Settings document already exists. ❍ C. A user’s mail archive database cannot reside on the same server as that user’s mail database. ❍ D. Mail archive databases can be stored only on a user’s local drive.

Question 32 Where does Domino store mail usage reports? ❍ A. Domino Server Log database (log.nsf) ❍ B. Monitoring Results database (statrep.nsf) ❍ C. Reports database (reports.nsf) ❍ D. Mail Tracker Store database (mtstore.nsf)

Question 33 Kevin has assigned a secondary name server in the Location documents of the users in his organization. Under which of the following circumstances will the secondary name server be used? ❍ A. The user’s home server is down. ❍ B. The user’s home server is not running TCP/IP. ❍ C. The name of the user’s home server cannot be resolved over TCP/IP. ❍ D. All of the above.

438 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 34 Tara is using the Policy Synopsis tool to determine the effective policy for Pat, a user registered in her domain. Which of the following is a valid Report Type selection in the Policy Synopsis tool? ❍ A. Summary Only ❍ B. Hierarchical ❍ C. Organizational ❍ D. Security

Question 35 During new user registration, which of the following pieces of information is not included in the document that is stored in the certification log? ❍ A. Name and license type ❍ B. Certification and expiration dates ❍ C. Name, license type, and ID number of the registration server ❍ D. Name, license type, and ID number of the certifier ID used to create the user ID

Question 36 Rachel is listed in the ACL of the Appraisal.nsf database with the access level of Reader. She is also a member of the group Reviewers, which has an access level of Author. The [ADMIN] access role has been assigned to the Reviewers group. An Authors field includes the [ADMIN] access role in each of the documents in the database. What best describes the access that Rachel will have to this database? ❍ A. ACL access roles override individual ACL entries. She will have Author access to the database and will be able to edit any document in the database. ❍ B. ACL access roles override individual ACL entries. She will have Author access to the database and will be able to edit only those documents in the database that she has created. ❍ C. Individual ACL entries override group ACL entries. She will have Reader access to the database and will not be able to edit any of the documents. ❍ D. Group ACL entries override individual ACL entries. However, ACL access roles cannot be used in Authors fields. She will have Author access to the database but will not be able to edit any of the documents.

439 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 37 Ron is considering setting up a cluster for the Domino Release 6 servers that contain his organization’s critical Lotus Notes applications. Which Domino Release 6 server license type supports Domino clustering? ❍ A. Domino Application Server ❍ B. Domino Enterprise Server ❍ C. Domino Messaging Server ❍ D. All of the above

Question 38 Jeff is attempting to access the Payroll.nsf database from a Web browser. The server that Payroll.nsf resides on has been set up for anonymous access. The Anonymous entry in the database ACL is set to Reader access level, and the default ACL entry has the access level set to Editor. Jeff is not listed in the ACL as an individual entry, but he is a member of a group listed in the ACL with Author access. The Maximum Internet Name and Password property in the Advanced ACL properties has been set to No Access. What level of access will Jeff have for this database when using a Web browser? ❍ A. No Access ❍ B. Reader ❍ C. Author ❍ D. Editor

Question 39 Gretchen requires access to the Lotus Notes databases used by everyone in her company. She is also a Lotus Notes developer who must make design changes to several databases supported by her department. Whenever she creates a new version of a database, she needs to sign all of the design elements in the database with a server ID. What Notes/Domino client software should be installed on her workstation? ❍ A. Notes client only ❍ B. Notes client and Domino Administrator client only ❍ C. Domino Designer client and Domino Administrator client only ❍ D. Notes client, Domino Designer client, and Domino Administrator client

440 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 40 Jenny, a Lotus Notes developer for the Acme Company, is able to create new databases on server East/Acme. However, she is unable to create database replicas on this server. What would prevent her from creating database replicas? ❍ A. She is not listed in the Create Databases and Templates field in the Server Access section of the Server document. ❍ B. She is not listed in the Create New Replicas field in the Server Access section of the Server document. ❍ C. She does not have full-access administrator rights on the server. Only full-access administrators can create database replicas on a server. ❍ D. She does not have database administrator rights on the server. Only database administrators can create database replicas on a server.

Question 41 The database Survey.nsf is no longer needed on server East/Acme. Of the following, who would not be able to delete this database from the server? ❍ A. Anyone listed in the database ACL with an access level of Manager ❍ B. Anyone listed in the database ACL with an access level of Designer or above ❍ C. Anyone with full-access administrator rights on the server, regardless of access level in the database ACL ❍ D. Anyone with database administrator rights on the server, regardless of access level in the database ACL

441 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 42 The Products.nsf database on server West/Acme has the Anonymous ACL entry set to Reader access. The default ACL entry is set to Editor access. The Maximum Internet Name and Password property in the Advanced ACL properties has been set to Author access. Users receive an “Authorization failure” message when attempting to access this database from a Web browser. What is the most likely problem? ❍ A. The access level assigned to the default ACL entry cannot be greater than the Anonymous ACL entry. ❍ B. The access level assigned to the default ACL entry cannot be greater than the access level assigned to the Maximum Internet Name and Password property. ❍ C. The access level assigned to the Maximum Internet Name and Password property cannot be greater than the Anonymous ACL entry. ❍ D. Server West/Acme has not been set up to allow anonymous access.

Question 43 Dan is listed in the Access Server field in the Server Access section of the Server document for East/Acme. He is also a member of a group that is listed in the Not Access Server field. Dan’s name is listed as an individual ACL entry in the Payroll.nsf database with an access level of Reader. Will he be able to access the Payroll.nsf database on server East/Acme? ❍ A. Yes, because his individual entry in the Server Access section overrides the group entry ❍ B. Yes, because the Access Server field overrides the Not Access Server field, regardless of whether a user is listed individually or as a member of a group ❍ C. No, because the Not Access Server field overrides the Access Server field, regardless of whether a user is listed individually or as a member of a group ❍ D. Yes, because a database ACL overrides the security settings on the Server document

442 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 44 How are Server documents created in the Domino Directory? ❍ A. Server documents are created during the server registration process. ❍ B. After a server has been registered, the Server document must be manually created by the system administrator assigned to the server. ❍ C. After a server has been registered, the Server document must be manually created by the full-access administrator assigned to the server. ❍ D. A Server document is created when the Register [servername] command is run from the server console.

Question 45 Mary has encrypted a mail message that she is sending to Andy. What best describes how Mary and Andy’s public/private keys are used with Notes mail encryption? ❍ A. The mail message is encrypted with Andy’s private key and decrypted with Andy’s public key. ❍ B. The mail message is encrypted with Andy’s public key and decrypted with Andy’s private key. ❍ C. The mail message is encrypted with Mary’s private key and decrypted with Mary’s public key. ❍ D. The mail message is encrypted with Mary’s public key and decrypted with Andy’s private key.

Question 46 How many Connection documents are required to route mail between two servers if the servers reside in different Notes Named Networks within the same Domino domain? ❍ A. No Connection documents are required because the servers are in the same Domino domain. ❍ B. One Connection document is required, but each of the servers must be listed in both the Source Server and Destination Server fields of the Connection document. ❍ C. Two Connection documents are required. A Connection document is required for each server so that mail routes in both directions. ❍ D. Four Connection documents are required. Two Connection documents are required for each server—one to send mail and another to receive mail.

443 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 620 . .

Question 47 Kathy has set up server PASS1/Acme as a passthru server to enable access to databases on servers APP1/Acme and APP2/Acme by remote users in her organization. These users now can access databases on server APP1/Acme by connecting to server PASS1/Acme. However, they cannot access the databases residing on server APP2/Acme. What should Kathy look for in the Server documents for these servers? ❍ A. Ensure that these users are listed in the Access This Server field (by name, group, or wildcard entry) in the Passthru Use section of the Server document for APP2/Acme. ❍ B. Ensure that these users are listed in the Route Through field (by name, group, or wildcard entry) in the Passthru Use section of the Server document for PASS1/Acme. ❍ C. Ensure that server APP2/Acme is listed in the Destinations Allowed field in the Passthru Use section of the Server document for PASS1/Acme. ❍ D. All of the above.

Question 48 Which of the following activities is not performed by Domino when you register a new server? ❍ A. A server ID is created for the new server and it is certified with the certifier ID ❍ B. A Server document for the new server is created in the Domino Directory ❍ C. Connection documents are created for the new server to all other servers registered in the domain ❍ D. The new server name is added to the LocalDomainServers group in the Domino Directory

444 Chapter 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 49 Sarah, a Domino administrator, wants to manually shut down and restart the router on server West/Acme to troubleshoot server and messaging problems. Which commands would she enter at the console to do this? ❍ A. To shut down the router, she would enter tell router stop. To restart the router, she would enter tell router restart. ❍ B. To shut down the router, she would enter tell router quit. To restart the router, she would enter tell router restart. ❍ C. To shut down the router, she would enter tell router quit. To restart the router, she would enter load router. ❍ D. To shut down the router, she would enter unload router. To restart the router, she would enter load router.

Question 50 Matt is upgrading his Domino servers from Release 5 to Release 6. He is considering migrating from a distributed directory architecture to a central directory architecture. Which of the following statements is not true regarding the Domino Directory architecture in Release 6? ❍ A. In a central directory architecture, there can be only one Directory server within a domain. ❍ B. In a central directory architecture, the Domino Directory replica that resides on a Directory server contains the entire contents of the Domino Directory. ❍ C. In a central directory architecture, a configuration directory is a selective replica of the Domino Directory that contains only documents used for Domino configuration. ❍ D. A central directory architecture and a distributed directory architecture can be combined in a single domain.

20 Answer Key for 620

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. C

18. D

35. C

2. A

19. A

36. C

3. D

20. D

37. B

4. A

21. D

38. A

5. C

22. B

39. D

6. B

23. A

40. B

7. D

24. A

41. B

8. A

25. B

42. D

9. D

26. C

43. C

10. A

27. D

44. A

11. B

28. B

45. B

12. D

29. D

46. C

13. C

30. D

47. D

14. A

31. A

48. C

15. B

32. C

49. C

16. C

33. D

50. A

17. C

34. A

446 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Answer C is correct. The Warning Threshold should be set to a value that allows users to take action to reduce the size of their mail file before it reaches the database quota size. The Over Warning Threshold Notifications field in the Configurations Settings document must also be set to either Per Message or Per Time Interval. Answer A is incorrect because there are no such settings as Database Quota Warning or Quota Warning Notifications. Answer B is incorrect because enabling the Over Quota Notifications field in the Configurations Settings document would only send a message to a user who has exceeded the database quota (not the warning threshold). Answer D is incorrect. Database quotas are often used for mail files.

Question 2 Answer A is correct. After the Desktop Policy Settings document has been changed, any changes to the settings become effective the next time users authenticate with their home server. Answer B is incorrect because there is no such server task as Policy. Answer C is incorrect. Desktop Policy Settings do not require recertification of users. Answer D is incorrect. When a change is made to the Desktop Policy Settings document, the change becomes effective for a user the next time that user authenticates with his home server.

Question 3 Answer D is correct. To run agents on a server, the signer of the agent must be listed in either the Run Unrestricted Methods and Operations field or the Run Restricted LotusScript/Java Agents field. Answer A is incorrect. When scheduling an agent to run on a server, there is no restriction for choosing a time outside of the execution of the Updall server task. Answer B is incorrect because the Run Unrestricted Methods and Operations field allows the users included in this field to run any agent.

447 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Being a member of this field takes precedence over the Run Restricted LotusScript/Java Agents field. Answer C is incorrect because the Run Unrestricted Methods and Operations field takes precedence over the Run Restricted LotusScript/Java Agents field. The Run Unrestricted Methods and Operations field allows the users included in this field to run any agent, while the Run Restricted LotusScript/Java Agents field allows the users included in this field to run only LotusScript or Java agents that do not perform restricted operations (manipulation of system time, file I/O and operating system commands).

Question 4 Answer A is correct. To receive design changes from East/Acme (the source server), the database replica on West/Acme (the destination server) must give East/Acme at least Designer access, and the database replica on East/Acme must give West/Acme at least Reader access. Answer B is incorrect. Although West/Acme could indeed access the design changes on East/Acme with Designer access, if East/Acme had only Reader access to the database replica on West/Acme, it could not replicate those design changes. Answers C and D are incorrect. These access levels would be sufficient for replicating the design changes. However, the question asked for the minimum access levels required.

Question 5 Answer C is correct. Network compression can be enabled between two Domino Release 6 servers or a Domino Release 6 server and a Notes Release 6 client workstation. For compression to work, the network ports on both sides of the connection must be enabled. Answer A is incorrect because network compression cannot be enabled for the Domino Release 5 server. Answer B is incorrect because network compression cannot be enabled for the Notes Release 5 client workstation. Answer D is incorrect because answers A and B are incorrect.

448 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 6 Answer B is correct. An Extended ACL is used to restrict access to database objects (documents, fields, and so on) that a user would otherwise have from the access level assigned in the database ACL. Answer A is incorrect because you cannot use the Extended ACL to give a user a higher level of access to a database than the access level assigned in the database ACL. Answer C is incorrect. A full-access administrator does have access to all databases residing on the server. However, this administrator type is assigned in the Server document, not via the Extended ACL for a database. Answer D is incorrect because answers A and C are not correct.

Question 7 Answer D is correct. The most expedient way to replicate these changes is via one-way (push) forced replication. Answer A is incorrect because design changes can be replicated using either scheduled or forced replication. Answer B is incorrect because there is no such replication type as Immediate. Also, a forced one-way replication would be the quickest method for replicating these changes. Answer C is incorrect because this would only pull changes from the database replica on server West/Acme. The design changes made on the database replica on server East/Acme would not be replicated.

Question 8 Answer A is correct. View-only administrators can use the remote console to issue only a subset of server commands (those that provide system status information, such as show tasks and show server). Answer B is incorrect. The the remote console.

replicate

server command can be executed from

Answer C is incorrect because replicate is a valid server command. Answer D is incorrect. If she was listed in the Not Access Server field, she would not have been able to run the show tasks server command.

449 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Question 9 Answer D is correct. A full-access administrator for a server has all of the rights that are listed.

Question 10 Answer A is correct. The abbreviated format is the full hierarchical name, which includes each of its components, but without the component indicator. In this case, Acme is the organization, East is the first-level Organizational Unit, Purchasing is the second-level Organizational Unit, and Randy Smith is the common name. Answer B is incorrect because this is the canonical format of the hierarchical name. Note that the component indicators (CN=, OU=, and O=) are included with their respective components. Answer C is incorrect because the abbreviated format for a specific hierarchical name would not include the wildcard character (*). The wildcard format is used in ACL entries to grant access to all users or servers of a specific organization or organizational unit. Answer D is incorrect because this is only the common name component of the hierarchical name.

Question 11 Answer B is correct. Notes/Domino authentication uses the public and private keys of the client and the server in a challenge/response interaction. Answer A is incorrect because a passthru server is an intermediary server that acts as a “stepping stone” to gain access to a destination server. When using a passthru server, authentication still must take place between the client and the server. Answer C is incorrect because the ACL controls access to a database, not the server. Answer D is incorrect because the Extended ACL is used to further restrict access to users in specific databases.

450 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 12 Answer D is correct. These are all methods that can be used to manually assign an explicit policy to a user.

Question 13 Answer C is correct. If the signer of the agent is not listed in the Run Unrestricted Methods and Operations field, LotusScript features that perform restricted operations (manipulation of system time, file I/O, and operating system commands) cannot be used when the agent is run on the server. Answer A is incorrect because a LotusScript agent that does not perform any restricted operations can be run on the server if the signer of the agent is listed in the Run Restricted LotusScript/Java Agents field. Answer B is incorrect because the signer of a LotusScript agent running on a server must be listed in the Run Unrestricted Methods and Operations field if the agent performs restricted operations. Answer D is incorrect because a LotusScript agent that accesses the file system (a restricted operation) cannot be run on a server if the signer of the agent is not listed in the Run Unrestricted Methods and Operations field.

Question 14 Answer A is correct. The primary Domino Directory contains the entire contents of the Domino Directory and is stored only on the directory servers in the domain. Answer B is incorrect because the configuration directory is a selective replica of the Domino Directory, containing only a subset of the documents in the primary Domino Directory. Answer C is incorrect because in a central directory architecture, only the directory servers have a replica of the primary Domino Directory. The other servers have the configuration directory, which contains only a subset of the documents in the primary Domino Directory. Answer D is incorrect because the primary Domino Directory is not a Notes.ini setting.

451 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Question 15 Answer B is correct. The various administrator types for a server are assigned in the Administrators section on the Security tab of the Server document. Domain Administrator is not a valid administrator type. Answers A, C, and D are incorrect because these are valid administrator types.

Question 16 Answer C is correct. A Readers field in a document controls access to that document. If a document contains a Readers field, a server must be listed in the Readers field or that server will not have access to that document, regardless of the access level assigned to the server in the database ACL. Without access to the document, the server cannot replicate the document. Answer A is incorrect. All documents are replicating successfully from server East/Acme to server West/Acme, meaning that server West/Acme must be included in any Readers fields on the documents. Answers B and D are incorrect because at least some of the new documents are being replicated successfully to both servers. During replication, the source server could not add new documents to the destination server with only Reader access in the database ACL.

Question 17 Answer C is correct. To create new groups in the Domino Directory (names.nsf), a user must have at least Editor access or Author access with the GroupCreator role. Answers A and B are incorrect. Although either of these access levels would allow a user to create new groups, the question asked for the minimum access required. Answer D is incorrect because a user with Reader access in the ACL cannot create new documents.

452 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 18 Answer D is correct. A user with Author access in the database ACL can open and read any document shown in a view. With the Create Documents privilege enabled, the user can also create new documents. However, to edit a document in the database, even if the user created it, the document must have an Authors field and the user must be specified in the Authors field. Answer A is incorrect because a user with Editor access in the database ACL can edit any document shown in a view. A Readers field controls access to the document, not the capability to edit it. Answer B is incorrect because if a user with Author access is specified in an Authors field on the document, that user can edit the document, even if the document was not originally created by the user. Answer C is incorrect because Edit Documents is not an optional ACL privilege.

Question 19 Answer A is correct. An explicit ACL entry for a user always takes precedence over the default and group entries, even if these entries have a higher access level. Answer B is incorrect. If a user is not listed explicitly in the ACL and is a member of more than one group listed in an ACL, the highest access level is used. However, the explicit entry takes precedence in this case. Answer C is incorrect because the access level of the explicit ACL entry for this user takes precedence. Answer D is incorrect because the access level of the default ACL entry is used only if there is no explicit entry for the user and the user is not a member of any group listed in the ACL.

Question 20 Answer D is correct. These are all circumstances in which Domino will authenticate a user accessing a Notes database over the Internet.

453 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Question 21 Answer D is correct. An organizational policy automatically applies to all users registered in a particular Organizational Unit. These settings are resolved first. An explicit policy assigns default settings to individual users or groups. These settings are resolved after the organizational policy settings. Answer A is incorrect. Organizational policy settings apply to all users registered in a particular Organizational Unit. Explicit policy settings override specific settings for a user or group, but the organizational policy settings are not ignored. Answer B is incorrect. Organizational policy settings are applied first to users registered in a particular Organizational Unit. Explicit policy settings assigned to the users then override specific settings. Answer C is incorrect because organizational policy settings are resolved first, followed by any explicit policy settings that are assigned.

Question 22 Answer B is correct. This is not a valid Policy Settings document. The valid Policy Settings documents are Registration, Setup, Desktop, Security, and Archive. Answers A, C, and D are incorrect because these are all valid Policy Settings documents.

Question 23 Answer A is correct. This is the canonical format of the hierarchical name. In the canonical format, each component of the hierarchical name includes the component identifier, followed by the component name. The component identifiers are: CN=, representing the common name; OU=, representing an Organizational Unit; O=, representing the organization; and C=, representing the country. Answers B, C, and D are incorrect because corporate name and company are not valid hierarchical name components.

454 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 24 Answer A is correct. Refresh Design is a manual process that immediately updates the design of the database with modifications in the design template. Answer B is incorrect because the Refresh Design process can be performed with Local selected as the server in the Refresh Database Design dialog box. A design template with the correct template name must be stored on the local machine. Answer C is incorrect because, in this case, the design of a specific database is being updated manually from a local design template, via the Refresh Design process. The Designer server task, which runs at 1:00 a.m. by default, updates the design of all databases that inherit their designs from master templates stored on the server. Answer D is incorrect. The Replicator task replicates design changes to other replicas of the database, but when the design of a specific replica is refreshed manually via Refresh Design, those changes take effect immediately.

Question 25 Answer B is correct. The next time these users change their passwords, they will be required to choose a password with a password quality scale rating of 8 or higher, and their Notes passwords will be synchronized with their Internet passwords. Answer A is incorrect. Although recertifying these users with the higher password quality scale would accomplish part of his goal, there is no Synchronize Internet Password with Notes Password option in the Person document. Answer C is incorrect because registration policy settings impact only users who are being registered. The existing users would not be impacted. Answer D is incorrect because the password quality scale rating for existing registered users can be changed either by recertifying them or via security policy settings.

455 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Question 26 Answer C is correct. Because these users can edit documents when using a Notes Client but can only read documents when accessing the database from the Internet, the Maximum Internet Name and Password field in the Advanced ACL properties must be set to Reader. Internet users accessing a database using name and password authentication will not receive an access level higher than the access level selected in the Maximum Internet Name and Password field. Answers A and B are incorrect because Internet users accessing a database using name and password authentication will receive the same level of access to the database as they would when using a Notes Client (but no higher than the access level selected in the Maximum Internet Name and Password field). Answer D is incorrect because if the Maximum Internet Name and Password field was set to No Access, the Internet users would not have been able to access the database to read documents.

Question 27 Answer D is correct. A Certificate Revocation List is a time-stamped list of revoked Internet certificates. Answers A and B are incorrect because a CRL does not list expired Notes user/server IDs. It contains a list of Internet certificates that have been revoked. Answer C is incorrect because Deny Access groups are used to control access to servers by Notes and Internet clients. A CRL lists revoked Internet certificates.

Question 28 Answer B is correct. Delivery Pending is not a valid delivery status that can be reported on a mail-tracking request. Answers A, C, and D are incorrect because these are all valid delivery statuses that can be reported on a mail-tracking request.

456 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 29 Answer D is correct. Enabled for First Hop Only is not a valid option for the Cluster Failover field. Answers A, B, and C are incorrect because these are all valid options for the Cluster Failover field.

Question 30 Answer D is correct. Shared mail is a space-saving feature, not a mailmonitoring tool. When shared mail is implemented, mail messages that are addressed to multiple recipients store only a single copy of the message in a shared mail database. Answers A, B, and C are incorrect because these are all tools that Domino provides for monitoring mail.

Question 31 Answer A is correct. If you allow private archiving, you must give the user Create access on the destination server to create an archive database. Answer B is incorrect because you create an Archive Criteria Policy Settings document from within an Archive Policy Settings document. Both Archive and Archive Criteria Policy Settings documents are used to set up mail file archiving. Answers C and D are incorrect. Mail archive databases are often stored on mail servers.

Question 32 Answer C is correct. Domino stores mail usage reports in the Reports database (reports.nsf). Answers A and B are incorrect. Although these are databases used by Domino, they do not store the mail usage reports.

457 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Answer D is incorrect. Domino uses the data stored in the Mail Tracking Store database (mtstore.nsf) to create mail usage reports. However, the actual mail usage reports are stored in the Reports database (reports.nsf).

Question 33 Answer D is correct. The secondary name server would be used under each of these circumstances.

Question 34 Answer A is correct. The Report Type options available in the Policy Synopsis tool are Summary Only (the default) and Detailed. Answers B, C, and D are incorrect because these are not valid report types in the Policy Synopsis tool.

Question 35 Answer C is correct. When a new user is registered, the certification log stores the name, license type, and ID number of the certifier ID, not the registration server. Answers A, B, and D are incorrect. All of this information is stored in the certification log document during new user registration.

