Open Mic Webcast: Troubleshooting Policies on a Domino Server - 9 October 2012 [slides attached and recording now available]
IBM hosted an Open Mic webcast with Lotus Development and Support Engineers on Tuesday, October 9, 2012. The topic was "Troubleshooting Policies on a Domino Server."
For more information about our Open Mic webcasts, visit the IBM Collaboration Solutions Support Open Mics page.
|Presentation & Audio Recording|
Open Mic Domino Policies 10092012.pdf
Troubleshooting Domino Policies Open Mic Oct 9 2012 (edited).mp3
Q. I have an environment with 8.5.3 Domino servers and mostly 8.5.2 clients and a Desktop Settings policy and in the Mail tab I've got the "Use Local Mail.box to send messages faster", set to "1". However, not everyone is getting that "1" setting, so sometimes it's sitting the local mail.box in a "Pending" state until the next replication cycle, which by default I have set to 15 mins for all my users. Are you seeing that setting not get pushed? If I change the Location doc on one of those users, and look at If Outgoing messages are !, it's not set to "1".
A. Do you see the value of 1 not being set when you actually look at their locations? Yes.
Q. So basically, we've had to go into individual clients and set that manually, even though we have the policy to set that in there. Also, the other settings in the policies are being applied fine.
A. You should open a PMR on that so we can take a closer look because that shouldn't be happening. Most of the time when we've had a problem, it's involved the code for a setting, so we'll have to look into that.
Q. Some of the settings in the Desktop Settings policy are confusing to me because they don't have the field "Do not set values, and so on," to the right of them. For example, Widget Catalog Categories to install, it doesn't have a field to write to, so you can't edit the widget categories to install.
So you cannot edit which widget categories to install?
A. OK, we'll double-check on that---there may have been some changes in that particular area, causing the issue.
Q. Also regarding widgets, in the widgets app you see "Show widgets panel in sidebar Yes/No." And if you go to the Preference Window Management tab, you also see "Hide my widget panel". Which one of these controls the widget panel? It's shown in two places for the same function.
A. We'll need to ask the Widget team what the specific dynamics of those two places are, that is, which option takes precedence.
Q. I use a general action to apply to all the policy fields in say, v851, but when I upgrade, I must then hunt for additional things to turn off.
A. We'll need to investigate that issue; haven't heard of it before. I believe the default was to not set a value for every setting, until you actually set something for it, so it's not going to apply anything unless you set a value. However, now there are some exceptions to that; we don't yet have a documented list for those, but I will take a note to make that request.
Q. In our situation we don't have Notes mail users but do have Notes application users, and have never tried to use Policies before. When we tried to apply a simple policy for password construction rules, it was found that nobody could get the policy. In working a PMR, and after much work, we found we had to write a script to delete the users' Policy Profile document in their Names.nsf and then manually find/open their current Location doc and then prompt the user to choose the option Action > Advanced > Set Update Flag. That cleared whatever was in their policies and enabled DCC communication so they could actually get policies. It was much work just to the process somewhat automated but not even fully so.
A. How it works is, when a user connects to their Home Mail server, that's when the DCC bit can work. Your setup is unfamiliar to me, can you please post the PMR# in the chat @Mark, and I'll work with you on it further.
Q. We have an Organizational Archive policy that is set to delete emails after 120 days. Then I created an Explicit Archive policy, using a group, that will delete anything older than 5 years. So it was working fine and users in the Org policy were getting everything deleted, but then one day all the users in the Explicit policy for 5 years just suddenly dropped out. When I do a policy synopsis on those in that group, that Explicit policy is no longer in their synopsis.
A. And do the group memberships exist correctly for those users?
Q. Yes, it does.
A. On which server did you run the Pol Syn? Because when I do a PS, I do it on the Admin server, since that's where policy changes should be made. I've seen cases where there have been replication issues between the Admin server and Mail server, and when you do a PS on the Admin server you think everything's fine. But when you run it on the Mail server, it's wrong. It may be that your group got deleted from the local server and then didn't get replicated back in, so that's why the PS on the Home server might show a difference.
Q. Do you have many groups in your environment ? There may be an issue with the group cache that's causing the group to be popped out.
A. 1200 groups. OK, I'll check with the Directory team, but I believe there's some group cache debugging that we should investigate further. Post your PMR# to @Mark in the web chat, and we'll go from there.
Q. Regarding sequence of events: for example, I understand that with certain policy settings, you must log into your client in order to get your policy settings pushed to the client. But those policy settings for certain "options" are not applied until you log in a second time. Is that true, and if so, is there a list of which type of options require this type of operation?
A. There is not a list; it depends on the setting's consumer. Everyone can consume their settings differently; for example, mail settings when the policy settings first come up . Unfortunately I can't give you definitive a list. if there are several particular options, we can dig into them further.
