Up-to-date with the Domino R5 Administration Process

Country/region select

developerWorks

AIX and UNIX
Information Mgmt
Lotus
	New to Lotus
	Products
	How to buy
	Downloads
	Live demos
	Technical library
	Training
	Support
	Forums & community
	Events
Rational
Tivoli
WebSphere

Java™ technology
Linux
Open source
SOA and Web services
Web development
XML

My developerWorks
About dW
Submit content
Feedback

developerWorks > Lotus > Technical Library

Printer-friendly

Up-to-date with the Domino R5 Administration Process

by
Mary Jrolf
and Dave Wilson

Level: Intermediate
Works with: Domino 5.0
Updated: 07/01/1999

Inside this article:
Cross-domain processing

Moving mail files

Additional R5 administration requests

Related links:
Roadmap of move mail file requests

Using the Extension Manager in the move mail file process

Setting up the Administration Process in your domain

Roadmap of Administration Process requests

Administration Process gotchas and hints

Domino 5 Administration Help

Lotus Administration Zone

Get the PDF:
229Kb

[Editors note: This article updates you on the Domino R5 Administration Process. For some background, check out our three-part series on the R4.x Administration Process. The articles include details on setup, a roadmap of common administration requests, and tips for using the Administration Process.]

Introduction
Each profession has its own essential tools of the trade. If you are a Domino administrator, the Domino Administration Process is just such a tool.

The Administration Process can save you time by automating your routine administrative tasks. For example, if you need to delete a user, the Administration Process automatically locates that user's name in the Domino Directory and removes it, locates and removes the user's name from ACLs, and makes any other necessary deletions for that user. For an introduction to the Administration Process, see "Setting up the Administration Process in your domain."

This article updates you on the new Administration Process features in Domino R5, as well as the enhancements to some existing administration requests. These new features and enhancements include:

Cross-domain processing for several administration requests, including: Create replica, Delete person, Delete server, Rename person, and Rename server from flat to hierarchical
Support for moving mail files and delegating mail files
New administration requests for updating the Server document, including: Store server's platform in server record, Update domain catalog configuration, Update server protocol information, Store server's DNS host name, and Request to store server CPU count
New secondary administration requests, including: Rename in unread lists, and Delete private design elements
Support for adding a deleted person to a Terminations group
New views in the Administration Requests database, including: Administrative Attention Required, and Cross Domain Delivery Failures

The rest of this article describes each of these areas in more detail, and includes tips for using the new features. Finally, we'll look at some troubleshooting tips for what to do when users haven't accepted a name change within the allotted time period.

Note: For in-depth information on the Administration Process and the tasks it can carry out, see Administering the Domino System, which is part of the Domino 5 Administration Help.

Cross-domain processing
With Domino R5, you can now use the Administration Process to create administration requests that work across domains. That is, the Administration Process can run an administration request on one domain and then send that request to another domain for processing. The administration requests that can be processed across domains are:

Create replica
Delete person
Delete server
Rename person
Rename server from flat to hierarchical

The secondary administration requests that are spawned during the execution of the cross-domain requests are fully documented in Appendix D of Administering the Domino System.

To verify that all cross-domain administration requests complete successfully, you can use the new Cross Domain Delivery Failures view in the Administration Requests database. You'll learn more about this new view later in this article.

Setup for cross-domain processing
The Administration Requests database (ADMIN4.NSF) now contains Cross-domain Configuration documents, which you use to specify how domains exchange and process administration requests. (Remember that to complete tasks, the Administration Process posts and responds to requests in the Administration Requests database.) You also need to specify who can create Cross-domain Configuration documents in the Directory Profile document in the Domino Directory.

To set up cross-domain processing:

Edit the Directory Profile document. From the Domino Administrator, click the Files tab and then open the Domino Directory (names.nsf). Choose Actions - Edit Directory Profile to access the Directory Profile document. In the field "List of administrators who are allowed to create Cross Domain Request Configuration documents in the Administration Process Requests database," enter the name(s) of the administrator(s) allowed to create Cross Domain Request Configuration documents. Only those administrators listed in this field, and Managers of the Domino Directory, are allowed to create Cross Domain Request Configuration documents.
Create two Cross Domain Request Configuration documents: one in the Administration Requests database in the sending domain for outbound requests, and a second in the receiving domain's Administration Requests database for inbound requests. For additional information on creating Cross Domain Request Configuration documents, see Chapter 10 of Administering the Domino System.
If the people and servers in the sending domain and the receiving domain are in different certificate hierarchies, create Cross-Certificate documents between the certifiers storing them in the Domino Directories of both domains. For additional information on creating a Cross-Certificate document, see Chapter 28 of Administering the Domino System.
If a domain is receiving Rename person and Rename server requests, verify that the Certifier documents for the certificate hierarchy of the person or server being renamed are present in the receiving domain's Domino Directory. If the Certifier documents are not present, you will need to create them. From the Domino Administrator on the source server, click Certificates. Locate the Certifier document that you want to place on the receiving domain. Copy that Certifier document. From the Domino Administrator on the receiving domain, paste the Certifier document in the Domino Directory. For additional information on Certifier documents, see Chapter 2 of Administering the Domino System.