Question 36 Answer C is correct. Individual ACL entries always override group ACL entries. Answers A and B are incorrect because ACL access roles do not override ACL entries. Answer D is incorrect because group ACL entries do not override individual ACL entries.

458 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 37 Answer B is correct. The Domino Enterprise Server and Domino Utility Server are the Domino Release 6 server license types that support Domino clustering. Answer A is incorrect because The Domino Application Server is a Domino Release 5 server license type that does not support Domino clustering. Answer C is incorrect. Although the Domino messaging server is a valid server license type for Domino Release 6, this server type does not support Domino clustering. Answer D is incorrect because answers A and C are incorrect.

Question 38 Answer A is correct. Internet users accessing this database cannot have an access level higher than the level assigned in the Maximum Internet Name and Password property. Answers B, C, and D are incorrect. For Internet users, the access level assigned in the Maximum Internet Name and Password property overrides the access levels for the ACL entries.

Question 39 Answer D is correct. She will need all three clients installed on her workstation to perform all of these tasks. Answers A, B, and C are incorrect. She could not perform all of the tasks listed unless all three clients were installed.

Question 40 Answer B is correct. The user must be listed in the Create New Replicas field (by individual, group, or wildcard) for that user to create database replicas on the server. Answer A is incorrect because the Create Databases and Templates field controls who can create new copies of databases and templates. To create a new replica of a database, she would need to be listed in the Create New Replicas field.

459 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Answers C and D are incorrect. Although these administrator levels have rights to create new database replicas on the server, users listed in the Create New Replicas field also can create database replicas.

Question 41 Answer B is correct. Users with Designer access or below in the database ACL cannot delete the database. Answers A, C, and D are incorrect. Users with an access level of Manager in a database ACL can delete the database from the server. Full-access administrators and database administrators for a server also have rights to delete any database on the server.

Question 42 Answer D is correct. If the settings in the Server document do not allow anonymous access to the server, users attempting to access the database anonymously via a Web browser will receive an “Authorization failure” message. Answers A, B, and C are incorrect because these ACL entries and properties have no restrictions for assigning access levels greater than or less than one another.

Question 43 Answer C is correct. If a user is listed in the Not Access Server field (by individual, group, or wildcard), the user will not be able to access the server. The Not Access Server field takes precedence over the Access Server field in the Server document as well as the database ACL. Answers A and B are incorrect. The Not Access Server field always takes precedence over the Access Server field, regardless of whether the name is included as an individual, group, or wildcard. Answer D is incorrect. When attempting to access a database, a user must first authenticate with the server that the database resides on. If the user is denied access to the server, there is no need to check the database ACL.

460 Chapter 20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 44 Answer A is correct. During the server registration process, a Server document is created for the server and placed in the Domino Directory. Answers B and C are incorrect because Server documents are automatically created and placed in the Domino Directory during the server registration process. Answer D is incorrect because Register is not a valid console command.

Question 45 Answer B is correct. The sender of an encrypted mail message uses the public keys of the recipients to encrypt the message. The recipients then decrypt the message with their own private key, which is stored in their Notes ID. Answers A and C are incorrect because private keys are used for decrypting mail messages, not for encrypting them. Answer D is incorrect because the public key of the recipient (Andy) is used to encrypt the mail message, not the public key of the sender (Mary).

Question 46 Answer C is correct. A Connection document for each server is required for routing mail in both directions between these two servers. Answer A is incorrect because these servers reside in different Notes Named Networks. If these server were in the same Notes Named Network, no Connection documents would be required. Answer B is incorrect because the Source Server and Destination Server fields can contain only one server entry each. They are not multivalue fields. Answer D is incorrect because only one Connection document for each server is required to route mail in both directions between the two servers.

Question 47 Answer D is correct. These are all settings that could impact access to these servers.

461 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 620 . .

Question 48 Answer C is correct. Connection documents to other servers in the domain must be created after the new server has been registered. Answers A, B, and D are incorrect because Domino performs all of these tasks during the server registration process.

Question 49 Answer C is correct. The console command tell router quit disables mail routing on the server. The console command load router starts the Router task and begins routing and delivering mail. Answers A, B, and D are incorrect because the commands tell router stop, tell router restart, and unload router are not valid console commands.

Question 50 Answer A is correct. Although it is entirely possible for a domain using the central directory architecture to have only one directory server, this is not the typical implementation. In fact, for failover reasons, at least one other server in the domain should store a primary Domino Directory. Answers B, C, and D are incorrect. A central directory architecture includes one or more directory servers that contain a full replica of the primary Domino Directory. Other servers in the domain have a configuration directory. This is a selective replica of the Domino Directory that contains only documents used for Domino configuration. A single domain can use a hybrid directory architecture, with some servers using the central directory model while other servers use the distributed directory architecture.

21 Practice Exam 621 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

464 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Multiuser installation is available for which of the following clients? ❍ A. Notes Client ❍ B. Domino Designer Client ❍ C. Domino Administrator Client ❍ D. All of the above

Question 2 Which of the following is not a true statement about streaming replication? ❍ A. Documents are replicated by their size, in ascending order. ❍ B. During replication, Notes Client users can begin working with documents as soon as they appear, even if the database hasn’t finished replicating. ❍ C. Streaming replication works only for Lotus Notes/Domino Release 6 clients and servers. ❍ D. Streaming replication works only for server-to-server replication, not for client-to-server replication.

Question 3 Which of the following is not a true statement about clustering Domino servers? ❍ A. All servers in the cluster must use TCP/IP and be on the same Notes Named Network. ❍ B. All servers in the cluster must be in the same Domino domain and share a common Domino Directory. ❍ C. A server can be a member of multiple clusters. ❍ D. Each server in the cluster must have a hierarchical server ID.

465 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 4 In the event of a server crash or media failure, Lori would like to be able to recover the Payroll.nsf database on server East/Acme as quickly as possible. She would also like to be able to recover updates to the Assignments view of this database. What would Lori do to accomplish this? ❍ A. Enable transaction logging in the database properties for Payroll.nsf ❍ B. Enable view logging in the Server document for server East/Acme ❍ C. Enable transaction logging in the Server document for server East/Acme and enable the setting Include Updates in Transaction Log in the Assignments view properties for Payroll.nsf ❍ D. Enable transaction logging in the Server document for server East/Acme and enable the setting Include Updates in Transaction Log in the database properties for Payroll.nsf

Question 5 Lynda, a Domino Administrator, would like to issue server and client certificates using Domino Certificate Authority (CA) with a CA key ring. What does she need for issuing certificates in this manner? ❍ A. Access to the CA key ring file and the password for the CA key ring. In the ACL for the Domino Certificate Authority database, she needs Editor access with the Delete Documents privilege and the [CAPrivlegedUser] role assigned. ❍ B. Access to the CA key ring file and the password for the server or client that the certificate is being issued for. In the ACL for the Domino Certificate Authority database, she needs Editor access with the Delete Documents privilege and the [CAPrivlegedUser] role assigned. ❍ C. Access to the CA key ring file and the password for the CA key ring. In the ACL for the Domino Certificate Authority database, she needs Depositor access with the Create Documents privilege and the [CAPrivlegedUser] role assigned. ❍ D. Access to the CA key ring file and the password for the CA key ring. In the ACL for the Domino Directory database, she needs Editor access with the Delete Documents privilege and the [CAPrivlegedUser] role assigned.

466 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 6 Gene has been receiving complaints from users about performance for some of the larger databases on server West/Acme. He is considering enabling database properties to optimize database performance. Which of the following is not a database property that can be used to optimize database performance? ❍ A. Don’t Maintain Unread Marks ❍ B. Show Response Documents in a Hierarchy ❍ C. Maintain LastAccessed Property ❍ D. Don’t Allow Headline Monitoring

Question 7 Which of the following is a potential benefit of creating an additional MAIL.BOX database on a Domino Mail Server? ❍ A. Creating an additional MAIL.BOX database might eliminate many of the access conflicts that could otherwise occur when using only one MAIL.BOX database. ❍ B. Creating an additional MAIL.BOX database might result in a large performance improvement compared to using only one MAIL.BOX database. ❍ C. In the event of corruption of a MAIL.BOX database, having an additional MAIL.BOX database provides for failover. ❍ D. All of the above.

Question 8 Where does Domino store server mail rules? ❍ A. In the Server document ❍ B. In the Notes.ini file ❍ C. In the Configuration Settings document ❍ D. In the Security Policy Settings document

467 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 9 Amanda, a Notes application developer, made several design changes in a design template for the HelpDesk.nsf database. She has submitted the design template to Peter, the Domino Administrator, for implementation on a production Domino server. After performing a Refresh Design using the design template, Peter notices that all of the design changes were made to the HelpDesk.nsf database on the production server, except for a new view that was being added. Which of the following circumstances could have prevented the new view from being added? ❍ A. The replication settings for the database have the view excluded. ❍ B. Amanda created the new view as a private view rather than a shared view. ❍ C. Manager access is required to perform a Refresh Design. Peter did not have Manager access to the database. ❍ D. Designer access or above is required to perform a Refresh Design. Peter did not have at least Designer access to the database.

Question 10 Domino stores certain information in a certifier ID file that is set up for ID Recovery. Which of the following would not be stored in the certifier ID file? ❍ A. The names of administrators who are allowed to recover IDs ❍ B. The number of administrators required to unlock an ID file ❍ C. The private keys of users who have mailed in encrypted backup copies of their ID files ❍ D. The mail-in database address where users send encrypted backup copies of their ID files

Question 11 Leanne has been assigned the administration level of View-Only Administrator for server East/Acme. Which of the following server commands could she issue from the remote console? ❍ A. Show Server ❍ B. Restart Server ❍ C. Start Port ❍ D. Stop Port

468 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 12 Which of the following is a benefit of Transaction Logging? ❍ A. Quicker recovery from server crashes and media failures ❍ B. Increased database performance ❍ C. Increased server performance ❍ D. All of the above

Question 13 Which of the following is not a true statement related to cluster failover? ❍ A. Cluster failover will work for Notes clients running Release 4.5 or later. ❍ B. Cluster failover will work only for Notes clients and Domino servers running Release 6. ❍ C. Cluster failover will work for a Notes Release 5 client accessing a database on a Domino Release 6 server. ❍ D. When a server that belongs to a cluster is not responding, the Cluster Manager determines the most available server containing a replica of the database being accessed.

Question 14 Colleen was recently promoted to a supervisor position in her department and now needs the capability to update documents in the JobPosting.nsf database and gain access to several restricted views. She has submitted a request to have her access to the database changed to the same access level as that of the other supervisors in her department, who are members of the DeptSupervisors group. Colleen is currently listed in the database ACL individually with Reader access and no access role assignments. The DeptSupervisors group is listed in the ACL with Editor access and is assigned to the Approver access role that controls access to the restricted views in the database. What can be done to give Colleen the same level of access to this database as the other supervisors in her department? ❍ A. Assign the Approver access role to her individual ACL entry ❍ B. Change the access level of her individual ACL entry to Editor ❍ C. Add her name to the DeptSupervisors group ❍ D. Add her name to the DeptSupervisors group and remove her individual ACL entry

469 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 15 Mike has set up cross-domain configuration documents to enable an administration server in the ACME1 domain to import and export administration requests to and from an administration server in the ACME2 domain. Which of the following administration tasks cannot be performed via cross-domain processing? ❍ A. Delete a person in the Domino Directory ❍ B. Rename a person in the Domino Directory ❍ C. Add a server in the Domino Directory ❍ D. Delete a server in the Domino Directory

Question 16 Which of the following is not a true statement about LZ1 (Lempel-Zev class 1) compression? ❍ A. The LZ1 algorithm is used for compressing attachments in Notes Domino 6. ❍ B. The Huffman algorithm is a quicker and more efficient compression method than the LZ1 algorithm. ❍ C. When using a Notes/Domino 6 client with a Domino 5 server, attachments are automatically recompressed on the server using the Huffman algorithm. ❍ D. LZ1 compression is enabled and disabled in the Advanced tab of Database Properties.

Question 17 Sandy wants to use License Tracking to monitor the number of active Notes users in the ACME domain. What information does the administration process update in the UserLicenses.nsf database when License Tracking is enabled? ❍ A. For a new user, a User License document is created in the database. ❍ B. For users with existing User License documents, their documents are updated with the new time and date they accessed a server within the domain. ❍ C. For a user who has not accessed any server in the domain for one full year, the User License document for that user is deleted from the database. ❍ D. All of the above.

470 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 18 Several of the views for the database JobPosting.nsf appear to be corrupt in the database replica residing on server East/Acme. These same views look fine in the database replica residing on server West/Acme. Which of the following would not be a recommended approach for attempting to fix the corruption in this database? ❍ A. Delete the database from the server East/Acme and create a new copy of the database from the database replica on the server West/Acme ❍ B. Delete the database from the server East/Acme and create a new replica of the database from the database replica on the server West/Acme ❍ C. Run UPDALL and FIXUP on the database replica on the server East/Acme ❍ D. Press Ctrl+Shift+F9 to rebuild all of the views in the database replica on the server East/Acme

Question 19 What is the ICL database used for in the CA Process? ❍ A. For tracking Internet certificates revoked by a certifier using the CA Process ❍ B. For tracking Internet and Notes certificates issued by a certifier using the CA Process ❍ C. For tracking only Internet certificates issued by a certifier using the CA Process ❍ D. For tracking only Notes certificates issued by a certifier using the CA Process

Question 20 Which of the following is not a valid client software installation method/type for Lotus Notes/Domino? ❍ A. Single-user client installation ❍ B. Multiuser installation ❍ C. Shared installation ❍ D. Single Copy Template installation

471 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 21 Ron has learned that Web users are not being required to authenticate when accessing documents in the Payroll.nsf database on server East/Acme. The access level for the default ACL entry is set to Editor. What could he do to ensure that Web users are authenticated before accessing this database? ❍ A. Set the access level of the default ACL entry to Authenticate ❍ B. Add the entry Anonymous to the database ACL with an access level of Authenticate ❍ C. Add the entry Anonymous to the database ACL with an access level of No Access ❍ D. Add the entry Anonymous to the database ACL with an access level of Editor

Question 22 Who can set quotas for databases on a server? ❍ A. Those assigned as a Quota Administrator in the Server document ❍ B. Those assigned as a Database Administrator in the Server document ❍ C. Those assigned the access level of Administrator in the database ACLs ❍ D. All of the above

Question 23 Helena would like to restrict access to certain documents in the Payroll.nsf database so that only members of the DeptManagers group can access those documents. Which of the following is the best solution for accomplishing this? ❍ A. Add a Readers field to the restricted documents and include the DeptManagers group in the Readers field. ❍ B. Add an Authors field to the restricted documents and include the DeptManagers group in the Authors field. ❍ C. Give the DeptManagers group Editor access in the database ACL, and change the access level of all other entries in the database ACL to No Access. ❍ D. In each of the views that display the restricted documents, create a view access list in View Properties and include the DeptManagers group in the view access list.

472 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 24 Charlie, a Domino Administrator, has been asked by management to create and deploy a new corporate welcome page as the default welcome page for the Notes users in his organization. He also wants to prevent Notes users from selecting or creating a different welcome page than the default welcome page that he is deploying. Charlie has finished creating the new welcome page on a local welcome page database. What additional steps must he perform? ❍ A. Copy the welcome page database to a server. In the desktop policy settings document(s) assigned to the organizational/explicit policies, create a database link to this welcome page database in the Corporate Welcome Pages database field. In the Home Page Selection field, enable the option Do Not Allow Users to Change Their Home Page. ❍ B. In the desktop policy settings document(s) assigned to the organizational/explicit policies, create a database link to the local welcome page database in the Corporate Welcome Pages database field. In the Home Page Selection field, enable the option Do Not Allow Users to Change Their Home Page. ❍ C. Copy the welcome page database to a server. In the organizational/explicit policy document(s), create a database link to this welcome page database in the Corporate Welcome Pages database field. In the Home Page Selection field, enable the option Do Not Allow Users to Change Their Home Page. ❍ D. In the organizational/explicit policy documents, create a database link to the local welcome page database in the Corporate Welcome Pages database field. In the Home Page Selection field, enable the option Do Not Allow Users to Change Their Home Page.

Question 25 Which of the following is a true statement about access roles in a database ACL? ❍ A. Roles can be assigned to ACL entries to increase the level of access to specific forms, views, documents, and so on. ❍ B. Roles can be assigned to ACL entries to allow access to specific forms, views, documents, and so on. ❍ C. A user must have an access level of Designer or above in the database ACL to be able to assign an access role to an ACL entry. ❍ D. ACL access roles do not work for users accessing the database from a Web browser.

473 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 26 Steve, a supervisor in the Marketing department, would like to set up his Notes calendar to display calendar entry types in different colors. Which of the following is not a requirement for changing calendar entry types to display in different colors? ❍ A. He must be connected to his mail server. ❍ B. His mail server must be a Domino 6 server. ❍ C. He must be using a Notes 6 client. ❍ D. He must be using a Domino Designer 6 client to make this design change.

Question 27 Which of the following is not a true statement about the Domino Console? ❍ A. The Domino Console is a Java-based console. ❍ B. When you start a Server Controller, the Domino Console starts by default. ❍ C. The Domino Console can be used to open and manage Notes databases. ❍ D. Commands can be sent to multiple servers using the Domino Console.

Question 28 Patty created an organizational policy for the users in the Sales/Acme Organizational Unit. She would like to assign an explicit policy to Randy, a temporary contractor whom she recently registered in Sales/Acme. Which of the following methods can Patty use to assign the explicit policy? ❍ A. Add the explicit policy to Randy’s Person document ❍ B. Use the Policy Synopsis tool to assign the explicit policy to Randy ❍ C. Add the explicit policy to Randy’s Notes.ini file ❍ D. All of the above

474 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 29 Which of the following is a true statement about network compression? ❍ A. Network compression can be enabled only on Domino Release 5 and Domino Release 6 servers. ❍ B. Network compression works only for data transmitted between two Domino Release 6 servers. ❍ C. Network compression is enabled in Advanced Database Properties for a database. ❍ D. Network compression does not compress encrypted data.

Question 30 The HelpDesk.nsf database was added to the server West/Acme, and a replica of this database was added to the server East/Acme. The database replica on the server West/Acme has an ACL entry for East/Acme with an access level of Designer. The database replica on the server East/Acme has an ACL entry for West/Acme with an access level of Editor. During scheduled pull-pull replication, what information will be replicated between these database replicas? ❍ A. Nothing will be replicated. Schedule replication requires that a server have an access level of Manager in the ACL of the database it is replicating with. ❍ B. During scheduled replication, all changes (documents, design, and ACL) are replicated, regardless of the ACL access levels assigned to the servers. ❍ C. Documents will replicate to and from replicas on both servers. No ACL changes will be replicated. Design changes will replicate from the server East/Acme to West/Acme, but not from the server West/Acme to East/Acme. ❍ D. Documents will replicate to and from replicas on both servers. No ACL changes will be replicated. Design changes will replicate from the server West/Acme to East/Acme, but not from the server East/Acme to West/Acme.

Question 31 Sharon is trying to determine why a document is not replicating. She has found the reference to the document in the log file. Which of the following tools could Sharon use to locate and review the document properties for this document?

475 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . . ❍ A. Use the Design Synopsis tool in the Domino Administrator client to search for the document by Universal Note ID (UNID) ❍ B. Use the Find Note tool in the Domino Administrator client to search for the document by Note ID ❍ C. Use the Design Synopsis tool in the Notes client to search for the document by Note ID ❍ D. Use the Design Synopsis tool in the Notes client to search for the document by Universal Note ID (UNID)

Question 32 Kevin, a Domino Administrator, has noticed that the mail files on the server East/Acme have become quite large. Which of the following might Kevin consider for managing the size of his users’ mail files? ❍ A. Set up Shared Mail on server East/Acme ❍ B. Create an Archive policy settings document and assign the policy to mail users ❍ C. Set up a mail file quota for the mail files on the server East/Acme ❍ D. All of the above

Question 33 Eric has just created the new Payroll.nsf database on the server East/Acme. He would like to ensure that the ACL for this database remains identical on all replicas. What can Eric do to accomplish this? ❍ A. Enable the Advanced ACL property Enforce a Consistent Access Control List Across All Replicas of This Database for the Payroll.nsf database on the server East/Acme ❍ B. In the Security Setting section of the Server document for the server East/Acme, add Payroll.nsf to the field Enforce a Consistent Access Control List Across All Replicas ❍ C. In the Replication section of the Server document for the server East/Acme, add Payroll.nsf to the field Enforce a Consistent Access Control List Across All Replicas ❍ D. In the Replication section of the Configuration Settings document for the server East/Acme, add Payroll.nsf to the field Enforce a Consistent Access Control List Across All Replicas

476 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 34 Which Domino server type does not support partitioned servers? ❍ A. Domino Utility Server ❍ B. Domino Messaging Server ❍ C. Domino Enterprise Server ❍ D. Domino Application Server

Question 35 Marcia, a Notes Developer, is designing the Request form in the HelpDesk.nsf database on server East/Acme. This form will contain fields that will connect to an external relational database. What steps must she first perform to connect these fields to the external database? ❍ A. Create a Data Source Resource on server East/Acme. Create a Data Connection Resource in the HelpDesk.nsf database. Enable the property Allow Connections to External Databases Using DCRs in the database properties for HelpDesk.nsf. ❍ B. Create a Data Connection Resource in the HelpDesk.nsf database. Enable the property Allow Connections to External Databases Using DCRs in the database properties for HelpDesk.nsf. ❍ C. Create a Data Source Resource in the HelpDesk.nsf database. Enable the property Allow Connections to External Databases Using DCRs in the database properties for HelpDesk.nsf. ❍ D. Create a Data Source Resource on the server East/Acme. Create a Data Connection Resource in the HelpDesk.nsf database. Enable the property Allow Connections to External Databases Using DCRs in the form properties for the Request form.

Question 36 What are the valid server commands for forced replication? ❍ A. Pull-push, push-only, and pull-only ❍ B. Pull-push, pull-pull, pull-only, and push-only ❍ C. Replicate, pull, and push ❍ D. Replicate, pull-push, push-only, and pull-only

477 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 37 Tara, a Notes Developer with Designer access in the JobReview.nsf database, has changed the Appraisal form in this database by adding a Readers field with the computed value [Review]. However, she intended for the value in the Readers field to be [Reviewer] for the [Reviewer] access role. Now when Appraisal documents are saved in this database, users no longer have access to the documents. Tara has created an agent to correct the Readers field, but she does not have access to these documents, either. The Readers field in these documents must be corrected. How can this be accomplished? ❍ A. Tara could change her access level to Manager. This will allow her to access all the documents in the database, regardless of Readers fields. ❍ B. Tara must contact an administrator with Full Access Administration to the server that this database resides on and have this person run the agent. ❍ C. Tara must correct the Appraisal form design by changing the computed value of the Readers field to [Reviewer]. This will correct the problem without having to run the agent. ❍ D. All of these methods could be used to gain access to the documents to resolve the problem.

Question 38 Which of the following is not included in the ID file for a Notes user? ❍ A. The owner’s name ❍ B. A private key ❍ C. A Notes certificate ❍ D. The location of the user’s mail file

478 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 39 Kim has been informed by the users of the Orders.nsf database that documents deleted from the database replica on the server East/Acme have been reappearing. She has noticed that these documents seem to reappear after replicating with the database replica on the server West/Acme. What might be causing these documents to reappear? ❍ A. The purge interval settings for the database replica on the server East/Acme are causing the deletion stubs to be removed before replication with the database replica on the server West/Acme. ❍ B. The replication setting Temporarily Disable Replication has been enabled for the database replica on the server East/Acme. ❍ C. The replication setting Temporarily Disable Replication has been enabled for the database replica on the server West/Acme. ❍ D. The replication setting Do Not Send Deletions Made in the Replica to Other Replicas has been enabled for the database replica on the server West/Acme.

