User management through administration process 2307


Published on

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

User management through administration process 2307

  1. 1. 1 Open Mic on User Management using Administration Process 25th July, 2013
  2. 2. 2 Niraj Jani – Lotus Technical Support Engineer Presenter Ranjit Rai – Lotus Technical Advisor Focussing on Entire Notes Domino Hansraj Mali – Lotus Technical Advisor Focussing on Entire Notes Domino Vinayak Tavargeri – Lotus Support Manager Open Mic Facilitator Open Mic Team Jayaval Rajendran – Lotus Technical Advisor Focussing on Entire Notes Domino Javed Batliwala – Lotus Technical Support Engineer Presenter
  3. 3. 3 AgendaAgenda Administration Process Components of Administration Process Default processing time of AdminP Requests Different AdminP commands Meaning of Icons in AdminP Requests/Responses User Management Best Practices Troubleshooting References Q&A
  4. 4. 4 ● Administration Process (AdminP) automates many routine administrative tasks For example, if you delete a user, the Administration Process locates that user's name in the Domino Directory and removes it, locates and removes the user's name from ACL's, and makes any other necessary deletions for that user. ● Administration Process starts with server startup and there is no additional configuration needed to utilize this feature ● The Administration Process automates common tasks such as: ■ Name Management - Rename person, rename group, delete person, delete group, delete server name, recertify users ■ Mail file management- delete mail file and move mail file. ■ Replica management - create replica, move replica, or delete all replicas of a database Administration ProcessAdministration Process
  5. 5. 5 ● AdminP server task ● Administrator client ● Notes client ● Domino Directory (names.nsf) ● Certification log database (certlog.nsf) ● Administration Request database (admin4.nsf) ● Administration server (assigned to each database in the domain) Components of Administration ProcessComponents of Administration Process
  6. 6. 6 AdminP server Task: ■ Runs on all Domino Servers. ■ Loads with server startup and can be controlled using ServerTasks Notes.ini ■ Acts as per the default settings in Server Document ->Administration Process tab ■ Excecutes requests in Admin4.nsf database. ■ After request execution, a response document gets created indicating status of the request. Administrator Client: ■ The Administrator client has all of the tools needed to initiate the AdminP commands including renaming and deleting users, deleting a replica, moving a database, and moving a user from one hierarchy to another. Components of Administration Process (cont')Components of Administration Process (cont')
  7. 7. 7 Notes Client: ■ An active participant in the administration process. ■ Can complete and initiate many different administration processes. Eg: Client can accept user name changes and x509v3 certificates into the file. The client is involved with the process to move a user to another server and can issue a request to change the user's password and/or synchronize his and Web password. Components of Administration Process (cont')Components of Administration Process (cont')
  8. 8. 8 Domino Directory (names.nsf): ■ Domino Directory stores person documents. When Administrator performs any action like User rename or recertify, it updates certification information in person document. ■ Administration server in Domain is determined based on the Administration server mentioned in Domino Directory ACL. ■ When Administration process runs, it updates information like clusters, person documents including client information, Notes Password Synchronization with HTTP Password, Group updates and deletions, Server information (protocol and version), policies etc in Domino Directory. Components of Administration Process (cont')Components of Administration Process (cont')
  9. 9. 9 Certification log (Certlog.nsf): ■ Created when the first server is installed in domain ■ A replica of Certlog.nsf can be created on multiple Domino servers in a domain if any action is initiated by Administrator on those servers. ■ Keeps track on certificate related activities ■ Eg: New User / Server Registration, User Rename from one OU to another OU, User Recertification etc. Example: Components of Administration Process (cont')Components of Administration Process (cont')
