ADMINP DEEP DIVE

Olaf Boerner, BCC
UKLUG 2012
Cardiff 4.9.2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012

AdminP is an elementary server task for your IBM Lotus Domino Administration. This session explains which administration processes are available and how those can make your day-to-day administration tasks easier. We will cover the best practices for setup and troubleshooting using AdminP, in projects like recertifications and server consolidations.

  1. ADMINP DEEP DIVE
     Olaf Boerner, BCC
     UKLUG 2012
     Cardiff 4.9.2012
  2. Speaker introduction
     CEO and founder of BCC in 1996
     Working with Lotus Notes since Version 3 in 1993
     • focused on Domino infrastructure
     • CLP certification since Release 3
     I am working
     • with large enterprise customers as Senior Architect and Project Manager
     • to optimize Lotus Domino Infrastructure Management
     • with customers to enhance BCC products
     UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  3. AdminP History
     AdminP was a major breakthrough in Release 4
     Inspired by enterprise customers like Deutsche Bank who had developed similar Server AddIn tasks for their administration
     • Domino Directory Management
     • Central PKI Management with User IDs on Lotus Notes
     • Tasks to change fields in databases
     • Support Distributed Systems
     • Better performance than agents
     Continuous improvement in each Domino version
  4. Architecture – Admin4
     Admin4 Database
     • Replica on each server (automatic deployment)
     • Storage for Task documents and logs
     • Users need access rights to create documents in admin4.nsf (Notes Client creates documents with the user's rights) - Archivar
     How does a server know that it has to execute a task?
     • Check AdminP settings in server document
     • Check for new task document in admin4.nsf
     • Checks for its name or Wildcard
     How does a server know that it has executed this task?
     • Keep in memory
     • Each server can write a log document
     • Write a log document as response document to task document
     Own Task for housekeeping (Delete Obsolete Change Requests)
  5. Architecture AdminP Server task
     AdminP Server Entry in ACL defines AdminP Server for this Database
     • Only one AdminP Server for each Database Replica
     • Every Server can be AdminP Server
     • Define “Administration Server for Databases” (next slide)
     AdminP Options
     • Do not modify names
     • Modify all readers and authors fields
     • Modify all names fields -> DO NOT USE for Mailfiles
  6. Architecture AdminP Server task
     Domino Directory ACL (SPECIAL)
     • AdminP Server Entry defines your Directory Server in your Domain
     • Every adminp task changing documents in Domino Directory is executed on that server
     • Changes must be replicated !
     • Do not change this if you have “open” adminp request documents in admin4 !
     DR procedure needs to define how to handle the AdminP Server of the Domino Directory
     • Using a cluster member is not a good idea
  7. AdminP Task execution & replication
     Server which performs AdminP tasks:
     • AdminServer for Domino Directory
     • User's Homeserver
     • AdminP Server of each Database -> Wildcard Requests
     Task documents are distributed with admin4 replication or direct deposit „replication“ in R8.x
  8. AdminP Task execution & replication
     AdminP will do changes just once !
     Example
     • Change ACL
       • Executed at Database AdminP Server
       • AdminP Server replicates ACL change to all replicas
     • Change of field entries
       • Executed only at Database AdminP Server
       • Replicate modified documents to all replicas
  9. How to define “Administration Server for Databases”
     Dedicated Server vs. Multi purpose server
     • Group Applications to same AdminP Server (AdminP Hub)
     • Define a dedicated AdminP Server for all Applications
     Extended Administration servers ?
     • Idea: Split up workload to multiple servers
     • Requires extended ACL
     • Do not do this !!!
  10. AdminRequest Document
     One Standard form for all requests
     All Fields start with Proxy...
     • ProxyAction: contains current action code
     • ProxyServer: server to perform the action
     • ProxyAuthor: who has requested
     • ...
     Field ProxyAction
     • Contains a list of all AdminP Requests
     • Field contains request numbers
  11. All AdminP Requests – Field ProxyAction (request name|action code)
     Accelerated Create Replica|84
     Add Information to Monitoring Report|130
     Add Internet Certificate to Person Record|44
     Add New Mailfile Fields|50
     Add or Modify Group in Domino Directory|144
     Add Resource|29
     Add Server to Cluster|11
     Approve Certificate Request|115
     Approve Delete Person in Domino Directory|58
     Approve Delete Server in Domino Directory|59
     Approve Deletion of Hosted Organization Storage|139
     Approve Deletion of Moved Replica|75
     Approve Deletion of Private Design Elements|72
     Approve Mail File Deletion|22
     Approve New Public Key Request|117
     Approve Person's Name Change Request|116
     Approve Refused Name Change|106
     Approve Rename Person in Domino Directory|60
     Approve Rename Server in Domino Directory|61
     Approve Replica Deletion|82
     Approve Resource Deletion|31
     Approve Revert Name Change|114
     Certificate Authority Configuration To Be Signed|105
     Certify New Certifier Key Request|171
     Certify New Person Key Request|170
     Certify New Server Key Request|169
     Change HTTP Password in Domino Directory|127
     Change the Server on which the Agent Runs|158
     Change User Password in Domino Directory|35
     Check Access for Move Replica Creation (time based execution)|151
     Check Access for Move Replica Creation|33
     Check Access for New Replica Creation (time based execution)|150
     Check Access for New Replica Creation|32
     Check Access for Non-cluster Move Replica (time based execution)|153
     Check Access for Non-cluster Move Replica|65
     Check Mail Server's Access (time based execution)|152
     Check Mail Server's Access|45
     Check Roaming Server's Access|93
     Collect Monitoring Report Information|129
     Configure Certificate Authority Publication|102
     Copy Server's Certified Public Key|2
     Create Hosted Organization Storage|135
     Create IMAP Delegation Requests|131
     Create Mail-In Database|64
     Create Mailfile|24
     Create Monitoring Report|128
     Create New Mailfile Replica|49
     Create Object Store|137
     Create Replica|13
     Create Roaming User's Replica Stubs|91
     Create Roaming User's Replicas|94
     Create Roaming User's Roaming Files|87
     Create SSL Certificate and Keyring File|156
     Delegate Mail File on Administration Server|149
     Delegate Mail File on Home Server|167
     Delegate Mail File|57
     Delegate Web Mail File|78
     Delete Group in Domino Directory|56
     Delete Hosted Organization Storage|140
     Delete Hosted Organization|132
     Delete in Access Control List|17
     Delete in Agent's Readers Field|165
     Delete in Design Elements|177
     Delete in Domino Directory|0
     Delete in Person Documents|16
     Delete in Reader/Author fields|18
     Delete Mailfile|21
     Delete Obsolete Change Requests|26
     Delete Original Replica after Move|15
     Delete Person in Domino Directory|54
     Delete Person In Unread List|147
     Delete Policy Record in Domino Directory|113
     Delete Private Design Elements|74
     Delete Replica After Move|69
     Delete Replica|81
     Delete Resource|30
     Delete Server in Domain Catalog|111
     Delete Server in Domino Directory|55
     Delete Statistic Monitors in Domino Directory|7
     Delete Unlinked Mailfile|23
     Delete Vaulted User|181
     Delete Web User in Domino Directory|126
     Domain Catalog Configuration|77
     Enable Server's SSL Ports in Domino Directory|157
     Find Name in Domain|142
     Get Hosted Organization Storage Information for Deletion|138
     Get Mail File Information for Deletion|27
     Get Replica Information for Deletion|79
     Initiate Rename in Domino Directory|8
     Initiate Web User Rename in Domino Directory|118
     Maintain Server's Fault Recovery Settings|168
     Maintain Trends Database Record|112
     Modify CA Configuration in Domino Directory|99
     Modify DB2 Access Connection|178
     Modify ID Recovery Information in Domino Directory|146
     Modify Room/Resource in Domino Directory|62
     Modify User Information Stored in Domino Directory|97
     Monitor New Mailfile Fields|51
     Monitor Replica Stub|25
     Monitor Roaming Server's Field in Person Record|90
     Monitor Roaming User's Replica Stubs|148
     Monitor Server's SSL Status in Domino Directory|166
     Monitor Server Record for DB2 Fields|173
     Move DB2 Tablespace to New Container|175
     Move Person's Name in Hierarchy|6
     Move Replica|14
     Non Cluster Move Replica|66
     Place Server's Notes Build Number into Server Record|3
     Promote New Mail Server's Access|48
     Promote New Roaming Server's Access|88
     Push Changes to New Mail Server|53
     Push Changes to New Roaming Server|100
     Re-Initiate Rename in Domino Directory|110
     Recertify Certificate Authority in Domino Directory|141
     Recertify Cross Certificate in Domino Directory|136
     Recertify Person in Domino Directory|10
     Recertify Server in Domino Directory|9
     Remove Certificate from Domino or LDAP Directory|98
     Remove Certificate Revocation List from Domino or LDAP Directory|103
     Remove Roaming User's Roaming Files|92
     Remove Server from Cluster|12
     Rename Group in Access Control List|42
     Rename Group in Design Elements|180
     Rename Group in Domino Directory|40
     Rename Group in Person Documents|41
     Rename Group in Reader/Author fields|43
     Rename in Access Control List|1
     Rename in Agent's Readers Field|164
     Rename in Design Elements|176
     Rename in Person Documents|19
     Rename in Reader/Author fields|20
     Rename in Shared Agents|162
     Rename Person in Calendar Entries and Profiles in Mail File|39
     Rename Person in Domino Directory|5
     Rename Person in Free Time Database|38
     Rename Person in Unread List|68
     Rename Server in Domino Directory|4
     Rename Web User in Access Control List|119
     Rename Web User in Calendar Entries and Profiles in Mail File|124
     Rename Web User in Design Elements|179
     Rename Web User in Domino Directory|120
     Rename Web User in Free Time Database|123
     Rename Web User in Person Documents|121
     Rename Web User in Reader/Author fields|122
     Rename Web User in Unread List|125
     Replace Mailfile Fields|52
     Replace Roaming Server's Field in Person Record|89
     Request Mail File Deletion|28
     Request Replica Deletion|80
     Request to Delete Moved Replica|76
     Request to Delete Private Design Elements|73
     Retract Person's Name Change|107
     Set DB2 Password in Server's ID File|174
     Set Directory Assistance Field|37
     Set Directory Filename|86
     Set Password Fields|34
     Set User Name and Enable Scheduled Agent|108
     Set Web Admin Fields|83
     Set Web User Name and Enable Scheduled Agent|160
     Sign Database with Server's ID File|101
     Store Certificate in Domino or LDAP Directory|95
     Store Certificate Revocation List in Domino or LDAP Directory|96
     Store Cross Certificate in Domino or LDAP Directory|159
     Store DB2 Information in Server Record|172
     Store Directory Type in Server Record|85
     Store Server's CPU count|67
     Store Server's DNS Hostname in Server Record|70
     Store Server's Platform in Server Record|71
     Unrecognized Request|145
     Unrecognized Request|154
     Unrecognized Request|155
     Unrecognized Request|36
     Unrecognized Request|999
     Update Client Information in Person Record|46
     Update Delegated User's Mailfile List|104
     Update External Domain Information|47
     Update License Tracking Information in Domino Directory|109
     Update Replica Settings|161
     Update Roaming User Information in Person Record|134
     Update Roaming User State in Person Record|133
     Update Server's Protocol Information|63
     Verify Hosted Organization Storage|143
     Web Set Soft Deletion Expire Time|163
  12. All AdminP Requests – Field ProxyAction
     (the same request name|action code list as slide 11, laid out in three columns on the slide)
  13. AdminP and Security
     AdminP is fully integrated within Domino Security
     • ACL – even if AdminP is using local access
     • Reader
     • Encrypted and signed documents
     How does the adminp server task know that it has a "real" task document?
     • You might copy and modify a task document
     • "misused" server tasks might be dangerous
  14. AdminP Security
     Well, we have a great PKI built in
     AdminP Security relies on Signatures (Private Key)
     • AdminP Documents are signed
     • Signature will ensure "correct" task documents
     • Modification will break signature
     • Documents with broken signature will not be executed !
  15. AdminP Security Check
     AdminP Security will check two fields:
     • Name to perform the action on: User, Database or Server
     • Action requested by: User or Servername
     • Entry must match signature !
     • Entry will be checked with ACL and security settings
     Error Handling
     • “You are not authorized to create new replica databases on this server.”
     • Check settings in server documents and ACL
  16. Sidestep: Why your server ID needs a password?
     Server ID can
     • sign adminp documents
     • Agents signed with server id can create adminp docs
     • Server ID can create „fake“ adminp requests
     Running ID Vault you need to secure your Domino Server ID
     • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vaultserver
     • See Paul Mooney's 2012 AdminBlast Tip #42
  17. AdminP and Security
     Do never ever modify documents in the adminP database !!!
     Public key in person/server document must match the key pair in the ID file
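The security model of slides 13 to 17 (and the wrong-ID case on slide 33) made concrete as an added Go example; this is not code from the presentation or from Domino itself. It assumes ed25519 in place of the Notes RSA PKI, a simple canonical field serialization in place of Domino's internal signature format, and constructed names such as CN=Admin/O=Example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// AdminRequest models an admin4.nsf request document. The Proxy* field names
// follow the slides; how the signature is laid out is an assumption of this example.
type AdminRequest struct {
	Fields    map[string]string // Form, ProxyAction, ProxyServer, ProxyAuthor, ProxyNameList ...
	Signer    string            // hierarchical name carried in the signature
	Signature []byte
}

// Directory stands in for the Domino Directory: the public key stored in each
// person or server document, looked up by name.
type Directory map[string]ed25519.PublicKey

var (
	ErrUnknownSigner   = errors.New("no public key for signer in Domino Directory")
	ErrBrokenSignature = errors.New("signature does not verify: document modified or wrong ID")
	ErrAuthorMismatch  = errors.New("ProxyAuthor does not match the signer")
	ErrNotAuthorized   = errors.New("requester is not authorized for this action")
)

// canonical serializes all fields in a fixed order so the signature covers every one
// of them (Domino's real signature format is internal; this stands in for it).
func canonical(fields map[string]string) []byte {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		out = append(out, (k + "=" + fields[k] + "\n")...)
	}
	return out
}

// Sign is what the Admin client, a script agent or the AdminP API does with the
// requester's ID file: sign the whole document with its private key.
func Sign(req *AdminRequest, signer string, priv ed25519.PrivateKey) {
	req.Signer = signer
	req.Signature = ed25519.Sign(priv, canonical(req.Fields))
}

// Validate runs the checks from the slides before a request is executed: the
// directory's public key for the signer must verify the signature (an ID file whose
// key pair does not match, or any field edited in admin4.nsf, fails here), "requested
// by" must equal the signer, and the signer must be allowed to perform the action
// (the ACL / server document check, supplied by the caller).
func Validate(dir Directory, req *AdminRequest, authorized func(author, action string) bool) error {
	pub, ok := dir[req.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, canonical(req.Fields), req.Signature) {
		return ErrBrokenSignature
	}
	if req.Fields["ProxyAuthor"] != req.Signer {
		return ErrAuthorMismatch
	}
	if !authorized(req.Signer, req.Fields["ProxyAction"]) {
		return ErrNotAuthorized
	}
	return nil
}

// newRequest builds a constructed "Rename in Access Control List" request
// (ProxyAction 1 in the request list) for the scenarios below.
func newRequest(author string) *AdminRequest {
	return &AdminRequest{Fields: map[string]string{
		"Form":          "AdminRequest",
		"ProxyAction":   "1",
		"ProxyServer":   "*",
		"ProxyAuthor":   author,
		"ProxyNameList": "CN=Jane Doe/O=Example",
	}}
}

func main() {
	admin := "CN=Admin/O=Example" // constructed name; nothing here comes from a real domain
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{admin: pub}
	allowAll := func(author, action string) bool { return true }
	req := newRequest(admin)
	Sign(req, admin, priv)
	fmt.Println("signed request:", Validate(dir, req, allowAll))
	req.Fields["ProxyNameList"] = "CN=Someone Else/O=Example" // edited directly in admin4.nsf
	fmt.Println("edited in admin4:", Validate(dir, req, allowAll))
	_, wrongPriv, _ := ed25519.GenerateKey(rand.Reader) // wrong ID file, key pair not in directory
	req2 := newRequest(admin)
	Sign(req2, admin, wrongPriv)
	fmt.Println("wrong ID file:", Validate(dir, req2, allowAll))
}
```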
  18. AdminP Request Document
     How to create an AdminP Request Document
     • Lotus AdminClient ->> 90%
     • Script Agent – AdminP Class
     • Server Tasks – AdminP API
     Manually with Script / API
     • Create a sample request
     • Do some reengineering (fields and values)
     • Create a document and set all fields manually
     • Sign the document !!!
     Why do you need this?
     • Automation and batch processing
  19. AdminP Interaction with Notes Client
     Some tasks need interaction with Users
     Interaction is done via fields in person documents and/or by creating documents in admin4.nsf
     • AdminP changes fields in person document
     • Lotus Notes creates „response“ document in admin4.nsf
  20. AdminP Interaction with Notes Client
     Example: Rename User
     • Rename User > AdminP changes Field and Public key in person document
     • Lotus Notes Client checks at login for these fields and executes internal procedures inside Lotus Notes Client
     • Notes Client creates a „done successful“ log document in admin4.nsf
  21. AdminP Statistics
     AdminP statistics reported to statrep.nsf
     Useful to compare servers to see where AdminP activity is high
     Statistics (Sample from Domino Admin Help)
     • ACLsModified
     • ReaderAuthorModified
     • ProfilesModified (mailfile)
     • AppointmentsModified
     • DirectoryDocumentsDeleted
     • DirectoryDocumentsModified
  22. AdminP Monitoring (even more important)
     Monitoring
     • How do you know when your AdminP task has completely finished?
     • Remember AdminP usually runs per User, Database etc !!!
     Possible Solutions
     • Create Monitoring Agent (run on server)
       • which scans AdminP Requests for response documents
       • Create a report per Object
     • Realtime “Scan” using Notes C API
       • Analyzing Extension Manager Events before/after each adminp execution
       • Execute a monitoring action / log etc.
     • Use Domino Domain Monitoring
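The monitoring agent that slide 22 sketches (scan the requests for response documents, report per object), written as an added Go example rather than a LotusScript agent from the presentation. The admin4.nsf documents, server names and the UNID/ParentUNID linkage between a request and its log documents are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// RequestDoc is an AdminRequest document in admin4.nsf. ProxyServer is a single
// server name or the wildcard "*" (one execution per server in the domain).
type RequestDoc struct {
	UNID        string
	ProxyAction string // request name, e.g. "Rename in Access Control List"
	ProxyServer string
	Object      string // the user, database or server the action is performed on
}

// LogDoc is the response document a server writes under a request after executing it.
type LogDoc struct {
	ParentUNID string
	Server     string
	Error      string // empty when the server reported success
}

// ObjectReport is the per-object summary the monitoring agent produces.
type ObjectReport struct {
	Object  string
	Total   int      // executions expected across all requests for this object
	Done    int      // executions for which a log document exists
	Missing []string // "request @ server" still outstanding
	Errors  []string // "request @ server: error" reported as failed
}

func (r *ObjectReport) Complete() bool { return r.Done == r.Total && len(r.Errors) == 0 }

func expectedServers(req RequestDoc, domainServers []string) []string {
	if req.ProxyServer == "*" {
		return domainServers
	}
	return []string{req.ProxyServer}
}

// Report matches response documents against the executions each request needs and
// builds one report per object, answering "has this rename finished on every server?".
func Report(requests []RequestDoc, logs []LogDoc, domainServers []string) map[string]*ObjectReport {
	responses := map[string]map[string]LogDoc{} // request UNID -> server -> log doc
	for _, l := range logs {
		if responses[l.ParentUNID] == nil {
			responses[l.ParentUNID] = map[string]LogDoc{}
		}
		responses[l.ParentUNID][l.Server] = l
	}
	reports := map[string]*ObjectReport{}
	for _, req := range requests {
		rep := reports[req.Object]
		if rep == nil {
			rep = &ObjectReport{Object: req.Object}
			reports[req.Object] = rep
		}
		for _, srv := range expectedServers(req, domainServers) {
			rep.Total++
			l, ok := responses[req.UNID][srv]
			switch {
			case !ok:
				rep.Missing = append(rep.Missing, req.ProxyAction+" @ "+srv)
			case l.Error != "":
				rep.Done++
				rep.Errors = append(rep.Errors, fmt.Sprintf("%s @ %s: %s", req.ProxyAction, srv, l.Error))
			default:
				rep.Done++
			}
		}
		sort.Strings(rep.Missing)
	}
	return reports
}

// sampleAdmin4 is constructed data: three servers, one user whose wildcard rename has
// not run everywhere (and failed on one server), and one user whose rename is done.
func sampleAdmin4() ([]RequestDoc, []LogDoc, []string) {
	servers := []string{"CN=Hub/O=Example", "CN=Mail01/O=Example", "CN=Mail02/O=Example"}
	requests := []RequestDoc{
		{"R1", "Rename Person in Domino Directory", "CN=Hub/O=Example", "CN=Jane Doe/O=Example"},
		{"R2", "Rename in Access Control List", "*", "CN=Jane Doe/O=Example"},
		{"R3", "Rename Person in Domino Directory", "CN=Hub/O=Example", "CN=John Roe/O=Example"},
	}
	logs := []LogDoc{
		{"R1", "CN=Hub/O=Example", ""},
		{"R2", "CN=Hub/O=Example", ""},
		{"R2", "CN=Mail01/O=Example", "Database is in use"},
		{"R3", "CN=Hub/O=Example", ""},
	}
	return requests, logs, servers
}

func main() {
	requests, logs, servers := sampleAdmin4()
	for _, rep := range Report(requests, logs, servers) {
		fmt.Printf("%s: %d/%d done, complete=%v\n", rep.Object, rep.Done, rep.Total, rep.Complete())
		fmt.Println("  missing:", rep.Missing, "errors:", rep.Errors)
	}
}
```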
  23. AdminP – Monitoring „Enhanced Log“
     Using DEBUG parameters for more useful information about what AdminP is currently doing
     • “DEBUG_ADMINP_REQUEST_PROCESSING=1”
     • “DEBUG_ADMINP_REQUEST_PROCESSING=2”
     DEBUG Output can be directed to a text file
     • “DEBUG_OUTFILE=<output file path>”
     Can be set using „set config“ at the server console
  24. Cross Domain AdminP
  25. Cross Domain AdminP
     Most AdminP processes are only working inside a domain, which is the same admin4.nsf
     • Not clear why !
     Cross Domain AdminP Tasks are
     • Rename User
     • Delete User
     • Rename Server
     • Delete Server
     • Create Replica
  26. Cross Domain AdminP: How it works
     Architecture
     • AdminP will be sent “mails” from the source domain to the target domain.
     • Mail will be created at the administration server of the source domain
     • Mail will be delivered directly to the admin4.nsf in the target domain
     • Mail will be processed as an adminp request document
     Security
     • Still relies on PKI and „Signature Validation“
  27. Cross Domain AdminP: How to setup
     Domino Directory
     • Create cross certificate documents. Identify all required certifiers !
     • Create connection document to allow server to connect to other domain
     • Edit Domino Directory Profile: who is allowed to create Cross Domain Configuration in admin4.nsf
     Admin4 Database
     • Create Cross Domain Configuration document
       • For each domain to import and
       • For each domain to export requests
  28. Best Practice using AdminP
     Or how to deal with Mass Recertification
  29. Project: Mass recertification
     Move a number of users to a new Org Certifier
     • Rename company name
     • Recreate Certifier due to security issues
     • Integrate a new company
     • Split off company
     Move in hierarchy: adminP for name change
     • Two approvals for each user
     • Response documents might be an issue or nightmare
     • No view update for admin4.nsf
  30. AdminP limitations -> „Renames“
     AdminP-Process Expiration
     • Enlarge the interval for the user to accept the name change request. Default interval is 21 days (can be configured from 14 – 60 days)
     • It is strictly necessary that the User connects to his server during that period to start the AdminP
     • If a name change request expires, the user will be reverted to its old username!
     Same behaviour with ID Vault ! Error in Documentation.
  31. AdminP Rename
     What happens after the User accepts the rename request?
     Notes Client is changing User Name in current ID File
     ID File gets synchronized with ID Vault
     What happened with the old user name?
     • It is still there !!!
     • User ID contains old and new user name
     • User can access Databases which still have its old name in the ACL
     • Old User name gets removed after expiration date
     • You will not receive Help Desk Calls before
  32. AdminP limitations -> „Renames“
     Manual interaction required
     • Admin must confirm execution,
       • Move Certifier
       • Move Mailfile
     • User must "confirm" execution
       • Login / Access to server
       • No pass thru server or replication access !!!
     Same behaviour with ID Vault ! Error in Documentation
  33. AdminP – Project Troubleshooting
     User currently not working in Lotus Notes (21 – 60 days expiration)
     • Avoid absent User: On average 15% - 20% of all users are not taking part in the daily working process.
     • Define a Workaround for absent users with your Audit Department or write a server task (C-API)
     User is using a wrong ID (public key does not match the AdminP request)
  34. AdminP limitations -> „Renames“
     ACL Settings „Modify / Do not modify names“ in each database must be set properly
     Solution
     • New request: “Rename Person in Calendar Entries and Profiles in Mail File Extended”
       • Overwrites ACL Setting
       • Renaming users in ACLs, Calendar profiles, C&S documents
  35. AdminP limitations -> „Renames“
     AdminP does not handle text fields
     • Check your applications using text fields for application logic !
     AdminP will not modify profile documents
     • Check applications for profile documents using Reader / Author / Names fields
     AdminP does not modify wildcards (*USR/BCC)
     • Check applications for use of wildcards in Reader / Author / Names fields
     • adjust manually or by agent
     The Administration Process can not modify encrypted documents.
     • Reader / Author / Names fields in encrypted documents must be adjusted manually by the user who has encrypted the document.
  36. AdminP limitations -> „Renames“
     Default: AdminP scans all documents for reader, author or names fields in a Database
     Creating an AdminP View in an application with name $AdminP
     • Only documents which appear in that view will be considered and processed
     • Be careful
     AdminP in R8.x is using namelist for Rename
     • namelist contains all users in that database
     • Requires ODS 48
     • If AdminP does not find the username in the namelist, it does not search that database
  37. Mass Recertification – admin4 size issues
     Domain size considerations belong to AdminP size
     • AdminP Database can grow to enormous sizes
     • Number of documents is an issue
     • Response documents slow down indexer tasks
     Local AdminP Tasks and response documents will be replicated to all admin4 databases
     • User in Tokyo will change ACL of Mailfile
     • User creates ACL Change Request in admin4 on his current mail server
     • Tokyo Server will execute AdminP task document and create log document
     • Documents will replicate to whole domain
  38. Mass Recertification – admin4 size issues
     Recertification tasks are part of the ordinary user management in Domino
     Issues start with mass data / batch requests
     Admin4.nsf database size
     • admin4.nsf with 300.000 documents (1,5 – 2 GB size) will have performance issues
     • Replicator tasks require index update
     Example „Move User in Hierarchy“
     • The request requires 11 request documents
     • 20.000 users
     • 50 Servers
  39. Mass Recertification – admin4 size issues
     Request | Log Docs for 50 Server | Server | Timing
     Move Person's Name in Hierarchy | 1 | Directory Server | Requires administrator approval in Administration Requests database
     Initiate Rename in Domino Directory | 1 | AdminP Server | Interval
     Rename Person in Domino Directory | 1 | AdminP Server | Interval
     Rename in Person Documents | 1 | AdminP Server | Execute once a day requests at
     Rename Person in Unread List | 50 | One per Server | Execute once a day requests at
     Rename in Access Control List | 50 | One per Server | Interval
     Rename in Design Elements | 50 | One per Server | Delayed
     Rename Person in Free Time Database | 1 | Mail Server | Immediate
     Rename Person in Calendar Entries and Profiles in Mail File | 1 | Mail Server | Immediate
     Rename in Reader / Author Fields | 50 | One per Server | Start Executing On / Start Executing At
     Rename Person in Address Book | 1 | AdminP Server | Multi Domain Configuration
     Summary per User | 207 | |
     20.000 User | 4.140.000 documents!!! | |
  40. Mass Recertification – Replication Issues
     Replication of names.nsf and admin4.nsf is critical !
     • Domino Directory has to replicate before Administration Database !!!
     • Otherwise you may get errors that have to be corrected manually (i.e. “Rename Person in Domino Directory” fails because Domino Directory was not updated)
     In the replication settings the value to purge documents shall be set to 7 days on all replicas (not more than 14 days)
     Prevent replication to all servers using replication formula:
     • select (Form='AdminRequest') | (ProxyServername=@username)
  41. Mass Recertification – Replication Issues
     R8 is using Direct Deposit Feature by default
     • Automatically „replicates“ requests
     • AdminP requests can be directly deposited to „target server“ admin4.nsf
     • Wildcard requests must be replicated
     Also enabled at the client
     • Example: Change HTTP Password in Domino Directory
     • You need direct access to the target server
     Disable with notes.ini parameter ADMINP_DONT_ATTEMPT_DIRECT_DEPOSIT=1
  42. Mass Recertification – Performance
     AdminP Tasks carried out on every server
     • Rename in Reader/Author fields
     • Rename in Access Control List
     • Rename in Design Elements
     Time consuming tasks that will have performance impact
     Performance Problems while processing the AdminP
     • Indexing admin4
     • Searching fields in Databases
     Check AdminP Threads settings
     • Default 3
     • Check if you have idle tasks and CPU time
     • Increase to 10 Threads max
  43. Best Practice performance issues
     Servertask configuration
     • Change “daily” and “delayed” request execution to “non working times”.
     • Use suspend AdminP when you see performance issues on mail servers
     • Reduce the amount of (log) documents. A server that has done nothing during the rename process should not report. (server task configuration)
     Split up threads in Domino 8 (max 10)
     • ADMINP_IMMEDIATE_THREAD=X
     • ADMINP_INTERVAL_THREAD=X
  44. Best Practice performance issues
     Change AdminP Task execution
     • ADMINP_IMMEDIATE_OVERRIDE=x, x, x
     • ADMINP_INTERVAL_OVERRIDE=X, X, X
     • ADMINP_DAILY_OVERRIDE=X
     • ADMINP_DELAYED_OVERRIDE=X
     Example (see Admin Help)
     • Rename in Access Control List
       • Interval
       • Number 1.00
     • Rename in Reader/Author Fields
       • Delayed
       • Number 20.00
     Be careful !!!
  45. Best Practice to avoid performance issues
     Keep Admin4 small
     • Plan renaming “waves”
     • Do not rename all users on the same day
     Clean-up Admin4
     • reduce the amount of Admin4 documents.
     • Users that have been renamed successfully should not stay in admin4.nsf
     Replication
     • Check use of selective replication formula
     • Ensure fast and reliable replication
  46. Questions ?
     THANK YOU !