Question 40 Kathy, a Domino Administrator for the AcmeCorp domain, and Carmen, a Domino Administrator for the AcmeToys domain (a subsidiary company), want to crosscertify their domains so that all users and servers in both organizations can authenticate with one another. What steps should they take to accomplish this? ❍ A. The AcmeCorp organization certifier must obtain a cross-certificate for the AcmeToys organization certifier and store it in the AcmeCorp Domino Directory. Also, the AcmeToys organization certifier must obtain a cross-certificate for the AcmeCorp organization certifier and store it in the AcmeToys Domino Directory. ❍ B. The AcmeCorp organization certifier must obtain a cross-certificate for the AcmeToys organization certifier and store it in the AcmeCorp Domino Directory. Then the AcmeToys organization certifier must recertify all the users and servers to obtain a copy of the AcmeCorp organization certificate. ❍ C. The AcmeCorp organization certifier must obtain a cross-certificate for the AcmeToys organization certifier and store it in the AcmeCorp Domino Directory. Then the AcmeCorp organization certifier must recertify all the users and servers to obtain a copy of the AcmeToys organization certificate. ❍ D. In the Security section of the Configuration Settings document in the AcmeCorp Domino Directory, include /AcmeToys in the Cross-Certify with These Domains field. Also, in the Security section of the Configuration Settings document in the AcmeToys Domino Directory, include /AcmeCorp in the Cross-Certify with These Domains field.

479 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 41 Fran is setting up the server East/Acme as a passthru server for members of the SalesReps group to access databases on the server West/Acme. Which of the following settings in the Passthru Use section of the Server document for the server East/Acme would allow users in the SalesReps group to connect to the server West/Acme via passthru? ❍ A. The Access This Server field contains SalesReps. The Route Through field is blank. The Destinations Allowed field contains West/Acme. ❍ B. The Access This Server field contains West/Acme. The Route Through field contains SalesReps. The Destinations Allowed field is blank. ❍ C. The Access This Server field is blank. The Route Through field is blank. The Destinations Allowed field contains West/Acme. ❍ D. The Access This Server field contains SalesReps. The Route Through field is blank. The Destinations Allowed field is blank.

Question 42 Tom, a Domino Administrator for the ACME domain, is considering migrating from a distributed directory architecture to a central directory architecture. Which of the following is a benefit of a central directory architecture? ❍ A. Each server in the domain will contain a replica of the primary Domino Directory, making replication more efficient. ❍ B. Servers that store a Configuration Directory often require more powerful machines. ❍ C. Administrators will be able to manage the Domino Directory with more administrative control. ❍ D. A central directory architecture requires less network bandwidth to support remote primary directory lookups.

480 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 43 What are the requirements for using the Remote Debugger to debug an agent from a client workstation? ❍ A. The agent must be a LotusScript agent. Remote debugging must be enabled in the agent. The rdebug task must be running on the server where the database resides. The agent must be running on the server. ❍ B. The agent must be a LotusScript or JavaScript agent. The rdebug task must be running on the server where the database resides. The agent must be running on the server. ❍ C. The agent must be a LotusScript or Formula agent. Remote debugging must be enabled in the agent. The agent must be running on the server. ❍ D. The agent must be a LotusScript agent. Remote debugging must be enabled in the agent. The rdebug task must be running on the server where the database resides. The agent must be running on the client workstation.

Question 44 The Projects.nsf database on the server West/Acme is currently accessed by employees using the Notes client. Their access to this database is controlled by the default ACL entry, which is set to Editor. Management now wants this database to be available to employees to access from home using a Web browser. Employees are required to authenticate whether accessing the database from the Notes client or a Web browser. Anonymous access should not be permitted. What should the ACL settings be in this database to meet these requirements? ❍ A. Set the access level of the Anonymous ACL entry to Authenticate, and set the Maximum Internet Name and Password property in the Advanced ACL properties to Editor ❍ B. Set the access level of the Anonymous ACL entry to No Access, and set the Maximum Internet Name and Password property in the Advanced ACL properties to Editor ❍ C. Set the access level of the Anonymous ACL entry to No Access, set the access level of the Default ACL entry to Authenticate, and set the Maximum Internet Name and Password property in the Advanced ACL properties to No Access ❍ D. Ensure that the Anonymous entry does not exist in the ACL, and set the Maximum Internet Name and Password property in the Advanced ACL properties to Authenticate

481 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 45 Which of the following issues should be considered before enabling Extended Access for a Domino Directory? ❍ A. The Advanced ACL setting Enforce a Consistent Access Control List Across All Replicas should be enabled to ensure that the database replicates properly. ❍ B. After Extended Access is enabled, changes should not be made to replicas of the Domino Directory on servers running Domino Release 5 or earlier because the changes will not replicate to a Domino 6 server. ❍ C. After Extended Access is enabled, the database ACL and the Extended ACL are enforced for anonymous LDAP searches of the directory. ❍ D. All of the above.

Question 46 What replication types are available for scheduled replication? ❍ A. Pull-push, pull-pull, and push-pull ❍ B. Pull-pull, push-only, and pull-only ❍ C. Pull-push, pull-pull, push-only, and pull-only ❍ D. Pull-push, push-pull, push-only, and pull-only

Question 47 Which of the following can a Domino Administrator use to communicate with a Server Controller? ❍ A. The Domino Console from a Domino server ❍ B. The remote console in the Domino Administrator client ❍ C. The remote console in the Web Administrator ❍ D. All of the above

482 Chapter 21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 48 Which of the following is not a true statement about electronic signatures used in documents of a Lotus Notes database? ❍ A. An electronic signature can be used to sign specific fields in a document. ❍ B. An electronic signature can be used to sign sections of a document. ❍ C. An electronic signature is used to encrypt documents so that only users with access to the encryption key can view the contents of the documents. ❍ D. An electronic signature is used to verify that the person who originated the data in a document is the author of that data and that no one has tampered with the data.

Question 49 Gretchen would like to manage the size of mail files of the users in her organization. She has set the quota for mail files to 50MB. Several users have exceeded the quota size, but the router continues to deliver mail to them. Why might the router be continuing to deliver their mail rather than withholding it? ❍ A. The router is still configured with its default behavior, which is to continue to deliver mail after the quota has been exceeded. The router should be configured to refuse or hold mail when the quota has been exceeded. ❍ B. These users have been assigned Manager access in the ACL of their mail files, which overrides quota enforcement. Their ACL access level should be set to Designer or below if mail file quotas are to be enforced. ❍ C. The Quota task is not running on the server where these users’ mail files reside. ❍ D. Exceeding a mail file quota triggers a notification message. Mail file quotas are not enforceable.

483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 621 . .

Question 50 The default access level in the ACL of the Domino Directory for the ACME domain is set to Reader. The Administrator and Server groups have an access level of Manager. Jeff, a Domino Administrator for this domain, would like to allow the users registered in this domain to update only certain personal information fields in the Work/Home section of their Person documents. What could Jeff do to accomplish this? ❍ A. Change the default access level to Author ❍ B. Change the default access level to Editor ❍ C. Create an extended Access Control List and enable Write access to the specific fields for the default ACL entry ❍ D. Change the default access level to Author and create an extended Access Control List to restrict the default ACL entry to Write access for the specific fields

22 Answer Key for 621 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. A

18. A

35. A

2. D

19. B

36. C

3. C

20. D

37. B

4. C

21. C

38. D

5. A

22. B

39. A

6. B

23. A

40. A

7. D

24. A

41. B

8. C

25. B

42. C

9. B

26. D

43. A

10. C

27. C

44. B

11. A

28. A

45. D

12. A

29. D

46. C

13. B

30. C

47. D

14. D

31. B

48. C

15. C

32. D

49. A

16. B

33. A

50. D

17. D

34. D

486 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Answer A is correct. The multiuser installation is available only for the Notes client. Answers B and C are incorrect because multiuser installation is not supported for either the Domino Administrator or Domino Designer clients. Answer D is incorrect because answers B and C are not correct.

Question 2 Answer D is correct. Streaming replication works for client-to-server replication if both the client and the server are running Notes Domino Release 6. Answers A and B are incorrect because these are features of streaming replication. Answer C is incorrect because streaming replication is a new feature of Notes Domino 6. It does not work for earlier releases or in mixed-release client/server environments.

Question 3 Answer C is correct. A server can be a member of only one cluster at a time. Answers A, B, and D are incorrect because these are all requirements for Domino clustering.

Question 4 Answer C is correct. Transaction logging is enabled in the Server document for databases that reside on the server. View logging is enabled in the view properties for specific views in a database with transaction logging enabled. Answer A is incorrect because, although you could disable transaction logging in the database properties for a specific database, transaction logging must be enabled in the Server document. Answer B is incorrect because view logging is enabled in the view properties of a database, not in the Server document. Answer D is incorrect because the setting Include Updates in Transaction Log is a setting in the view properties, not the database properties.

487 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

Question 5 Answer A is correct. These are the requirements for using the CA Process with a CA key ring to issue server and client certificates. Answer B is incorrect because access to the server or client password is not required. Answer C is incorrect because Editor access with the Delete Documents privilege and the [CAPrivlegedUser] role is required. Answer D is incorrect because these ACL settings are required for the Domino Certificate Authority database, not the Domino Directory database.

Question 6 Answer B is correct. The setting Show Response Documents in a Hierarchy is a view property, not a database property. Answers A, C, and D are incorrect because these are all valid database properties. Enabling these settings can optimize database performance.

Question 7 Answer D is correct. These are all potential benefits of creating an additional MAIL.BOX database.

Question 8 Answer C is correct. Server mail rules are created and maintained in the Configuration Settings document. Answers A, B, and D are incorrect. Although these are all valid documents in the Domino Directory, none of them store server mail rules.

488 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 9 Answer B is correct. The administrator would not have access to a private view in the design template that was created by another user. Therefore, while performing the Refresh Design, this view would not have been available to the administrator. Answer A is incorrect because replication settings in the database would have no impact on the Refresh Design process. Answers C and D are also incorrect. An access level of Designer or Manager is required to perform a Refresh Design on a database. However, because other design elements were updated during the Refresh Design process, the administrator had sufficient access in the database ACL.

Question 10 Answer C is correct. A user’s private key is stored in the user’s Notes ID file. The certifier ID file does not contain the users’ private keys. Answers A, B, and D are incorrect because all of this information is stored in a certifier ID file that is set up for ID recovery.

Question 11 Answer A is correct. View-Only administrators can issue commands that display system status information. Answers B, C, and D are incorrect because View-Only administrators cannot issue commands that could impact the server’s operation.

Question 12 Answer A is correct. Database recovery is quicker and more reliable when transaction logging is enabled. Data that was not written to a database during a server crash or media failure can be recovered from the transaction logs. Also, consistency checks are not required for databases using transaction logging. Answers B and C are incorrect. Although database recovery and server restarts are quicker and more reliable when transaction logging is enabled, there is no runtime performance increase for databases with transaction logging enabled or for the server(s) on which these databases reside. Answer D is incorrect because answers B and C are not correct.

489 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

Question 13 Answer B is correct. Cluster failover works for Notes Domino Release 4.5 or later. Answer A is incorrect because cluster failover works for Notes clients running Release 4.5 or later. Answer C is incorrect because cluster failover works in a mixed client/server environment. Answer D is incorrect because this is the process that Domino uses during a failover event.

Question 14 Answer D is correct. Her individual ACL entry must be removed so that access to the database is controlled by the ACL entry of the group that she is being added to. Answers A and C are incorrect because she would still have only the access level of Reader in the ACL. Individual ACL entries take precedence over group ACL entries. Answer B is incorrect because she would still not have the necessary access role assigned to her for accessing the restricted views.

Question 15 Answer C is correct. Servers are added to the Domino Directory during the server registration process. Answers A, B, and D are incorrect because these are all administration tasks that can be performed via cross-domain processing.

Question 16 Answer B is correct. The LZ1 algorithm is a quicker and more efficient compression method than the Huffman algorithm. Answer A is incorrect because, when enabled, the LZ1 (Lempel-Zev class 1) compression algorithm is used for compressing attachments in Notes Domino 6. Answer C is incorrect because LZ1 compression is not supported on a Domino 5 server. The attachments would be recompressed using the Huffman compression algorithm. Answer D is incorrect because the setting Use LZ1 Compression for Attachments in the database properties is used to enable or disable LZ1 compression for a database.

490 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 17 Answer D is correct. All this information is updated by the administration process when License Tracking is enabled.

Question 18 Answer A is correct. A new copy of a database is created with a new replica ID. This would not allow the database on server X to replicate with the original database replica residing on server Y. Answers B, C, and D are incorrect because these are all methods that an administrator might pursue to resolve a database corruption problem.

Question 19 Answer B is correct. The Issued Certificate List (ICL) tracks both Notes and Internet certificates issued by the Certificate Authority (CA) Process. Answer A is incorrect because the ICL tracks the certificates issued by the CA Process. The Certificate Revocation List (CRL) identifies Internet certificates that have been revoked. Answers C and D are incorrect because the ICL tracks both Notes and Internet certificates issued by the Certificate Authority (CA) Process.

Question 20 Answer D is correct. Single Copy Template is not a client installation type. This is a new space-saving feature in Notes Domino 6 that stores design information in a single template rather than in each database that uses that template. Answers A, B, and C are incorrect because these are all valid Lotus Notes/Domino client software-installation methods/types.

Question 21 Answer C is correct. With an ACL entry of Anonymous set to No Access, Web users are authenticated when attempting to access this database. Answers A and B are incorrect because Authenticate is not a valid ACL access

491 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

level. Answer D is incorrect because Web users would be given the access privileges of the Anonymous ACL entry. They would have an access level of Editor without being authenticated.

Question 22 Answer B is correct. Users listed in the Database Administrator field in the Server document can set database size quotas for databases on that server. Answer A is incorrect because Quota Administrator is not a valid administration level in the Server document. Answer C is incorrect because Administrator is not a valid ACL access level. Answer D is incorrect because answers A and C are not correct.

Question 23 Answer A is correct. A Readers field in a document can be used to restrict access to the document. The entries in a Readers field can be individual names, groups, or access roles. Answer B is incorrect because an Authors field cannot be used to restrict access to a document. An Authors field is used in combination with the ACL access level of Author. A user with Author access must be listed in an Authors field of a document to edit the document. Answer C is incorrect because, although an access level of No Access would prevent other users from accessing the restricted documents, these users would not have access to any documents in the database. Answer D is incorrect because a view access list restricts access to the view, not the documents displayed in the view. This solution would not prevent a user from creating a private view to display the restricted documents.

Question 24 Answer A is correct. These are the necessary steps for deploying the default welcome page. Answer B is incorrect because the default welcome page must reside on a server that the users have access to. The users would not have access to the administrator’s local welcome page database referenced by the database link. Answers C and D are incorrect because a database link to the welcome page database is created in a desktop policy settings document, not an organizational or explicit policy document.

492 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 25 Answer B is correct. An ACL access role can be added to form/view access lists, Reader/Author fields, and so on to allow access to the ACL entries assigned to that access role. However, access roles cannot be used to increase the level of access that a user would otherwise have to the database according to the access level assigned in the database ACL. Answer A is incorrect because an access role cannot be used to increase the level of access that a user would otherwise have to the database, according to the access level assigned in the database ACL. Answer C is incorrect because the access level of Manager is required in the database ACL to assign an access role to an ACL entry. Answer D is incorrect because ACL access roles work for users accessing a database from either a Notes client or a Web browser.

Question 26 Answer D is correct. Setting up the Notes calendar to display calendar entry types in different colors does not require a design change. The Notes 6 client is used to make these changes. Answers A, B, and C are incorrect because these are all requirements for changing calendar entry types to display in different colors.

Question 27 Answer C is correct. The Domino Console cannot be used to open or manage Notes databases. Answers A, B, and D are incorrect because these are all features/behaviors of the Domino Console.

Question 28 Answer A is correct. An explicit policy can be assigned to a user in the user’s Person document, during user registration, or by using the Assign Policy tool. Answer B is incorrect because the Policy Synopsis tool is used to generate reports that show effective policies for users, not for assigning policies. Answer C is incorrect because the Notes.ini file does not provide a means of assigning policies. Answer D is incorrect because answers B and C are not correct.

493 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

Question 29 Answer D is correct. Encrypted data is not compressed during network compression. Answer A is incorrect because network compression does not work for Domino Release 5 servers. Network compression requires a pure Notes Domino 6 server-to-server or client-to-server connection. Answer B is incorrect because network compression will also work for a Notes Release 6 client to a Domino Release 6 server. Answer C is incorrect because network compression is enabled for a server or client network port, not in the properties for a database.

Question 30 Answer C is correct. During replication, the source server needs an access level of Manager to update ACL changes in the database replica on the destination server. Also, to receive design changes from West/Acme, the database replica on East/Acme needs to give West/Acme at least Designer access. Answer A is incorrect because an access level of Manager is not a requirement for replicating documents or design changes. Answer B is incorrect because, to replicate documents, design changes, and/or ACL changes, both the source and destination servers must have adequate access levels in the ACLs of the database replicas. The source server must have an access level of at least Designer to replicate design changes and an access level of Manager to replicate ACL changes. Answer D is incorrect because, to receive design changes from West/Acme, the database replica on East/Acme needs to give West/Acme at least Designer access. Because the database replica on West/Acme has given an access level of Designer to East/Acme, the design changes will replicate from East/Acme to West/Acme.

Question 31 Answer B is correct. The Find Note tool in the Domino Administrator client can be used to search for a document in the database using either the Notes ID or the Universal Note ID (UNID) of the document. Answers A, C, and D are incorrect because the Design Synopsis tool is used for generating reports about the database design.

494 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 32 Answer D is correct. Each of these solutions could be used to manage the size of the users’ mail files.

Question 33 Answer A is correct. When the Advanced ACL property Enforce a Consistent Access Control List Across All Replicas of This Database is enabled, the ACLs of all replicas of this database will remain identical. Answers B, C, and D are incorrect because the setting Enforce a Consistent Access Control List Across All Replicas does not exist in either the Server document or the Configuration Settings document.

Question 34 Answer D is correct. Domino Application Server is a server type for Domino Release 5. This server type does not support partitioned servers. Answers A, B, and C are incorrect because these are all Domino Release 6 server types that support partitioned servers.

Question 35 Answer A is correct. These are the steps that must be completed before connecting the fields to the external database. Answer B is incorrect because a Data Source Resource must also be created on the server East/Acme. Answer C is incorrect because the Data Source Resource must be created on the server, not in the database. Answer D is incorrect because the property Allow Connections to External Databases Using DCRs is a database property, not a form property.

Question 36 Answer C is correct. These are the valid server commands for performing forced replication. Answers A, B, and D are incorrect because pull-push, pull-pull, pull-only, and push-only are not valid server commands.

495 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

Question 37 Answer B is correct. An administrator with Full Access Administration rights for a server has access to all documents in all databases residing on the server, regardless of Readers fields. Answer A is incorrect because, with an ACL access level of Designer, she could not update the ACL for this database. Also, even if her ACL access level was changed to Manager, the Readers field would prevent her from accessing the documents. Answer C is incorrect because changing the form design would not change the existing documents. The computed value in the Readers field of an existing document would remain unchanged until the document is saved. Answer D is incorrect because answers A and C are not correct.

Question 38 Answer D is correct. The location of a user’s mail file is stored in the Notes.ini file and in the user’s Location document, but not in the Notes ID file. Answers A, B, and C are incorrect because all of these items are stored in a user’s Notes ID file.

Question 39 Answer A is correct. The replication setting Remove Documents Not Modified in the Last: x Days (the purge interval) removes deletion stubs as well as documents from the database. If replication does not occur more frequently than the purge interval, documents deleted from a database replica can be replicated back from other replicas. Answers B and C are incorrect because, although this is a valid replication setting, the deleted documents could not be replicated back to the database replica on the server East/Acme if replication was disabled. Answer D is incorrect because enabling this replication setting on the database replica on server West/Acme would prevent only deletion stubs in the West/Acme replica from replicating to the East/Acme replica. The problem is that documents deleted from the replica on East/Acme are not being deleted from the replica on West/Acme. These documents are then replicated back to the East/Acme replica.

496 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 40 Answer A is correct. These are the steps to perform for cross-certifying two domains. Answers B and C are incorrect because recertification of users and servers is not necessary when cross-certifying domains. Answer D is incorrect because there is no such field as Cross-Certify with These Domains in the configuration Settings document.

Question 41 Answer B is correct. The Route Through field must contain the SalesReps group (or a wildcard entry that includes this group). A blank in the Destinations Allowed field allows clients to access any server that is set up as a passthru destination. Because the server East/Acme is not the passthru destination, it doesn’t matter what was entered in the Access This Server field in the Server document for East/Acme. Answers A, C, and D are incorrect because a blank in the Route Through field indicates that the server cannot be used as a passthru server.

Question 42 Answer C is correct. A central directory architecture enables administrators to manage the Domino Directory with more administrative control, compared to a distributed directory architecture. Answer A is incorrect because, in a central directory architecture, some servers contain a full replica of the primary Domino Directory, while other servers contain a Configuration Directory (a smaller, selective replica of the Primary Domino Directory). Replication of the Domino Directory is typically more efficient because of the smaller Configuration Directories. Answer B is incorrect because servers that store a Configuration Directory typically require less powerful machines. Answer D is incorrect because a central directory architecture requires more network bandwidth to support remote primary directory lookups.

Question 43 Answer A is correct. These are the requirements for using the Remote Debugger to debug an agent from a client workstation. Answers B and C are

497 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 621 . .

incorrect because the Remote Debugger cannot be used to debug Formula or JavaScript agents. Answer D is incorrect because the agent must be running on the server to use the Remote Debugger to debug the agent. To debug an agent running on the workstation, use the Debug LotusScript debugging tool instead.

Question 44 Answer B is correct. If the database ACL includes the Anonymous ACL entry with an access level of No Access, users accessing the database from a Web browser will be authenticated. Because the employees require an ACL access level of Editor, the Advanced ACL property Maximum Internet Name and Password must be set to at least Editor for them to use the database from a Web browser. Answers A and C are incorrect because Authenticate is not a valid ACL access level. Answer D is incorrect because Authenticate is not a valid setting for the Advanced ACL property Maximum Internet Name and Password.

Question 45 Answer D is correct. Each of these issues should be considered and/or resolved before enabling Extended Access for a Domino Directory.

Question 46 Answer C is correct. Replication schedules for servers are defined in Connection documents. The valid replication types are pull-push, pull-pull, push-only, and pull-only. Answers A and D are incorrect because push-pull is not a valid replication type. Answer B is incorrect because pull-push is also a valid replication type.

Question 47 Answer D is correct. Each of these methods can be used to communicate with a server controller.

498 Chapter 22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 48 Answer C is correct. Encryption keys (not electronic signatures) are used to encrypt documents. Answers A, B, and D are incorrect because these are all true statements about electronic signatures.

Question 49 Answer A is correct. The default setting in the Over Quota Enforcement field in the Quota Controls section for the Router is Deliver Anyway (Don’t Obey Quotas). Answer B is incorrect because ACL access levels do not override quota enforcement. Answer C is incorrect because there is no such server task as Quota. Answer D is incorrect because quotas are enforceable if the router is configured correctly.

Question 50 Answer D is correct. Changing the default access level to Author would give users author access to their own Person documents. The Extended ACL could then restrict users’ access to these documents further by allowing these users Write access to only specific fields within the Person document. Answers A and B are incorrect because users would be able to edit every editable field within their Person documents, not just the specific fields. Answer C is incorrect because users would still have only an access level of Reader. The Extended ACL cannot give a user more access to the database than he would otherwise have in the database ACL.

