Deploying DAOS and ID Vault

  • 1. MWLUG Conference 2009 IBM Center Chicago, IL August 27-28, 2009 Empowering the Lotus Community
  • 2. Deploying DAOS and ID Vault Luis Guirigay [email_address] Twitter: lguiriga Session: IN107
  • 3. Agenda
    • Who am I?
    • Introduction to DAOS
    • DAOS Estimator Tool
    • Configuring DAOS
    • Best Practices
    • Introduction to ID Vault
    • Configuring ID Vault
  • 4. Who am I
    • Senior IT Specialist at PSC Group, LLC
    • Involved in Lotus Technologies since 1998
    • Co-Author of multiple IBM Redbooks (Domino 7 for i5/OS, Workplace Collaboration Services, DB2 for i5/OS and Lotus Workflow)
    • IBM Certified Administrator and Developer in 5, 6, 7, 8 and 8.5
    • IBM Certified Administrator in Sametime 7.5 and 8
    • IBM Certified Administrator in WebSphere Portal 6.0 and 6.1
    • IBM Certified Administrator in Lotus Connections 2.0.x
    • IBM Certified Developer in Lotus Workflow
    • Find me at:
      • Twitter = lguiriga
  • 5. DAOS
  • 6. Introduction to DAOS - Domino Attachment and Object Service
    • It is not “Shared Mail” (Shared Mail developers are doing something else)
    • Will keep only one instance of each attachment – unless:
      • Message is encrypted
    • It is a Server feature – Local Replicas will get all attachments
    • Cluster is supported but each server handles DAOS independently
    • DAOSCatalog.nsf keeps all relationship information
    • DAOS is configured per server (Not per Domain)
    • DAOS is green: less data = less storage/space needed = more savings
    • Attachments are now stored as encrypted .NLO files (by default)
    • Transparent to end users and applications
    • It requires Transaction Logging (TXN) - (That’s ok, TXN is cool)
      • Follow Transaction Logging Best Practices
  • 7. Introduction to DAOS - Domino Attachment and Object Service
  • 8. Introduction to DAOS - Domino Attachment and Object Service
  • 9. DAOS Benefits
    • Disk space savings
      • Also keep in mind Design and Data compression
    • Backup times
    • Mail routing optimization when attachments are involved
    • Database compact will run faster since file size is reduced
    • I/O Transactions are reduced
    • Reducing view rebuild times
    • DAOS files can be located at:
      • Network drive
      • SAN/NAS
      • Local drive
  • 10. DAOS Estimator Tool
    • Free
    • Will tell you how much space you will save before upgrading
    • Tested on Domino 6.x and later (but it can run on Domino 5)
    • Output:
    • Get it here – IBM Technote #4021920
  • 11. Configuring DAOS
  • 12. Configuring DAOS
    • DAOS disabled by default
    • Remember to apply Fix Pack 1
  • 13. Enabling DAOS
    • Go to Server Document > DAOS
    • Change it to Enabled
  • 14. Enabling DAOS
    • Set the minimum size based on the OS bytes per cluster and number of attachments to be created. Example = 64 KB
    • Specify DAOS base Path
    • Set Defer Object Deletion (Number of days DAOS will wait to delete the NLO file after the last message pointing to it has been deleted)
    • Save and Close
    • Restart server
  • 15. Configuring DAOS
    • Run Sh Server – TXN and DAOS must be enabled
  • 16. Upgrade to ODS 51
    • DAOS requires ODS 51
    • Add CREATE_R85_DATABASES=1 to server’s notes.ini
    • Update to ODS 51 using load compact -c
    • ODS 51 will also compress the notes database
    • Mail file reduction when upgraded to ODS 51 = 27 MB vs 12 MB
  • 17. DAOSify Applications and Templates
    • Use:
      • load compact <folder/apps> -c -daos on
        • Or
      • Check application property
      • load compact <folder/apps> -c
    • Enable DAOS at least for Mailxx.ntf and Mailbox.ntf (so you don't need to enable it again and again and again....)
  • 18. Looking at the space savings
    • After sending 2 emails – 5 MB and 30 MB
    • LZ1 Compression is also used when creating the NLO files
  • 19. More DAOS Information
    • How many attachments were moved to DAOS
    • Total size of attachments moved to DAOS
    • This is a production mail file.
