IBM hosted an Open Mic webcast with Lotus Development and Support Engineers on Wednesday, February 13, 2013. The topic was "Administering your Domino server using the Administration Process."
Topic: Administering your Domino server using the Administration Process (AdminP)
Day: Wednesday, February 13, 2013
Time: 11:00 AM EST (16:00 UTC/GMT, UTC-5 hours) for 60 minutes
- What is the Administration Process (AdminP)?
- Working components of AdminP
- Common tasks where AdminP is used
- Troubleshooting AdminP – the basics
- How to help yourself?
  - How to read the Admin Client help file
  - Searching for technotes
  - Using the wiki
For more information about our Open Mic webcasts, visit the IBM Collaboration Solutions Support Open Mics page.
Presentation & Audio Recording: Administering Your Domino Server Using AdminP Open Mic Feb 13 2013 (edited).mp3
Q: Is there a way to delete archives in addition to mail files when deleting a user?
A: Not at the moment. Let me see if there is an enhancement for that; if not, we can create one. SPR GMAA738GQ9 is the enhancement request.
Q: Has there been any progress to create a process to change an owner of a meeting?
A: There is an enhancement request to modify the chair: SPR TDON634KRB.
Q: Is the field 'mail server' in the person document where a home server is listed, or is there a different place for 'home' server?
A: Mail server is the field in the person document that lists the home server. The mail server in the person document is the home server for server-based activities. For client-based activities, it's in the Location document.
Q: Thanks, but I had understood that if we used one of the other servers in our cluster it would help with load balancing?
A: Correct, some AdminP tasks will run on the users' home mail server. So spreading them to other servers will allow the tasks to be run on different servers.
You can definitely do that. I would use a 'move to new server' and split the load on the two servers. The AdminP move to another server will update the person doc and will seamlessly update the location doc for the users. Any request that updates the names.nsf will still be handled by the one server.
Q: What steps have to be taken to move the AdminP from an existing server to a new server?
A: You will need to change the Admin Server in the Advanced Tab of the ACL of the names.nsf, and copy the certlog.nsf across.
Q: Why would you set the names.nsf to No Modification? How would the Person Docs and Groups get updated?
A: The changes will still occur, as AdminP has a specific request that will change the documents in names.nsf.
Q: The Certlog needs to replicate?
A: It depends. Usually the Certification Log (CERTLOG.NSF) will be located only on the registration server. However, if you want to be able to register users and certify users on multiple servers, then a replica should be created. Certlog must reside on the server that stores the Domino Directory in which you will initiate, for example, the name change or recertification. Only the Certlog used by the Administrative server will be updated. As previously stated, replicate if you require it. But normally I will only do that in a clustered environment.
Q: Maybe this is outside the scope of this presentation but...is there any guide to programmatically creating requests in the admin4 database?
A: There is an excellent guide here:
Q: Is there a way to get AdminP to reprocess a request? Let's say a user changes their password and it creates the AdminP request, but I have an agent that edits that record when AdminP tries to change the password, and it fails. Is there a way to get it to try again?
A: There is an option in the response document to run the request again.
Q: If the user never logs in to accept their rename, is there any way to have the rest of the rename steps kick off? Without the user logging in to accept the name change, the process only goes through the 1st step.
A: Not at the moment. Is this something that you find you need to do frequently? At this time it is required for the user to authenticate to continue the rename process.
Q: I also would like to see the user termination process cleanup the user's archive databases.
A: Enhancement requests, Technote 1382940:
and SPR MSKA8KRP93: Remove user archives during person deletion.
Q: Is there a way to rename a user via AdminP who only uses iNotes?
A: The user needs to either sync with an ID Vault or authenticate with the server for the rename to be processed. Some more info on what is required at each step:
Unfortunately, for users with IDs, the user must either authenticate via the Notes client or via iNotes by reading an encrypted email. If your users are users that will never use an ID, you will need to create a Web user rename. You can rename an iNotes user by getting them to encrypt or decrypt a mail if they have an ID. If the user doesn't have a Notes certificate, this can be done now. If they do, then they need to read at least one encrypted mail message. If they are renamed as a web user because they weren't registered with an ID, this should be OK.