Q. No, nothing specific, just wanted to confirm that's the general practice.
A. Yes, it's a good standard practice anyway.
Q. OK, in that case, I'm all set.
Q. I've got a problem when running the Policy Synopsis tool on a set of users and certain users are showing up as being incorrectly assigned to a policy by a dynamic assignment to a group-based policy. When I look in the Group Membership field, the user is not in that field. How do resolve this? Rebuild the group? Rebuild the policy?
A. Are you running the synopsis tool on the Admin server or Mail server for the user in question?
Q. Admin server.
A. As mentioned previously, I'd advise to try running it on the users' Mail server instead, due to the possible server replication issues cited above. You could also do a rebuild of the directory or Groups view, making sure it's up to date, and then run the synopsis.
Q. So I should rebuild the Groups view, the Policies view and what else regarding LDAP?
A. The ldapsearch tool could be used to do a lookup on the group and its members while pointing to the mail server, to see if the server's view of the group membership is what you think. Also, you could try updating the hidden view ($PoliciesByGroup) in the Domino Directory. It's likely a directory-related issue, so we'll investigate it down that path.
FYI from IBM:
- I want to take a moment to report on at least one fix we've made in the next Domino release: We found a problem in the Notes Social Edition where some third-party software that a customer was using to manage their clients was overwriting the value of the Mail server in the Location document to be non-abbreviated. Since the Home Mail server, as I mentioned before, in the Location doc is very important to the whole DynConfig policy put-on process, that was causing policies not to be applied.
So, we fixed it to so that if we find a non-canonical name in the Location doc, we'll reset it to canonical. So, if you do use third-party software to manage your locations, this is something to be aware of.
As a rule, the general issue is that, if you think you're not getting any policies down, then confirm that the Home Mail server listed in the Location doc is the mail server. The debug INI variables mentioned earlier for troubleshooting, when you actually turn those on, it'll complain that the connection being made is not to the mail server.
- Another item that was fixed, also for Notes Special Edition, is that if you're a Notes Traveler user, Traveler users' policies are much different than what we've used for Domino in the past, in that Traveler is actually a Domino mail server running against another. We found an issue where, when lookup was being done on the user's mail server, the result was being examined on the Traveler server and that was causing problems. So if you have heavy Traveler usage in your environment, then I would suggest that, to fix this, upgrade to the next Domino release when it comes out.
Q. Should the polcysyn.sf database be local on my Admin machine? And if so, in which directory?
A. Yes, in should be local, in the general Notes Data directory. That's where all the results of your policy synopsis will go, so if you ever need to submit something, say, to Support, you can pull the documents from there.
A. There was a question in the Web Chat that I wanted to address: The customer had set initial enabled for a bunch of settings and whenever they would update the policy, those settings would get overridden, which isn't expected behavior. Sounds like there was field was set to prevent changes probably enabled somewhere in the hierarchy that's causing that.
Q: Statement: "1. Client sends hash value to server with policy information...." What if it doesn't send that hash?
A: It's a standard part of client authentication, so it's not a choice that the Client has. If somehow it didn't send it, the server would think that it would need a policy update.
Q: Except it doesn't and the user does not get the policy. Dirtying the person document does nothing.
A: The debug info later will show how to capture that, but I've never seen that case. It sounds like you're having a specific issue, but what is being described is how it normally works
Q: How do I force the client to pull policies?
A: The current screen in the presentation shows one method, another one is to “dirty” the person document for the user you want to update, or modify the policy by editing and saving the document on the server.
Q: What's the difference between F5 and Ctrl-F5?
A: F5 - Version<=7, Ctrl-F5 - Version > 7. As of Notes 8.5 (8.0?) F5 no longer locks the client, it refreshes.
Q: It works only in case of explicit policy?
A: No, it will fetch any update at that point, it simulates an explicit yes, but it will fetch all.
Q: Do you have to have an 8.5 client to use Dynamic Policies?
A: You need at least a 8.01 client and 8.5 server.
Q: which is the recommended policy for an iNotes user?
A: A Mail settings policy is needed for iNotes settings.
Q: Suppose if you change group membership, now when will dynamic policies reflect that?
A: It is highly variable. The changed group would have to replicate to a user's home mail server first. That is dependant on a companies replication topology and schedule. The the indexer would update the relevant views a minute later. Then the user would have to open a new session to their home mail server. If they were already connected to that server, they would have to either log out/in or restart the client. Clearly, all of this means that there is no simple statement that can be made of when a group membership change will be reflected in a user's policies.
Q: Is there a tool that would allow the users to easily delete the existing Policy docs in their Names.nsf $Policies?
A: There is no tool available but a lotus script agent can be created. If you post the question in the forum we can probably provide a sample.
Q: How can I delete automatically old policies in user's address book?
A: Policies are supposed to be refreshed automatically. In the event where you are seeing an issue a LotusScript agent can be used to clean the view.
Manually, you can press CTRL+SHIFT and click >>View>> Go To... choose the "$Policies" view and delete all the policies listed.
Q: Any known issues with managed replica settings not being applied to Notes 8.5.x clients?