23 Practice Exam 622 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

500 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Adam, a Domino Administrator, has upgraded the Domino servers in his organization from Release 5 to Release 6. He would now like to upgrade the Notes client workstations for all the users in his organization from Release 5 to Release 6. Which of the following methods could Adam use to upgrade these workstations? ❍ A. Deploy Smart Upgrade to these workstations by using a desktop policy settings document to force an upgrade of the Notes client from Release 5 to Release 6. ❍ B. Configure the home server(s) for these users to use Smart Upgrade to automatically upgrade their Notes clients from Release 5 to Release 6. ❍ C. Manually upgrade the Notes client by installing the Notes Release 6 upgrade from a CD or network location on each of the workstations. ❍ D. All these installation methods can be used to upgrade the Notes client workstations from Release 5 to Release 6.

Question 2 Pete is creating a Server Statistic Collection document to collect and report statistics on several Domino Release 6 servers within the ACME domain. In which of the following databases is the Server Statistic Collection document stored? ❍ A. In the LOG.NSF database ❍ B. In the EVENTS4.NSF database ❍ C. In the STATLOG.NSF database ❍ D. In the STATREP.NSF database

Question 3 Which of the following server console commands can be used to start the Statistic Collector task? ❍ A. load collect ❍ B. load stats ❍ C. tell collect start ❍ D. tell stats collect

501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 4 Sean is creating a Server Console Configuration document to customize the Domino server console. Which of the following is not a customizable setting for the Domino server console? ❍ A. Text color for failure events ❍ B. Text color for fatal events ❍ C. Alarm tune for fatal events ❍ D. Background color of the server console

Question 5 Which of the following actions can an event handler perform when a specific event occurs? ❍ A. Log the event to a specified database ❍ B. Prevent the event from being logged to the server console ❍ C. Forward the event to another program for additional processing ❍ D. All of the above

Question 6 When a roaming user logs on, which files are replicated from the roaming user server to the user’s machine? ❍ A. desktop.dsk, journal.nsf, and bookmark.nsf ❍ B. journal.nsf, bookmark.nsf, and names.nsf ❍ C. notes.ini and names.nsf ❍ D. desktop.dsk and notes.ini

502 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 7 Natalie is using the Domino Administrator server console to monitor events. What will occur if she sets a stop trigger for a particular event? ❍ A. The event handler for this event will be disabled immediately. ❍ B. The event handler for this event will be disabled the next time the event occurs. ❍ C. The console will pause and display only that event plus the 10 following lines of text when the event occurs. ❍ D. The console will highlight the text for that event only. Other events will continue to display in regular text.

Question 8 Conner has determined that agent logging is not enabled for the server South/Acme. How would he enable agent logging for this server? ❍ A. In the Notes.ini file for the server, set the Log_AgentManager value to 1 or 2 ❍ B. At the server console, enter the command Tell amgr log ❍ C. At the server console, enter the command Load amgr log ❍ D. In the Agent Manager section of the Server document, select Enabled for the Allow Agent Logging field

Question 9 The server ID for the server South/Acme has a certificate that is about to expire. Carolyn is using the original certifier to recertify this server ID. What is the minimum access that she must have to the Domino Directory and Certification Log databases to recertify this server ID? ❍ A. Author access with the Create Documents privilege and the [Certifier] role in the Domino Directory. Also, at least Author access with the Create Documents privilege in the Certification Log database. ❍ B. Manager access in the Domino Directory. Also, at least Author access with the Create Documents privilege and the [Certifier] role in the Certification Log database. ❍ C. Author access with the Create Documents privilege and the [ServerModifier] access role in the Domino Directory. Also, Manager access and the [Certifier] role in the Certification Log database.

503 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . . ❍ D. Author access with the Create Documents privilege and the [ServerModifier] role in the Domino Directory. Also, at least Author access with the Create Documents privilege in the Certification Log database.

Question 10 While reviewing the Certificate Expiration view in the Domino Directory, Patty has noticed that one of her users has a Notes ID that is due to expire in the next few weeks. How can she extend the expiration date for this Notes ID? ❍ A. In the Notes Certificate section of the user’s Person document, change the Certificate Expiration field to the new date. ❍ B. Recertify the user’s Notes ID and change the Expiration Date field to the new date. ❍ C. From the user’s Notes client, choose Tools, User ID, Certificates, and change the Certificate Expiration field to the new date. ❍ D. All of these methods can be used to extend the expiration date for a Notes ID.

Question 11 What feature in Domino displays real-time statistics and provides a visual representation of the status of servers and server tasks? ❍ A. Domino Server Monitor ❍ B. Domino Server Analyzer ❍ C. Domino Server Controller ❍ D. Domino Statistic Collector

Question 12 Which of the following is not a valid type of event generator document? ❍ A. Database event generator ❍ B. Mail routing event generator ❍ C. Administration event generator ❍ D. Task status event generator

504 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 13 Antonio would like to begin using Activity Logging for billing users who use the databases residing on the server South/Acme. Where is Activity Logging enabled? ❍ A. In the Activity Logging section of the Server document ❍ B. In the Activity Logging section of the Configuration Settings document ❍ C. On the Advanced tab of the database properties ❍ D. In the Notes.ini setting Log_User_Activity

Question 14 Bill would like to chart a defined set of server statistics on a regular basis. To do so, which of the following steps would he be required to perform? ❍ A. Create a statistics profile ❍ B. Enable Generate Statistic Reports While Monitoring or Charting Statistics in Administration Preferences ❍ C. Ensure that the Domino server monitor is running ❍ D. All of the above

Question 15 Danielle recently made some changes to a design template residing on the server North/Acme. However, the databases on the server North/Acme that inherit their design from this template still don’t reflect these design changes. Which command could she enter at the server console to assist her in investigating this problem? ❍ A. Issue the show tasks command to see if the updall task is running on the server ❍ B. Issue the show schedule command to see if the design task is scheduled to run on the server ❍ C. Issue the show design command to see if the design task is scheduled to run on the server ❍ D. Issue the tell design refresh command to display and update the list of design templates used by the design task

505 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 16 Kelly is using the Domino Administrator client to move a user from the server South/Acme to the server North/Acme. From the People and Groups tab, she has selected the user who is being moved and clicked on People, Move to Another Server. From the Move User(s) to Another Server dialog box, what files will she now be able to move to the new server? ❍ A. The user’s Notes ID file and roaming files ❍ B. The user’s Notes.ini file and roaming files ❍ C. The user’s mail file and roaming files ❍ D. The user’s mail file and Notes ID file

Question 17 What ACL access levels are required for replicating design changes from a database residing on the server South/Acme to a replica on the server North/Acme? ❍ A. The database on the server North/Acme must include South/Acme in its ACL with an access level of Designer or Manager. Also, the replica on the server South/Acme must include North/Acme in its ACL with an access level of Reader or above. ❍ B. The database on the server North/Acme must include South/Acme in its ACL with an access level of Reader or above. Also, the replica on the server South/Acme must include North/Acme in its ACL with an access level of Designer or Manager. ❍ C. The database on the server North/Acme must include South/Acme in its ACL with an access level of Manager, and the replica on the server South/Acme must include North/Acme in its ACL with an access level of Manager. ❍ D. The database on the server North/Acme must include South/Acme in its ACL with an access level of Editor or above. Also, the replica on the server South/Acme must include North/Acme in its ACL with an access level of Editor or above.

506 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 18 Patrick, a Domino Administrator for the ACME domain, has decided to decommission server South/ACME. He plans to move the databases on the server South/ACME to the server North/ACME. What access rights should Patrick have to successfully generate an analysis report using the Decommission Server Analysis Tool? ❍ A. The ACL access level of Manager in the Domino Directory database ❍ B. The ACL access role of [ServerModifier] in the Domino Directory database ❍ C. Administrator access to the server South/ACME and the server North/ACME ❍ D. All of the above

Question 19 Candice has deployed the Staffing.nsf database on the server East/Acme with replicas on the servers West/Acme, North/Acme, and South/Acme. This database has several views that are controlled by read access lists. In addition, one of the forms contains a Readers field. What must Candice do to ensure that these servers properly replicate the data, design, and ACL for this database? ❍ A. Assign at least Editor access to all of these servers in each of the replicas, and include the servers in any Readers fields in the documents. ❍ B. Assign Manager access to all of these servers in each of the replicas, and include the servers in any Readers fields in the documents. ❍ C. Assign at least Editor access to all of these servers in each of the replicas. Also, include these servers in the read access lists for the restricted views as well as in any Readers fields in the documents. ❍ D. Assign Manager access to all of these servers in each of the replicas. Also, include these servers in the read access lists for the restricted views as well as in any Readers fields in the documents.

507 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 20 Which of the following server tasks can be set up to begin automatically when the Domino server is started? ❍ A. billing, authenticate, amgr, stats ❍ B. replica, router, backup, amgr ❍ C. router, billing, quota, stats ❍ D. replica, router, collect, amgr

Question 21 To authenticate an Internet user attempting to access a Domino server, in what order will Domino search the directories for the username and credentials? ❍ A. The server’s primary Domino Directory, the Condensed Directory Catalog on the server, the directories defined in the server’s directory assistance database ❍ B. The server’s primary Domino Directory, the server’s Configuration Directory, the directories defined in the server’s directory assistance database ❍ C. The user’s Personal Name and Address Book, the server’s primary Domino Directory, the server’s Configuration Directory ❍ D. The user’s Personal Name and Address Book, the server’s primary Domino Directory, the directories defined in the server’s directory assistance database

Question 22 Which of the following is not available from the Web Administrator? ❍ A. Policy Synopsis tool ❍ B. Policy Assign tool ❍ C. Domino Server Monitor ❍ D. All of the above

508 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 23 The server North/Acme crashed and had to be restarted. Transaction logging was enabled on the server. When the server North/Acme was restarted, the databases were quickly recovered via the transaction logs, with one exception. The HelpDesk database was corrupt and had to have the FIXUP task run to recover this database. What is the most likely reason that transaction logging did not recover the HelpDesk database? ❍ A. Transaction logging was disabled for this database in the Server document. ❍ B. Transaction logging was disabled in the database properties for this database. ❍ C. Transaction logging was disabled for this database in the Configuration Settings document. ❍ D. This database was last saved as a Domino R5 design (ODS version 41).

Question 24 A setup policy settings document assigned to the users of the ACME organization specifies applet security settings. What must be done to ensure that these settings are maintained for these users? ❍ A. Nothing. These settings will be reinforced each time these users authenticate with their home server. ❍ B. Select Yes for the field Reinforce Settings in the setup policy settings document. ❍ C. Create a desktop policy settings document with the same settings. When these users authenticate with their home server, these settings will be reinforced. ❍ D. Create a security policy settings document with the same settings. When these users authenticate with their home server, these settings will be reinforced.

509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 25 Which of the following is a true statement about flat ID files in Lotus Notes/Domino Release 6? ❍ A. You can create new flat ID files with Lotus Notes/Domino Release 6. ❍ B. Lotus Notes/Domino Release 6 supports flat ID file maintenance. ❍ C. Flat names cannot be used as ACL entries in databases residing on Domino Release 6 servers. ❍ D. Flat names are converted to hierarchical names when the Domino Directory is replicated to a Domino Release 6 server.

Question 26 Lauren has recently deployed a new Sametime server in her organization. She would like to ensure that the users in Sales/Acme connect to this Sametime server when they start their Notes client. Which of the following policy settings documents would enable her to define this Sametime server for all the Sales/Acme users? ❍ A. Create a registration policy settings document with the Sametime server defined ❍ B. Create a setup policy settings document with the Sametime server defined ❍ C. Create a desktop policy settings document with the Sametime server defined ❍ D. All of the above

Question 27 A Connection document for the server South/Acme to the server North/Acme has been configured for replication on a daily basis. The replication schedule has been enabled. The Connect at Times field contains 6:00 AM, 6:00 PM, and the Repeat Interval Of field contains 0. For any one day, when will the connection attempt(s) occur? ❍ A. The first connection attempt will occur at 6:00 a.m. If the connection fails, additional attempts will occur continuously for up to an hour (7:00 a.m.). No additional connection attempts will occur until 6:00 p.m. If the 6:00 p.m. connection attempt fails, additional attempts will occur continuously for up to an hour (7:00 p.m.). ❍ B. The first connection attempt will occur at 6:00 a.m. If the connection fails, additional attempts will occur continuously until 6:00 p.m.

510 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ❍ C. The first connection attempt will occur at 6:00 a.m. If the connection fails, no additional connection attempts will occur for the remainder of the day. ❍ D. Because the repeat interval is set to 0, only one connection attempt per scheduled time will occur (once at 6:00 a.m. and once at 6:00 p.m.), regardless of any connection failures.

Question 28 Which task must be running on a Domino server to allow HTTP clients to access LDAP Directory information? ❍ A. ICM ❍ B. NRPC ❍ C. DIRCAT ❍ D. LDAP

Question 29 Randy has been transferred from the Purchasing department to the Accounting department in the Acme organization. His full hierarchical name is Randy Smith/Purchasing/Acme. What should be done to change Randy’s full hierarchical name to Randy Smith/Accounting/Acme? ❍ A. Use the /Accounting/Acme Organizational Unit certifier ID to recertify his user ID. ❍ B. Change his username to Randy Smith/Accounting/Acme in his Person document. ❍ C. Delete the Randy Smith/Purchasing/Acme user ID and register a new user ID for Randy Smith/Accounting/Acme. ❍ D. Create a cross-certificate in his Person document for the /Accounting/Acme Organizational Unit, and recertify his user ID with the /Acme organization certifier ID.

511 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 30 Which of the following methods can be used to start a server task automatically? ❍ A. Include the task in the ServerTasks setting of the Notes.ini file ❍ B. Include the task in the ServerTasksAt setting of the Notes.ini file ❍ C. Create a Program document in the Domino Directory to schedule the task ❍ D. All of the above

Question 31 Rosemary is investigating a problem with a scheduled LotusScript agent that runs every six hours on the server South/Acme. The agent runs to completion without incident during the evening hours. However, the agent often terminates before completion when it runs during the daytime hours. What is the most likely cause of this problem? ❍ A. The agent is exceeding the number of minutes defined in the Agent Timeout setting in the Agent properties. ❍ B. The agent is exceeding the number of minutes defined in the Max LotusScript/Java Execution Time field in the Daytime parameters of the Agent Manager section of the Server document. ❍ C. There is an infinite loop in the code for the agent. ❍ D. Scheduled agents are not permitted to run while certain server tasks, such as COMPACT, UPDALL, and FIXUP, are running.

Question 32 Which policy settings document is used to define administration ECLs? ❍ A. Security Policy Settings document ❍ B. Administration Policy Settings document ❍ C. Setup Policy Settings document ❍ D. Desktop Policy Settings document

512 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 33 Directory Assistance can be configured to use a specific directory for which of the following? ❍ A. Client authentication ❍ B. Notes mail addressing ❍ C. Lookups of Group entries in database ACLs ❍ D. All of the above

Question 34 Sherrie wants to enable password verification for several Notes users. These users should be required to enter a password to authenticate with the server North/Acme. They should also be prompted to change their password every 30 days. What settings are required to accomplish this? ❍ A. In the Server document for the server North/Acme, the Check Passwords on Notes IDs field must be enabled. In the Person documents for these users, the Check Password field should be set to 30. ❍ B. In the Server document for the server North/Acme, the Check Passwords on Notes IDs field must be enabled. In the Person documents for these users, the Check Password field should be set to Check Password, and the Required Change Interval field should be set to 30. ❍ C. In the Person documents for these users, the Password Verification field should be set to Enabled, and the Required Change Interval field should be set to 30. ❍ D. In the Person documents for these users, the Password Verification field should be set to 30.

Question 35 What is the minimum access required in the ACL of the Domino Directory for deleting a group? ❍ A. Editor access level, the GroupEditor role, and the Delete Documents privilege ❍ B. Editor access level, the GroupDeleter role, and the Delete Documents privilege ❍ C. Author access level, the GroupModifier role, and the Delete Documents privilege ❍ D. Manager access level, the GroupEditor role, and the Delete Documents privilege

513 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 36 The ACL of the Projects.nsf database has a default access level of Editor. Lisa is listed in the ACL as an individual entry with Reader access. The group AllProjectTeams is also in the ACL with an access level of Author. Lisa is a member of the ProjectTeam4 group. ProjectTeam4 is not listed in the ACL, but this group is a member of the AllProjectTeams group. Which of the following is a true statement about Lisa’s access level for this database? ❍ A. Because group ACL entries take precedence over individual and default entries, she has an access level of Author. ❍ B. Because individual ACL entries take precedence over group and default entries, she has an access level of Reader. ❍ C. Because the effective access for the user is determined by the highest access level assigned to either the default entry, their individual ACL entry, or a group that the user is a member of, she has an access level of Editor. ❍ D. Because cascading groups do not work in database ACLs, she has the default access level of Editor.

Question 37 Which of the following is a true statement about a Configuration Directory in a central directory architecture? ❍ A. A Configuration Directory is a selective replica of the primary Domino Directory. ❍ B. The administration server for the Domino Directory must store a Configuration Directory. ❍ C. Flat names must be converted to hierarchical names before replicating Person documents to a Configuration Directory. ❍ D. All of the above.

514 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 38 Helena, a user in the Sales/Acme Organizational Unit, finds that certain user preferences that she makes on her workstation keep getting reset. What is the most likely reason for this? ❍ A. A setup policy settings document assigned to an organizational policy is resetting these preferences. ❍ B. A setup policy settings document assigned to an explicit policy is resetting these preferences. ❍ C. A desktop policy settings document assigned to an organizational policy is resetting these preferences. ❍ D. A security policy settings document assigned to an organizational policy is resetting these preferences.

Question 39 When users create new documents with the Project form in the Projects.nsf database on the server South/Acme, their username is supposed to be displayed automatically in the Created By field. This works when these users are accessing the database from a Notes client. However, when these same users access the database from a Web browser, the value Anonymous is displayed in the Created By field. What is the most likely reason for Anonymous to be displayed instead of the username? ❍ A. The Internet Authentication field in the Internet Access section of the Server document for the server South/Acme is set to Allow Anonymous Access. ❍ B. The Anonymous entry in the database ACL is set to Editor access. ❍ C. The Allow Anonymous Access setting is enabled in the database properties. ❍ D The Maximum Internet Name and Password setting in the database ACL is set to No Access.

Question 40 What documents are required to route mail with no restrictions between two adjacent Notes domains? ❍ A. One Connection document and one Adjacent Domain document ❍ B. Two Connection documents (one in each Notes domain) and one Adjacent Domain document ❍ C. Two Connection documents (one in each Notes domain) ❍ D. Two Adjacent Domain documents (one in each Notes domain)

515 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . .

Question 41 Which option in Advanced Database Properties can be enabled to improve the performance of view updates? ❍ A. Limit Entries in $Revisions Fields ❍ B. Limit Entries in $UpdatedBy Fields ❍ C. Document Table Bitmap Optimization ❍ D. All of the above

Question 42 Tara wants to provide server failover and workload balancing to HTTP clients accessing several of the Domino servers in the Acme domain. What must she do to accomplish this? ❍ A. Create a Domino cluster for these servers and configure the Internet Cluster Manager on each server in the Domino cluster ❍ B. Create a Domino cluster for these servers and configure the Internet Cluster Manager on one or more servers within or outside of the Domino cluster ❍ C. Enable the Internet Cluster option in the Internet Protocols/HTTP section of the Server document for each of these servers ❍ D. Enable the Internet Cluster option in the Internet Protocols/HTTP section of the Server document for each of these servers, and create an Internet Cluster Manager document in the Domino Directory

Question 43 Requests for work to be done by the Administration Process are stored in which database? ❍ A. CERTLOG.NSF ❍ B. ADMINP.NSF ❍ C. ADMIN4.NSF ❍ D. EVENTS4.NSF

516 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 44 Mary would like to allow the users in Sales/Acme to log in using the same password from both a Notes client and a Web browser. What steps would she need to take to accomplish this? ❍ A. Create a security policy settings document for these users with the field Synchronize Internet Password with Notes Password set to Yes ❍ B. Create a registration policy settings document for these users with the field Synchronize Internet Password with Notes Password set to Yes ❍ C. Create a security policy settings document for these users with the administration ECL setting Synchronize Internet Password with Notes Password enabled ❍ D. Create an administration policy settings document for these users with the Workstation ECL setting Synchronize Internet Password with Notes Password enabled

Question 45 Which server tasks can be run against databases to try to fix corruption problems? ❍ A. FIXUP ❍ B. UPDALL ❍ C. COMPACT ❍ D. All of the above

Question 46 Greg must rename several groups in the Domino Directory. He would like these changes to be reflected in the ACL of any databases on the server North/Acme that contain the groups. Also, any documents in these databases that contain Readers or Authors fields with these groups should be modified to reflect the changes. What settings should Greg review or update to ensure that these group name changes will be made in the databases? ❍ A. In the Advanced ACL settings for each of the databases, the server North/Acme should be selected as the Administration Server, and Modify All Reader and Author Fields should be selected. ❍ B. In the Advanced ACL settings for each of the databases, the server North/Acme should be selected as the Administration Server. In the group documents for these groups, the field Modify All Reader and Author Fields should be enabled.

517 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice . . . . .Exam . . . 622 . . ❍ C. In the group documents for these groups, the server North/Acme should be selected as the Administration Server. In the Advanced ACL settings for each of the databases, Modify All Reader and Author Fields should be selected. ❍ D. In the group documents for these groups, server North/Acme should be selected as the Administration Server, and the field Modify All Reader and Author Fields should be enabled.

Question 47 Dwight needs to register a new server in the Sales/Acme Organizational Unit. What does he require to register this server from his workstation? ❍ A. Access to the Acme organization certifier ID and password; access to the registration server; and at least Author access in the ACL of the Domino Directory, with the ServerCreator and GroupModifier roles assigned ❍ B. Access to the Sales/Acme Organizational Unit certifier ID and password; access to the registration server; and at least Author access in the ACL of the Domino Directory, with the ServerCreator and GroupModifier roles assigned ❍ C. Access to the registration server ID and password, and Manager access in the ACL of the Domino Directory, with the ServerCreator and GroupModifier roles assigned ❍ D. Access to the registration server ID and password, and at least Author access in the ACL of the Domino Directory, with the ServerModifier role assigned

Question 48 In the Server Access section of the Server document for the server North/Acme, the Access Server field contains the group TechSupport, and the Not Access Server field contains the group Contractors. In the Passthru Use section of this Server document, the Access This Server field and the Route Through field each contain the group Contractors. If Mike is a member of both groups (TechSupport and Contractors), what access will he have to this server? ❍ A. He will be able to use this server only to pass through to a destination server. ❍ B. He will be able to use this server only as a passthru destination. ❍ C. He will have full access to this server, including access as a passthru destination as well as for passthru use to another server. ❍ D. He will not be able to use this server in any capacity.

518 Chapter 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 49 What command can be entered at the console to check which servers have mail queued? ❍ A. show router mail ❍ B. show router stats ❍ C tell mail show ❍ D. tell router show

Question 50 Jeff attempted to open the Projects.nsf database on the server South/Acme and received the error message “You are not authorized to access that database.” What could be causing this error message? ❍ A. The server South/Acme is not operational. ❍ B. Jeff is listed in the Not Access Server field of the Server document for the server South/Acme. ❍ C. Jeff is listed in the database ACL with the access level of No Access. ❍ D. All of the above are possible reasons for this error message.

24 Answer Key for 622 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. C

18. C

35. C

2. B

19. D

36. B

3. A

20. D

37. A

4. C

21. A

38. C

5. D

22. D

39. B

6. B

23. B

40. C

7. C

24. C

41. D

8. A

25. B

42. B

9. D

26. C

43. C

10. B

27. A

44. A

11. A

28. D

45. D

12. C

29. A

46. A

13. B

30. D

47. B

14. D

31. B

48. A

15. B

32. A

49. D

16. C

33. D

50. C

17. A

34. B

520 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 1 Answer C is correct. The Notes client workstations must first be upgraded to Notes Release 6 before Smart Upgrade can be used. Answers A and B are incorrect because, although Smart Upgrade can be used to upgrade Notes Release 6 client workstations, Smart Upgrade cannot upgrade a Notes client to Release 6 from an earlier release of the product. Answer D is incorrect because answers A and B are not correct.