Q: Replicating a large size admin4.nsf takes long time to complete for servers with slower network connections. Is there a formula that can be placed in admin4.nsf so spoke servers can replicate the requests that are for that server only?
A: You can use selective replication.
Q: I recommended the user change their implementation to a mail-in database rather than a user since this user is a "headless" user and never logs in, others just access the mail file.
A: In that case, using a mail-in database will be better. It saves you a license as well =)
Q: A RenameWebUser does not require the end user to "accept" the rename as with standard Notes client renames? Right?
Q: Perhaps it's an enhancement request, but I don't see a benefit to the "accept" step.
A: If you know that the user is not going to use an id then you can delete the certified public key from the person doc, then initiate the rename. This will kick off the web user rename and you will not have to wait for authentication. Some Documentation on steps for renaming Web users:
Clients will accept the name change by default unless specified otherwise.
There can be performance issues when initiating a large number of renames - they require a lot of processing and take several days to complete.
The accept no longer occurs. The reason we wait for the user to authenticate is to ensure we update the ID prior to changing ACLs and everything else; otherwise the user would end up being locked out.
Q: Expiring rename requests are a problem in my organization. People are out of the office for extended periods.
A: Set the expiration period to the max value of 60 days.
Q: Is there a document that lists all of 8.5.3's AdminP proxy actions and their numeric codes?
A: There is a public document about the proxy numbers:
Q: The 60-day limit is not possible via LotusScript. AdminP renames via LotusScript default to 14 days.
A: The benefit is that it's a security check. I believe the LotusScript default is 21 days.
Still not long enough. (SPR?)
Q: When our HelpDesk users delete a person and select to remove the ID from the ID Vault, they always get an error "....you are not listed as an Allowable author for this document". This HelpDesk group is an Author in the ID Vault's ACL. Any ideas?
A: You forgot the role in the ACL of the ID Vault.
Administration process one domain:
Q: Where do you set the space saver settings for the database size (ADMIN4.nsf)?
A: In the replication settings. If you look in the database properties the replication settings are easily accessed from there.
Setting up ACLs for the Administration Process:
What to do if the Admin4.NSF file becomes corrupt or very large:
Q: HelpDesk would need to have the Auditor Role in order to delete an ID? Wouldn't this also give them the rights to Extract any ID file?
A: See Technote 1427061, link to follow:
Auditor role gets an error on ID extraction:
Q: How can I move a large number of databases (with mail functionality) from one cluster to another using AdminP?
A: If you are moving users and their mail files then you can select the option "move to another server" in the admin client:
Q: That document is for R6 AdminP; is there an updated one for 8.5.3?
A: We have an internal Technote with more updated proxy details for 8.x.
Q: Are there any best practices available for how to clean up the Admin4.nsf (errors, etc.)?
A: This may help: http://www-01.ibm.com/support/docview.wss?uid=swg21093356
Q: I have applications, and until now I move the database and create the replica(s) in another step. Same for deleting files on the old servers.
A: If you are just moving applications, you can use the option "Move..." which is in the Files tab of the admin client.
You can move roaming files separately. If roaming data is to move then BOOKMARK.NSF will be moved as well because it is in the Roaming directory.
Q: This SECURE_DISABLE_AUDITOR would remove the rights for everyone being able to extract IDs? Ideally, I would want a small group to be able to Extract IDs and the Helpdesk group the ability to delete any IDs in the Vault?
A: Add a group to the ACL and check or uncheck the option. You can check/uncheck the Auditor role in the ID Vault database ACL. Check this Open Mic on ID Vault; the answer may be there:
Q: Can MOVE be used to move users' home server in a cluster but keep mailfiles on both servers?
A: The deletion requires admin approval to process the deletion. If you're wondering about doing a full move or just changing the home server in the person document: as long as the admin does not approve the deletion, you will not remove the original.