A: bug in 8.5.3 NAB Template affecting Dosktop settings doc
Q: Which is the recommended policy for a DOLS user?
A: DOLS settings are also part of the Mail Settings docs.
Q: I think only 80 - 90% of our 4000 Users have the policy (Org-Policy) assigned. What can we do? Update in the policy we tried already. Servername not hierarchical may be one reason. (Server: 8.5, Client 8.5.1 both windows)
A: The best method would be to collect debug DEBUG_DYNCONFIG to see what is happening on those users not getting the policy
Q: We have the same issue with the server name not being hierarchical. What causes that and how do we fix?
A: If the server is not in hierarchical format DCC will fail. To solve the issue push out an agent to correct that
Q: Why is it happening - what is the root cause of the issue?
A: Regression bug in 8.5.3 script library doesn't clean up temp field values on doc Save.
Q: We have 8.5.1 FP3 and seeing the issue in that release with the server name format. Not all users though.
A: Are you seeing the issue happening? I would assume that the problem is probably related to an old policy or agent that set the field incorrectly. If you are seeing the location document changing from hierarchical to canonical then we would need to catch the edit possibly with nsfdiag debug.
Q: If a user currently is assigned to an org policy and I add then to an Exception Policy, will that override the settings of the current org policies and apply the exception policy settings? or do I have to update the $Policies view?
A: The policy closest to the user wins. So in this case the exception policy settings would override the org policy.
Q: Is there some technote with recommended policy settings for each type of user (Client User, DOLS User, iNotes User, ...) ?
A: We do not yet have a "one-stop" shopping list of all policy settings recommendations for all types of users., what we have is referenced in this technote:
The help documentation for 8.5 also has settings that can be applied to types of users. Policies settings are specific to an organization. What is recommended at IBM might not be recommended in your company. So it might be best to look at what you would like to set by default. If you need help with this you can post a question in the forum or open a pmr.
Q: We have the same non email setup. We delete the local names.nsf and set setup= to zero in the notes.ini
The policy will get pushed down into the fresh names.nsf
A: I believe the above is an attempt to force an update of the design of the local pnab.
Q: Can we run the following on a user's local names.nsf:
'lastly, we will find and delete the DirectoryProfile document
Dim dbNAB As New NotesDatabase("", "names.nsf")
Dim profile As NotesDocument
Set profile = dbNAB.GetProfileDocument("DirectoryProfile")
If Not profile Is Nothing Then Call profile.remove(True)
A: I believe the above is an attempt to force a policy update by removing the directory profile, however, it's removing the wrong one. It's removing the generic one instead of the user qualified one.
Q: Desktop Settings - How to Apply - Don't set value for all fields - Can not set -> Widgets >> Widget catalog>> categories to install. I can not make it SET this one value only
A: I am not sure I follow. Are you saying you are not able to set the value "Do not set value" for the widget catalog? Can you provide some steps on how you reproducing the issue?
STEPS: 1. New Desktop Settings. 2. Action : Don't set value for all fields. 3. Put a category in the Widget catalog categories to install.
The category field does not have a corresponding HTA field which would explain the behavior. We would need to add that to the form. This missing HTA field in the widget UI has been addressed in the next release. It's a template change, so template changes are not included with Fix packs.
Q: Is it ok to force dynamic configuration to run via command line?
A: It is not supported. This does not mean it wont work ;-)
Q: Might it be a problem to have about 6.600 groups and start to use group policies?
A: You risk running into a group cache issue. Is it possible to use Org policies in your organization? Also, starting with 853 the GROUP_CACHE_SIZE can be set up to 15 mb from the 10 mb of 8.5. there is a known issue with 8.5 where the namelookup cache is too small so in a large env adminp is unable to apply the policy
Q: When we set up our environment we set the "empty trash after" option to 48 hours with no change allowed by users with an explicit policy. Then we registered all users, all got the 48 hours setting. Because of weekends, we wanted to change the setting to 72 hours afterwards, but the change to the policy takes no effect to the user settings, the setting stays with 48 hours... Even after a month and many reboots the value stays at 48.
A:. Make sure to do a tell adminp process mail policy because that setting is applied by adminp. If that is not working adminp might be the one erroring out. We can enable debug to see if the policy is being set. The debug for the adminp policy is AdminP_Verbose_Poll_Task=2 .
Q: We have the benefit of roaming so we use a serverbased agent to update all users servernames in their locationdocuments...
A: This appears to be an attempt to ensure that the MailServer field in the Location docs in the PNAB have a valid servername. An incorrect server name will prevent the user's home mail server from being correctly identified and thus prevent policies from coming down. Roaming user's have a copy of the PNAB on the server, thus the agent can be run on the server instead of every end user's machine.
Q: Is there is a technote for the problem with settings being applied to preferences after policy is saved?
A: Yes. Technote 1642511 - "Unexpected desktop settings applied to User Preferences after policy document re-save"