Tips for using cross-domain processing
This section includes tips for using each cross-domain administration request: Create replica, Delete person, Delete server, Rename person, and Rename server.

Create replica
You can use the Administration Process to create replicas of databases across domains. (Just select the database and choose Database - Create Replica from the Tools pane in the Domino Administrator.) As with any administration request, you must have the correct access rights in place in order to process the request.

In addition, when you create the Cross Domain Request Configuration document for outbound requests, you must specify the servers in the receiving domains on which replicas may be created. Enter this information in the field "Only submit Create Replica requests to the domains listed above if the destination server is one of the following." If the field is left blank, an error message displays, and you cannot save and close the document. If you enter an invalid server and/or domain name, the "Check access for replica creation" request fails, and a message to that effect appears in the Administration Process Log.

The following flowchart shows the series of requests the Administration Process carries out to complete a cross-domain Create Replica request.
Create Replica request flowchart

Delete person
You can delete a user's name from the Domino Directory (by choosing Actions - Delete Person) and have the resulting administration request processed in the Domino Directory of another domain. When deleting a user across domains, no attempt is made to locate a mail file in the destination domains.The following requests are not generated:

Approve file deletion
Delete mail file
Delete unlinked mail file
Get file information for deletion
Request file deletion

In addition, when you delete a nonhierarchical person name on the source domain, the following Approval requests are generated on the destination domain:

Approve delete person in Address Book
Delete person in Address Book -- This second "Delete person in Address Book" request is generated after the "Approve delete server in Address Book" request is approved by the administrator.

Delete server
You can delete a server's name from the Domino Directory in one domain (by choosing Actions - Delete Server), and have the resulting administration request processed in the Domino Directory of another domain. The server name is then deleted from the receiving domain.

In addition, when you delete a nonhierarchical server name on the source domain, the following Approval requests are generated on the destination domain:

Approve delete server in Address Book
Delete server in Address Book -- This second "Delete server in Address Book" request is generated after the "Approve delete server in Address Book" request is approved by the administrator.

Rename person
You can use the Administration Process to rename (upgrade) a flat user name to a hierarchical user name, change the user's common name, or move a user to a new organizational hierarchy. To begin the renaming, choose People - Rename from the Tools pane of the Domino Administrator.

When you rename a user across domains, the following requests are not executed in the destination domain:

Rename person in Free Time Database
Rename person in Calendar entries and Profiles in mail file

This is because the user's Calendar entries and the Free Time database do not exist on the destination domain. They only exist on the home server in the source domain, because the mail file and Person documents reside on the home server in the source domain.

In addition, when you rename a user from a flat name to a hierarchical name, the following Approval requests are generated on the destination domain:

Approve Rename in Address Book
Rename person in Address Book -- This second "Rename person in Address Book" request is generated after the "Approve Rename in Address Book" request is approved by the administrator.

Rename server
You can use the Administration Process to rename (upgrade) a flat server name to a hierarchical server name. To begin the renaming, choose Actions - Upgrade server to hierarchical in the Domino Directory.

When you rename a server from a flat name to a hierarchical name, the following Approval requests are generated on the destination domain:

Approve Rename in Address Book
Rename server in Address Book -- This second "Rename server in Address Book" request is generated after the "Approve Rename in Address Book" request is approved by the administrator.

Moving mail files
With Domino R5, moving mail files between servers in a domain is as easy as clicking a button. You just click Tools/Move Mail File on the People & Groups tab of the Domino Administrator, or choose Actions - Move Mail File. In addition, you can drag-and-drop mail files to a new server. When moving more than one mail file at a time, you must move all the selected mail files to the same mail server.

When you use the Administration Process to move mail files, the task actually involves a series of administration requests. To see the complete sequence of requests, see the sidebar "Roadmap of Administration Process requests: Moving mail files."