If it is a cluster, and the mailfile is already present on both cluster pairs, I would just change the server in the person document manually and adjust the Adminserver in the ACL. You can keep the mail files by not checking the option "delete old replicas in current cluster". If you use MOVE, the adminserver will update. Always use MOVE.
Q: Thanks, but no, I am more wanting the stuff that updates the locations in the client, but keep the replicas in the cluster. I assume that is an AdminP request? Looking at it now I see a checkbox for delete old replicas in cluster; has that always been there?
A: If REPL_MAIL_MODE=1 is specified, the user's local mail file will replicate with the home server specified in the location document. In addition, the end user will not be able to change the value for the server on the replicator page.
Technote 1087566: How to manually recertify an expired ID
REPL_MAIL_MODE=1 GREAT! This solves some problems...
Here is the Technote regarding changing the preferred server setting:
Thank you so much for that info. Saves me opening a PMR!
Q: When you run a rename on the server, is there anything that you have to do on the client for this process to complete after AdminP has run?
A: If the user is a Notes client user, they just have to authenticate with the server.
Q: Had the name revert change as well. Same scenario as the caller (on the phone). An interesting point is that the new name (prior to reversion) remains in the "Administrator" field.
A: When the rename reverts there should be a revert rename request which I believe requires admin approval. Do you get this request? I have a customer that has run into the rename reversion issue as well. It's sporadic, hasn't happened for quite a while now.
Q: So after the rename the individual needs to log out and log back in and that's it?
A: It's not necessary for them to log out. They just need to access the server; such as opening a server based database for example.
My experience with recertification of expired ID files is that recertification of users also works fine after the user ID has expired. The user then gets a message that the ID is expired, but when they press OK and access the server, the ID file is updated with the new certificate.
Q: How long does it take for a password change to take effect, to replicate to Sametime and Quickr?
A: The requests (Notes/HTTP) to change their password should be processed quickly on the admin server. How long it takes for the password change to replicate to other servers depends on your replication topology.
Q: Is the INI setting REPL_MAIL_MODE cluster aware when you force the value to 1? Say the primary/home mail server is down, will it still find the cluster to replicate?
A: Yes, it should be assuming failover is working as expected.
Q: We are having the same issue with the mismatch public key. Updating the person doc with the public key from the ID does not allow the AdminP request to continue.
A: Technote 1097547:
Q: What is the URL for opening a PMR?
Q: Are there any thoughts to allowing AdminP to sync up passwords on different copies of an ID file? For example, a user has a laptop and a desktop.
A: This can be handled by the ID vault.
Q: Rename process of AdminP: when the initial rename takes place in the person doc, the rest of the steps, such as renaming groups, do not take place until the user authenticates with the server. So this means that dynamic policies that are related to the person no longer work. This is because the next step, like rename in groups, does not take place. Opened a PMR and got an APAR, but I do not see it as an enhancement, but as a bug. Is there any way to force the rename process without the user having to authenticate? Users are out for extended periods.
A: At the moment there is really no way to force AdminP through an entire rename without having the user authenticate first. Local policy is still valid on client before rename. What you could do to workaround this, though not ideal, is to prepopulate a pending rename group with the user's future name before you actually do the rename, then when the rename is complete, you can remove the user from the group. The policy will still be maintained without losing it.
Q: The recommended cutoff interval is 7 days; we are worried that someone will restore an old copy of admin4.nsf and old requests will replicate back into the environment. The workaround is the new Purge feature, which will not allow old documents back in. However, if a request is waiting for admin approval, is there any way to preserve those documents so they are not purged after 7 days?
A: The requests requiring admin approval have a flag set in the actual document that says do not purge it until the admin takes action on it.
Q: If you do the MOVE function on the admin client, it moves the mailfile. Does this include moving roaming and bookmarks over to another server and creating the directory?
A: It will move everything. Move Roaming User takes care of the Roaming files. It will create the directory.
