user management through administration process 2307

Open Mic on User Management using Administration Process, 25th July, 2013

Upload: hansraj-mali

Post on 14-May-2015


Open Mic Team

Niraj Jani – Lotus Technical Support Engineer, Presenter

Ranjit Rai – Lotus Technical Advisor, focussing on entire Notes Domino

Hansraj Mali – Lotus Technical Advisor, focussing on entire Notes Domino

Vinayak Tavargeri – Lotus Support Manager, Open Mic Facilitator

Jayaval Rajendran – Lotus Technical Advisor, focussing on entire Notes Domino

Javed Batliwala – Lotus Technical Support Engineer, Presenter

Agenda

Administration Process

Components of Administration Process

Default processing time of AdminP Requests

Different AdminP commands

Meaning of Icons in AdminP Requests/Responses

User Management

Best Practices

Troubleshooting

References

Q&A

Administration Process

● The Administration Process (AdminP) automates many routine administrative tasks. For example, if you delete a user, the Administration Process locates that user's name in the Domino Directory and removes it, locates and removes the user's name from ACLs, and makes any other necessary deletions for that user.

● The Administration Process starts with server startup, and no additional configuration is needed to use this feature.

● The Administration Process automates common tasks such as:

■ Name management - rename person, rename group, delete person, delete group, delete server name, recertify users

■ Mail file management - delete mail file and move mail file

■ Replica management - create replica, move replica, or delete all replicas of a database

Components of Administration Process

● AdminP server task

● Administrator client

● Notes client

● Domino Directory (names.nsf)

● Certification log database (certlog.nsf)

● Administration Request database (admin4.nsf)

● Administration server (assigned to each database in the domain)

Components of Administration Process (cont'd)

AdminP server task:

■ Runs on all Domino servers.

■ Loads with server startup and can be controlled using the ServerTasks setting in Notes.ini.

■ Acts as per the default settings in Server document → Administration Process tab.

■ Executes requests in the Admin4.nsf database.

■ After request execution, a response document is created indicating the status of the request.

Administrator client:

■ The Administrator client has all of the tools needed to initiate the AdminP commands, including renaming and deleting users, deleting a replica, moving a database, and moving a user from one hierarchy to another.

Components of Administration Process (cont'd)

Notes client:

■ An active participant in the administration process.

■ Can complete and initiate many different administration processes. For example, the client can accept user name changes and x509v3 certificates into the Notes.id file. The client is involved in the process of moving a user to another server and can issue a request to change the user's password and/or synchronize the user's Notes.id and Web passwords.

Components of Administration Process (cont'd)

Domino Directory (names.nsf):

■ The Domino Directory stores Person documents. When an administrator performs an action such as a user rename or recertification, it updates the certification information in the Person document.

■ The Administration server in the domain is determined by the Administration server named in the Domino Directory ACL.

■ When the Administration Process runs, it updates information in the Domino Directory such as clusters, Person documents including client information, Notes password synchronization with the HTTP password, group updates and deletions, server information (protocol and version), policies, etc.

Components of Administration Process (cont'd)

Certification log (Certlog.nsf):

■ Created when the first server is installed in the domain.

■ A replica of Certlog.nsf can be created on multiple Domino servers in a domain if any action is initiated by an administrator on those servers.

■ Keeps track of certificate-related activities.

■ For example: new user / server registration, user rename from one OU to another OU, user recertification, etc.

Components of Administration Process (cont'd)

Administration Request (Admin4.nsf) database:

■ Created on the Administration server for the Domino Directory when the server starts for the first time.

■ Contains all the administrative requests from a single domain.

■ All requests for work to be done by the Administration Process are stored in this database.

■ Every server in the domain stores a replica of the Administration Requests database.

■ All requests placed in the Admin4.nsf database replicate to every server in the domain.

■ Each request has an icon that indicates its status.

■ The result of each processed request, called a response document, is stored in this database.

Components of Administration Process (cont'd)

Administration server:

● In each domain there is a single primary Administration server, determined by the value in the ACL of the Domino Directory (names.nsf).

● Assigned to each database on each server in a single domain.

● Listed in the Advanced tab of the database ACL.

● Tells AdminP where to process each database and controls how the Administration Process does its work.

● Responsible for processing many AdminP requests.

Whenever the AdminP task is restarted, it prints the name of the Administration server of the Domino Directory on the console.

Default processing time of AdminP Requests

The default processing time of AdminP requests is defined in Server document → Server Tasks → Administration Process tab.

Different AdminP Commands

You can force administration process requests to run by using tell commands.

Command – Description

● Tell Adminp Process All – Processes all new and modified immediate, interval, daily, and delayed requests. This command doesn't override the execution time of timed requests.

● Tell Adminp Process New – Processes all new requests.

● Tell Adminp Process Interval – Processes all immediate requests and all requests that are usually processed according to the Interval setting in the Server document.

● Tell Adminp Process Delayed – Processes all new and modified delayed requests. These are requests that are usually carried out according to the "Start executing on" and "Start executing at" settings in the Server document.

● Tell Adminp Process Daily – Processes all new and modified daily requests to update Person documents in the Domino Directory, as well as any outstanding "Rename Person in Unread List" requests.

● Tell Adminp Process Mail Policy – Applies mail policy to the affected user's mail file.

● Load Adminp – Starts the adminp task.

● Tell Adminp quit – Stops the adminp task.

Meaning of icons in AdminP requests

Meaning of icons in AdminP responses

User Registration – Creating Mail File in Background

The "Create file in background" option forces the Administration Process to create the files in the background. Use this option to save time during the user registration process. If you do not choose to create the file in the background, mail files are created during the user registration process.

User Registration – Creating Mail File in Background

The following requests are generated in Admin4.nsf to create the mail file on the mail server and the cluster server.

Additional Information:
- Maintain Trends Database Record: http://www-01.ibm.com/support/docview.wss?uid=swg21174382
- Accelerated Create Replica: http://www-01.ibm.com/support/docview.wss?uid=swg21308184

In Server document → Security tab → Server Access section → Create new replicas, the source server name should be added in the target server's document.

Changing Common Name With AdminP

When you change the name of a user, the Administration Process implements the name change by initiating requests to the affected documents, databases, database ACLs, and Extended ACLs. In the Domino Administrator client you can use the “Rename” option to perform the following activities:

● Upgrade a user name from flat to hierarchical (obsolete)

● Change a user's common name

● Move a user to a new hierarchy

Administration Process requirements

● In order for the Administration Process to facilitate the name changes, the databases must have an assigned administration server.

● In addition, the certifier ID you use and any ancestor of the certifier must have a Certifier document in the Certificates view of the Domino Directory.

Viewing user name change requests

● To review the administration requests that are generated when renaming a user name, open the Administration Request (ADMIN4.NSF) database in your Domino Directory.

Changing Common Name With AdminP

● Initially only a single request is generated, i.e. "Initiate Rename in Domino Directory".

● This request is processed by the Administration server of the Domino Directory, and only the Person document is updated.

● To generate the further requests and complete the renaming process, the user needs to authenticate with the server using his/her ID file.

Note:

● If the user accesses email only through iNotes, then to complete the renaming process one needs to import the ID file into the mail file or use the ID Vault.

● After the rename command has been initiated for the user, the administrator needs to send an encrypted email to the user who has been renamed. Once the user accesses the encrypted email via iNotes, the ID file is used and the further requests are generated to complete the rename process.

The following requests are generated in Admin4.nsf for changing the common name.

Changing Common Name With AdminP

If you have implemented ID Vault, enable the option given below in the policy Security Settings document. This lets the ID file from the ID Vault be used when reading encrypted emails and for other features such as message recall from iNotes.

Additional Information:
- How to rename an iNotes user: http://www-304.ibm.com/support/docview.wss?uid=swg21216004

Moving user from one OU to another OU using AdminP

Since the Domino name hierarchy is part of the user's name, when you move a user to a different certifier you have essentially changed the user's name. You can use the Administration Process to move a user name to a different location (Organizational Unit) in the organization's hierarchical name scheme, or to move a name to a different Organization altogether.

There are two parts to moving a user name:

■ Request the move using the originating certifier.

■ Complete the move by using the target (new) certifier to approve the request and issue the new certificate.

● Once the request to move the user to another certifier is initiated, it generates the request as shown.

● Click Complete Move for the selected entries; this approves the request and issues the new certificate.

Moving user from one OU to another OU using AdminP

The following requests are generated in Admin4.nsf for moving the user to a different certifier.

User Movement – Moving user to Another Server

You can use the Administration Process to move a person's mail file from one server in your domain to another by performing a "Move To Another Server" using the Domino Administrator client.

The following requests are generated in Admin4.nsf.

The “Push Changes to New Mail Server” and “Delete Mail File” requests are generated after user authentication.

Recertify – User ID

Before a user ID reaches its expiration date, recertify the user ID using the original certifier ID.

Use the Certificate expiration view to determine which certifiers need to be recertified.

The following requests are generated in Admin4.nsf.

Additional Information:
- How to Recertify User: http://www-01.ibm.com/support/docview.wss?uid=swg21087566

Rename - Group

Use this procedure to rename a group in your domain.

1. From the IBM Lotus Domino Administrator, click People and Groups.
2. Choose Groups.
3. Select the name of the group you are going to rename.
4. From the Tools pane, choose Groups - Rename.
5. On the Rename Group dialog box, specify a new group name, and then click OK.

The following requests are generated in Admin4.nsf.

Deleting User

You can delete a user name with the Administration Process by initiating a delete person command from the Domino Administrator client.

Delete User Prompt

Admin4 request when user has been deleted

The document will be moved to the Inactive User Ids view in the ID Vault database.

Other AdminP Requests

New Server Configuration

The following requests are generated when you configure a new Domino server. Similar requests are seen when you upgrade the Domino server to a newer release, update the port information, etc.

Update Client Information

Check Password

Update Internet Password When Notes Client Password Changes - Policy

Admin4.nsf – Replica ID

The replica IDs of some Lotus Domino server databases are related to that of the Domino Directory (names.nsf).

The following is a list of Domino server databases that have a known replica ID based on the replica ID of the domain's Domino Directory: catalog.nsf, events4.nsf, statrep.nsf, ddm.nsf, admin4.nsf, billing.nsf, vpuserinfo.nsf (Sametime Authorization Database), activity.nsf

Example:

names.nsf has a replica ID of: 852564AC:004EBCCF
catalog.nsf has a replica ID of: 852564AC:014EBCCF
events4.nsf has a replica ID of: 852564AC:024EBCCF
admin4.nsf has a replica ID of: 852564AC:034EBCCF
statrep.nsf has a replica ID of: 852564AC:044EBCCF

Notice that the similarity is in the last six (6) characters of the replica ID (4EBCCF in this example). The distinguishing characters are the first two (2) characters of the unique part of the replica ID (01, 02, 03, 04 in this example), such as 852564AC:034EBCCF.
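The relationship above can be turned into a consistency check. The following Python sketch is an added example, not part of the original presentation: it derives the replica ID each system database should have from the names.nsf replica ID and reports any database whose observed ID differs, which is what an admin4.nsf created as a new copy rather than a replica looks like. The function names and the mismatching spoke value are constructed for illustration.

```python
import re

# Distinguishing characters taken from the worked example on this slide. The
# slide also names ddm.nsf, billing.nsf, vpuserinfo.nsf and activity.nsf but
# gives no value for them, so they are not guessed here.
KNOWN_PREFIX = {
    "catalog.nsf": "01",
    "events4.nsf": "02",
    "admin4.nsf": "03",
    "statrep.nsf": "04",
}

REPLICA_ID = re.compile(r"([0-9A-F]{8}):([0-9A-F]{2})([0-9A-F]{6})")


def split_replica_id(replica_id):
    """Return (first half, distinguishing two chars, shared six chars)."""
    match = REPLICA_ID.fullmatch(replica_id.strip().upper())
    if match is None:
        raise ValueError(f"not a replica ID: {replica_id!r}")
    return match.groups()


def expected_replica_id(names_replica_id, database):
    """Derive the replica ID a system database should have in this domain."""
    first_half, _, shared = split_replica_id(names_replica_id)
    return f"{first_half}:{KNOWN_PREFIX[database.lower()]}{shared}"


def audit(names_replica_id, observed):
    """Return {database: (expected, observed)} for every mismatch.

    `observed` maps a database file name to the replica ID read from its
    Database properties. Databases without a rule on the slide are skipped.
    """
    findings = {}
    for database, replica_id in observed.items():
        if database.lower() not in KNOWN_PREFIX:
            continue
        expected = expected_replica_id(names_replica_id, database)
        first_half, prefix, shared = split_replica_id(replica_id)
        actual = f"{first_half}:{prefix}{shared}"
        if actual != expected:
            findings[database] = (expected, actual)
    return findings


NAMES_ID = "852564AC:004EBCCF"  # names.nsf replica ID from the slide
HUB_OBSERVED = {                # values from the slide
    "catalog.nsf": "852564AC:014EBCCF",
    "admin4.nsf": "852564AC:034EBCCF",
}
SPOKE_OBSERVED = {"admin4.nsf": "85257B12:0039A1F4"}  # constructed mismatch

if __name__ == "__main__":
    print("hub:", audit(NAMES_ID, HUB_OBSERVED))
    print("spoke:", audit(NAMES_ID, SPOKE_OBSERVED))
```

A non-empty result for admin4.nsf means that database will not replicate with the rest of the domain, so requests placed in it never reach the Administration server.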

Best Practices

● AdminP must operate efficiently in order for many items to run properly in Lotus Domino.

● Periodic checks and proper settings will ensure that the system operates as designed.

● Disable transaction logging for Admin4.nsf.

● As a part of best practices, an administrator should consider the points below:

■ Admin4.nsf replication

■ Admin4.nsf size

■ Admin4.nsf ACL

■ Admin4.nsf monitoring

Best Practices (cont'd)

Admin4.nsf Replication

● Should be scheduled via a connection document with type pull-push.

● Keep the interval between subsequent replications small to speed up AdminP request processing.

● All replica copies of Admin4.nsf in the domain should be roughly the same size unless a selective replication formula is used.

● If Admin4.nsf replication is temporarily disabled during troubleshooting, make sure to re-enable it.

Best Practices (cont'd)

Admin4.nsf Size

Multiple ways to control size:

● Document retention settings: The default retention interval is seven days (File → Replication → Settings → Space Savers → Remove documents not modified in the last # days). This can be lowered if it has been increased too high. Make sure all replicas have the same setting.

● Replication formula: By using selective replication, document counts, and thus size, can be controlled. Should be applied on the Administration server, so admin4.nsf size may be larger than on the spoke servers.

■ Use a selective replication formula to prevent the response Log documents in ADMIN4.NSF from replicating.

■ Information in Log documents is a record of the status of the work a server does in response to an administration request.

■ This response Log is interesting to you, the administrator, and to the server that created it, but not to every server in the domain.

Best Practices (cont'd)

If you do not want to replicate the response documents, add the replication formula Type != "AdminLog" on the spoke servers, which will not add the response documents.

Note: Under some conditions, the replication formula for admin4.nsf can cause AdminP requests to process repeatedly on spoke servers.

To resolve this issue, change the formula to the following:

SELECT Type != "AdminLog" | ProxyServerName = @UserName

This modification prevents a server from deleting its own response documents, which prevents the repetitive processing described above.

● Regular maintenance: Scheduled compaction should be run to recover unused space. Fixup and Updall should be run whenever necessary.
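The difference between the two selective replication formulas can be seen by evaluating them over a small document set. This Python model is an added example, not part of the original presentation. It assumes that @UserName evaluates to the name of the server running the formula, that a replica keeps only the documents the formula selects, and that AdminP treats a request as unprocessed when the replica holds no response Log of its own for it; the server names, document IDs, the `ref` link field and the request `Type` value are constructed.

```python
HUB = "CN=Hub01/O=Example"      # constructed Administration server name
SPOKE = "CN=Spoke01/O=Example"  # constructed spoke server name

# Constructed admin4.nsf contents: one request and the response Log documents
# written by the two servers that processed it. "ref" is a constructed link
# from a Log document to its request; "Type" and "ProxyServerName" are the
# field names used in the formulas on this slide.
DOCS = [
    {"id": "REQ-1", "Type": "Request", "ProxyServerName": "", "ref": None},
    {"id": "LOG-hub", "Type": "AdminLog", "ProxyServerName": HUB, "ref": "REQ-1"},
    {"id": "LOG-spoke", "Type": "AdminLog", "ProxyServerName": SPOKE, "ref": "REQ-1"},
]


def select_basic(doc, user_name):
    """Type != "AdminLog" : drops every response Log, including the server's own."""
    return doc["Type"] != "AdminLog"


def select_fixed(doc, user_name):
    """SELECT Type != "AdminLog" | ProxyServerName = @UserName"""
    return doc["Type"] != "AdminLog" or doc["ProxyServerName"] == user_name


def replica_contents(server, formula, docs=DOCS):
    """IDs of the documents that remain in `server`'s replica under `formula`."""
    return [doc["id"] for doc in docs if formula(doc, server)]


def requests_without_own_log(server, formula, docs=DOCS):
    """Requests in the replica for which the server no longer holds its own
    response Log. Under the modelling assumption above, these are the requests
    that get processed again."""
    kept = [doc for doc in docs if formula(doc, server)]
    answered = {
        doc["ref"]
        for doc in kept
        if doc["Type"] == "AdminLog" and doc["ProxyServerName"] == server
    }
    return [
        doc["id"]
        for doc in kept
        if doc["Type"] != "AdminLog" and doc["id"] not in answered
    ]


if __name__ == "__main__":
    for name, formula in (("basic", select_basic), ("fixed", select_fixed)):
        print(name, "spoke replica:", replica_contents(SPOKE, formula))
        print(name, "reprocessed:", requests_without_own_log(SPOKE, formula))
```

With the corrected formula the spoke still excludes the hub's Log documents, so the size benefit is kept while the spoke retains the record of its own work.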

Best Practices (cont'd)

Admin4.nsf ACL

● Make sure the correct server is listed as the Administration server in ACL → Advanced tab.

● Default access should be Author with the 'Create Documents' privilege, as certain requests are deposited by users in Admin4.nsf.

● The ACL of Admin4.nsf should mirror the ACL of the Domino Directory.

Admin4.nsf Monitoring

● Administrators should monitor this database closely for any errors being recorded and should take corrective actions to resolve those errors.

Troubleshooting

To troubleshoot AdminP issues, an administrator should check the following:

● Is AdminP running on all servers? If not, it should be. To check this, issue a SHOW TASKS command at the server console.

● Has CERTLOG.NSF been created?

● Has the Administration Server been specified in the Domino Directory (names.nsf) ACL? In the Domino Directory, select File → Database → Access Control → Advanced panel. List only one Administration Server for the directory.

● All databases that are expected to get the ACL updates must have an Administration Server specified before the request is put into AdminP.

● Are both names.nsf and admin4.nsf replicating properly between the affected servers? Both of these databases must replicate correctly between the directory's "Administration Server" and the spoke servers.

● Does admin4.nsf show the correct Request documents?

Troubleshooting (cont'd)

● For each Request document, is there a Response document that shows that AdminP has executed the request? Does the Response document show an error message, or was it successful?

● Is the time/date on the servers synchronized?

● Be sure Certificate documents have the correct public key; the public key must match the key in each CERT.ID. Similarly, the public key must match between the Person document and the user ID file.

Troubleshooting (cont'd)

An administrator can perform the steps below if Admin4.nsf gets corrupted:

1. Write down the database size and number of documents found on the Info tab of the Database properties.

2. Make a backup of the database.

3. Disable replication of the database.

4. Design Replace (File, Database, Replace Design) - making sure to use the original ADMIN4.NTF template file.

5. Load Fixup ADMIN4.NSF -f

6. Load Compact ADMIN4.NSF -c

7. Load Updall ADMIN4.NSF -R

8. If the database is OK now, re-enable the replication of ADMIN4.NSF (that was disabled in step 3 above).

Troubleshooting (cont'd)

If the database is still corrupted or too large after running maintenance, an administrator can recreate the database with the steps below:

● Remove the corrupt Admin4.NSF from the data directory when the Domino server is down and allow AdminP to recreate it automatically.

● Only on server startup will a new Admin4.NSF be recreated with the original replica ID.

● The server must be restarted with the AdminP task enabled.

● Delete or move the original Admin4.NSF off the server.

● Replicate Admin4.NSF from an Administration server. This should repopulate the database.

Q & A