  • 20. Disabling DAOS
    • If DAOS is disabled only at the server document
      • Old messages will stay in the DAOS folder
      • New messages will be stored in the DB
    • To Disable DAOS at the application level
      • load compact <folder/app> -c -daos off
      • It will restore the attachments to the application, and if an attachment is no longer used by anyone else, it will be deleted based on the “Defer Object Deletion for” setting
  • 21. DAOS – Best Practices
    • Backup Mail folder(s) first if backup is performed while server is running (Very Important !!!!)
    • Enabling DAOS on the will improve DAOS processing time
    • Enable DAOS on required Templates (Mailbox.ntf, Mailxx.ntf, etc…)
    • Do not enable DAOS to the Mail Journal
    • DAOS encryption represents up to 5% CPU utilization. Evaluate whether it needs to be disabled (don’t worry too much about this)
    • Evaluate location of DAOS Folder based on:
      • I/O costs
      • Storage Capacity
  • 22. DAOS – Best Practices
    • Do not play with the DAOS folder (It’s not a toy)
      • Don’t move files
      • Don’t delete files
      • Let DAOS handle NLO files
    • Notes/Domino Best Practices: Transaction Logging (# 7009309)
    • Using the Lotus Domino Attachment and Object Service Estimator tool (# 7014980)
    • DAOS Backup and Restore (# 1358548)
  • 23. DAOS – Best Practices
    • Minimum size limit based on your system's disk block
    • fsutil fsinfo ntfsinfo <drive>
    • The DAOS Estimator tool can help you define the minimum value
  • 24.  
  • 25. ID Vault
    • It is an optional feature that automates the most important ID related operations
      • Synchronize passwords across multiple copies
      • Upload a copy of the user ID to the ID Vault
      • Allows resetting a password from the Admin client
      • Use method ResetUserPassword to create self-service applications
      • Automates Key rollovers
      • Automates user renames
      • Allows restoring IDs in case of loss or corruption
      • No need to have the ID when installing a new Notes client
      • Audit role – allows downloading a copy of the ID for auditing purposes.
        • SECURE_DISABLE_AUDITOR=1 to disable it
  • 26. ID Vault Requirements
    • Servers hosting the Vaults or involved in the process must be 8.5
    • Clients must be 8.5
    • New Security view in both server and client’s log.nsf
    • Multiple Domino domains are not supported
      • But multiple Organizations within the same Domino domain are
  • 27. Configuring ID Vault
  • 28. Configuring ID Vault
    • Read carefully and click Next
  • 29. Configuring ID Vault
    • Enter the ID Vault’s name and some descriptive information. Click Next
      • Remember: you can create multiple ID Vaults
      • The description will become the DB title
      • Don’t give the ID Vault the same name as the Org, Domain or OU
  • 30. Configuring ID Vault
    • Enter a password and confirm it. Click Next.
      • Optional: Set the ID Vault’s ID location (Yes.. You need to worry about a new ID)
      • Do not forget this password !!!
  • 31. Configuring ID Vault
    • Select your primary ID Vault server. Click Next
    • You can add replicas of the ID Vault to other servers later
    • Important !!!! ID Vault replicas cannot be created using the standard “Create Replica” process – You must use ID Vault > Manage ID Vault Replicas
  • 32. Configuring ID Vault
    • Select the ID Vault administrators
  • 33. Configuring ID Vault
    • Select the Organizations or OUs that should be part of this ID Vault
  • 34. Configuring ID Vault
    • Add the users authorized to reset passwords
    • Users/Servers with the “Password reset agent authority” will be able to sign agents that can reset passwords.
  • 35. Configuring ID Vault
    • Select “Create a new policy assigned to an organization”
      • It will create an organizational policy
      • There are multiple options here…. Be my guest !
  • 36. Configuring ID Vault
    • Select the Org to which this policy will be assigned.
  • 37. Configuring ID Vault
    • Enter some information to help the user contact the right team, or anything else that may help.
    • This field supports HTML
  • 38. ID Vault
    • Review all the details and click Create Vault.
    • You will be asked for one or more Cert IDs (based on the Org applied to the ID Vault)
  • 39. ID Vault
    • Cool !!!! We have created our first ID Vault
  • 40. ID Vault
    • Let’s see our new Policy
  • 41. ID Vault
    • and our ID Vault
  • 42. ID Vault – Best Practices
    • Here is our first user’s ID uploaded to the Vault.
    • It may take some time to upload the ID (the first time)
    • The ID file is encrypted
  • 43. Administering ID Vault
  • 44. ID Vault
  • 45. Questions ??