Ask the Experts Q&A session: Managing Domino - Open Session - Ask us Anything about Domino! - 10 June 2014
IBM hosted an Ask the Experts Q&A session on June 10, 2014. This was an open session that covered Q&A on various Domino topics. Amy Knox gave a short demo and was joined by several other members of the Domino Support and Development teams for Q&A.
Ask us anything - Ask the Experts - 10 June 2014.mp3
- 58:00 minutes long
- Q&A begins at 13:00
- Admin How-to
- iNotes and Notes Browser Plug-in
- Notes, Admin & Designer clients
- Notes Traveler
- Security, SSL, Encryption
- Comments & Suggestions
Q1. Can someone tell me how to make sure all rules are removed from a user's mail database?
- There are a few ways. If you look at the database in Notespeek, rules are called $Filterformula. If there are none of those, there are no rules. In Notespeek you would find the $FilterFormulas under "Calendar Profile".
- Here is a link for Notespeek - http://www-01.ibm.com/support/docview.wss?uid=swg24005686
- You can also check the rules view. If there are no rules there, the only other place they can exist is in the CalendarProfile document. If you delete this calendarprofile doc, it will remove the order in which they run in the background, in case there is no actual rule document but it's still running in the background.
Q2. Is it possible to mix different versions of Domino in the same cluster?
Yes. We do recommend that your Admin server is the higher version of all the servers.
Q3. Is it also recommended to mix let's say 32-bit Domino with 64-bit Domino?
You can have different versions of Domino. It tends to be easier to administer if you keep your Domino versions the same. For example, if you have an issue where you need to get a fix, you're not patching multiple server versions. If you streamline, then you tend to run all the same versions and if one server has an issue you can patch them all at once.
Q4. Is it safe to delete the old server names in the domain catalog database?
Yes it is okay to delete old server names from the Domain catalog.
Q5. How can I get rid of already decommissioned servers in the drop down list of 'open Application' window's 'Look in:' bar?
I think if the databases appear anywhere on your Workspace they appear in the list. For example, if you stack your replicas and the old servers are buried in amongst them.
Q6. Is there a preference in the client or policy that can prevent calendar items in mail databases from being archived or falling away after date has passed?
- Calendar documents generally don't get archived unless you run the Calendar Clean-up tool.
- You can select only the folder and views in the archive settings that you would like to archive from. Be sure to not select the Calendar.
Q7. What is a good resource(s) on setting up and implementing ID vault? Not sure where to start so looking for guidance.
- Technote 1407232 - Replay and Questions/Answers from the Open Mic "Lotus Domino ID Vault" call of October 22 2009
- Notes ID Vault deployment content on the Notes/Domino Wiki - http://www-10.lotus.com/ldd/dominowiki.nsf/xpSearch.xsp?searchValue=Notes%20ID%20vault%20deployment
Q8. Currently I dig through Activity Trends to find inactive accounts? Is there a better way or some way to set up a report that will notify me?
How to find unused databases and remove them? The Activity Trends database has a Databases / Inactivity view. Also you can create a database event - monitor for user inactivity.
Q9. Does anyone have any recommendations on how to handle terminated employees' mail files? We still would like to receive email since many people still email to the user for a set time, but we would like to get people to stop sending to this person.
- We add the former user's email address to another user's Person doc, User Name field. Mail to the former user gets delivered to the current user. We also move the former user's mail database to our archive server which doesn't have SMTP or CalConn, etc. running on it.
- You could forward email from the terminated user to someone else, and also auto reply to tell sender user is no longer with company - new contact is...
- We remove the Mail file and user and add the mail address as an alias to whatever user is responsible. Also you could set up a rule / agent to respond to any inbound e-mails and alert them that the e-mail address will cease soon.
- Another option is to "hide" the Person document associated with this mail file. They will no longer appear for internal mail delivery, but the document remains active and the ROUTER can deliver incoming external mail. Steps below:
  - Locate the person document in the names.nsf you wish to hide.
  - Select the person document and bring up the Document properties.
  - Click on the "key" TAB.
  - De-select the "All readers and above" check box.
  - In the list of users below, be sure that the Administrator of the server and the server itself are in the reader's field list. Add any users you wish to be able to "see" this person document.
  - To stop mail coming from the internet to this user, ensure the "Internet Address" field of the person document is blank.
  - You may have to restart the server for all these changes to take effect.
Q10. I never worked with Web services yet. Do you guys have some material to start reading? Is that with Java code?
- I would start with the Domino Designer Help. There is a good general description of what web services are, SOAP, etc.
Q11. Is there a way to configure a maximum attachment size on the client rather than just on the server at the router? What happens is if a user sends a 500MB file it sits there and gets replicated up to the server before it gets rejected and even then it stays in the mail file and gets replicated around, which is a real pain.
- Normally you could create a server rule to block it, but that would be server. I'm not sure on the replication part, I would think that it should fail as well without even depositing to mail.box. You could create a server rule that would automatically reject it on the send if you were on the server copy.
- So I did a test. If you do put a mail rule in place on the server, what will end up happening is that when you go to replicate it will say that mail rule size has been exceeded. So the document has been rejected by the mail rule. If you wanted to put a size limitation for your messages, you could create a mail rule on the server in the Server Configuration document (value is in bytes). So when the client goes to replicate up or tries to send that outgoing message, it will say that it has been rejected by a mail rule and it will not get deposited into the mail.box.
Q12. We need to run Java agents, essentially, and share class code with beans and things that are on XPages. That's currently not really possible. You can do it but it's undesirable the way that it's done. I was wondering if there was any way that we might be able to work around that any better or maybe get something put in that allows us to share code more effectively.
Additional Background Info: We essentially have a bunch of agents in LotusScript right now that do all manner of back-end processing. We would like to migrate a bunch of that stuff to Java so that we can start moving the whole entire application from LotusScript to Java and leverage the whole environment of XPages more fully than we are now. Right now the only way we have to call back-end code is to do Ajax, which is working. But we would like to have a little more tight-end integration from the front-end and the back-end using Java instead of LotusScript. Right now we are kind of stymied in that regard. Is there something we're missing? Does 9 do something that we don't know? Is there something in the pipe that would allow us to do kinda what we used to do with LotusScript in forms and stuff but entirely in Java and XPage space and no LotusScript at all?
- We also have these new libraries. The Dojo Toolkit has been improved and expanded to include some of the things that you used to have to get off the OpenNTF. So there are some of those classes that you had to custom import into for Java anyway.
We need to run like an agent in Java space instead of running it in LotusScript space. We have all these classes we're building for beans in XPages to access the back-end. That's all easy, it's trivial. Now we want to leverage those same classes that we're building for XPages in order to migrate our agents to Java. And we can't do that because Java agents cannot access the code we already have in the database.
I don't know the answer to your question but we can do some research and post an answer to this question to the transcript.
Q13. Is there any kind of definitive install documentation for Sametime 9? I've been upgrading our servers to 9, but I still have the ST server to do. We only use it for chat and meetings, with the community server. But I know that ST9 doesn't have that setup anymore and to just have chat and meetings I would need to have the SSC, WebSphere, DB2 etc. But I have no idea what I really need or how to go about setting it up. And I would be virtualizing this. I did post on the Sametime forum a few days ago, but so far, no responses. Thanks.
- The Sametime InfoCenter is a great resource.
- This technote provides some info and links. We recommended opening a PMR with the Sametime support team to review the steps since ST 9 does require new elements as you stated.
technote 1648961 - Upgrade Central: Plan your upgrade to IBM Sametime 9.0 and Sametime Unified Telephony 9.0
iNotes & Notes Browser Plug-in
Q14. How do I get name changes to propagate to ACL, distribution lists, db title, etc if user is iNotes only and has never logged into a full client?
The admin4 request for iNotes users can't complete until the iNotes user accesses the ID file; they'll need to perform a secure mail operation (sign / encrypt).
Q15. Is there a way to allow iNotes to add other calendars? Currently there is only the Google calendars option listed.
There's an unsupported ini you can try: iNotes_WA_CalOverlay=3. It exposes the calendar overlay option to list a different URL, but keep in mind this is use at your own risk.
Q16. How do you upgrade iNotes mail templates for webmail users? We have hundreds but I thought I'd seen a way to sort by template type somewhere?
technote 1304939 - Switches and options that can be used when running Convert command
- You can use the load convert command on the server. You'd just need a list of users who use webmail. You can run the load convert across entire folders, doesn't have to be individual files at a time http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help_admin_upgrade7.nsf/89d3962efd85426f85256b870069c0aa/763af0d791519e53852570bb004fff13?OpenDocument
- The template for iNotes no longer differs as it did before. Starting with 8, the Mail 8 template is used for both client and iNotes use but if you do have users on the older DWA template, you should be able to create a custom view in the NAB which you can sort by template name.
- To upgrade the mail template.
Run this command on the server to upgrade the design of all mail databases:
load convert -u Mail * mail85.ntf
The * is for the FROM template, for example dwa7.ntf
- If you have upgraded the server using a standard mail template the next time the design task runs the templates will be updated unless you have prohibit design refresh or the design task disabled via the ServerTasksAt1=Catalog,Design
Q17. We have upgraded most of our environment to 9.0. I was just wondering if a Web mail user's experience is optimized by using the Notes Browser Plug-in, or does that matter? We're just talking using mail rather than additional database that might be on our servers.
- You used the word optimized...
In a way I'm not really sure what I want because we're sort of thinking ahead. Right now we're sort of evaluating for a lot of reasons if we're going to stay on Domino or if we're going to move to Connections or if we're going to be pushed to go to the entire Exchange/Outlook, etc. platform. So I notice that there's a lot of hype about the Notes Browser Plug-in and I haven't really figured out what it is for, especially for the folks that only use iNotes as opposed to a client, if they should also get installed the plug-in.
- The Notes Browser Plug-in is basically meant for people who use iNotes more but what it does is it's a much lighter solution. Some people need to use iNotes sometimes and they also need to access Notes databases sometimes so it's a much lighter solution than having a full client. For people who only work in their browser all day, the Notes Browser Plug-in will allow them to access other databases on the server rather than just their mail file.
- If you don't have a lot of heavy client users and you have a lot of iNotes people, the Notes Browser Plug-in doesn't actually display the mail file. When you go to mail in the plug-in, it actually redirects you to iNotes. So they would be using iNotes as they normally were and if they need to access any Notes databases they'll just open them within the Notes Browser Plug-in.
Notes, Admin & Designer clients
Q18. Can someone remind me where the setting is that allows us to control (through policy) which page opens for client users? I set the Discover page to open in 9.0.1 and cannot recall which setting forced that, since there are so many options in each: mail, registration, desktop, etc
Desktop settings, Basics tab
Q19. Is there a way to install the Admin and Designer client on a USB drive so it can be portable?
Unfortunately the AllClient install isn't supported on USB.
Q20. Will you provide a replacement for the web administrator? Mobile friendly. This is deprecated for security reasons and should be reinstated in a secure fashion.
We can create an enhancement request requesting a mobile friendly webadmin client.
Q21. Are there any plans on releasing a 64 bit version of the client?
That is currently an enhancement request. APAR LO34760
Q22. Is there a way to customize to have two different versions of Designer on the same PC?
I don't recommend it. I don't know anyone who does that. I wouldn't run 7 and 9 on the same machine. I'm not sure that it's not possible.
If you had a virtual machine, but not if you just had a Windows machine with two versions of the same box, that's not a good idea. In a virtual environment, yes, you could have as many different versions as you like.
Q23. When you go to switch servers in the Admin client, it comes up with a lot of servers that we don't even have any more. How do you clean that list out?
- In the Admin client, Administration -> Refresh Server Lists -> Current domain or All domains.
- You have to be on the first tab in your Admin client where it's showing your domain and then under Administration, there's a Refresh Server Lists, and you could say Current domain or All domains.
- It will go out to your Domino Directory on your server and if you've removed the servers there, it will remove them from your list and any new ones that you've added it will put in your list. Basically it's cached all those servers in your bookmarks and what that's going to do is update your bookmarks in the background as well with all of the current servers.
Q24. (Just tried that) They're still listed there. If I go File -> Open -> Server I still see all my old ones.
That's going to be your Desktop file, then.
Q25. When you do a refresh of the Files tab (in Designer), it refreshes absolutely everything and then it resets even the folder that you were in. Am I missing something or is that just the way it is?
That is just the way that it is. I just verified that again. 8 and 9 do the same thing. You could be in a folder three-levels deep and then you hit the F9 key and that refreshes everything. That gives you a brand new list but, you're right, it takes you back to a different directory.
If you have a server with 1000 users and they're all roaming then you've got at least 3000 files that it's going to go through and query and it's a time waster as well.
It's trying to get the latest and most updated list of databases and the only way to do that is to dump them all and refresh it all. The more databases you have, the longer it could take.
Q26. Can Domino 9.0.1 run with Traveler 8.5.3?
Domino 9.0.1 and Traveler 8.5.3 can run on the same environment in the same Domino domain, but you cannot run Traveler 8.5.3 on a Domino 9 server.
Q27. Could someone send 901 hf1 Traveler link?
For the latest Notes Traveler releases, see technote 4019529 - Index of recommended maintenance for IBM Notes Traveler
Q28. I find myself updating or upgrading the Traveler server more than the Domino server over the last few years because of some new device or what have you. This time around iOS 7.1 broke attachments on all of these Apple devices. I guess the fix is to upgrade to Domino 9.0.1 which I cannot do at this point because you have to start with your Admin server and then your mail servers and all that and we have a few customizations on the NAB and it takes a while. My question is, can I upgrade the Traveler server to 9 and Traveler to 9 without messing with the NAB all together. Keeping the NAB on the Traveler server and all the other servers at 8.5.3?
- Chances are you may be OK but if the Traveler team has put anything in the NAB design that they require for that upgrade, you'd have to at least upgrade the design on the Traveler server.
- There's no problems, you don't actually have to upgrade all servers to put the new design of the 90x server in your domain. Internally here I run 90x servers, 85x servers, 70x servers and even 65x servers. I always run them with the latest design of the NAB just to make sure they are backward compatible.
- If you had to upgrade the design, you obviously would have to do your customization work first and then upgrade the design and let it go throughout your domain. But there's no reason why you couldn't just upgrade the design of the Traveler server first to 901. Best practices dictate doing your Admin servers first, then your Hub servers, but if you're in a bind and you just need to get that Traveler server upgraded to the latest release you can do it.
- Your Traveler server can be upgraded to version 9 and then you can prevent the replication of your names.nsf out to your other Domino servers in your environment, then you would just prevent that replication from happening from your 901 server to the 853 servers. Customers do this all of the time.
Q29. That's the part that I'm not clear on. If I prevent replication, let's say I've got a new user and I add him on the Admin server, does that mean I'm not replicating anything to the other servers?
No, the only thing you want to prevent from replicating are the Design elements. In the Replication settings, unfortunately, probably on all the other servers, you'd have to go in and uncheck the replication of design elements until such a point where you wanted to allow that to replicate out. But you still want to get the data replicating between the servers.
Q30. So I think what I need to find out here, without doing all of this, will it work? If I can keep the Traveler server on 8.5.3 address book, then I will be fine?
There are certain views and tabs in the Server document that are updated. For example, if you are using BlackBerry devices or Windows devices, you want to have the tabs that are there. That's what you get when you upgrade the design for your Traveler server. But if you're not using that then that wouldn't matter.
Again, what we would recommend is that you can upgrade your Traveler server to version 9 and then just prevent replication of those design elements to your other servers. Just to make sure that you have everything that you may ever want to use within Traveler available to you. You should be safe in that configuration.
Note: When you upgrade, be sure to upgrade to the latest available versions of both Domino and Notes Traveler.
- Index of recommended maintenance for IBM Notes Traveler
- Download Options for Notes & Domino 9.0.1 Fix Packs
- Interim Fixes for 9.0.1.x IBM Notes, IBM Domino & IBM iNotes
Q31. Are the devices going to see anything after the upgrades?
Yes, if you have Android users, they're going to be prompted to upgrade their Android client on their devices. But other than that it should be seamless.
Security, SSL, Encryption
Q32. Can someone provide an update what the plans are to have SHA-2 certificate support on Domino for SSL (Microsoft will drop support of older certificates by 31-Dec-2015)? SPR # ABAI7SASE6 Enhancement Request: Support SHA-2 algorithm for SSL on Domino (High triage priority, but no answer)
For SHA2 certificate support, we recommend at this time using an HTTP proxy server to handle the inbound HTTPS requests. Domino 9.x provides IHS with the server that is configured to work with the Domino HTTP web server.
Q33. Will Domino support SHA-2? IBM HTTP Server on the front is not ideal.
Natively there's limited support for SHA-2 - http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/05c1271fa301b23485257b19005b4d18?OpenDocument&Highlight=0,Encryption,standards
Q34. Domino support told me to get a SHA-1 certificate because SHA-2 wasn't supported.
SHA-2 is not supported for Domino SSL. SHA-2 pretty much is limited to SMIME message encryption.
Q35. What are your plans to resolve wildcard cert setup and import with Domino and related products that run on Domino? It is far too complex a process for 2014, poorly documented, and really a put-off for new customers.
You can use wildcard SSL certs on Domino as long as you create the CSR using the Domino server certificate admin database. However, as of today we don't have a supported way to import or export the SSL private key out of a kyr so you won't be able to share the SSL wildcard cert with any non-Domino Web servers.
From Darren Duke (STS):
- it's convoluted but you *can* convert Domino wild cards for other purposes.... http://blog.darrenduke.net/darren/ddbz.nsf/dx/exporting-domino-ssl-keyfiles-to-another-format-for-use-with-ihs-.htm
- that blog is actually a "series" on getting IHS to work with Domino http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/setting-up-ibm-http-server-to-redirect-all-traffic-to-https-when-fronting-domino-i-guess-this-is-part-3.htm
Q36a. One of my clients needs a database that is not user connected, but is still a user. They want to receive encrypted emails into that database. Could I insert the ID file into a mail database and then create an agent that will decrypt these emails and maybe save them again or forward them to a group or whatever. Is that possible?
- So you've got a mail file you want to upload the ID file into the mail file as if you were using it for iNotes, for example. And then you want to have an agent that will decrypt rather than using the standard process of decrypting. There is a LotusScript method that does encrypt that but I would have to look that up really fast.
- I remember too there's an agent that you could run that could decrypt documents en masse but I think you need to be logged into a Notes client with an ID that would decrypt them.
Q36b. That's why I thought that maybe I could upload the ID to the mail database that you could access it and use it, but that's not possible?
- Whoever is the signer and the executor of the agent has to be running with that ID file. I can't even really think how to do that. You would have to detach the ID, switch ID, those are methods and operations we don't have direct access to.
- It seems like if it was possible to run an agent based on the public and private keys that are inside of an ID that are in that mail file. If that was possible it seems like that would be a security flaw with encryption enabled. It would be possible to just extract the private key and you would be able to decrypt anything anytime. So to decrypt the document, you need to be logged into either iNotes or Notes using that ID.
- 95% of anything related to ID files is not available through the APIs or LotusScript. So there's not much you can do with an ID file. There's only like two or three things that I could think of off the top of my head. We do that for security reasons and legal and liability reasons; makes things more secure that way.
Q36c. But is there any way for me to use this anyway? This is a non-user address which is going to receive encrypted emails but maybe a group of five people need to read these emails. Is there any way I can... Can I grant the user to these 5 persons or something?
- What you might want to do. If they need to read the emails, you don't need to decrypt them. You could just put the ID in the mail file and these users could access iNotes and read these emails on the Web. They don't need to be necessarily decrypted. But if the ID is in the mail file, they could log in to iNotes as long as they know the password to get in to the mail file they should be able to read the encrypted emails from the Web. That's the easiest way.
- A more cumbersome way is to just give them each a copy of the ID and they could switch to it from the Notes client when they want to read the email.
Q36d. I was hoping they could still keep their own IDs and perhaps access it some way.
If it wasn't using mail encryption you could use the idea of a private encryption key and then distribute that private encryption key to all five users, and then they could use their own ID files.
Q37. Are there any plans on group encryption like there is with Exchange? Connected to Active Directory?
- There isn't really anything like that I know of in Notes. Encryption in Notes is a very personal thing, there's no real group encryption. There might be a way to accomplish it but by default, encryption is a personal with the person's public and private key in their own ID is pretty much the only way you could decrypt by default.
- Will mention this to the Security team just to see if they're thinking about it.
Q38. I had an issue with the DBMT tool. I implemented it on three servers in a production environment for a client. When I tried to implement it on a fourth server, it does not start on this server. I can launch it manually and it works fine but I would like to do it on server startup. When I say implement all I really did is made the Program document server start up for DBMT.
Have you tried putting in a simple fixup or anything? I don't think it's DBMT related. It sounds more program related and maybe an issue with your NAB and the view indexes that the Program documents are using.
Q39. Would there be any reason why contact entries would be disappearing from a specific user? Perhaps a good place to start gathering more information?
technote 1086649 - How to analyze questionable deletions in a Notes database
- Get a back up from the day before the document was removed and get the NoteID and then check for a deletion stub in the db that is missing the doc. to confirm they are truly deleted. It might be a good starting point if you need to open a PMR too.
- Open a PMR - and ask SWE for sample code to log all future deletions
- Yes, questionable deletions are very tough to troubleshoot. My first guess (if there was no replication or sync of any kind) would be something third party. There's nothing by design in Notes that deletes contacts without user action, unless they're recent contacts.
- A few possible reasons, there could be deletion stubs for those contacts within his mail file, and he's synchronizing contacts. Or any replication for that matter. They could have been deleted or archived from another database, so the deletion stubs carry over to the local nab but that seems like something that would need to be troubleshot.
Q40. We have an issue with secondary Domino Directory, indexes are not being updated automatically, so each new user added can't receive emails from outside of company unless we do manually rebuild views in this directory CTRL+Shift+F9 on all SMTP servers. Any documents available on how to setup this automatically?
- Did anyone mess with the View Design settings for Automatic Updating? If not suggest opening PMR with Support
- Might want to try loading multiple Update tasks in case one is being blocked for an extended period of time
Q41. I have two SMTP servers that are both ND9 servers. In the past week, one of them seems to get stuck when routing outbound SMTP mail and it gets stuck in the mail.box. The only way they seem to go is if I update the routing tables or start and stop the router. Nothing has changed on the server. Priority is normal. This happens to all kinds of users, not just a few.
- Any difference in third party apps running on the problematic system? Also if you issue a route * does that release some of the mail?
- When you have the issue if you issue a "Tell Router Show" what do you see? Also with outgoing mail issue you would want to:
  SET CONFIG CONSOLE_LOG_ENABLED=1
  SET CONFIG DEBUG_THREADID=1
  SET CONFIG SMTPCLIENTDEBUG=1
Q42. Argh. It would be really really nice if Domino would do something more meaningful than "Error 500". It says see such and such log, which I never do any more because it never says more than the console.
- Most of the time when you see 500 server error in the HTTP response, you'll see some more info in the domino server console relating to the error.
- Open up a PMR, we can help you collect htthr thread logs around that error to maybe better understand what's up with your error.
Q43. We restart Domino each week but the folder IBM Technical Support blows up. Is it a way to clear the files from this folder? Can it be cleared automatically?
- Yes, you have a file retention days within your notes.ini that can reduce that.
- If you want to clean up the IBM tech folder : Open the Server Config Doc --> Diagnostic Tab --> Remove diagnostic files after a specified number of days. Change to Yes and then select the number of days
Using the IBM_TECHNICAL_SUPPORT directory
- technote 1176434 - Console Log is overwritten when size limit is reached
NOTE: Beware using Console Log Max size. When you use that, a lot of times customers will set that to 200MB. What ends up happening if you run into a particular problem, it overwrites the older information. There's an ini parameter that's your file retention days. You can change that to reduce the amount of information that's stored or when you reboot you can clear it as well.
- You could also create an IBM Technical Support.dir link and put it off to another drive if you wanted. In theory there's nothing in there that the server needs to run. It's just first time data capture of a lot of information in case you need to capture for a problem report. So periodically, if you're not having any problems and you just want to cleanse that directory, you could do it and it will just start from scratch again when the server starts. Good to have for historical reasons when troubleshooting problems.
Q44. I'm wondering if there is any way to clean up Console Logs. We have a bunch of old mail files for users and every time the server loads, you can imagine what happens. Busytime looks for user who doesn't exist and it's just a mess. Cannot find a profile document for every single database. Is that just going to happen or is there a way to fix that?
- That's going to happen as long as those mail files stay in the data directory. It sounds like you've deleted users from the NAB but you haven't deleted their mail files. Is that accurate?
We're required to keep them for records.
- Is there some way to keep them outside of the data directory or do you still need them for active use for the duration of x number of days?
They still need to be there for 2 - 3 years.
- One thing you could do is change the Mail File Owner field to somebody that is still in the system. Because it's basically looking at the Mail File Owner and saying that person's no longer here. If it was changed to someone who was still around we would cease to see those errors at server startup.
- The only problem is if you change the Mail File Owner and mail is received and then an auto-reply message goes out, it's probably going to have that user's name on it (the name of the person listed in the Mail File Owner field). Or if you happen to be running the Out of Office agent, it'll let people know "this person is no longer with the company, email this person instead." There's so many ways around that.
- Another option: Create a generic User ID file and use it in all of them.
Q45. We've got a small shop here and occasionally one of our users has their Internet password compromised and it results in spam will get a hold of it and use our server. What I have difficulty doing is identifying that compromised account. Is there a way that I could identify more easily SMTP authentication, either current or recent?
- We have Domino Web Server log that's called Domlog.nsf that shows the logins from users including their IP address. It can identify if you're seeing things coming from IP addresses that don't look correct. Do you have a lot of users who are always traveling coming in from various places and it's hard to identify IP addresses?
No, what's hard to identify is I turn on Verbose logging and I get all of these Web authentication entries in there, but they come in constantly because it always says "User John Doe found in group cache.." And then there will be occasional Web authentications and verify passwords. It's difficult to modify that log with all of the SMTP traffic going on and the routing and trying to find trends where you find a common user name that immediately precedes a bunch of SMTP failures. We're running Domino 8.5.3 Fix Pack 6.
- In 8.5.3 Fix Pack 5 and above, we made a change to the way Auth works so you don't get a dictionary attack. It works the same way as the Internet lockout. But I think what you're saying is their account has already been compromised so they're able to get in and you're trying to figure out how to isolate that, correct?
Right. I'm trying to identify the account so I could change the password
- The biggest thing is that once you've identified the user that has been compromised, you would have to turn on Log Connections, Log Sessions, and SMTP debug with the verbose debugging on so that we could find out that user that has been compromised.
- So if you know the user, then all you would do is turn on Log Connections, Log Sessions, we'll get the IP address and with the SMTP debugging on verbose we would be able to see that it is that user from that IP address, you could block the IP from a firewall but sometimes spammers will change it.
- One of the things that gets harder is if they come through a firewall like a DMZ the authentication will look like it's your DMZ server coming in so you'll have to turn on additional logging to determine who or what IP is making the connection in to you.
But as far as identifying the user the Domlog is the best source?
The Domlog will give you the connections that have been made with the Log Sessions, Log Connections and the SMTP debug=4 you would be able then to convert the connection that is being made with the SMTP debugging to see exactly which user it is.
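The correlation described in the answers to Q45, joining connection records (source IP) to SMTP authentication records (user name) and then looking for the account that stands out, is shown here as an added example that is not from the session or from IBM. The log layout, event names and thresholds are assumptions; Domino's real console and SMTP debug output looks different, so the pattern has to be adapted to it.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, assumed layout (NOT real Domino output):
#   <time> sid=<session id> <EVENT> <key>=<value>
SAMPLE_LOG = """\
09:00:01 sid=101 CONNECT ip=192.0.2.10
09:00:02 sid=101 AUTH_OK user=jdoe
09:00:03 sid=101 MSG_ACCEPTED rcpts=1
09:00:09 Router: unrelated routing noise that must be skipped
09:01:10 sid=102 CONNECT ip=198.51.100.7
09:01:11 sid=102 AUTH_OK user=asmith
09:01:12 sid=102 MSG_ACCEPTED rcpts=50
09:02:00 sid=103 CONNECT ip=203.0.113.5
09:02:01 sid=103 AUTH_OK user=asmith
09:02:02 sid=103 MSG_ACCEPTED rcpts=50
09:03:00 sid=104 CONNECT ip=203.0.113.99
09:03:01 sid=104 AUTH_OK user=asmith
09:03:02 sid=104 MSG_ACCEPTED rcpts=50
09:04:00 sid=105 CONNECT ip=192.0.2.44
09:04:01 sid=105 MSG_ACCEPTED rcpts=1
"""

LINE_RE = re.compile(r"^\S+ sid=(\d+) (\w+)(?: \w+=(\S+))?$")

def summarize(log_text):
    """Join CONNECT (IP) and AUTH_OK (user) on session id, then total per user."""
    ip_by_sid, user_by_sid = {}, {}
    stats = defaultdict(lambda: {"ips": set(), "sessions": 0, "rcpts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # anything that is not a session record is ignored
        sid, event, value = m.groups()
        if event == "CONNECT":
            ip_by_sid[sid] = value
        elif event == "AUTH_OK":
            user_by_sid[sid] = value
            stats[value]["sessions"] += 1
            stats[value]["ips"].add(ip_by_sid.get(sid, "unknown"))
        elif event == "MSG_ACCEPTED" and sid in user_by_sid:
            # only mail sent inside an authenticated session counts against a user
            stats[user_by_sid[sid]]["rcpts"] += int(value or 1)
    return stats

def suspects(stats, max_ips=2, max_rcpts=100):
    """Users over either assumed threshold, highest recipient count first."""
    hits = [(u, len(s["ips"]), s["rcpts"]) for u, s in stats.items()
            if len(s["ips"]) > max_ips or s["rcpts"] > max_rcpts]
    return sorted(hits, key=lambda t: (-t[2], t[0]))
```

If mail arrives through a DMZ relay, every session shows the relay's address, so the recipient count is the more useful signal in that setup.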
Q46. Excel and Lotus Notes/Domino and moving data back and forth. I think everyone is aware with Microsoft's move to the new version of Office, they don't allow .123 files. And so I'm forced to find an old version of Excel. What is a solution, something maybe I don't know so I can quickly move data from Excel into 123, so that I could upload it into Lotus Notes?
- There should be an Enhancement Request for Excel export/import that may have been realized already.
- Open a PMR with Support to look in to exactly what you need to get done and we could tell you the best ways to do that. Depending on what you need to do there's probably a couple different things you could use to import that data.
I already did and they didn't have anything new that I didn't already know. It was go get a copy of Microsoft 2003 Excel. I was hoping there would be something better even in the Lotus world trying to get a hold of 123 proves to be difficult.
Coming out of the IBM client is easy, you save it as .csv. It's when you want to go the other way that you have a big whopper Excel and you want to pump it up to build your database and send it over. That's where my problems are.
Additional idea and suggestions:
- Lotus Symphony? Open Office?
- Here's the Excel 2010 fix for 123 files http://answers.microsoft.com/en-us/office/forum/office_2010-excel/convert-lotus-123-wk4-to-excel-2010/f9508a7f-9cd0-418e-aac8-0e01f0e26da1
- Use the ExportToExcel code on openntf.org
- Here's a Lotus 123 converter that works well. http://download.cnet.com/Fantastic-Lotus-1-2-3-Converter/3000-2065_4-75758879.html
- @Export to Excel: Use the ExportToExcel code on openntf.org
- @Import from Excel: Use .COL files - Google it :-)
Q47. Can an 8.5.3 client run on ODS level 52 running on Domino 9.0.1?
- Yes, an 8.5.3 client can access an ODS 52 DB as long as it is on the server. If the ODS 52 DB is off the server you will get the invalid ODS.
- You cannot OS file copy that database locally to your 8.5.3 client and attempt to access it locally. If you did, you would get the Invalid ODS error.
- A 9.0.1 client can access an ODS52 database locally
Q48. So I need to upgrade my clients before I upgrade ODS?
- You can open an ODS 52 database if it is on the server using an 8.5.3 client. If you wanted to open the ODS 52 db on the local machine you would need a 9.0.1 client.
- No, you only need to if you would be opening an ODS52 database locally on the Notes Client... If the databases are on a remote 9.0.1 server you do not have to upgrade your Notes Client.
Q49. Since upgrading to Notes v9.0 client, we have noticed much slower startup times of the client, typically 5-10 mins, any ideas?
I would open a ticket. It is almost definitely something provisioning in the background that we'd need more information for.
Q50. If I upgrade my server from 8.5.3 to 9.0.1, will it create any trouble for applications running on server?
Should be just fine.
Q51. We have versions Domino 7 and 8 and we're trying to upgrade the 8 versions to 9.0. I'm wondering is there a way to set the compatibility of the applications out within the Web because they are custom. We have hundreds of applications built in the 6 version. Is there a way to certify that they will be working in 7?
I understand that you've got custom Web applications with a variety of different codes behind them that are running just fine on your 7 and 8 servers but you're planning to upgrade to 9. In all of these cases, we don't actually have to certify guarantee that yes, you will never have any problems when you upgrade your servers and then apply your custom applications.
So, yes, a lot of times things just work great and there aren't any issues. We just don't have a way to guarantee because we didn't create the code in your custom applications. We can guarantee the code that we create but we can't guarantee the code that somebody else creates. We do support it in the way that we can help you if you do run in to an error we can help you work around that error or suggest how to make that better so that it does work with the new release. I don't anticipate that you should have any major issues but if you do, we could help you with that.
Comments & Suggestions
If there are additional technical topics you'd love to see in future Ask the Experts sessions or demos, please let us know so we can include them in our next season of AskTheExperts.
- there should be a separate session on business case to "how and why to fully embrace social: " - enable activity stream; enable OpenSocial; enable connections 4.5 integration with notes 901 client, etc
- on the social client request, the webcasts IBM offers do not have concurrent live Q&A and this format is the one admins like us need to see why Social Client might be so useful.
- idea for an Open Mic - would be on Web services
- an Open Mic on installing Connections 4.5 on IBM i would be great
- no shortage of topics on Sametime for ask the experts. That is one complex set up.
- migrating from Exchange to Domino
- migrating from Quickr on Domino to Connections (I believe that is the suggested migration path)
- topic idea would be to update us on all of the items that were taken back, or did not have a full/implemented solution today.
- an Open Mic where you reviewed the status of the most common requests for enhancements? We could submit the SPR numbers we've received from support over the years. It'd be great if the Open Mics for next season covered all of the new features that were released (hopefully)
- Comment/Suggestion: Please visit IdeaJam.net. Go to the last page, and address the first 15 pages. That will give you plenty of seed values for what to change with Domino and Notes - Admin, Designer, and Client; these issues have remained unfixed for years and really bring down the overall awesomeness that is Domino (which is really great as a whole).