Q: One person has a 10 GB mail db; how long will it take to move? Is there a file size limit? How many at a time can I move? Will the Location Document be updated?
A: No filesize limit, depends on the environment. 10 GB is not the limit, it is 64 GB. It is recommended to move dbs in batches, so that it can be tracked better. The Location document will be updated.
Q: Error: "Certificate is about to expire", so you recertify the user. One issue we had is we recertified the user and watched AdminP the whole day, the change did not kick in. In the Admin client, chose recertify user. This was done after expiration.
A: Accessing the mailfile is an ACL issue. If the ID is already expired, you need to choose CERTIFY. Recertify is used before expiration.
Q: When the mail move is done, the Replicator tab is not updating the setting "try last successful, but try home mail server first"; second, it doesn't remove any old replica cluster icons. Any way to tweak these settings? In the prompt for mail move there is a prompt to delete prior cluster members. Does this create a redirect?
A: There is a Notes.ini setting available for changing the mailfile option: REPL_MAIL_MODE=1. You can also write something to remove old replica icons, or use DB redirect. Checking the setting to delete prior cluster members does not create the redirect. An enhancement can be created to delete the icons.
Q: A couple of different times over the last 2 months I did a rename. For two people, the person document reverted back to the original name. The info in the person document disappeared. In the ACL, it has the new name, and mail db has new name, but person doc information disappears. I had to rename the two people again. Has anyone seen this? Happens a month or few weeks later - the person's name reverted back to the old name in the Domino Directory. New name remains in ACL and other places, just person doc reverts. Cannot be reproduced at will, and only happened to a small percentage of people.
A: Sounds like we never got rid of the name change request in admin4 and 21 days later the name reverted. It sounds like we may have a problem where we are reverting the name where we should not be. Open a PMR when you are in the problem condition. It sounds like the old person document was reintroduced. Perhaps old replicas as stated by some attendees in the web chat.
Q: Rename process: Looking for a way to automate or prevent the revert name change from occurring. We process name changes via LotusScript, so the period of 21 days is not long enough. People are out longer than that. Large numbers of these reversions occur in the AdminP validation queue. Name changes are reverting back to the old name. We need name changes to be permanent. Thousands of users, sometimes up to 1000 renames in a day. The web user rename is permanent with no revert or expiration, so why does the Notes user rename have an expiration?
A: We were discussing this in the web chat as well. This can be bumped up to 60 days. It would be a good idea to have certain types of renames not expire. This seems to be a pain point for a number of people. We will create an enhancement request.
Q: When I recertify a user, error on AdminP states "signature on the certificate was found to be invalid" and when I check the public key it is not the same. How can I change the public key on the names.nsf? Or do I need to? It won't create any problems?
A: If you do a comparison between the user ID and the Person doc and find them not to match, you can edit the person document and replace the public key with the one copied from the user ID. It is when they authenticate that it fails, because there is no match. This should not create any problems.
Q: For a password change, running HTTP password change for Sametime and Quickr so the passwords are the same, the process does not seem to be working correctly. Sometimes it updates in 5 to 10 minutes, sometimes it never updates. No errors seen in AdminP. Also, if we rename a user, is there anything we have to do on the client?
A: Request to change HTTP password happens on the Admin Server, so if the change happens on user's home mail server, the request has to replicate to the admin server. Then the update has to replicate back down to the user's home mail server. Depending on replication topology, this may take some time. Change the password, ensure the request gets put into admin4, then ensure this replicates to the admin server admin4. This is the way to check this process. Try and determine if it's AdminP or replication. There should be nothing to do on the client end for rename. There used to be an issue with Calendar entries not updating with the new name, but that was addressed in 8.5.3. In the admin4.nsf, there should be a request for "rename person in calendar entries and profiles in mailfiles extended."
- Setting up ACLs for the Administration Process
- Rename Person AdminP steps
- Rename Users - Move to new certifier
- Upgrade to Roaming
- Downgrade user from roaming