Setup for moving mail files
To successfully move mail files between servers, make sure that:

The key servers involved are Domino R5 servers, including the old and new mail servers, the administration server of the Domino Directory, and the administration server of the mail file.
The client is running Notes R5. (If the client is running Notes R4.6, the administrator must explicitly create the "Push changes to new mail server" administration request in the move mail file request sequence -- either through an Extension Manager callout, an agent, or some other means. For more information on this, see the section "Updating Connection and Location documents" later in this article.)
The user's name is hierarchical.
The old and new mail servers are hierarchical.
Both mail servers are in the same domain.
Network connectivity is available between the old and new mail servers.

In addition, you should verify that you have the following access levels set:

The administrator and the old mail server must have Create Replica rights on the new mail server. (This way, the mail file can replicate to the new mail server.)
The administrator must have either Editor access to the Domino Directory, or Author access with the UserModifier Role.
If the client is running Notes R5, the user must have Author access to the Administration Requests database. (When the Administration Requests database is created, all users have Author access to the documents in the database.)

Tips for moving mail files
This section includes tips for moving mail files, including details on the Administration Process Log, the proper routing configurations, and updating Connection and Location documents.

Checking the Administration Process Log
As part of the "Check mail server's access" request, the Administration Process examines the mail file on the old mail server and identifies any agents scheduled to run in the mail file on the old mail server. If it locates any agents, it writes a message to that effect to the Administration Process Log so that you can reschedule the agents to run on the new mail server.

In addition, the Administration Process scans the replication formulas on the old mail server. If it finds the old mail server's name, it writes a message to that effect to the Administration Process Log so that you can update those formulas to reflect the new mail server.

Note: If the "Select by formula" field is checked on the Replication Setting dialog box, and the old mail server name is listed in the formula, the old mail server name will not be found.

Routing configurations for moving mail files
When you use the Administration Process to move mail files, your routing configuration may affect the user's mail delivery. If your configuration routes mail to the user's old and new mail servers through intermediary hub servers, mail addressed to the user may become undeliverable.

To determine the correct destination for a mail message, Notes relies on information in the Mail file field and Mail server field of the Person document in the Domino Directory. Given specific mail routing topologies and Domino Directory replication schedules, inconsistent Mail file and Mail server fields in the Person document on replicas of the Domino Directory on different servers could result in undelivered mail. To determine whether the potential for this problem exists in your environment, learn more about the move mail file requests in the sidebar "Roadmap of Administration Process requests: Moving mail files."

The following graphic shows a routing configuration using intermediary hub servers. Mail is routed to the user's old mail server through the old mail hub, and to the new mail server through the new mail hub. The administration server of the Domino Directory replicates the directory to the old mail hub and the new mail hub. These servers in turn replicate the Domino Directory to the old mail server and new mail server.

Mail routing diagram

After the administration server of the Domino Directory performs the "Replace mail file fields" request, it replicates the modified directory to the old mail hub. If mail addressed to the user arrives at the old mail hub, the hub sends the message to the new mail hub, as specified in the modified directory. However, there may be a period of time before the modified directory replicates to the new mail hub. During this time, the new mail hub sends any messages it receives back to the old mail hub.

Routing flowchart after directory change

Routing flowchart after directory change

In this configuration, the mail bounces between the two hubs until the message's Maximum Hop Count is reached. The message then returns to the sender as undeliverable or stays as Dead Mail in the mail.box of the old or new mail hub. A message is undeliverable if the message is a nondelivery report that cannot be delivered, or if the mail cannot return to the sender.

To ensure that no mail returns as undeliverable or is marked as dead, before initiating a Move mail file request, do the following:

Enable the Hold undeliverable mail field in the Server Configuration document for the servers in the domain that transfer mail to the old and new mail servers.
After the "Replace mail file fields" request is processed and you are sure that the modified Domino Directory has replicated to all the servers that transfer mail to the old and new mail servers, use the Server Monitor to examine the Mail.Hold statistic for the servers in the domain. For additional information on the Server Monitor, see Chapter 36 of Administering the Domino System.
For any servers that are holding mail, access the mail.box file (or mailx.box if multiple mailboxes are enabled), select the Held messages and release them so that they deliver to the intended recipient.

Updating Connection and Location documents
When you are moving a user's mail file, the Notes R5 user must access their home server through the desktop so that the Notes Dialup Connection and Location documents in the Personal Address Book update with the new mail file and new mail server information. After the Personal Address Book updates, Notes creates a "Push changes to new mail server" request, which initiates the mail file delete sequence on the old mail server.