Question 2 Answer B is correct. Server Statistic Collection documents are stored in the Monitoring Configuration database (EVENTS4.NSF). Answers A and D are incorrect because the LOG.NSF and STATREP.NSF databases are used by Domino servers, but they do not store Server Statistic Collection documents. Answer C is incorrect because STATLOG is a Domino server task used for recording database activity in the log file (LOG.NSF); it is not a database used for storing Server Statistic Collection documents.

Question 3 Answer A is correct. Entering this command at the server console starts the Statistic Collector task. Answer B is incorrect because the command load stats starts the Stats task, which is used for generating statistics for a remote server on demand. Answers C and D are incorrect because these are not valid server commands.

Question 4 Answer C is correct. Audible alarms cannot be configured in the Server Console Configuration document. Answers A, B, and D are incorrect because these are all customizable settings for the Domino server console.

Question 5 Answer D is correct. An event handler can perform any of these actions for a specific event.

521 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

Question 6 Answer B is correct. A roaming user’s Personal Address Book (names.nsf), Bookmarks (bookmark.nsf), and Journal (journal.nsf) files are replicated from the roaming user server to the user’s workstation during login. Answers A, C, and D are incorrect because the notes.ini and desktop.dsk files are not replicated for roaming users.

Question 7 Answer C is correct. When you set a stop trigger for an event, it causes the console to pause and display only the event and the next 10 lines of console text when the event occurs. Answers A and B are incorrect because an event trigger does not disable an event handler. Answer D is incorrect because a stop trigger has no impact on the font attributes used to display the text on the console.

Question 8 Answer A is correct. A value of 1 for Log_AgentManager logs agentexecution events that are partially or completely successful. A value of 2 logs only agent-execution events that are completely successful. Answers B and C are incorrect because these are not valid server console commands. Answer D is incorrect because there is no such field in the Server document as Allow Agent Logging.

Question 9 Answer D is correct. These are the minimum access levels and roles required to recertify the server ID. Answers A, B, and C are incorrect because [Certifier] is not a valid access role in either the Domino Directory or the Certification Log databases.

522 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 10 Answer B is correct. To extend the expiration date for the Notes ID, the user must be recertified. Answer A is incorrect because there is no such field as Certificate Expiration in the Notes Certificate section of the Person document. Answer C is incorrect because the expiration date of a user’s Notes ID cannot be changed from the user’s Notes client. Answer D is incorrect because answers A and C are not correct.

Question 11 Answer A is correct. These are features of the Domino Server Monitor. Answer B is incorrect because there is no such feature as Domino Server Analyzer. Answer C is incorrect because the Domino Server Controller is a Java-based program that runs on a Domino server to control that server. Remote consoles in the Domino Administrator and Web Administrator communicate with the Domino Server Controller. Answer D is incorrect because the Statistic Collector task gathers server statistics and creates statistic reports in the STATREP.NSF database; it does not provide real-time statistics.

Question 12 Answer C is correct. This is not a valid event generator document type. Answers A, B, and D are incorrect because these are all valid event generator document types.

Question 13 Answer B is correct. Activity Logging is enabled in the Configuration Settings document. Answer A is incorrect because Activity Logging is not enabled in the Server document. Answer C is incorrect because there is no setting in the database properties for enabling Activity Logging for a database. Answer D is incorrect because Log_User_Activity is not a valid Notes.ini setting.

523 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

Question 14 Answer D is correct. These are all steps that must be performed to chart these server statistics on a regular basis.

Question 15 Answer B is correct. The design task must run on the server to automatically update database designs from a master design template. The show schedule command shows whether the design task is scheduled to run on the server. Answer A is incorrect because the updall task is used for updating views and full-text indexes for all databases, not for refreshing database designs. Answers C and D are incorrect because these are not valid server console commands.

Question 16 Answer C is correct. The user’s mail file and roaming files can be moved to another server using this method. Answers A, B, and D are incorrect because the user’s Notes ID and Notes.ini files are not choices in the Move User(s) to Another Server dialog box.

Question 17 Answer A is correct. To receive design changes from South/Acme (the source server), the database replica on North/Acme (the destination server) must give South/Acme at least Designer access, and the database replica on South/Acme must give North/Acme at least Reader access. Answers B and D are incorrect because an access level of Reader or Editor would not be sufficient for server South/Acme to push design changes to the database replica on the server North/Acme. Answer C is incorrect because although Manager access for these servers in both replicas would allow design changes to replicate, this level of access is not a requirement for these servers in either replica.

524 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 18 Answer C is correct. Administrator access to both of the servers would be required. Answer A is incorrect because it is not necessary to have Manager access in the Domino Directory to use this tool. Answer B is incorrect because it is not necessary to have the [ServerModifier] role in the Domino Directory to use this tool. Answer D is incorrect because answers A and B are not correct.

Question 19 Answer D is correct. Each of the servers would need Manager access to the other replicas to push ACL changes. These servers would need to be included in the view read access lists to have access to the view design elements. Also, these servers would need to be included in the Readers fields of the documents to have access to the documents. Answers A and C are incorrect because Editor access would not allow a server to push ACL or design changes to the database replicas on the other servers. Answer B is incorrect because if a server is not listed in the view read access lists, that server does not have access to the view design element.

Question 20 Answer D is correct. All of these server tasks can be listed in the ServerTasks= setting in the Notes.ini so that they begin automatically when the Domino server is started. Answer A is incorrect because authenticate is not a valid server task. Answer B is incorrect because backup is not a valid server task. Answer C is incorrect because quota is not a valid server task.

Question 21 Answer A is correct. This is the order in which Domino searches the directories for Internet users. Answers B and C are incorrect because a Configuration Directory is a selective replica of the primary Domino Directory in a central directory architecture. A Configuration Directory does not contain user information. Answer D is incorrect because Domino does not search an Internet user’s Personal Name and Address Book.

525 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

Question 22 Answer D is correct. None of these choices are available from the Web Administrator.

Question 23 Answer B is correct. Transaction is enabled in the Server document for all databases on the server. However, transaction logging can be disabled for a specific database in the advanced database properties. Answer A is incorrect. Transaction is enabled in the Server document for all databases on the server. Transaction logging cannot be disabled for a specific database in the Server document. Answer C is incorrect because the Configuration Settings document is not used to enable or disable transaction logging. Answer D is incorrect because transaction logging can be used for Domino R5 databases.

Question 24 Answer C is correct. A desktop policy settings document can be used for existing users to reinforce policy settings that are defined in a setup policy settings document. Answer A is incorrect because the settings in a setup policy settings document are applied only during initial Notes client setup. Answer B is incorrect because there is no such setting as Reinforce Settings in the setup policy settings document. Answer D is incorrect because a security policy settings document is not used to specify applet security settings.

Question 25 Answer B is correct. Lotus Notes/Domino Release 6 supports maintenance of flat ID files. Answer A is incorrect. Although Lotus Notes/Domino 6 supports flat ID files, you cannot use Lotus Notes/Domino 6 to create new flat ID files. Answer C is incorrect because the ACL entries in databases residing on Domino Release 6 servers can include flat names as well as hierarchical names. Answer D is incorrect because Lotus Notes/Domino Release 6 supports flat names; they are not converted to hierarchical names during replication.

526 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 26 Answer C is correct. A desktop policy settings document would apply the Sametime server setting to these users the next time they authenticate with their home server. Answer A is incorrect because the Sametime server cannot be specified in a registration policy settings document. Answer B is incorrect because the settings in a setup policy settings document are applied during the initial Notes workstation setup. Existing users would not receive this change. Answer D is incorrect because answers A and B are not correct.

Question 27 Answer A is correct. Connection attempts occur during the scheduled connection times. If a connection attempt fails, the connection is tried continuously for up to an hour. Answer B is incorrect because if the connection fails during a scheduled connection time, the connection is tried continuously for only one hour for that scheduled connection time. Answer C is incorrect. Connection attempts will continue for up to an hour after the scheduled connection time. Also, a connection attempt will occur during the next scheduled connection time, regardless of the success of any previously scheduled connections. Answer D is incorrect because the repeat interval is used when the Connect at Times field uses a time range, not a list of specific times.

Question 28 Answer D is correct. The LDAP task must be running on the server to allow HTTP clients to access an LDAP directory. Answers A and C are incorrect because, although these are valid server tasks, they have nothing to do with allowing HTTP clients to access an LDAP directory. Answer B is incorrect because NRPC is the Notes Remote Procedure Call service; it is not a server task.

Question 29 Answer A is correct. Recertifying a user with another Organizational Unit certifier ID changes the user’s hierarchical name. Answer B is incorrect

527 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

because a user’s hierarchical name cannot be changed by simply editing the user’s Person document. Answer C is incorrect because deleting the current user ID is not required for changing the hierarchical name to a different Organizational Unit. Answer D is incorrect because a cross-certificate is not necessary for changing the hierarchical name of a user.

Question 30 Answer D is correct. All of these methods can be used to start a server task automatically.

Question 31 Answer B is correct. Different maximum execution times for agents can be set for daytime and nighttime execution. Answer A is incorrect because there is no Agent Timeout setting in Agent Properties. Answer C is incorrect because the agent is completing during the evening hours without incident. An infinite loop in the agent code would have also impacted the agent running during the evening hours. Answer D is incorrect because there is no restriction for running agents during the execution of server tasks.

Question 32 Answer A is correct. A security policy settings document can be used to define administration ECLs as well as Notes and Internet passwords. Answer B is incorrect because there is no such thing as an Administration Policy Settings document in Lotus Notes/Domino Release 6. Answers C and D are incorrect because, although these are valid policy settings document types, they are not used to define administration ECLs.

Question 33 Answer D is correct. Directory Assistance can be configured for all of these choices.

528 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 34 Answer B is correct. These settings in the Server and Person documents meet the password verification requirements for these users. Answer A is incorrect because 30 is not a valid selection for the Check Password field in the Person document. Answers C and D are incorrect because there is no such field as Password Verification in the Person document. Also, password verification must be enabled in the Server document for the server North/Acme.

Question 35 Answer C is correct. These are the minimum ACL settings required. Answers A, B, and D are incorrect because GroupEditor and GroupDeleter are not valid access roles in the Domino Directory ACL.

Question 36 Answer B is correct. Individual ACL entries always take precedence over the default entry or any group entries. Answer A is incorrect because group ACL entries do not take precedence over individual ACL entries. Answer C is incorrect because individual ACL entries always take precedence over the default entry or any group entries, regardless of which access level might be higher. Answer D is incorrect because cascading groups (groups that are members of other groups) can be used in database ACLs.

Question 37 Answer A is correct. A Configuration Directory contains only those documents that are used to configure servers in a Domino domain. Answer B is incorrect because the administration server for the Domino Directory must store a replica of the primary Domino Directory. Answer C is incorrect because user information is not replicated to a Configuration Directory. Also, Lotus Notes/Domino (including Release 6) supports flat names as well as hierarchical names. Answer D is incorrect because answers B and C are not correct.

529 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

Question 38 Answer C is correct. If a user changes any user preference settings on the workstation that are controlled by a desktop policy settings document, those settings are reset the next time the user authenticates with the home server. Answers A and B are incorrect because the settings in a setup policy settings document are applied only during the initial Notes workstation setup. Existing users would not be impacted by any of these settings. Answer D is incorrect because user preference settings are not defined in a security policy settings document.

Question 39 Answer B is correct. When there is an Anonymous ACL entry in a database, Web users access the database as Anonymous until they attempt to perform an operation that exceeds the access level assigned to the Anonymous entry. Answer A is incorrect because there is no such field as Internet Authentication in the Server document. Answer C is incorrect because there is no such setting as Allow Anonymous Access in the database properties. Answer D is incorrect because if the Maximum Internet Name and Password setting in the database ACL was set to No Access, users would not be able to access the database from a Web browser.

Question 40 Answer C is correct. Two Connection documents, one in each Notes domain, are required to route mail in both directions. Answers A, B, and D are incorrect because Adjacent Domain documents would not be required. An Adjacent Domain document is used to define restrictions for the transfer of mail between adjacent domains.

Question 41 Answer D is correct. Enabling any of these settings in Advanced Database Properties can improve the performance of view updates.

530 Chapter 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question 42 Answer B is correct. These are the requirements for configuring Domino clustering and the Internet Cluster Manager (ICM) to provide server failover and workload balancing for HTTP clients. Answer A is incorrect because the ICM does not have to be configured for each server in the Domino cluster. Answers C and D are incorrect because the Server document does not include an Internet Cluster option.

Question 43 Answer C is correct. The Administration Requests database (ADMIN4.NSF) stores requests for the Administration Process. Answers A and D are incorrect. Although these are valid databases used by Domino, they do not store Administration Process requests. Answer B is incorrect because there is no such database as ADMINP.NSF used by the Administration Process.

Question 44 Answer A is correct. These are the steps for synchronizing Notes and Internet passwords for users. Answer B is incorrect because the registration policy settings document does not include the field Synchronize Internet Password with Notes Password. Answer C is incorrect because Synchronize Internet Password with Notes Password is not an administration ECL setting. Answer D is incorrect because there is no such policy settings document type as an administration policy settings document.

Question 45 Answer D is correct. All of the server tasks can be run to try to fix corruption problems with databases.

Question 46 Answer A is correct. These settings are required so that the Administration Process can perform the group name changes on these databases. Answer B is incorrect because there is no such field as Modify All Reader and Author

531 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answer . . . . .Key . . for . . 622 . .

Fields in the Group document. Answers C and D are incorrect because administration servers are not selected in group documents.

Question 47 Answer B is correct. These are the requirements for registering this server from a workstation. Answer A is incorrect because he would need to register the server with the Sales/Acme Organizational Unit certifier ID. Answers C and D are incorrect because the servers are registered with a certifier ID, not the registration server ID.

Question 48 Answer A is correct. Users listed in the Route Through field in the Passthru Use section of the Server document can use the server as a passthru server even if they are denied access to the server in the Not Access Server field. Answers B and C are incorrect because the Not Access Server field in the Server Access section of the Server document takes precedence over the Access This Server field in the Passthru Use section. Answer D is incorrect because he will be able to use this server as a passthru server.

Question 49 Answer D is correct. This command can be used to check a server for mail pending for local delivery or to check for messages that are being held for mail files that are over quota. Answers A, B, and C are incorrect because these are not valid console commands.

Question 50 Answer C is correct. If his individual ACL entry had the access level of No Access, he would have received this error message when attempting to open the database. Answers A and B are incorrect because users are first authenticated with the Domino server before their access level to the database is checked. He would not have received the error message “You are not authorized to access that database” if the server was not operational or if he was denied access to the server. Answer D is incorrect because answers A and B are not correct.

PART V Appendixes A Resources B What’s on the CD-ROM? C Using the PrepLogic Practice Tests, Preview Edition Software Glossary

A Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Print Resources Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes and Domino 6. Indianapolis, Indiana: Que Publishing, 2003. Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm.com/. For references to mail, consult Chapter 9, “New Messaging Administration Options.” Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks, 2002. Also available on the Web at www.redbooks.ibm.com/. For references to security, consult Chapter 10, “Security.”

Web Resources Accessing and protecting the file system:

www-10.lotus.com/ldd/today.nsf/

f01245ebfc115aaf8525661a006b86b9/a115026680fd744985256b34000f4c1b?OpenDocument.

Lotus Domino 6 technical overview:

www-10.lotus.com/ldd/today.nsf/

3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b00782950?OpenDocument.

For references to mail, consult the “Messaging” section. Lotus Domino 6 technical overview:

www-10.lotus.com/ldd/today.nsf/

3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b00782950?OpenDocument.

For references to security, consult the “New Security Features” section. The Lotus Developers Domain: www-10.lotus.com/ldd. “Maximizing Domino Performance” whitepaper:

ftp://ftp.lotus.com/pub/

lotusweb/product/domino/domperform/MaximizingApplicationPerf.pdf.

536 Appendix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Policy-based system administration with Domino 6:

www-10.lotus.com/ldd/

today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf8100256be9005b7d35? OpenDocument.

What’s in Store for the Domino R6 Database:

www-10.lotus.com/ldd/

today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f85256af700621c8a? OpenDocument.

Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks. Webcast: Lotus Live! Series: “What’s New in Notes/Domino 6 Administration”: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/1, 289693,sid4_gci857398,00.html. Webcast: “Preparation and Test-Taking Strategies with Lotus Education Managers”: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/ 1,289693,sid4_gci876208,00.html.

B What’s on the CD-ROM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

This appendix provides a brief summary of what you’ll find on the CD-ROM that accompanies this book. For a more detailed description of the PrepLogic Practice Exams, Preview Edition exam-simulation software, see Appendix C, “Using the PrepLogic Practice Exams, Preview Edition Software.” In addition to the PrepLogic Practice Exams, Preview Edition software, the CD-ROM includes an electronic version of the book in Portable Document Format (PDF) and the source code used in the book.

The PrepLogic Practice Exams, Preview Edition Software PrepLogic is a leading provider of certification training tools. Trusted by certification students worldwide, PrepLogic is the best practice exam software available. In addition to providing a means of evaluating your knowledge of this book’s material, PrepLogic Practice Exams, Preview Edition features several innovations that help you improve your mastery of the subject matter. For example, the practice exams enable you to check your score by exam area or domain, to determine which topics you need to study further. Another feature enables you to obtain immediate feedback on your responses, in the form of explanations for the correct and incorrect answers. PrepLogic Practice Exams, Preview Edition exhibits all the full-test simulation functionality of the Premium Edition but offers only a fraction of the total questions. To get the complete set of practice questions, visit www.preplogic. com and order the Premium Edition for this and other challenging exam training guides.

538 Appendix B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

For a more detailed description of the features of the PrepLogic Practice Exams, Preview Edition software, see Appendix C.

An Exclusive Electronic Version of the Text As mentioned previously, the CD-ROM that accompanies this book also contains an electronic PDF version of this book. This electronic version comes complete with all figures as they appear in the book. You can use Acrobat’s handy search capability for study and review purposes.

C Using the PrepLogic Practice Exams, Preview Edition Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

This book includes a special version of the PrepLogic Practice Exams software, a revolutionary test engine designed to give you the best in certification exam preparation. PrepLogic offers sample and practice exams for many of today’s most in-demand and challenging technical certifications. A special Preview Edition of the PrepLogic Practice Exams software is included with this book as a tool to use in assessing your knowledge of the training guide material while also providing you with the experience of taking an electronic exam. This appendix describes in detail what PrepLogic Practice Exams, Preview Edition is, how it works, and what it can do to help you prepare for the exam. Note that although the Preview Edition includes all the test-simulation functions of the complete retail version, it contains only a single practice test. The Premium Edition, available at www.preplogic.com, contains a complete set of challenging practice exams designed to optimize your learning experience.

The Exam Simulation One of the main functions of PrepLogic Practice Exams, Preview Edition is exam simulation. To prepare you to take the actual vendor certification exam, PrepLogic is designed to offer the most effective exam simulation available.

540 Appendix C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Question Quality The questions provided in PrepLogic Practice Exams, Preview Edition are written to the highest standards of technical accuracy. The questions tap the content of this book’s chapters and help you review and assess your knowledge before you take the actual exam.

The Interface Design The PrepLogic Practice Exams, Preview Edition exam-simulation interface provides you with the experience of taking an electronic exam. This enables you to effectively prepare to take the actual exam by making the test experience familiar. Using this test simulation can help eliminate the sense of surprise or anxiety you might experience in the testing center because you will already be acquainted with computerized testing.

The Effective Learning Environment The PrepLogic Practice Exams, Preview Edition interface provides a learning environment that not only tests you through the computer, but also teaches the material you need to know to pass the certification exam. Each question includes a detailed explanation of the correct answer, and most of these explanations provide reasons why the other answers are incorrect. This information helps to reinforce the knowledge you already have and also provides practical information you can use on the job.

Software Requirements PrepLogic Practice Exams requires a computer with the following: ➤ Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows

2000, or Windows XP ➤ A 166MHz or faster processor ➤ A minimum of 32MB of RAM ➤ 10MB of hard drive space

541 . . . . . . . . . . . . . . . Using . . . the . . PrepLogic . . . . . . Practice . . . . .Exams, . . . .Preview . . . . Edition . . . . Software . . . . . Performance As with any Windows application, the more memory you have available in your system, the better the performance of the PrepLogic Practice Exams, Preview Edition software will be.

Installing PrepLogic Practice Exams, Preview Edition You install PrepLogic Practice Exams, Preview Edition by following these steps: 1. Insert the CD-ROM that accompanies this book into your CD-ROM

drive. The Autorun feature of Windows should launch the software. If you have Autorun disabled, select Start, Run. Go to the root directory of the CD-ROM and select setup.exe. Click Open, and then click OK. 2. The Installation Wizard copies the PrepLogic Practice Exams, Preview

Edition files to your hard drive. It then adds PrepLogic Practice Exams, Preview Edition to your desktop and the Program menu. Finally, it installs test engine components to the appropriate system folders.

Removing PrepLogic Practice Exams, Preview Edition from Your Computer If you elect to remove the PrepLogic Practice Exams, Preview Edition, you can use the included uninstallation process to ensure that it is removed from your system safely and completely. Follow these instructions to remove PrepLogic Practice Exams, Preview Edition from your computer: 1. Select Start, Settings, Control Panel. 2. Double-click the Add/Remove Programs icon. You are presented with

a list of software installed on your computer. 3. Select the PrepLogic Practice Exams, Preview Edition title you want to

remove. Click the Add/Remove button. The software is removed from your computer.

542 Appendix C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

How to Use the Software PrepLogic is designed to be user friendly and intuitive. Because the software has a smooth learning curve, your time is maximized because you start practicing with it almost immediately. PrepLogic Practice Exams, Preview Edition has two major modes of study: Practice Exam and Flash Review. Using Practice Exam mode, you can develop your test-taking abilities as well as your knowledge through the use of the Show Answer option. While you are taking the test, you can expose the answers along with detailed explanations of why answers are right or wrong. This helps you better understand the material presented. Flash Review mode is designed to reinforce exam topics rather than quiz you. In this mode, you are shown a series of questions but no answer choices. You can click a button that reveals the correct answer to each question and a full explanation for that answer.

Starting a Practice Exam Mode Session Practice Exam mode enables you to control the exam experience in ways that actual certification exams do not allow. To begin studying in Practice Exam mode, you click the Practice Exam radio button from the main examcustomization screen. This enables the following options: ➤ The Enable Show Answer button—Clicking this button activates the Show

Answer button, which allows you to view the correct answer(s) and full explanation for each question during the exam. When this option is not enabled, you must wait until after your exam has been graded to view the correct answer(s) and explanation for each question. ➤ The Enable Item Review button—Clicking this button activates the Item

Review button, which allows you to view your answer choices. This option also facilitates navigation among questions. ➤ The Randomize Choices option—You can randomize answer choices from

one exam session to the next. This makes memorizing question choices more difficult, thereby keeping questions fresh and challenging longer. On the left side of the main exam-customization screen, you are presented with the option of selecting the preconfigured practice test or creating your own custom test. The preconfigured test has a fixed time limit and number of questions. Custom tests enable you to configure the time limit and the number of questions in your exam.

543 . . . . . . . . . . . . . . . Using . . . the . . PrepLogic . . . . . . Practice . . . . .Exams, . . . .Preview . . . . Edition . . . . Software . . . . .

The Preview Edition on this book’s CD-ROM includes a single preconfigured practice test. You can get the compete set of challenging PrepLogic Practice Exams at www.preplogic.com to make certain you’re ready for the big exam. You click the Begin Exam button to begin your exam.

Starting a Flash Review Mode Session Flash Review mode provides an easy way to reinforce topics covered in the practice questions. To begin studying in Flash Review mode, you click the Flash Review radio button from the main exam-customization screen. Then you either select the preconfigured practice test or create your own custom test. You click the Best Exam button to begin a Flash Review mode session.