  10. 10. 10 Administration Request(Admin4.nsf) database: ■ Created on Administration server for Domino Directory when server starts for the first time ■ Contains all the administrative requests from a single domain ■ All requests for work to be done by the Administration Process are stored in this database ■ Every server in the domain stores a replica of the Administration Requests database ■ All requests placed in Admin4.nsf database replicates to every server in domain ■ Each request has an icon that indicates the status ■ Result of each processed request, called as response document is stored in this database Components of Administration Process (cont')Components of Administration Process (cont')
  11. 11. 11 Components of Administration Process (cont')Components of Administration Process (cont') Administration Server: ● In each domain, there's a single primary Administration server, determined by the value in ACL of Domino Directory(name.nsf) ● Assigned to each database on each server in single domain. ● Listed in Advanced tab of Database ACL ● Tells Adminp where to process each database and controls how the Administration Process does its work ● Responsible to process many Adminp requests Whenever restarting the AdminP task it prints the message on console the Name of Administration Server of Domino Directory
  12. 12. 12 Default processing time of Adminp RequestsDefault processing time of Adminp Requests Default processing time of AdminP requests is defined in Server document → Server Tasks →Administration Process tab
  13. 13. 13 Different Adminp CommandsDifferent Adminp Commands You can force administration process request to run by using tell commands. Command Description Tell Adminp Process All Processes all new and modified immediate, interval, daily, and delayed requests. This command doesn't override timed requests execution time Tell Adminp Process New Processes all new requests Tell Adminp Process Interval Processes all immediate requests and all requests that are usually processed according to the Interval setting in the Server document. Tell Adminp Process Delayed Processes all new and modified delayed requests. These are requests that are usually carried out according to the "Start executing on" and "Start executing at" settings in the Server document. Tell Adminp Process Daily Processes All new and modified daily requests to update Person documents in the Domino Directory as well as Any outstanding "Rename Person in Unread List" requests. Tell Adminp Process Mail Policy Applies mail policy to affected user's mail file Load Adminp Starts the adminp task Tell Adminp quit Stops the adminp task
  14. 14. 14 Meaning of icons in adminp requestsMeaning of icons in adminp requests
  15. 15. 15 Meaning of icons in adminp responsesMeaning of icons in adminp responses
  16. 16. 16 User Registration – Creating Mail File in BackgroundUser Registration – Creating Mail File in Background Create file in background is to force the Administration Process to create the files in the background. Use this option to save time during the user registration process. If you do not choose to create the file in the background, mail files are created during the user registration process
  17. 17. 17 Following are the request that will generate in Admin4.nsf to create the mail file on Mail Server and Cluster Server. Additional Information:- Maintain Trends Database Record Accelerated Create Replica In Server document → Security tab → Server Access Section → Create new replicas (Source Server name should be added in Target Server document). User Registration – Creating Mail File in BackgroundUser Registration – Creating Mail File in Background
  18. 18. 18 Changing Common Name With AdminPChanging Common Name With AdminP When you change the name of a user, the Administration Process implements the name change by initiating requests to the affected documents, databases, database ACLs, and Extended ACLs. Using the Domino Administrator Client you can use the “Rename” option to perform the following activities:- ● Upgrade a user name from flat to hierarchical (Obsolete) ● Change a user's common name ● Move a user to a new hierarchy Administration Process requirements ● In order for the Administration Process to facilitate the name changes, the databases must have an assigned administration server. ● In addition, the certifier ID you use and any ancestor of the certifier must have a Certifier document in the Certificates view of the Domino Directory. Viewing user name change requests ● To review the administration requests that are generated when renaming a user name, open the Administration Request (ADMIN4.NSF) database in your Domino Directory.