The Notes R5 Dynamic Client Configuration task is responsible for updating Location documents and for adding Connection documents to a client's Personal Address Book to reflect a mail file move. After the "Replace mail file fields" administration request has processed, the next authentication the user performs with their home server (mail server) does two things. It first adds a Notes Dialup Connection document to the new mail server, and then it updates the Location documents, replacing the names of the old mail server and the old mail file with the names of the new mail server and new mail file. It only updates Location documents that have a wildcard character (*) or the user's name in the field "Only for user." It does not update Location documents designated by the user as not to be remotely administered.

If you execute a Move mail file action, and the Location documents are not updated and/or the Connection documents are not added to the Personal Address Book, you may need to manually do so. This can happen if the user accesses the home server exclusively through the Replicator. Then the Personal Address Book does not update and the "Push changes to new mail server" request is not created.

A similar situation occurs if the client is running Notes R4.6. In both of these cases, the mail file move process terminates after the administration server for the Domino Directory processes the "Replace mail file fields" request. Notes R4.6 cannot automatically update its Personal Address Book by accessing its home server (because this is an R5 feature), so it doesn't create the "Push changes to new mail server" request. Therefore, the Personal Address Book doesn't update, and the mail file is not removed from the old mail server.

To remedy both of these situations, you can use an Extension Manager callout (running on the administration server of the Domino Directory) or an agent (running in the Administration Requests database) to compose the "Push changes to new mail server" administration request. For help with the Extension Manager option, see the sample script included in the sidebar "Using the Extension Manager in the move mail file process." You may want to require that the user respond to you directly after updating the documents. When you receive that notification, you can approve the "Approve file deletion" request in the Administration Requests database. Approving that request sets the mail file deletion in motion.

Note: In Release 5.0.1, the Dynamic Client Configuration task does not update Location documents that have an ID file in the field "User ID to switch to" that is different than the ID file currently being used. Any Location document that is not updated by the Dynamic Client Configuration task must be manually updated by the user.

Additional R5 administration requests
Domino R5 includes many additional administration requests and features, including requests for updating fields in the Server document, delegating mail files, and new secondary requests for renaming in unread lists and deleting private design elements. You can also now use the Administration Process to add a deleted user to a Terminations group. Finally, you can use two new views in the Administration Requests database: Administrative Attention Required and Cross Domain Delivery Failures.

Updating the Server document
Domino R5 offers five new administration requests that update fields in the Server document. These requests are generated when the server determines that a particular field is blank or contains incorrect information. The fields are blank after server registration and during initial server startup. They also may contain incorrect information when changes are made and the Server document is not updated.

The update server administration requests are carried out on the administration server for the Domino Directory, according to the "Interval" setting in the Administration Process section of the Server document. Then, the Administration Process updates the corresponding field in the Server document, as shown in the following table.

Administration Request Result

Store server's platform in Server record Updates the platform information in the "Operating system" field on the Basics tab in the Server document.

Update domain catalog configuration Updates the server in the LocalDomainCatalogServer group and verifies that the "Domain-wide indexer" setting is enabled on the Server Tasks - Domain Indexer tab of the Server document. The CATALOG.EXE server task determines that there is a catalog designated as the Domain Catalog and then the task checks to see if the Domain-wide indexer setting is enabled in the Server document. If so, the server task then determines whether the server is in the LocalDomainCatalogServer group and triggers the request if the server is not in the group.

Update server protocol information Updates the current protocol in the "Protocol" field in the Notes Network Ports section on the Ports tab in the Server document.

Store server's DNS host name Updates the server's DNS host name in the "Fully qualified Internet host name" field on the Basics tab in the Server document.

Request to store server CPU count Updates the number of processors in the "CPU count" field on the Basics tab in the Server document. The discrepancy between the number of CPUs on the server and the number listed in the Server document is determined when the server starts.

Delegating mail files
Domino R5 allows users who have at least Editor access to their mail file to "delegate" their mail file, or give other users access to it. When users modify the Delegation Preferences of their mail file, a "Delegate mail file" administration request is created. The process flow for this new request is detailed in Appendix D of Administering the Domino System.

New Secondary Administration Requests
There are two new administration requests that are executed during the processing of other requests: Rename in unread lists, and Delete private design elements.

Rename in unread lists
The "Rename in unread lists" administration request checks all databases on the server and substitutes a user's new name in any unread lists that it finds for the old name. "Rename person in unread lists" is a secondary request that is generated after the Rename person administration request is processed.