Standard PrepLogic Practice Exams, Preview Edition Options The following list describes the function of each of the buttons you see across the bottom of the screen: Button Status Depending on the options, some of the buttons will be grayed out and inaccessible—or they might be missing completely. Buttons that are appropriate are active.

➤ Exhibit—This button is visible if an exhibit is provided to support the

question. An exhibit is an image that provides supplemental information that is necessary to answer a question. ➤ Item Review—This button leaves the question window and opens the

Item Review screen, from which you can see all questions, your answers, and your marked items. You can also see correct answers listed here, when appropriate. ➤ Show Answer—This option displays the correct answer, with an explana-

tion about why it is correct. If you select this option, the current question is not scored. ➤ Mark Item—You can check this box to flag a question that you need to

review further. You can view and navigate your marked items by clicking

544 Appendix C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

the Item Review button (if it is enabled). When your exam is being graded, you are notified if you have any marked items remaining. ➤ Previous Item—You can use this option to view the previous question. ➤ Next Item—You can use this option to view the next question. ➤ Grade Exam—When you have completed your exam, you can click

Grade Exam to end your exam and view your detailed score report. If you have unanswered or marked items remaining, you are asked whether you want to continue taking your exam or view the exam report.

Seeing Time Remaining If your practice test is timed, the time remaining is displayed on the upperright corner of the application screen. It counts down the minutes and seconds remaining to complete the test. If you run out of time, you are asked whether you want to continue taking the test or end your exam.

Getting Your Examination Score Report The Examination Score Report screen appears when the Practice Exam mode ends—as a result of time expiration, completion of all questions, or your decision to terminate early. This screen provides a graphical display of your test score, with a breakdown of scores by topic domain. The graphical display at the top of the screen compares your overall score with the PrepLogic Exam Competency Score. The PrepLogic Exam Competency Score reflects the level of subject competency required to pass the particular vendor’s exam. Although this score does not directly translate to a passing score, consistently matching or exceeding this score does suggest that you possess the knowledge needed to pass the actual vendor exam.

Reviewing Your Exam From the Your Score Report screen, you can review the exam that you just completed by clicking the View Items button. You can navigate through the items, viewing the questions, your answers, the correct answers, and the explanations for those questions. You can return to your score report by clicking the View Items button.

545 . . . . . . . . . . . . . . . Using . . . the . . PrepLogic . . . . . . Practice . . . . .Exams, . . . .Preview . . . . Edition . . . . Software . . . . .

Contacting PrepLogic If you would like to contact PrepLogic for any reason, including to get information about its extensive line of certification practice tests, you can do so online at www.preplogic.com.

Customer Service If you have a damaged product and need to contact customer service, please call 800-858-7674.

Product Suggestions and Comments PrepLogic values your input! Please email your suggestions and comments to [email protected].

License Agreement YOU MUST AGREE TO THE TERMS AND CONDITIONS OUTLINED IN THE END USER LICENSE AGREEMENT (“EULA”) PRESENTED TO YOU DURING THE INSTALLATION PROCESS. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT INSTALL THE SOFTWARE.

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A Access Control List (ACL) List used to control the access level to a database or application. The ACL specifies which users can access the database and what tasks they can perform.

Access Control List Only group Group used exclusively for ACL lookups to determine access within a specific database.

activity logging Logging that generates a record for each Domino server-based agent that runs successfully. The record shows the name of the agent, the name of the database that contains the agent, the amount of time it took to run the agent, and the name of the person who last saved the agent.

adjacent domain A domain that has a constant connection to another domain.

adjacent domain document Document used to restrict connectivity between the adjacent domains defined by a Connection document.

Administration Process (AdminP) The Administration Process (AdminP) is a Domino task that runs on the server to execute housekeeping, maintenance, and administrative tasks. For example, AdminP processes requests for a user’s name to be changed, a new Organizational Unit to be assigned, or a user’s information to be added to a completely new organization in the hierarchy.

administrator A Domino Administrator’s access level to the server is the same as that of a database administrator and a full-console administrator. This access level cannot perform the functions available to a Domino System Administrator.

548 ADMIN4.NSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ADMIN4.NSF

AMgr_NewMailEventDelay

The default name of the database used by the Administration Process task.

A Notes.ini setting that is used to determine the amount of time that the Agent Manager delays the execution of the same agent that will process new mail events. The default time is 1 minute.

Agent log A listing of when an agent last ran and whether it completed running.

Agent Manager A Domino task that manages agents and how they run on the server. The Agent Manager should always be running, and the resourceintensive agents should be scheduled to run at off-hours, if possible.

agent signer The last user to save the agent, thereby signing it with his user ID.

AMgr_DocUpdateAgentMinInterval A Notes.ini setting that is used to determine the minimum amount of time that needs to pass before the same agent will run and update documents. The default time is 30 minutes.

AMgr_DocUpdateEventDelay A Notes.ini setting that is used to determine the amount of time that the Agent Manager delays the execution of the same agent that will run and update documents. The default time is 5 minutes.

AMgr_NewMailAgentMinInterval A Notes.ini setting that is used to determine the minimum amount of time that needs to pass before the same agent will run and process mail events. The default interval is 0.

AMgr_SchedulingInterval A Note.ini setting that is used to dictate the amount of time that the Agent Manager scheduler task pauses before running. The default is 1 minute, and the valid values are 1 minute to 60 minutes.

AMgr_UntriggeredMailInterval A Notes.ini setting that is used to dictate how much time should pass before the Agent Manager checks for untriggered mail. The default time is 60 minutes.

Anonymous access Lets users and servers access a server without authentication, which is useful for providing the general public access to servers and databases for which they are not certified. It is typically used for granting access to the servers and databases on a Web site.

archived transaction logging Creates transaction logs as needed. Log files are not overwritten; they are archived.

archiving policy Defines settings related to a user’s ability to archive mail. A document that allows administrators to centrally control mail file archiving.

549 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CERTLOG.NSF . . . . . . . .

authentication

centralized directory

The process by which ID files are checked to see if they are trusted— that is, that they have a certificate in common.

Schema that uses the administration server as the central point for the directory and configuration directories.

Authors field

central directory architecture

Field that lists the names of people who can edit the document, if they have Author access in the Access Control List (ACL).

Directory architecture in a Domino domain in which some servers store configuration directories and use primary Domino Directories on remote servers for lookups.

B

certificate

basic name-and-password authentication Provides Web users with access to data on the Web server using the name and password recorded in the user’s Person document in the Directory.

C Calconn Calendar Connector, used in conjunction with the Scheduling task to provide calendaring and scheduling. Calconn is loaded automatically when a Domino server is installed and is added to the Server Tasks line in the Notes.ini file.

CATALOG.NSF The Domino catalog database, identified by the name CATALOG.NSF by default. Enables administrators to view all database ACLs for databases registered in the domain.

A unique electronic stamp that identifies a user or server. Domino uses two types of certificates: Notes certificates and Internet certificates.

Certificate Authority Used to verify the identity of servers and clients by issuing a digital signature certificate. The certificate makes sure that all parties attempting access can be verified and trusted to access resources in the Domain.

Certificate Revocation List (CRL) A time-stamped list identifying revoked Internet certificates, such as certificates belonging to terminated employees.

Certifier ID A file that generates an electronic “stamp” that indicates a trust relationship. Used to certify or stamp all server and user IDs.

CERTLOG.NSF The database that tracks all certification requests within an organization.

550 character set mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

character set mapping A “map” or template used by the Web server to generate character sets for HTML text.

circular transaction logging Allows up to 4GB of disk space on the server, and then begins overwriting the oldest historical information in the transaction log database. The transaction log database should be backed up daily using this deployment version.

client license An authorization purchased from Lotus that enables the administrator to register and set up a client machine running the Lotus Notes client, the Notes Administrator client, or the Designer client.

Cluster Replicator Pushes database changes to other databases in the cluster immediately as they occur.

clustered replication Real-time replication between two or more servers in a cluster.

Compact A Domino utility that can be used to recover space in a database after documents are deleted. Deleting documents from a Domino database does not actually decrease the size of the database. A deletion stub is created, and the document is removed permanently when Compact is run; the size of the database is then reduced. Also, the process by which a database is compressed, to reclaim space freed by

the deletion of documents and attachments.

Connection document In the Domino Directory, a document that enables communication between two servers and specifies how and when the information exchange occurs. In the Personal Address Book, it describes how a client accesses a certain server.

copy-style compacting A copy is created, and when the compact is complete, the original database is deleted.

D Database and Statistic Wizard Wizard that creates an event generator that fires when a specified database or statistic event occurs on a server or database.

dead messages/mail Messages that are permanently “stuck” in the MAIL.BOX. They cannot find a route to the destination, and they can’t return a failure message to the sender.

Decommission Server Analysis tool Tool used to assist administrators in determining the impact of removing a server from the domain.

DECOMSRV.NSF The default results database for the Decommission Server Analysis tool.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domino . . . . .Console . . . .

delivery failure A message that is returned to the originator to indicate that the mail message failed to arrive at its destination.

Deny Access group Group typically listed in the Not Access Server field in the Server document, used to deny access to servers for people who have left the company.

method is optimal when many users are on the network or the communications infrastructure has many points of congestion.

document-level sequence number The unique number assigned to each document in a database that tracks how many times a document has been edited.

domain

A Domino group exclusively used for denying access to the server.

A collection of Domino servers and users that share a common Domino Directory. The primary function of the domain is mail routing.

design template

Domain Search

A database design that lets you share design elements among databases and store design elements with a template. Administrators can enable the template so that when it changes, the change automatically occurs in all databases created with that template.

Provides the capability to search for files across multiple servers. Database information that is searchable includes documents, files, and file attachments.

Deny List Only group

desktop policy Used to enforce consistent client settings.

directory An address book that contains all servers and users in a single domain.

Distributed Directory Directory architecture in a Domino domain in which all servers use a local primary Domino Directory. A Distributed Directory schema assumes that each server has a replica copy of the directory. This

DominoAsynchronizeAgents A Notes.ini setting that is used to manage Web agents that are executed by browser clients so that they can run simultaneously. Setting this parameter to 1 enables multiple agents to run concurrently.

Domino Console An application that enables administrators to send commands to the server as if they were using the console on the server itself. It is a Java application and can also be loaded as a Windows Service when running Windows 2000 or Windows XP.

551

552

Domino . . . . . . Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domino Directory The primary database on the server, previously known as the Name and Address book or Public Name and Address Book in earlier versions of Notes. The Directory contains information about users, groups, the server, and network information that provide the configuration of the Domino Domain. Information about users and servers that have the capability to access the server is contained in the Domino Directory.

Domino Messaging Server Type used if the only requirement for the server is messaging services.

Domino Named Network (DNN) A group of Domino servers that run on the same LAN protocol and are constantly connected by a LAN/WAN connection. Servers on the same Notes Named Network route mail to each other automatically.

DOMLOG.NSF The database that collects statistical information about the Web server.

E Encryption Security feature that scrambles data so that only the intended recipient can read encrypted text.

Enterprise server A Domino server that provides both messaging and application

services, with support for Domino clusters. This server type is used if applications and messaging are required or if clustering is required.

event generators Used by the server to gather information on specific tasks or statistics. Event generators are set with thresholds or conditions that are constantly monitored. When they are met, a specific action takes place based on the configuration of event handlers defined in the Event Monitor.

event handlers Determine what action Domino will take when an event is triggered by the Event Monitor.

Event Handler Wizard Wizard used to create event handlers.

Event Monitor Watches the system and sends event information to the database as they occur. The Event Monitor loads automatically when the server starts. In previous versions of Domino, the Event Monitor was known as the Event task.

EVENTS4.NSF The monitoring configuration database that stores all documents used to configure statistics and monitoring for a server, used to define which system tasks will be monitored and at what point a system alarm is generated.

553 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .full-text . . . . index . . .

exam proctor

Fixup

Someone who is certified to administer a certification exam. The proctor verifies the tester’s ID, downloads and sets up the exam, and supervises the exam for its duration.

The server task that runs on databases to attempt to fix any inconsistencies that result from partially written operations caused by a failure; used to repair databases that were open when a server failure occurred. Fixup runs automatically when the server starts, but it can also be run from the Domino Console, when necessary.

Execution Control List (ECL) A list stored on the workstation that controls which formulas and scripts created by another user can run on that workstation.

explicit policies Policies that define specific groups or users in the organization and their access requirements; should be used to make changes to existing users.

Extended Access Control List (xACL) An optional directory access control feature available for a Domino Directory and Extended Directory Catalog, used to apply restrictions to users’ overall directory access.

foreign Domain document Document used for connections between external applications. Typical applications using a foreign domain document are a fax or pager gateway.

foreign SMTP Domain document Document used to route Internet mail when the server does not have explicit DNS access.

full-access administrator Permitted access to all components of the Domino server. This is the highest level of access permitted.

full-console administrator

F field-level sequence number The unique number assigned to each field in a document that tracks how many times a field has been edited.

file-protection document Document that controls access to Web files (graphics, HTML, and so on).

Administrator that has all the rights of the view-only administrators, plus the capability to issue console commands.

full-text index A collection of files that indexes the text in a database to allow Notes to process users’ search queries.

554 global Domain document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

G global Domain document Document that defines the Internet domains considered to be internal to the local Domino domain and for which the local domain can accept inbound SMTP mail—for example, acme.com, sales.acme.com, and so on. It also defines rules for converting the sender’s Notes mail address to an Internet address in outbound SMTP messages in which the Internet address is not already specified.

group A named list of users and/or servers. It can be used in Domino Directories, Personal Address Books, Access Control Lists, and so on.

GroupModifier Role that allows anyone with appropriate access to edit group documents.

hybrid directory Directory schema that uses a combination of distributed and centralized directory configurations. Local users might use the centralized directory, while remote users have a local copy of the directory on their server so that bandwidth would not be an issue.

Hypertext Markup Language (HTML) An Internet-standard language that allows text to be rendered to the Web browser client.

Hypertext Transfer Protocol (HTTP) Protocol used to exchange information with Web browser clients.

I ID backup and recovery

H

The process that allows administrators to store backup copies of user ID files so that IDs and passwords can be recovered.

hierarchical naming

ID file

A system of naming associated with Notes IDs that reflects the relationship of names to the certifiers in an organization. Hierarchical naming helps distinguish users with the same common name for added security and allows for decentralized management of certification.

home URL The home or default page that loads when accessing a Domino Web server via HTTP.

A file that uniquely identifies each certifier, server, and user in an organization.

in-place compacting with space recovery Recovers unused space in a database, but the physical size of the database remains the same. Unlike with Update and Updall, access to the database is not denied while the Compact task is running.

555 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAIL.BOX . . . . . .

in-place compacting with space recovery and reduction in file size

L

A version of Compact that reduces the physical database size and recovers unused space, but takes longer than other versions to complete. The DBIID is changed with this Compact version. Running Compact without a software switch option compacts databases not associated with transaction logging.

LDAP (Lightweight Directory Access Protocol)

Internet Inter-Orb Protocol (IIOP) Protocol used to permit Java code to be executed on the server.

Internet Message Access Protocol (IMAP) Access protocol used to process mail. A typical example of a service that uses IMAP is Microsoft Exchange.

ISpy A server task that sends server and mail probes, and stores the statistics generated by those probes.

Issued Certificate List (ICL) A database that stores a copy of each unexpired certificate that it has issued, certificate revocation lists, and CA configuration documents.

J–K Jconsole A Java-based application provided by Lotus to launch the Domino Console.

Industry-standard protocol used for manipulating entries in a directory that are associated with a distinguished name.

linear transaction logging Similar to circular logging, but can use more than 4GB of disk space.

live console Console interface to the Domino server that allows the administrator to issue console commands from the Notes Administrator client.

Location document A document in the user’s Personal Address Book that contains communication and other locationspecific settings used when working with Notes in a specific place.

Log_AgentManger A Notes.ini setting that enables agent logging in the Domino log file, typically identified by the name LOG.NSF.

LOG.NSF The database on the Domino server that stores information about all activity on that server.

M MAIL.BOX The database that acts as the transfer point for mail on each routing server.

556 Mail-In Database document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Mail-In Database document A document in the directory that contains the information that allows the router to deliver mail to a database.

mail-in statistics Used to provide statistics information by sending reports to a specified mail recipient.

Mail Only group Group used to define groups that are used exclusively for mailing lists.

mail quota A limit that the administrator can set that determines how the mail router will restrict messages based on quota settings.

Mail Routing and Server Response Wizard Wizard that creates an event generator that generates statistics or fires an event based on the availability of a resource.

Mail Tracker Collector Domino tool that provides the capability for administrators as well as users to track their messages.

mail usage reports Reports that can be generated by the administrator based on message-tracking information collected by the Message Tracking Collector task.

memory cache An area in memory that stores mapping information about

databases and authenticating Web users for quick access.

Merge Replication Conflicts A form property that can be enabled to allow two documents to merge fields during replication.

message tracking A process that enables the administrator to check the status of any message that has been routed within the Domino network.

messaging server A Domino server that provides messaging services. There is no support for application services or Domino clusters.

Monitor document In statistics and monitoring, a document that allows the administrator to monitor replication and user activity.

MSTORE.NSF The MailTracker Store database, used by the Mail Tracker Collector task.

multipurpose group Group used for mailing lists and by ACLs to determine access to a specific database.

multiuser support A Domino tool that allows many users to share a single workstation and retain their own distinct setup information. It is available only on Windows workstations.

557 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . physical . . . . .security . . . .

N network compression

organization Typically a company name; the highest point on the hierarchy tree.

A style of compression that speeds up data transmission either between a Notes client and a Domino server or between two Domino servers.

organizational policies

nonadjacent domain

Organizational Unit

Domains that aren’t connected over a physical connection.

nonadjacent Domain document Provides three purposes in the domain. First, it supplies next-hop routing information to route mail. Second, it can be used to restrict mail routing from the domain. Third, it provides Calendar server synchronization between two different domains.

Notes network A group of servers that have the same network name and use the same port type to communicate.

Notes Remote Procedure Call (NRPC) The architectural layer of Notes used for all Notes-to-Notes communication.

O On Disk Structure (ODS) Used to determine the file format type used by a Domino database or application.

Policies used to establish distinct settings that are required for users in a specific OU. Typically used to identify a country or department name; a lower-level certifier used to stamp or certify servers and users that allows for a more decentralized naming scheme.

P passing mark The minimum score required to pass a certification exam. The passing mark differs for each exam.

password verification A server option that ensures that a Notes user can authenticate with a server only after providing the correct password that is associated with the user ID.

pending mail Mail messages sitting in the MAIL.BOX waiting to be routed.

physical security Security that involves securing the Domino server’s hardware and software from local, physical access.

558 Policy documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Policy documents

Program document

A document used to regulate how users can access the system and perform specific functions. All clients and servers participating in Policy document deployment must be running a minimum of version 4.67a or greater, to avoid directory replication errors.

A document that is used to automatically run a server task at a specific time.

Policy Synopsis

An encryption key associated with a Notes ID that is used to verify an electronic signature, encrypt a message, or identify an authenticating user. A public key is part of each user ID, and a copy of the key is stored in the Domino Directory. Certificates on IDs ensure that public keys are valid.

A tool that the administrator can use to determine the effective policy governing a selected user.

POP3 (Post Office Protocol Version 3) Protocol used by mail applications to retrieve mail, typically over the Internet.

port The hardware connection and its related protocol that allows the server to communicate with other servers or clients with the same protocols.

practice test A sample test included with the Exam Cram book that helps the reader practice for the real exam by attempting multiple-choice questions that are similar to the actual exam questions.

private key A secret encryption key that is stored in a Notes ID file and used to sign and decrypt messages and to authenticate the owner of the key.

protocol A communication language used between servers and clients.

public key

PUBNAMES.NTF Template used to design the Domino Directory.

pull One-way replication or mail routing in which the replica task pulls documents from the target server, or the router pulls mail from the target server.

pull-pull replication Bidirectional replication in which the source server pulls documents from the target server, and the target server then pulls documents from the source server.

push One-way replication or mail routing in which the replica task sends documents to the target server, or the router sends mail to the target server.

559 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . role . .

R radio button Type of field in which a single selection button is used to choose an option from a range of choices.

Readers field A document field that contains a list of names to control access to the document.

refresh design The process by which a database’s design elements are refreshed to match the design elements stored in the design template.

registration policy Policies assigned when a new user is created.

registration server The designated server that stores changes in the Domino Directory, such as new users, server, or name changes. When the changes are completed the server replicates the changes to the replica copies of the Directory throughout the domain.

repeat interval The time interval between replication attempts, agent scheduling, mail routing, and other time-based Notes tasks.

replace design The process by which a database’s design elements are deleted and replaced with the design elements in the design template.

replica ID A unique number that is generated when a database is first created. When you make a replica of the database, the replica inherits the replica ID. For two databases to replicate, they must share the same replica ID.

replication The process of exchanging modifications between replicas. Through replication, Notes makes all of the replicas essentially identical over time if the ACLs are defined to permit changes to the databases.

replication conflict A condition that occurs when two or more users edit the same document in different replicas of a database between replications.

replication history The listing of replication times, dates, and server names involved in replication.

replication topologies The configuration that an administrator uses to connect servers for replication.

review mark A check-box interface located in the top corner of the screen during an exam that allows the tester to mark a question for later review.

role An attribute assigned to an ACL entry (person, server, or group) and created to simplify the maintenance of restricted fields, forms, and views.

560 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Router

Security Settings document

The server task responsible for transferring mail between servers.

A document that allows the administrator to easily modify and maintain security standards across an organization.

routing cost A cost assigned by the router to each possible route for a message. The router attempts to deliver a mail message using the least-cost route.

routing tables The tables’ built-in memory on each server running the router task. These tables poll information stored in the Directory regarding mail routes, and the router refers to these tables when routing mail between servers instead of polling the Directory directly.

S Sched The Schedule Manager (Sched), used in conjunction with the Calendar Connector task to provide calendaring and scheduling. Sched is loaded automatically when a Domino server is installed and is added to the Server Tasks line in the Notes.ini file.

SECURE_DISABLE_FULLADMIN A Notes.ini setting that prevents full-access administrators from accessing the server. The setting for this parameter is SECURE_DISABLE_FULLADMIN=1.

security policy Policy that defines password management and ECL setup information.

self-assessment A tool included in this book that helps readers assess their ability to prepare for the exam based on their own background. The assessment helps readers identify parts of their background or experience that might need improvement, enhancement, or further learning.

server access The collection of security settings that control access to the server’s resources.

server ID A file that uniquely identifies each server within an organization, and allows the server to authenticate with other servers and with users.

SERVER_MAXSESSIONS A Notes.ini setting that limits the maximum number of sessions that can be opened on the server.

server monitor Provides Domino administrators with real-time statistics reporting.

server registration A process that allows the administrator to create an identity for the new server in the domain’s Domino Directory.

561 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .system . . . . administrator . . . . . . . access . . . .

server setup The process that allows the administrator to set up the Domino software on the server machine by running setup.exe.

ServerModifier A role that allows anyone with appropriate access to edit server documents.

session-based name-andpassword authentication Authentication that allows the Web user to authenticate with the Web server based on the name and password stored in that user’s Person document in the Directory, and logs the session using a cookie in the browser.

setup policy A policy used for new registrations that defines a group of settings applied to a new user when it is created.

shared mail A feature that stores messages addressed to more than one user on a mail server in a central database, called the shared mail database. Message headers are stored in user mail files. When users double-click the headers, links to the corresponding content in the shared mail database are activated.

Smart Upgrade A new Domino R6 feature that notifies users to update their Notes 6 clients to later releases. Lotus

Notes Smart Upgrade uses policy and settings documents to help manage updates. The tool monitors users as they log in and then alerts them when an upgrade is available. Smart Upgrade kits, or incremental installers, are available at the Lotus Developer Domain Web site.

source server The server that initiates replication.

SSL (Secure Socket Layer) Protocol designed to provide encrypted communications on the Internet; SSL applies to Web connections only.