  19. 19. 19 Changing Common Name With AdminPChanging Common Name With AdminP ● Initially only single request will generate i.e. "Initiate Rename in Domino Directory". ● This request will be processed by Administration Server of Domino Directory and only person document will be updated. ● In order to generate the further request or complete the renaming process the user need to authenticate with the server using his/her id file. Note:- ● If the user is accessing the emails only through iNotes then in order to complete the renaming process one need to import the id file into mail file or use the ID Vault. ● After user has initiated with rename command Administrator need to send the encrypted email to user who has been renamed, once the user accesses the encrypted email via iNotes then the ID file will be used and the further request will get generated to complete the rename process Following are the request will get generated in Admin4.nsf for Changing the Common name
  20. 20. 20 Changing Common Name With AdminPChanging Common Name With AdminP If you have implemented ID Vault then enable the below given option in Policy Security Setting document, this will help you in using the ID File from ID Vault while reading the encrypted emails and other features like recall of message from iNotes. Additional Information:- How to rename an iNotes user
  21. 21. 21 Moving user from one OU to another OU usingMoving user from one OU to another OU using AdminPAdminP Since the name hierarchy Domino is part of the user's name, when you move a user to a different certifier you have essentially changed the user's name. You can use the Administration Process to move a user name to a different location (Organizational Unit) in the organization's hierarchical name scheme or to move a name to a different Organization altogether. There are two parts to moving a user name: ■ Request the move using the originating certifier. ■ Complete the move by using the target (new) certifier to approve the request and issue the new certificate. ● Once the request to move the user to another certifier is initiated it will generate the given request as shown. ● Need to click on Complete Move for selected entries, this will approve the request and issue the new certificate
  22. 22. 22 Following are the request will get generated in Admin4.nsf for moving the user in different Certifier Moving user from one OU to another OU usingMoving user from one OU to another OU using AdminPAdminP
  23. 23. 23 User Movement – Moving user to Another ServerUser Movement – Moving user to Another Server You can use the Administration Process to move a person's mail file from one server in your domain to another by performing a "Move To Another Server" using the Domino Administrator client Following are the request will get generated in Admin4.nsf. “Push Changes to New Mail Server” & “Delete Mail File” request will get generated after user authentication
  24. 24. 24 Recertify – User IDRecertify – User ID Before a user ID reaches its expiration date, recertify the user ID using the original certifier ID. Use the Certificate expiration view to determine which certifiers need to be recertified. Following are the request will get generated in Admin4.nsf. Additional Information:- How to Recertify User
  25. 25. 25 Rename - GroupRename - Group Use this procedure to rename a group in your domain. 1. From the IBM Lotus Domino Administrator, click People and Groups. 2. Choose Groups. 3. Select the name of the group you are going to rename. 4. From the Tools pane, choose Groups - Rename. 5. On the Rename Group dialog box, specify a new group name, and then click OK. Following are the request will get generated in Admin4.nsf.
  26. 26. 26 Deleting UserDeleting User You can delete a user name with the Administration Process by initiating a delete person command from the Domino Administrator Client. Delete User Prompt Admin4 request when user has been deleted Document will be moved to Inactive User Ids view in ID Vault database
  27. 27. 27 Other AdminP RequestsOther AdminP Requests New Server Configuration Following are the request generated when you configure the New Domino Server. Similarly, such type of request will be seen when you upgrade the Domino Server to newer release or update the Port information etc... Update Client Information Check Password Update Internet Password When Notes Client Password Changes - Policy
  28. 28. 28 Admin4.nsf – Replica IDAdmin4.nsf – Replica ID The replica IDs of some Lotus Domino server databases are related to that of the Domino Directory (names.nsf) The following is a list of Domino server databases that have a known replica ID based on the replica ID of the domain's Domino Directory: catalog.nsf, events4.nsf, statrep.nsf, ddm.nsf, admin4.nsf, billing.nsf, vpuserinfo.nsf (Sametime Authorization Database), activity.nsf Example: names.nsf has a replica ID of: 852564AC:004EBCCF catalog.nsf has a replica ID of: 852564AC:014EBCCF events4.nsf has a replica ID of: 852564AC:024EBCCF admin4.nsf has a replica ID of: 852564AC:034EBCCF statrep.nsf has a replica ID of: 852564AC:044EBCCF Notice that the similarity is in the last six (6) characters of the replica ID (4EBCCF in this example). The distinguishing characters are the first two (2) characters of the unique part of the replica ID (01, 02, 03, 04 in this example), such as 852564AC:034EBCCF.
  29. 29. 29 Best PracticesBest Practices ● Adminp must operate efficiently in order for many items to run properly in Lotus Domino ● Periodic checks and proper settings will ensure that the system operates as designed. ● Disable Transaction Logging for Admin4.nsf. ● As a part of best practices, an Administrator should consider below points ■ Admin4.nsf Replication ■ Admin4.nsf Size ■ Admin4.nsf ACL ■ Admin4.nsf Monitoring
  30. 30. 30 Best Practices (cont')Best Practices (cont') Admin4.nsf Replication ● Should be scheduled via a connection document with type pull-push ● Keep the small interval between subsequent replications to speed up the adminp request processing ● All replica copies of the Admin4.nsf in domain should be roughly the same size unless selective replication formula is used ● If during troubleshooting, Admin4.nsf replication is temporarily disabled, Make sure to re-enable it
  31. 31. 31 Best Practices (cont')Best Practices (cont') Admin4.nsf Size Multiple ways to control size ● Document retention settings : Default retention interval is seven days (File → Replication → Settings → Space Savers → Remove documents not modified in the last # days). This can be lowered if increased too high. Make sure, all replicas to have same setting ● Replication Formula: By selecting replication, document counts can be controlled and thus size. Should be applied on Administration server so admin4.nsf size may be larger than the spoke servers ■ Use a selective replication formula to prevent the response Log documents in ADMIN4.NSF from replicating. ■ Information in Log documents is a record of the status of the work a server does in response to an administration request. ■ This response Log is interesting to you, the administrator, and to the server that created it, but not to every server in the domain.