Unread lists are created when you access a database and do not open every document in the database. Any document that you do not open is added to the unread list. The documents in a user's mail file are a good example of this. When a user first opens a mail file, all unread messages display in one color (red), mail messages that have been read display in another color (black). Any messages that are not read are added to an unread list and display in the original color until they are read. After the message is opened, it is removed from the unread list.

The "Rename in unread lists" request is triggered by the successful completion of the "Rename person in Address Book" request. It is carried out on all the Domino R5 servers in the domain, according to the "Execute once a day requests at" setting for the Administration Process in the Server document. The Administration Process updates any databases containing old user names with the new names.

Delete private design elements
Private design elements are design elements, such as folders, views, and agents, that the user creates.

The "Delete in Reader/Author fields" administration request locates any private design elements created by the deleted user, and generates an "Approve deletion of private design elements" request. When the administrator approves this request, a "Request to delete private design elements" request is created.

The "Delete private design elements" request is triggered by the completion of the "Request to delete private design elements" request. The "Delete private design elements" request is carried out on the server containing the database with the private design elements, according to the "Interval" setting in the Administration Process section of the Server document. Then, the Administration Process removes any private design elements that were signed by the deleted user from the database.

Adding a deleted person to a Terminations group
When you delete a user from the Domino Administrator R5, the Delete User Options dialog box appears. Enter the Terminations group name in the Add to group field. Doing so will add that user name to the Terminations group, thereby denying the deleted user access to servers.

To create a Terminations group, create the group in the Domino Administrator and assign a Group Type of Deny List Only to that group. For more information on creating groups, see Chapter 5 of Administering the Domino System.

New views in the Administration Requests database
Domino R5 contains two new views to assist you in monitoring administration requests and correcting failed cross-domain administration requests. These views are the Administration Attention Required view and the Cross Domain Delivery Failures view.

The Administrative Attention Required view displays warnings generated while administration requests are being processed. The warnings do not indicate errors or failures to process the request; they indicate that situations exist that the administrator needs to be aware of.

The Cross Domain Delivery Failures view lists any administration requests that did not complete during cross-domain processing. Use this view to determine the cause of the failure and correct it.

To access these views:

From the Domino Administrator, click Analysis.
Open the Administration Requests database (ADMIN4.NSF).
From the Views pane, select either the Administrative Attention Required view or the Cross Domain Delivery Failures view.

Troubleshooting name changes
If a user has not accepted a name change within the allotted time period or you have changed a user's name incorrectly, you can restore the user's name as described here. When you rename a user, an "Initiate Rename in Address Book" administration request is created. When processing this request, the Administration Process modifies the First Name, Middle Initial, Last Name, User Name, Change Request, and Certified Public Key fields of the Person document. In the case of an incorrect or expired name change, perform the following steps to restore the user's old name. Afterwards, you can perform the correct Rename action through the Domino Directory or Domino Administrator.

Restoring the user's name
To restore the user's name:

You need to replace the new name entries in the Person document with the old names. Restore the user's old name in each of the four fields updated with the new name.
Have the user who has not accepted the name change send you a copy of their public key.
Open the Person document and choose Actions - Remove Name Change Request.
Copy the old public key that the user sent to you into the Notes Certified Public Key field of the Person document (Certificates - Notes Certificates).
Rename the user by choosing Actions - Rename in the Domino Directory, or by choosing People - Rename from the Tools pane of the Domino Administrator.

Conclusion
As you've seen in this article, the enhancements to the Administration Process make monitoring administration requests easier and enable you to expand the Administration Process across domains. Moving one or more user's mail files is quick and easy -- initiated with the click of a button via the Domino Administrator. If you are using Notes R4.6 clients with an R5 server, you can use the Extension Manager callout included with this article or an agent to make moving mail files easier. With the other new R5 administration requests and more, you'll find that the Administration Process continues to be an essential tool for Domino administration.

ABOUT THE AUTHOR
Mary Jrolf earned a Master of Technical and Professional Writing Degree from Northeastern University in Boston, Massachusetts. She has worked as a software technical writer for 14 years. She now writes technical documentation regarding the Domino server, most recently contributing to the Administering the Domino System for Domino R5.

Dave Wilson holds a Bachelor of Arts Degree (English) and a Bachelor of Science Degree (Mathematics) from the University of Massachusetts at Lowell. He has worked as a software engineer for 14 years -- five at Iris Associates working on User and Server Administration and the Administration Process. His current hobby is trying to remember what his hobbies were before he began developing code for R5.

About IBM

Privacy

Contact