STATREP.NSF Default database used by the Collector task, which can gather data for a single server or multiple servers in the domain.

streaming replication A type of replication that allows the replicator task to send multiple changes in one request and to replicate smaller documents first. This style of replication is used during pull or pull-pull replication.

system administrator access One of the four types of administrator access, all of which are used to define how an administrator can change server configurations. Individuals with system administrator access can issue only commands related to the operating system.

562 target server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T target server The destination server during replication.

testing center A place of business authorized to administer the Lotus Domino certification exams, as well as certification exams by other vendors.

defined when launched by using a software switch. Updall is executed by default at 2:00 a.m. and, unlike Update, can be run manually.

Update Updates a database’s view indexes. Update runs automatically when the server is started and continues to run while the server is up.

user ID

The amount of time that passes before Domino drops an inactive thread.

A file that uniquely identifies each user within an organization and allows the user to authenticate with servers.

transaction logging

UserModifier

timeout

Feature available for Domino servers running release 5 or later and databases using release version 5 or later On Disk Structure (ODS). Database changes are sent to a transaction log database and then are written later to the target database. Transaction logging is useful for increasing backup throughput, disaster recovery, and database performance.

Troubleshooting Wizard Wizard that identifies some common configuration errors in the EVENTS4.NSF database and suggests possible resolutions.

U Updall Rebuilds corrupted views and fulltext index searches, as Update does, and has various options that can be

Role that allows anyone with appropriate access to edit user documents.

user registration A process that allows the administrator to create an identity for the new user in the domain’s Domino Directory.

user type Identifies whether a name in the ACL is a person, server, or group.

Utility Server A Domino server that provides application services only, with support for Domino clusters. The Domino Utility Server is a new installation type for Lotus Domino 6 that removes client access license requirements. There is no support for messaging services. The Utility Server type is used if the requirement is for application services only, with no messaging services.

563 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . welcome . . . . . page . . .

W warning threshold A limit that the administrator sets on a mail file that can be used to provide users with advance notice when their mail files approach the designated mail file quota. Users then can reduce the size of their mail files before message flow is interrupted.

WEBADMIN.NSF Database used to provide access control for the Domino Web Administrator.

Web Administrator The Web-based client that allows an administrator to administer the server using a Web browser instead of a Notes client interface. The Domino Web Administrator allows remote administration using only a browser client. Access using the Domino Web Administrator is maintained by the database WEBADMIN.NSF. In addition to using the Domino Console and the Domino Administrator client, Lotus has now provided the capability to administer the server using just a browser. Although the Web administrator is essentially the same as the administrator client, the navigation is slightly different, so be sure you are familiar with it.

Web server A Domino server that is running the HTTP task to allow Web client access to data.

Web site rule Documents that allow the administrator to relocate or reorganize sites without breaking existing links or browser bookmarks.

welcome page Pages used to provide a common entry point for all users across an organization, with a standard look and feel.

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A access ACL levels, 302 administrators, 140, 343 agents, 297-299 applications, 235-236 data access control, 412-413 databases, 302-303, 344 Authors/Readers fields, 305 consistent ACLs, 303-304 roles, 304-305 domains, 247-248 Domino application, 148-149 Domino servers, 135 administrators, 136-137 allowing/denying, 137-138 monitoring/maintaining, 139 ports, 138 server console, 135 troubleshooting, 140-141 intermediate servers, 112 ports, 138, 293 roaming users, 221-222 servers, 344 administrator, 292 assigning, 266-269 configuring, 291-293 Manager/Editor, 267 Manager/Manager, 266 Manager/No Access, 268 Manager/Reader, 267 Reader/Reader, 268 troubleshooting, 293-294, 409-411 users, 306-308

Access Control List Only groups, 21 access control list only groups, 364 Access Control Lists. See ACLs access levels ACLs, 142-143 assigning, 109-112 author, 143 depositor, 143 designer, 143 editor, 111, 143 manager, 109, 143 manager/designer, 110 manager/editor, 110 manager/reader, 111 reader, 143 accessing and protecting the file system Web site, 157, 535 ACLs (Access Control Lists), 101, 108 access levels, 142-143, 302 access, assigning, 109-112 application security, 302-304 Authors field, 146 consistency, 112, 303-304 Domino application security, 141-142 access levels, 142-143 user types, 144 Domino Directory, 131-133 editor access, 111 integrity, 413 intermediate server access, 112 manager access, 109 manager/designer access, 110 manager/editor access, 110 manager/reader access, 111 Readers field, 146-147

566 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . reading, 112 replication, 266-269 user types, 144 Activity Analysis dialog box, 340 activity logging agents, 301 configuring, 338-340 ACTIVITY.NSF database, 339 adjacent domains, 191-192, 229, 348 administration ECL, 68 monitoring tools, 84 Domino Administrator client, 84-85 Domino server console, 86-87 Web Administrator client, 85-86 Administration Preferences dialog box, 352 Administration Process (AdminP), 365 configuring, 90 group maintenance, 91-92 troubleshooting, 237-238, 397-398 users maintenance, 89-91 management, 225 administrators, 136 access, 136-137, 343 full access, 343 full console, 343 servers, 292 system, 343 troubleshooting, 140 AdminP, 365 database, 136-137 full remote console, 137 full-access, 136 groups, 22 restricted system, 137 system, 137 view-only, 137 Advanced Domino Services dialog box, 168 Advanced tab (Replication Settings dialog box), 265 Agent event, 400 Agent Manager, 394-395 agents access, 297-299 Agent Manager, 394-395 controlling, 66-68 creating, 149 formula, 67 local, 299 logging, 300, 329-330 monitoring/maintaining, 300-301 running, 299 server-based, 299 signing, 67 simple, 67

troubleshooting, 308 Web application, 83 Agents command (View menu), 329 applications access control, 235-236 Administration Process. See Administration Process agents, 308 Compact, 233-234 database maintenance, 232-234 deploying, 62 agents, controlling, 66-68 attachment based, 214 coding based, 212 compression, 69-70 design elements based, 212-213 ECL, 68-69 HTML-based applications, 64-65, 216 nonshared design elements based, 214 NSF based, 215-216 replication based, 215 shared design elements based, 214 server-based applications, 62-64 Web applications for internationalization, 65-66 designs Design task, 70-72 refreshing, 71 replacing, 72, 216-218 replicating, 73 Domino, 141-144, 146-149 Fixup, 233 jconsole, 241-244, 380 multiple replicas, 263-265 security, 295-297 ACLs, 302-304 agent access, 297-299 agents, 300-301 Authors/Readers fields, 305 encrypted fields, 296 Form Access Lists, 297 Form Read Access Lists, 295 hidden fields, 296 Readers fields, 295 roles, 304-305 section access lists, 296 signed fields, 296 View Read Access Lists, 296 Server Monitor, 236-237 Smart Upgrade, 320 Updall, 233 Update, 233 Archive Criteria Settings documents, 50

567 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .clients . . . Archive Policy Settings documents, 50 archiving, 210 client-based, 49, 210 configuring, 211-212 copying, 210 databases, 74 document selection, 210 logging, 180, 350 mail archiving policies, 49-50 file clean up, 210 policies creating, 48-49 mail archiving management, 49-50 settings documents, creating, 50 server-based, 49, 210 Archiving Settings document, 50 Assign Policy tool, 28 assigning access levels, 109-112 editor, 111 manager, 109 manager/designer, 110 manager/editor, 110 manager/reader, 111 authentication, 236, 355 configuring, 280-281 name-and-password, 134, 281 organization certifier IDs, creating, 356 organizational unit IDs, creating, 356-357 Remote Console, 246 session-based, 134, 281 troubleshooting, 395 Domino directory configuration, 396 server ID verification, 397 user problems, 397 Web, 134 author access level, 143, 303 authorization, troubleshooting, 395 Domino directory configuration, 396 server ID verification, 397 user problems, 397 Authors fields (application security), 146, 305 automating client installations, 23 server tasks, 342

B -B switch, 415 backups, 210, 348 basic name-and-password authentication, 134

Basics tab (Replication Connection documents), 106 batch file installations, 24 Bookmarks view Console, 243 Domino server, 381 browsers clients, 319 Web, 177 bundled statistics, 385

C -c switch, 415 CA Configuration documents, 290 CA keys, 175-176 CA process, 289-291 calendaring, 177 capacity planning, 162-163 CAT Global, 4 CATALOG.NSF database, 413 central directories configuring, 20-21 distributed directory migrations, 87-88, 183-184 Certificate Expiration Date dialog box, 224, 367 Certificate Revocation List (CRLs), 290-291 certificates, 172 CA keys, 175-176 Internet, 25 managing, 291 Notes, 25 organization certifier IDs, 173 organizational unit certifier IDs, 173-174 troubleshooting, 411 certification exams. See exams certifier IDs, 18-19, 130, 281 Certify ID dialog box, 219, 353 character set mapping, 65 Choose a Certifier dialog box, 220, 224, 366 Choose the Domino Domain Name dialog box, 167 circular logging, 180, 350 client-based archiving, 49, 210 clients browsers, 319 Domino Administrator monitoring preferences, 84-85 replication, forcing, 258-259

How can we make this index more useful? Email us at [email protected]

568 clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMAP, 176 iNotes Web Access, 177 licenses, 23-24 Notes, 176, 257 POP3, 177 upgrades, 320 users configuring, 24-25 IDs, 25-26 registering, 22-23 Web Administrator, 85-86 workstations, 176-177 Cluster Replica task, 115 clustering failovers, 182 load balancing, 181 replication, 115-116 troubleshooting, 238-239 collecting server information, 330-331 statistics, 331-332 Collector task, 331-332 command-line utility installations, 24 commands agents, 301 Compact, 74 console mail routing, troubleshooting, 47-48 viewing, 258 Domino console, 380 File, Preferences, User Preferences, Mail, 53 fixup, 410 jconsole, 243 Load Router, 48 pull, 103, 258 push, 104, 258 Refresh Design, 72, 271 Replace Design, 72 Replicate, 102-103, 258 Route, 40 Set Secure, 135 show server, 330 Domino console, 380 server tasks, monitoring, 227 show tasks, 380 Tell amgr debug, 330 Tell amgr schedule, 330 Tell amgr status, 330 Tell Router Compact, 48 Tell Router Delivery Stats, 48 Tell Router Exit, 48 Tell Router Quit, 48 Tell Router show, 40

Tell Router Show Queues, 48 Tell Router Update Config, 48 trace, 412 View, Agents, 329 Compact, 233-234 command, 74 task, 414 compacting, 74, 414 compression application deployment, 69-70 enabling/disabling, 218 LZ1, 70 network, 69 Configuration documents, 198 configuring activity logging, 338-340 Administration Process, 90 administrator access, 343 agent access, 297-299 archiving, 211-212 authentication, 236, 280-281 calendaring, 177 client workstations, 176-177 database access, 302-303 Authors/Readers fields, 305 consistent ACLs, 303-304 roles, 304-305 directories, 19, 169-170 administrator groups, 22 central, 20-21 distributed, 20-21 domains, 19 groups, 21 Domain Search, 355 Internet clients, 319 mail quotas, 195 mail routing, 36-37, 190-191 messaging Location document, 54-55 tracking, 197-199 user preferences, 53-54 multiuser support, 176 networks names, 344 timeouts, 81-82 Notes R6 users, 24-25 replication, 261-262 resource sharing, 177-179 roaming users, 221-222, 372-374 Router responses (mail quotas), 196-197 scheduling, 177 servers, 165-169 access, 291-293, 344 additional, 16-17

569 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .databases . . . . . administrators, 167 Country codes, 167 domain names, 167 names/titles, 166 organization name, 166 passwords, 167 ports, 17-18 protocols, 17-18 security, 169 size quotas (mail), 196 transaction logging, 179-181, 351 Confirm Database Delete dialog box, 209 conflict documents, 114 conflicts (replication), 113-115 Connected Servers view Console, 243 Domino server, 382 Connection documents, 36, 190, 260 changes, 39 creating, 260-261 mail routing, scheduling, 38-39 replication connection types, 106 creating, 106-108 destination domains, 106 destination server, 106 ports, 106 priorities, 107 pull only, 107 pull pull replication, 107 pull push replication, 107 push only, 107 replication tasks, 106 replication types, 107 source domains, 106 source server, 106 time limits, 107 usage priority, 106 replication, scheduling, 104 connections mail, 198 modems, 240 Replication Connection documents, 106 testing, 411-412 troubleshooting, 411-412 consoles commands mail routing, troubleshooting, 47-48 viewing, 258 Domino, 241, 380-382 exiting, 382 File menu, 380 jconsole, 241-244

launching, 242 views, 381 Live, 258 Remote, 245-247 server replication, forcing, 102-104 security, 135, 291 copy-style compacting, 414 corrupted views (databases), 413 costs (exams), 4 Country codes (servers), 167 crashes (server). See servers, crashes CRLs (Certificate Revocation Lists), 290-291 customizing group memberships, 364-365 installations, 24 replication, 263-265 user hierarchy locations, 365-366 user names, 223-224, 367

D data access control, 412-413 database administrators, 136-137 Database and Statistic Wizard, 329, 400 database instance IDs (DBIIDs), 179, 350, 414 Database Replication Failure Monitor, 118 databases access, 302-303 Authors/Readers fields, 305 consistent ACLs, 303-304 roles, 304-305 ACTIVITY.NSF, 339 adding to servers, 208 agents, 149 archiving, 74 backing up, 210 catalog file, 413 compacting, 74, 414 corrupted views, 413 creating, 344 DECOMSRV.NSF, 347 deleting, 209 design changes, 270-271 documents deleting, 414 viewing, 149 documents, locking, 148 DOMLOG.NSF, 80

How can we make this index more useful? Email us at [email protected]

570 databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVENTS4.NSF, 85 event handlers, 329 server tasks, monitoring, 226 system tasks, 328 fault recovery, 75-76 full-text index searches, 233, 413 local, 129 LOG.NSF, 75 mail-in, 283 MAIL.BOX, 36, 42, 190 MailTracker Store, 408 maintenance tasks, 234-235 utilities, 232-234 moving, 209 MTSTORE.NSF, 43, 198 quotas, 74 recipient mail, 191 repairing, 233 replication, troubleshooting, 398-399 REPORTS.NSF, 44 Resource Reservations, 177-179 restoring, 210 routing mail to, 199-201 servers crashes, causing, 393 tasks, monitoring, 228 size, 74-75, 232, 392 soft deletions, 74 space, recovering, 233-234 STATREP.NSF, 46, 331 system tasks, 413-414 troubleshooting, 413-416 upgrading, 209 user activity recording, 74 view indexes, 413, 233 views, 233 WEBADMIN.NSF, 86, 246, 383-384 DBIIDs (database instance IDs), 179, 350, 414 dead messages, 41 Debug Output Window view Console, 243 Domino server, 382 Decommission Server Analysis tool, 346-347 DECOMSRV.NSF database, 347 Delete Group dialog box, 368 Delete Person dialog box, 369 deleting databases, 209 documents, 148, 414 groups, 368

PrepLogic Practice Exams, Preview Edition, 541 users, 225, 368-369 Delivered messages, 230 Delivery failed messages, 230 delivery (messages) failure reports, 46-47 status, 230, 408 Deny Access groups, 145 deny list only groups, 21, 364 deploying applications, 62 agents, controlling, 66-68 attachment based, 214 coding based, 212 compression, 69-70 design elements based, 212-213 ECL, 68-69 HTML, 64-65, 216 nonshared design element based, 214 NSF based, 215-216 replication based, 215 shared design elements based, 214 server-based, 62-64 Web for internationalization, 65-66 user IDs, 25 Depositor access level, 143, 303 Design task, 70-72, 271 designer access, 110, 143, 303 designs Design task, 70-72 refreshing, 71 replacing, 72, 216-218 replicating, 73, 270-271 destination domains, 106 destination servers, 106, 260 dialog boxes Activity Analysis, 340 Administration Preferences, 352 Administrator Name and Password, 167 Advanced Domino Services, 168 Certificate Expiration Date, 224, 367 Certificates in Selected Entries, 369 Certify ID, 219, 353 Choose a Certifier, 220, 224, 366 Choose the Domino Domain Name, 167 Confirm Database Delete, 209 Delete Group, 368 Delete Person, 369 Edit Master Recovery Authority List, 283 Form Properties, 147

571 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . documents . . . . . . Manage Groups, 370 Move Users(s) to Another Server, 221, 371 New Tracking Request, 43 People and Rename, 224, 367 Processing Statistics, 367 Recertify User, 220, 369 Register Organization Certifier, 356 Register Organizational Unit Certifier, 357 Register Person—New Entry, 221, 373 Registration Server, 353 Rename Person, 224, 367 Renew Certificates in Selected Entries, 220 Replication Settings, 265 User Preferences, 53 directories administrator groups, 22 central, 20-21, 87-88, 245, 352 configuring, 19, 169-170 distributed, 245, 352 configuring, 20-21 migrating to central directories, 87-88, 183-184 domains, 19 Domino, 131 ACLs, 131-133 authentication, troubleshooting, 396 errors, 410-411 file protection documents, 133 roles, 133 errors, 410-411 groups, 21 hybrid, 245, 352 disabling compression, 218 user activity recording, 74 distributed directories, 245, 352 configuring, 20-21 migrating to central directories, 87-88, 183-184 DNNs (Domino Named Networks), mail routing, 36, 190 configuring, 36-37 forcing to specific servers, 40 monitoring/maintaining, 41-46 scheduling, 38-39 troubleshooting, 46-48 documents ACLs, 101, 108 access, 109-112, 142-143 Authors field, 146

consistency, 112 Domino application security, 141-144 Domino Directory, 131-133 editor access, 111 integrity, 413 intermediate server access, 112 manager access, 109 manager/designer access, 110 manager/editor access, 110 manager/reader access, 111 Readers field, 146-147 reading, 112 user types, 144 adjacent domains, 192, 229, 348 archive policy settings, 50 CA Configuration, 290 Configuration, 198 conflict, 114 Connection, 36, 190, 260 changes, 39 creating, 260-261 mail routing, scheduling, 38-39 replication, 104-108 deleting, 148, 414 Domain, 348 editing, 149, 307 file protection, 133 foreign domains, 229, 348 global domains, 229, 348 Location, 54-55 locking in databases, 148 Mail-In Database, 199-201 main, 114 non-adjacent domains, 194, 229, 348 Person explicit policies, assigning, 28 policies, 341 user management, 371 policies, 149 applying, 26-28, 183 existing users, 341-342 explicit, 27-28 new users, 318 organizational, 27 security, 345-346 Program, 342 replication order, 101 security settings, 150 selecting for archiving, 210 Site Profile, 178-179 viewing, 149

How can we make this index more useful? Email us at [email protected]

572 Domain documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domain documents, 348 Domain Search, 354-355 Domain view Console, 243 Domino server, 382 domains, 19 access, 247-248 adjacent, 191 capacity planning, 162-163 Domain documents, 348 external, 191-194 maintenance, 228-229 monitoring, 228-229 names, 167 non-adjacent, 192 Domino Administrator client monitoring preferences, 84-85 replication, forcing, 258-259 application security ACLs, 141-144 Authors field, 146 groups, 144-146 Readers field, 146-147 troubleshooting, 148-149 Console, 241, 380-382 exiting, 382 File menu, 380 jconsole, 241-244 launching, 242 views, 243-244, 381 Directory, 131 ACLs, 131-133 authentication, troubleshooting, 396 file protection documents, 133 roles, 133 Web Administrator. See Web Administrator Web Server Log database, 80 Domino Named Networks. See DNNs Domino servers access, 135 administrators, 136-137 allowing/denying, 137-138 monitoring/maintaining, 139 ports, 138 server console, 135 troubleshooting, 140-141 console, 86-87 IDs, 218-220 security, 129 Domino Directory, 131-133 IDs, 130-131 monitoring/maintaining access control, 139

server access, 135-138 troubleshooting, 140-141 Web authentication, 134 DOMLOG.NSF, 80

E ECLs (Execution Control List), 68-69, 150 Edit Master Recovery Authority List dialog box, 283 editing documents, 149, 307 editor access, 110-111, 143, 267, 303 effective policies, 88-89 enabling compression, 218 protocols, 349 encryption, 52 fields, 296 keys, 25 local databases, 129 passwords, 129 public/private keys, 52-53 Enterprise servers, 15, 164 errors. See also troubleshooting directory, 410-411 mail routing, 231 messages Server Not Responding, 140, 294 You Are Not Authorized to Access the Server, 141 Event Filter view (Domino server), 381 event generators creating, 328 mail-routing, 46 replication, 118, 272 server tasks, monitoring, 226 Event Handler Wizard, 329, 400 Event Monitor, 328 events Agent, 400 handlers, 400 creating, 329 server tasks, monitoring, 226 Mail, 400 mail routing, 42 monitoring, 86-87 POP3, 400 Replica, 400 replication, 117 SMTP, 400 triggers, 400 EVENTS4.NSF database, 85 event handlers, 329 server tasks, 226 system tasks, 328

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . groups . . . . Examination Score Report, 544 exams costs, 4 formats, 7 layout, 6 objectives, 3 practice test exams, 425, 463, 499 questions, 5 readiness assessment, 2 reviewing, 8 studying for, 9 techniques, 7-9 test exams, 445, 485, 519 testing center, 4 time allowed, 4 vendors, 4 Web site, 9 Execution Control Lists (ECLs), 68-69, 150 Exhibit button (practice exams), 543 exiting Domino console, 382 jconsole, 244 expiration IDs, 219 extending, 369-370 servers, 219 users, 26 passwords, 150 explicit policies, 27-28, 183, 318 Extended Access Control List (xACL), 269-270 external domains, 191-194

F failovers, 182 fault recovery, 75-76 fields Authors, 296, 305 encrypted, 296 hidden, 296 Readers, 295, 305 signed, 296 File menu Domino console, 380 Preferences, User Preferences, Mail command, 53 file protection documents, 133 files ID, 130-131, 280 backups, storing, 283-284 CA process, 289-291 recovering, 282-287

log monitoring, 78-80 replication, 117, 272 mail, 221, 371 NSD, 394 text, 80 Fixup, 233, 410, 414 forcing mail routing to specific servers, 40 replication, 256-257 Domino Administrator client, 258-259 Notes client, 257 server console, 102-104 foreign domain documents, 229, 348 foreign SMTP domain documents, 229, 348 Form Access Lists, 297 Form Properties dialog box, 147 Form Read Access Lists, 147, 295 formula agents, 67 full access administrators, 136, 343 full console administrators, 343 full remote console administrators, 137 full-text index searches (databases), 233, 413

G generators (event) creating, 328 mail-routing, 46 replication, 118, 272 server tasks, monitoring, 226 global domain documents, 229, 348 Grade Exam button (practice exams), 544 group expanded messages, 230 GroupCreator role, 133 GroupModifier role, 133 groups Access Control List Only, 21, 364 administrator, 22 deleting, 368 Deny Access, 145 deny list only, 21, 364 directories, 21 Domino application security, 144-146 mail only, 21, 364 maintenance, 91-92 managing, 370 memberships, 222-223, 364-365 multipurpose, 21, 364 renaming, 372 server only, 21, 364

How can we make this index more useful? Email us at [email protected]

573

574 handling events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

H handling events, 226, 329, 400 Header view Console, 243 Domino server, 381 held messages, 42 hidden fields, 296 hierarchy names, 18-19 policies, 89 user locations, 365-366 HTML-based applications, 64-65 HTTP protocol, 349 HTTP task, 384 hub-and-spoke topology, 105 hybrid directories, 245, 352

