Best practices for maintaining your on-premises environment

Follow these best practices to help ensure that your on-premises environment remains properly configured to work with the service.

Table 1. Best practices for maintaining your on-premises environment
Best practice	More information
Run the Configuration Test tool about once a month.	This tool detects problems with your on-premises configuration that can prevent proper operation of the service. If an error in your on-premises configuration is reported, after you fix the problem that caused the error, download and run a new copy of the Domain Configuration tool on-premises. Running the tool can fix many problems with your on-premises configuration. For more information, see the topics Running configuration tests and Downloading and running the Domain Configuration tool.
Follow the guidelines for maintaining on-premises Domino® servers.	For more information, see the server maintenance checklist topic in the Domino documentation.
Do not delete or modify the following entries in the ACL of any synchronized directory: Entries for your on-premises directory synchronization servers The `LLNServers` group entry The `SaaSLocalDomainServers` group entry.	The Domain Configuration tool creates these ACL entries. Download and run the tool to ensure that these ACL entries are correct. If these ACL entries are missing or modified, directory synchronization fails and user provisioning fails.
Do not edit the CustomerMailHubs group	Change on-premises hub servers through administration Account Settings. For example, change a mail hub server through the Account Settings > Mail Routing Server administration page. Then download and run the Domain Configuration Tool to update your on-premises configuration.
Do not delete or edit the following groups that the service creates in a synchronized directory: `LLNServers LLNMailHubs CustomerMailHubs`	These groups are created and maintained by the service.
Do not create groups with the following names: `LLNServers LLNMailHubs CustomerMailHubs` Do not create groups with names that begin with `Certifiers_` or `SAAS`.	These names are reserved for use in the service.
To move a synchronized directory to another server or to change the file name of a synchronized directory, follow the correct procedure.	Follow these steps: Move the directory or change the file name on-premises. If you are moving the directory, from Notes select File > Replication > New Replica to create a replica at the new location. In the Directory Sync Server Configuration page of SmartCloud Notes Administration, update the existing entry for the directory to match the new on-premises server location or file name. Important: Do not delete the existing entry and create a new one. If you do, all directory documents are deleted and then re-created, a process that can take multiple days to complete. Download and run the Domain Configuration tool.
To delete a synchronized directory, follow the correct procedure.	To delete a synchronized directory, follow these steps: Note: If you are moving a directory, do not delete it. In the Directory Sync Server Configuration page of SmartCloud Notes Administration, open the entry for the directory and click Remove. Download and run the Domain Configuration tool. Delete the directory on-premises.
In environments with multiple Domino domains that use policies, do not use the same policy name in more than one domain directory.	If two policies have the same name, the service uses one only, which can cause unexpected, incorrect results. The Domain Configuration tool warns you when duplicate policy names are found.
In environments with multiple Domino domains, do not a use the same group name in more than one synchronized directory.	If a group name in a mail file ACL matches two on-premises groups, the one ACL entry controls access for members of both groups. If mail groups have the same name, users must choose which one to use each time they send mail to the group name. Using unique group names avoids this step. The Domain Configuration tool warns you when duplicate group names are found.
In environments with multiple Domino domains that use Resource Reservations, do not use the same site name in more than one domain.	If sites in two domains have the same name, the service lists resources from both sites under one site name. This situation can lead users to reserve resources at the wrong site. See Technote 1473022 for instructions on making site names unique. The Domain Configuration tool warns you when duplicate site names are found.
Keep public key checking disabled on the following on-premises servers: Mail hub servers that route mail directly to the service Mail servers of on-premises users that look up the free-time of service users	If public key checking is not disabled, mail routing and free-time lookups fail. To disable public key checking on a server: Open the Server document in the Domino directory in edit mode. Click the Security tab. In the Compare public keys field in the Security Settings section, select Do not enforce key checking then click OK.
Continue to use your on-premises SMTP gateway server to route incoming mail.	When users on the Internet send mail to service users, the mail is sent to an on-premises SMTP server. From there it is routed to the service over NRPC. If the SMTP server is not available, service users cannot receive mail from the Internet. For more information, see the topic Preparing to route mail to service users
For mail hub servers that route directly to the service, configure the retry interval and multiple transfer threads for optimum mail routing performance.	For more information, see Preparing to route mail to service users registered in the on-premises hub domain and Preparing to route mail to service users in a secondary domain.