  32. 32. 32 Best Practices (cont')Best Practices (cont') If you do not want to replicate the response document then add the replication formula Type!=”AdminLog” in spoke servers which will not add the response document. Note: Under some conditions, the replication formula for admin4.nsf can cause AdminP requests to process repeatedly on spoke servers. ● Regular maintenance: Scheduled compaction should be run to recover unused space. Fixup and Updall to be run whenever necessary To resolve this issue, change the formula to the following: SELECT Type != "AdminLog" | ProxyServerName = @UserName This modification will prevent a server from deleting its own response documents, preventing the repetitive processing described above.
  33. 33. 33 Best Practices (cont')Best Practices (cont') Admin4.nsf ACL ● Make sure correct server is listed as an Administration server in ACL → Advanced tab ● Default access should be Author with 'Create Documents' privilege as certain requests deposited by users in Admin4.nsf ● ACL of the Admin4.nsf should mirror the ACL of the Domino Directory Admin4.nsf Monitoring ● Administrators should monitor this database closely for any errors being recorded and should take corrective actions to resolve those errors
  34. 34. 34 TroubleshootingTroubleshooting To troubleshoot AdminP issues, an Administrator should check as below ● Is AdminP running on all servers? If not, it should be. To check this, issue a SHOW TASKS command at the server console ● Has CERTLOG.NSF been created? ● Has the Administration Server been specified in the Domino directory (names.nsf) ACL? In the Domino directory, select File → Database → Access Control → Advanced panel. List only one Administration Server for the directory. ● All databases that are expected to get the ACL updates must have an Administration Server specified before the request is put into AdminP ● Are both the names.nsf and admin4.nsf replicating properly between the affected servers? Both of these databases must replicate correctly between the directories' "Administration Server" and the spoke servers ● Does admin4.nsf show the correct Request documents?
  35. 35. 35 Troubleshooting (cont')Troubleshooting (cont') ● For each Request document, is there a Response document that shows that AdminP has executed the request? Does the response document show an error message or was is successful? ● Is the time/date on the servers synchronized? ● Be sure Certificate documents have the correct Public Key; the Public key must match the key in each CERT.ID. Similarly public key must match between Person document and User ID files.
  36. 36. 36 Troubleshooting (cont')Troubleshooting (cont') Administrator can perform below steps if Admin4.nsf gets corrupted: 1 Write down the database size and number of documents found on the Info tab of the Database properties . 2 Make a backup of the database. 3 Disable replication of the database. 4 Design Replace (File, Database, Replace Design) - making sure to use original ADMIN4.NTF template file. 5 Load Fixup ADMIN4.NSF -f 6 Load Compact ADMIN4.NSF -c 7 Load Updall ADMIN4.NSF -R 8 IF the database is OK now, re-enable the replication of ADMIN4.NSF (that was disabled in step #3 above).
  37. 37. 37 Troubleshooting (cont')Troubleshooting (cont') If the database is still corrupted or too large after running maintenance, Administrator can recreate the database with below steps: ● Remove the corrupt Admin4.NSF from the data directory when the Domino server is down and allow AdminP to recreate it automatically. ● Only on server startup a new Admin4.NSF will be recreated with the original replica ID. ● The server must be restarted with the AdminP task enabled. ● Delete or move the original Admin4.NSF off the server ● Replicate Admin4.NSF from a Administration server. This should repopulate the database.
  38. 38. 38 ReferencesReferences Domino Administrator help is best to refer for AdminP help: ● Administration Process Request – One Domain To gain a better overall view of how AdminP works, read these documents: ● All About Adminp Part 1 ● All About Adminp Part 2 ● Generic Troubleshooting Guide
  39. 39. 39 Q & AQ & A