I IBM Redbooks Web site, 60 ICLs (Issued Certificate Lists), 290 IDs, 130-131, 280 backups, 283-284 CA process, 289-291 certifier, 18-19, 130, 281 expiration dates, 369-370 organization certifier, 173, 355-356 organization unit certifier, 355 organizational unit, 356-357 organizational unit certifier, 173-174 OU certifier, 18-19 recovering, 282 backup ID files, 283-284 from backups, 286-287 recovery information, 283-285 replica, 100 servers, 14, 130, 281 expiration dates, 219 maintenance, 218-220 names, 219 passwords, 219 recertifying, 353-354 verification, 397 troubleshooting, 411 user, 130, 281 deploying, 25 expiring, 26 maintenance, 26, 220 IIOP (Internet Inter-ORB Protocol), 349 IMAP (Internet Message Access Protocol), 176, 349 In queue messages, 230 in-place compacting with space recovery, 414

in-place compacting with space recovery and reduction in file size, 414 incremental installers, 320 indexing servers, 354 individual statistics, 385 iNotes Web Access, 177 installing clients, 23-24 Domino servers Web site, 33 PrepLogic Practice Exams, Preview Edition, 541 server, 163-165 intermediate servers, 112 Internet certificates, 25 clients, 319 Internet Inter-ORB Protocol (IIOP), 349 Internet Message Access Protocol (IMAP), 176, 349 ISpy task, 198 Issued Certificate Lists (ICLs), 290 Item Review button (practice exams), 543

J-K -j switch, 411 jconsole, 241-242, 380 commands, 243 Console views, 243-244 exiting, 244 keys, 25 kits (Smart Upgrade), 320

L -L switch, 415 LDAP protocol, 349 licenses, 23-25 linear logging, 180, 350 Live console, 258 load balancing, 181 Load Router command, 48 local agents, 299 local databases, 129 Location documents, 54-55 locations (hierarchy), 365-366 LOG.NSF, 75 logging activity agents, 301 configuring, 338-340 agents, 300, 329-330 archived, 180 circular, 180

575 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . maintenance . . . . . . . database, 75 linear, 180 monitoring, 78-80 replication, 117, 272 transactions, 349-350 configuring, 179-181 implementation planning, 180 implementing, 350-351 versions, 350 Look and Feel view Console, 243 Domino server, 382 Lotus Developers Domain Web site, 390, 421, 535 Domino 6 Technical Overview Web site, 60, 535 Live! Series: “What’s New in Notes/Domino 6 Administration” Web site, 536 LZ1 compression, 70

M mail archiving, 210 client-based, 210 configuring, 211-212 copying, 210 document selection, 210 mail file clean up, 210 policies, 49-50 server-based, 210 connectivity, 198 delivery status messages, 408 encryption, 52-53 files clean up, 210 management tasks, 89 moving, 221, 371 message tracking, 197-199 quotas, 51, 195-197 controls, 195 exceeding, 195 limits, 195 Router responses, 196-197 setting, 51, 195-196 warning thresholds, 51, 195 routing configuring, 36-37, 190-191 databases, 199-201 errors, 231 event generators, 46

events, viewing, 42 external domains, 191-194 forcing to specific servers, 40 messages, tracking, 230 monitoring/maintaining, 41-46 reports, viewing, 43 scheduling, 38-39 status, viewing, 42 topology, 42, 47 troubleshooting, 46-48, 399, 408-409 shared, 42 tracing, 47 tracking, 408 usage reports, 44-45 Mail event, 400 mail only groups, 21, 364 Mail Routing and Server Response Wizard, 329, 400 Mail Tracking Collector (MT Collector), 43, 198, 408 Mail-In Database documents, 199-201, 283 MAIL.BOX database, 36, 42, 190 mailboxes, 41 MAILER task, 190 MailTracker Store database, 43, 198, 408 main documents, 114 maintenance agents, 300-301 databases, 232-234 adding, 208 backing up, 210 deleting, 209 fault recovery, 75-76 moving, 209 restoring, 210 size, monitoring, 74-75 tasks, 234-235 upgrading, 209 domains, 228-229 Domino Server IDs, 218-220 effective policies, 88-89 groups, 91-92 mail routing errors, 231 event generators, 46 message tracking, 43-44, 230 Messaging, Mail tab, 41-43 usage reports, 44-45 migrating distributed directories to central directories, 87-88 replication, 272 server access control, 139

How can we make this index more useful? Email us at [email protected]

576 maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . users, 89-91 IDs, 26, 220 profiles, 222-223 Manage Groups dialog box, 370 Manager access, 109, 143, 303 designer access, 110 editor access, 110 reader access, 111 servers, 266 managing certificates, 291 groups, 370 users, 371 mapping character set, 65 HTML-based applications, 64 topologies mail-routing, 47 replication, 118 Mark Item button (practice exams), 543 Master Design templates, 70, 344 Maximizing Domino Performance Web site, 163, 535 memberships (groups), 222-223, 364-365 memory cache, 81 messages configuring Location document, 54-55 user preferences, 53-54 dead, 41 delivery status, 230, 408 error Server Not Responding, 140, 294 You Are Not Authorized to Access the Server, 141 held, 42 pending, 41 tracking, 44, 197-199, 230 Messaging servers, 15, 164 Messaging, Mail tab, 41-43 Microsoft Windows Management Instrumentation Software Development Kit (WMI SDK), 245 modems, 240 monitoring administration monitoring tools, 84 Domino Administrator client, 84-85 Domino server console, 86-87 Web Administrator client, 85-86 agents, 300-301 database size, 74-75, 232, 392 domains, 228-229 events, 86-87 log files, 78-80

mail routing errors, 231 event generators, 46 message tracking, 43-44, 230 Messaging, Mail tab, 41-43 usage reports, 44-45 replication, 116-118, 272 server access control, 139 Server Monitor, 236-237 server tasks, 77-78, 226-228, 393 databases, 228 event generators, 226 event handlers, 226 show server command, 227 tools, 228 users, 41 Web servers, 80 memory cache, 81 network timeouts, 81-82 threads, 81 Web application agents, 83 Web Site rules, 83-84 Monitoring Configuration database, 85 Monitoring Results database, 46 Move Users(s) to Another Server dialog box, 221, 371 moving databases, 209 mail files, 221, 371 MSTORE.NSF, 408 MT Collector (Mail Tracking Collector), 43, 198, 408 MTSTORE.NSF database, 43, 198 multipurpose groups, 21, 364 multiusers, 23, 176

N-O name management tasks, 89 name-and-password authentication, 281 names domains, 167 groups, 372 hierarchical, 18-19 Master Design templates, 70 networks, 344 organization, 166 owners, 25 server IDs, 219 servers, 166 users, 223-224, 367 NetCreator role, 133 NetModifier role, 133

577 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PrepLogic . . . . . .Practice . . . . Exams . . . . networks compression, 69 names, 344 timeouts, 81-82 troubleshooting, 239 New Tracking Request dialog box, 43 Next Item button (practice exams), 544 No Access access, 143, 268, 303 non-adjacent domains, 192-194, 229, 348 Notes certificates, 25 client, 176, 257 NRPC (Notes Remote Procedure Calls), 36, 190 NSD (Notes System Diagnostics) file, 394 organization certifier IDs, 173, 355-356 organization names, 166 organizational policies, 27, 183, 318 OUs (organizational units), 18-19 certifier IDs, 173-174, 355 IDs, 356-357 owner names, 25

P partitioning, 239 Password Management tab, 150 passwords, 287, 289 encryption, 129 expiration, 150 server IDs, 219 servers, 167 user, 247 verification, 287-288 patches (server crashes), 393 peer-to-peer topology, 105 pending messages, 41 People and Rename dialog box, 224, 367 performance, 42 Person document explicit policies, 28 management tasks, 90 policies, 341 user management, 371 Personal Address Book, 53-55 physical security, 128-129 policies applying, 26-28 archiving creating, 48-49 mail archiving management, 49-50 settings documents, creating, 50

effective, 88-89 explicit, 27-28, 183, 318 hierarchy, 89 organizational, 27, 183, 318 Policy Synopsis report, 89 security, 149-151 policy documents, 50, 149 applying, 183 existing users, 341-342 new users, 318 security, 345-346 Policy Synopsis reports, 89 Policy Viewer, 89 Policy-based system administration with Domino 6 Web site, 157, 536 PolicyCreator role, 133 PolicyModifier role, 133 PolicyReader role, 133 POP3 (Post Office Protocol), 349 clients, 177 event, 400 ports access, 138, 293 configuring, 17-18 Replication Connection documents, 106 practice exams, 425, 463, 499, 537 deleting, 541 Examination Score Report, 544 Flash Review mode, 543 installing, 541 interface, 540 learning environment, 540 options, 543-544 Practice Exam mode, 542-543 question quality, 540 reviewing, 544 simulation, 539 software requirements, 540 time remaining, 544 Preferences, User Preferences, Mail command (File menu), 53 “Preparation and Test-Taking Strategies with Lotus Education Managers,” 536 PrepLogic, 537, 545 PrepLogic Practice Exams, Preview Edition, 537 deleting, 541 Examination Score Report, 544 Flash Review mode, 543 installing, 541 interface, 540 learning environment, 540 options, 543-544

How can we make this index more useful? Email us at [email protected]

578 PrepLogic Practice Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practice Exam mode, 542-543 question quality, 540 reviewing, 544 simulation, 539 software requirements, 540 time remaining, 544 Previous Item button (practice exams), 544 print resources, 535 private keys, 25, 52-53 Processing Statistics dialog box, 367 profiles statistics, 384 users, 222-223 Program documents, 342 protocols configuring, 17-18 enabling, 349 HTTP, 349 IIOP, 349 IMAP, 349 LDAP, 349 POP3, 349 SSL, 349 troubleshooting, 239 public keys, 52-53 pull command, 103, 258 pull only replication, 107 pull pull replication, 107, 258, 263 pull push replication, 107 push command, 104, 258 push only replication, 107

Q-R quotas databases, 74 mail, 51, 195-197 controls, 195 exceeding, 195 limits, 195 Router responses, 196-197 setting, 51, 195 size quotas, setting, 196 warning thresholds, 51, 195 reader access, 111, 143, 267-268, 303 Readers field, 146-147, 295, 305 readiness for exams, 2 real-time statistics, 384-385 Recertify User dialog box, 220, 369 recertifying server IDs, 353-354 recipient mail database, 191

recovering database space, 233-234 ID files, 282 backups, 283-287 recovery information, 283-285 server crashes, 393-394 Refresh Design command, 72, 271 Register Organizational Unit Certifier dialog box, 357 Register Organization Certifier dialog box, 356 Register Person—New Entry dialog box, 221, 373 registering servers, 14 users, 22-23, 27, 175 Registration Server dialog box, 353 registration servers, 351-352 Remote Console, 245-247 Rename Person dialog box, 224, 367 Renew Certificates in Selected Entries dialog box, 220, 369 Replace Design command, 72 replacing application designs, 216-218 design changes, 72 Replica event, 400 Replica task, 100-101 replicas, 181 creating, 344 IDs, 100 management tasks, 90 multiple, 263-265 replicate command, 102-103, 258 Replicating/Routing tab (Replication Connection documents), 106-107 replication, 100 ACLs, 108, 266 access, assigning, 109-112 consistency, 112 editor access, 111 intermediate server access, 112 manager access, 109 manager/designer access, 110 manager/editor access, 110 manager/reader access, 111 reading, 112 server access, 266-269 changes, 264 clustered, 115-116 commands, 258-260 configuring, 261-262 conflicts, 113-115

579 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . script . . . .libraries . . . . Connection documents connection types, 106 creating, 106-108 destination domain, 106 destination server, 106 ports, 106 priorities, 107 pull only, 107 pull pull replication, 107, 258, 263 pull push replication, 107 push-only, 107 replication tasks, 106 replication types, 107 source domain, 106 source server, 106 time limits, 107 usage priority, 106 defined, 256 design changes, 73, 270-271 destination servers, 260 events, 117 forcing, 256-257 Domino Administrator client, 258-259 Notes client, 257 server console, 102-104 history, 100, 116, 272 maintenance, 272 monitoring, 118, 272 multiple replicas, 263-265 pull only, 107 pull pull, 107, 258, 263 pull push, 107 push only, 107 Replica task, 100-101 scheduling, 118, 260-262, 272 Connection documents, 106-108 topologies, 104-105 server-to-server, 100 streaming, 263 tasks, 106 time intervals, 263 time limits, 107 topologies, 104-105, 118, 272 troubleshooting, 398-399 workstation-to-server, 100 xACL, 269-270 Replication Settings dialog box, 265 reports delivery failure, 46-47 mail routing, 43-45 Policy Synopsis, 89 version reporting, 320

REPORTS.NSF database, 44 Resource Reservations database, 177-179 resources print, 535 sharing configuring, 177-178 site profiles, 178-179 Web, 535 restricting administrator access, 136-137 ring topologies, 105 roaming users configuring, 221-222, 372-374 management tasks, 89 roles, 133, 304-305 Route command, 40 routing configuring, 36-37 errors, 231 events, 42 forcing to specific servers, 40 mail configuring, 190-191 databases, 199-201 external domains, 191-194 quota responses, 196-197 mailboxes, 41 messages, tracking, 230 monitoring/maintaining message tracking, 43-46 Messaging, Mail tab, 41-43 reports, 43 scheduling, 38-39 SMTP, 191 status, viewing, 42 tables, 37, 191 topology, 42 troubleshooting, 46, 399, 408-409 console commands, 47-48 delivery failures, 46-47 mail trace, 47 mail-routing topology maps, 47

S Schedule tab (Replication Connection documents), 108 scheduling configuring, 177 mail routing, 38-39 replication, 118, 260, 262, 272 Connection documents, 106-108 topologies, 104-105 script libraries, 68

How can we make this index more useful? Email us at [email protected]

580 section access lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . section access lists, 296 Secure Password view Console, 243 Domino server, 382 Secure Sockets Layer (SSL) protocol, 349 security applications, 295-297 ACLs, 302-304 agent access, 297-301 Authors/Readers fields, 296, 305 encrypted fields, 296 Form Access Lists, 297 Form Read Access Lists, 295 hidden fields, 296 Readers fields, 295 roles, 304-305 section access lists, 296 signed fields, 296 View Read Access Lists, 296 authentication, 236, 280-281, 355 organization certifier IDs, creating, 356 organizational unit IDs, creating, 356-357 troubleshooting, 395-397 authorization, 395-397 CA keys, 175-176 CA process, 289-291 certificates, 172-174 Domino application ACLs, 141-144 Authors field, 146 groups, 144-146 Readers field, 146-147 troubleshooting, 148-149 Domino server, 129 Domino Directory, 131-133 IDs, 130-131 monitoring/maintaining access control, 139 server access, 135-138 troubleshooting, 140-141 Web authentication, 134 encryption, 52-53 encryption keys, 25 ID files, 282-287 passwords, 287-289 physical, 128-129 policies, 149-151, 345-346 servers configuring, 169 console, 135, 291 settings documents, 150 user access, 306-308

Security tab (Form Properties dialog box), 147 Server Monitor, 236-237, 385-386 Server Not Responding error message, 140, 294 server only groups, 364 server-based agents, 299 server-based applications, 62-64 server-based archiving, 49, 210 server-to-server replication, 100 ServerCreator role, 133 ServerModifier role, 133 servers access, 344 administrator, 292 assigning, 266-269 configuring, 291-293 Manager/Editor, 267 Manager/Manager, 266 Manager/No Access, 268 Manager/Reader, 267 Reader/Reader, 268 troubleshooting, 293-294, 409-411 configuring, 14-16, 165-169 additional, 16-17 administrators, 167 Country codes, 167 domain names, 167 names/titles, 166 organization name, 166 passwords, 167 security, 169 console replication, 102-104 security, 135, 291 crashes causes, 393 fault recovery, 75-76 NSD files, 394 recovering from, 393-394 decommissioning, 346-347 destination, 260 document-management tasks, 89 Domino, 129-141 Enterprise, 15, 164 IDs, 130, 281 expiration dates, 219 maintenance, 218-220 names, 219 passwords, 219 recertifying, 353-354 verification, 397 indexing, 354 information collecting, 330-331

581 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Tell . . Router . . . .Update . . . . Config . . . .command . . . . . installing, 163-165 intermediate, 112 Messaging, 15, 164 names, 166 new, viewing, 294, 307 not responding, 140 partitions, 239 ports, 17-18 protocols, 17-18 registering, 14, 351-352 resource sharing, 177-179 tasks automating, 342 monitoring, 77-78, 226-228, 393 titles, 166 types, 164 Utility, 15, 164 viewing, 140 Web, 80-84 servers only groups, 21 sessions, 134, 281 Set Secure command, 135 sharing installation, 23 mail, 42 resources, 177-179 Show Answer button (practice exams), 543 show server command, 330 Domino console, 380 server tasks, monitoring, 227 show tasks command, 380 signing agents, 67 fields, 296 script libraries, 68 simple agents, 67 single-user client installation, 23 Site Profile documents, 178-179 size databases, 74-75, 232, 392 mail quotas, 196 Smart Upgrade, 24, 320 SMTP event, 400 SMTP routing, 191 soft deletions (databases), 74 source domains, 106 source servers, 106 Specify and Administrator Name and Password dialog box, 167 SSL (Secure Sockets Layer) protocol, 349 statistics bundled, 385 collecting, 331-332

individual, 385 profiles, 384 real-time, 384-385 viewing, 385-386 STATREP.NSF database, 46, 331 storing backup ID files, 283-284 recipient mail database, 191 switches, 411, 415 system administrators, 137, 343 system tasks, 413-414

T tables, 37, 191 target servers, 106, 260 tasks Agent Manager, 394-395 automating, 342 Cluster Replica, 115 Collector, 331-332 Compact, 414 database maintenance, 234-235 Design, 70-72, 271 Fixup, 414 HTTP, 384 ISpy, 198 mail file management, 89 MAILER, 190 MTC, 43, 198, 408 name management, 89 Person document management, 90 Replica, 100-101 replica management, 90 replication, 106 roaming user management, 89 server document-management, 89 monitoring, 77-78, 226-228, 393 system, 413-414 Updall, 413 Update, 413 user mail file management, 89 Tell amgr debug command, 330 Tell amgr schedule command, 330 Tell amgr status command, 330 Tell Router Compact command, 48 Tell Router Delivery Stats command, 48 Tell Router Exit command, 48 Tell Router Quit command, 48 Tell Router show command, 40 Tell Router Show Queues command, 48 Tell Router Update Config command, 48

How can we make this index more useful? Email us at [email protected]

582 templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . templates (master), 70, 344 testing. See also exams centers, 4 connections, 411-412 Mail-In Database documents, 201 text files, 80 Thompson Prometric, 4 threads, 81 thresholds, 195 tools administration monitoring, 84 Domino Administrator client, 84-85 Domino server console, 86-87 Web Administrator client, 85-86 Assign Policy, 28 Decommission Server Analysis, 346-347 Domain Search, 354-355 replication, 272 server tasks, monitoring, 228 troubleshooting routing, 409 topologies hub-and-spoke, 105 mail routing, 42 maps, 118, 272 peer-to-peer, 105 replication, 104-105 ring, 105 trace command, 412 tracing mail, 47 tracking mail, 408 messages, 43-44, 197-199, 230 transaction logging, 349-350 configuring, 179-181 implementation planning, 180 implementing, 350-351 versions, 350 Transfer failed messages, 230 Transferred messages, 230 troubleshooting Administration Process, 237-238, 397-398 Agent Manager, 394-395 authentication, 395-397 authorization, 395-397 certificates, 411 clustering, 238-239 connections, 411-412 data access control, 412-413 databases, 413-416 Domino application access control, 148-149 IDs, 411

mail routing, 399, 408-409 console commands, 47-48 delivery failures, 46-47 errors, 231 mail trace, 47 mail-routing topology maps, 47 modems, 240 networks, 239 partitions, 239 protocols, 239 replication, 398-399 server access, 140-141, 293, 409-411 administrators, 140 commands, entering, 293 directory errors, 410-411 new servers, viewing, 294 Server not responding message, 140, 294 unauthorized access, 141 viewing new servers, 140 server crashes causes, 393 fault recovery, 75-76 NSD files, 394 recovering from, 393-394 user access, 306 access level conflicts, 308 agents, creating, 308 can’t access applications, 306 document editing, 307 new servers, viewing, 307 viewing all items, 307 users, 241 workstations, 416 Troubleshooting Wizard, 329, 400

U unauthorized server access, 141 Unknown messages, 230 unrestricted methods, 67 Updall, 233, 413 Update, 233, 413 updates design changes, 270-271 view indexes, 233, 413 WEBADMIN.NSF database, 384 upgrades clients, 320 databases, 209 server crashes, causing, 393 Smart Upgrade, 24

583 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Web . . sites . . . Upgrading to Domino 6: Performance Benefits Web site, 421, 536 usage priorities, 106 User Preferences dialog box, 53 UserCreator role, 133 UserModifier role, 133 users access, 306-308 activity, recording, 74 Administration Process, 225 configuring, 24-25 creating, 175 deleting, 225, 368-369 existing, 27-28, 341-342 groups, 222-223, 364-365 hierarchy locations, 365-366 IDs, 130, 281 deploying, 25 expiration date, extending, 369-370 expiring, 26 file recovery information, 284-285 maintenance, 26, 220 mail files, 89, 221, 371 maintenance, 89-91 managing, 371 monitoring, 41 multiuser support, 176 names, 223-224, 367 new, 318 passwords, 247 policy documents, applying, 183 preferences, 53-54 profiles, 222-223 registering, 22-23, 27, 175 roaming, 221-222, 372-374 troubleshooting, 241 types, 144 viewing, 41 utilities. See applications Utility servers, 15, 164

V versions reporting, 320 transaction logging, 350 view indexes, 233, 413 View, Agents command, 329 View Read Access Lists, 296 view-only administrators, 137 viewing Agent log, 301, 329-330 Console, 243-244

console commands, 258 databases corrupted, 413 rebuilding, 233 dead messages, 41 Deny Access groups, 145 documents, 149 Domino console, 381 held messages, 42 mail routing, 42-43 new servers, 294, 307 pending messages, 41 policies, 89 real-time statistics, 384-385 replication events, 117 mailboxes, 41 schedules, 118, 272 topology maps, 118 servers, 140 shared mail, 42 statistics, 385-386 users, 41

W–X–Y–Z warning thresholds, 51, 195 Web applications agents, running, 83 deploying for internationalization, 65-66 authentication, 134 browsers, 177 client, 246 resources, 535 servers, monitoring, 80-84 memory cache, 81 network timeouts, 81-82 threads, 81 Web application agents, 83 Web Site rules, 83-84 Web Administrator, 382-384 client, 85-86 database, 86 Web client, compared, 246 WEBADMIN.NSF database, 383-384 Web sites accessing and protecting the file system, 157, 535 CAT Global, 4 exams, 9

How can we make this index more useful? Email us at [email protected]

584 Web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IBM Redbooks, 60 installing Domino servers, 33 Lotus Developers Domain, 390, 421, 535 Domino 6 Technical Overview, 60, 535 Live! Series: “What’s New in Notes/Domino 6 Administration,” 536 Maximizing Domino Performance, 163, 535 Policy-based system administration with Domino 6, 157, 536 “Preparation and Test-Taking Strategies with Lotus Education Managers,” 536 PrepLogic, 537 rules, 83-84 Smart Upgrade, 24 Thompson Prometric, 4 Upgrading to Domino 6: Performance Benefits, 421, 536 Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6 Administration,” 60 Webcast: “Preparation and Test Taking Strategies with Lotus Education Managers,” 60 What’s in Store for the Domino R6 Database, 125, 536 WEBADMIN.NSF database, 86, 246, 383-384 Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6 Administration,” 60 Webcast: “Preparation and Test Taking Strategies with Lotus Education Managers,” 60 Welcome pages, 170-171 What’s in Store for the Domino R6 Database Web site, 125, 536 wizards Database and Statistic, 329, 400 Event Handler, 329, 400 Mail Routing and Server Response, 329, 400 Troubleshooting, 329, 400 WMI SDK (Microsoft Windows Management Instrumentation Software Development Kit), 245 workstation-to-server replication, 100

workstations client, 176-177 ECL, 68 messaging configuration Location document, 54-55 user preferences, 53-54 troubleshooting, 416 xACL (Extended Access Control List), 269-270 You Are Not Authorized to Access the Server error message, 141