
60 Admin Tips


Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.

Presented at in Brussels May 2019


  1. 1. 60 ADMIN TIPS IN 60 MINUTES Gabriella Davis - IBM Lifetime Champion Technical Director - The Turtle Partnership Brussels May 14th 2019
  2. 2. • Admin of all things and especially quite complicated things where the fun is • Working with the design, deployment and security of IBM technologies within global infrastructures • Working with the real world security and privacy aspects of expanding data ecosystems • Stubborn and relentless problem solver • IBM Lifetime Champion
  4. 4. UNIQUE PEOPLE • Verifying there are no duplicate or conflicting email addresses 1
  5. 5. EFFECTIVE ACCESS • Use effective access in each database ACL to determine what access a user or group has and how that is calculated including access granted via deeply nested group memberships 2
  6. 6. FIND USERS 3
  7. 7. GROUP MEMBERSHIPS • What groups is someone a member of including membership via nested and wildcard entries 4
  8. 8. GROUPS IN ACLS • Before removing or renaming a group, find all instances of that group in the directory and in ACLs 5
  10. 10. DOMAINS VS CERTIFIERS • A server that needs its own domain does not need its own certifier • For example, both Traveler and Sametime Community Server should be in their own domain • However, creating new certifiers for those servers increases your admin overhead to no benefit • Certifiers are about security but the servers need to access each other • Create a server ID using your existing certifier (it will create a server document in your current domain but you can delete that) • When setting up a new server tell it you have the server ID already • It will also want the certifier and admin IDs 6
  11. 11. WEB AUTHENTICATION & SSO • WebAuth_Verbose_Trace=1 • Granted Access: • WebAuth> LOOKUP in view $Users (user='Gabriella Davis' org='Turtle') • WebAuth> VERIFY password • WebAuth> LOOKUP in view $Users (user='CN=Gabriella Davis/O=Turtle' org='') • WebAuth> Matched to a single entry in NAB for pre-authenticated user (user='CN=Gabriella Davis/O=Turtle' org=''). Using the record that we match • WebAuth> User CN=Gabriella Davis/O=Turtle found in group Cache! 7
  12. 12. WEB AUTHENTICATION & SSO • Disable cookies on the Internet Site Document - Server authentication for the basic debugging • To debug tokens use DEBUG_SSO_TRACE_LEVEL=1
 Parsing fields from configuration [Turtle:LtpaToken]
 SSO configuration name = LtpaToken
 Domino LtpaToken Cookie name = LtpaToken
 Decoding Domino style Single Sign-On token.
 Creation Ticks = 5CCDC5EE [04/05/2019 18:03:42]
 Expiration Ticks = 5CCDCCF6 [04/05/2019 18:33:42]
 Username = CN=Gabriella Davis/O=Turtle 8
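Added example (not part of the original slides): a Python check that reads the DEBUG_SSO_TRACE_LEVEL=1 output shown above, decodes the hex ticks and reports each token's lifetime against a policy limit. It assumes the ticks are Unix seconds in hexadecimal, which matches the bracketed times on the slide for a server one hour ahead of UTC; the function names and the 30-minute default limit are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Trace text constructed from the DEBUG_SSO_TRACE_LEVEL=1 lines on the slide.
SAMPLE_TRACE = """\
 Parsing fields from configuration [Turtle:LtpaToken]
 SSO configuration name = LtpaToken
 Domino LtpaToken Cookie name = LtpaToken
 Decoding Domino style Single Sign-On token.
 Creation Ticks = 5CCDC5EE [04/05/2019 18:03:42]
 Expiration Ticks = 5CCDCCF6 [04/05/2019 18:33:42]
 Username = CN=Gabriella Davis/O=Turtle
"""

TICKS_RE = re.compile(r"(Creation|Expiration) Ticks = ([0-9A-Fa-f]{8}) "
                      r"\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]")
USER_RE = re.compile(r"Username = (.+?)\s*$")


def parse_sso_trace(text):
    """Return one dict per decoded token found in the trace text."""
    tokens, current = [], None
    for line in text.splitlines():
        if "Decoding Domino style Single Sign-On token" in line:
            current = {}
            tokens.append(current)
            continue
        if current is None:
            continue
        ticks = TICKS_RE.search(line)
        user = USER_RE.search(line)
        if ticks:
            kind = ticks.group(1).lower()
            # Assumption: ticks are Unix seconds written in hexadecimal.
            utc = datetime.fromtimestamp(int(ticks.group(2), 16), tz=timezone.utc)
            shown = datetime.strptime(ticks.group(3), "%d/%m/%Y %H:%M:%S")
            current[kind] = utc
            # Difference between the bracketed wall-clock time and UTC.
            current[kind + "_offset"] = shown - utc.replace(tzinfo=None)
        elif user:
            current["username"] = user.group(1)
    return tokens


def review_token(token, max_lifetime=timedelta(minutes=30)):
    """Return findings for one parsed token; an empty list means no issue."""
    if not {"creation", "expiration"} <= token.keys():
        return ["trace is missing creation or expiration ticks"]
    findings = []
    lifetime = token["expiration"] - token["creation"]
    if lifetime <= timedelta(0):
        findings.append("expiration is not after creation")
    elif lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
    if token["creation_offset"] != token["expiration_offset"]:
        findings.append("UTC offset differs between creation and expiration")
    return findings


if __name__ == "__main__":
    for tok in parse_sso_trace(SAMPLE_TRACE):
        print(tok.get("username"), tok["creation"].isoformat(),
              tok["expiration"] - tok["creation"], review_token(tok))
```

Run it over console or log output captured while the debug setting is on; a lifetime longer than the SSO configuration allows, or an expiry that is not after creation, is worth investigating.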
  13. 13. WEB CONFIGURATION • DDM Probe to ensure all web servers meet a defined configuration • Using a baseline of an existing server configuration the probe creates a report of mismatches 9
  14. 14. ARCHIVE LOG.NSF • Setting in notes.ini Log= can limit the size of log documents and the number of days to retain • Log files can get very large and hard to compact; if you want to retain more than 7-10 days then archive the log.nsf as you would any mail file 10
  15. 15. ARCHIVE LOG.NSF • load compact log.nsf -a • Archiving documents from log.nsf (Clouds's Log) • Assigning new DBIID for /data/notesdata/archive/a_log.nsf • Pushing log.nsf to archive/a_log.nsf • Replicator added 4,285 document(s) to archive/a_log.nsf from log.nsf • Pushing log.nsf to archive/a_log.nsf • Archived log.nsf, 4285 documents were archived and 4285 were deleted • Compacting log.nsf (Clouds's Log), log.nsf -a 11
  16. 16. COMPACT REPLICA OPTION • -REPLICA as an option for the Compact task creates a new replica and removes the original, allowing you to compact open databases such as log.nsf • The program documents below archive log.nsf at 4am then compact the free space at 5am each day 12
  17. 17. DISABLE WEAK SSL CIPHERS • In Domino 10.0.1 the notes.ini setting SSLCipherSpec (which controlled which ciphers were supported by the HTTP task) is ignored and the list of ciphers from the internet site document is used exclusively • The ciphers on the internet site document are listed in declining order of strength 13
  18. 18. UPDATE_FULLTEXT_THREAD • The update task queues databases needing updating and then batches them to rebuild first the views and then the FT indexes • Often that means FT indexes can be delayed behind large view rebuilds or worse view rebuilds can be delayed behind a corrupt FT index • Let the update task separate the text indexing thread from the view indexing thread • Yes it means more threads running but that’s a small overhead compared with adding updaters= to try and resolve the same issue 14
  19. 19. FT_FLY_INDEX_OFF • Searching a database requires that database to be full text indexed first .. • Not true. Domino will attempt to build an in memory index in response to a search query if the database is not properly indexed • This is both inefficient for the server and frustrating to the users who often don’t get the accuracy they expect • Use event monitors to look for databases being searched when they aren’t indexed (“database is not full text indexed”) then choose whether to create an index for them • When FT_FLY_INDEX_OFF=1 the server will refuse to perform a search on a database that isn’t indexed 15
  20. 20. FTG_USE_SYS_MEMORY • The Full Text engine uses a % of memory that is assigned to the Domino server and shared by all the other server tasks • FTG_USE_SYS_MEMORY tells Domino to draw the memory it needs from the operating system directly and not from Domino’s own allocation 16
  21. 21. FTBASEPATH • Full text indexes are created in a directory underneath each database; indexes can contain thousands of files on the file system being continually updated, created and deleted • This results in a lot of fragmentation as well as consuming space assigned to the data directory • Customers often delete indexes or do not turn them on in order to save space • Using FTBASEPATH the indexes can be moved away from the data directory to another path or even drive • Recreate the indexes in the new location and delete the old ones using load updall -R 17
  22. 22. SERVER RESTRICTED • No new opens are allowed. • Existing opens still work. • Allows the Administrator to connect using remote console. • The restricted server will be able to initiate replication with other servers. • server_restricted=3 • additionally prevents client replication to the server unless the user has manager access • server_restricted=4 , setting 3 with restart persistence 18
  23. 23. COPY FILES OUT OF DOMINO ADMIN • Move to directory in Files tab - Edit Select All - Edit Copy - Paste into Excel (or anywhere) • Makes it easy to find all files that are enabled for DAOS, all files using a certain template, all files with an old ODS etc. 19
  24. 24. PREVENT MAIL FORWARD RULES • Disables “send copy to” action in a mail rule 20
  25. 25. INBOUND MAIL RESTRICTIONS • Set in the Server configuration document • Only accept mail for full internet addresses in either the internet address or fullname fields
 • Prevent external people from sending to internal groups • Return 550 “unknown user” where multiple matches are found 21 22
  26. 26. TOO MUCH RNRMGR • RNRMgr (Resources and Reservations) can only run on two servers at a time • One of those servers must be the admin server of the resources database(s) • The other can be any single server in a cluster • Running on more than one cluster server can cause conflicts in clubusy.nsf 23
  27. 27. MULTIPLE CONCURRENT SMTP TRANSFERS • RouterAllowConcurrentXferToAll • Domino uses transfer threads to route mail to other servers and also to SMTP destinations outside your organisation • If you have 100 messages going to another server or to gmail - only one transfer thread will be generated • This means that the server can more efficiently use multiple threads for multiple destinations and mail is less likely to be backlogged • Domino will create multiple threads per destination, delivering messages in the order they are queued and not restricting each destination to a single thread 24
  28. 28. NSF_DBCACHE_MAXENTRIES PERFORMANCE • Determines how many databases the Domino server will keep open in its cache • sh st database.dbcache.hits reports how often a database request was found in the cache • The higher the number the more times the database was found and the more efficient your dbcache was • Increase the default using set config NSF_DBCache_Maxentries • The cache size cannot be grown beyond the memory available so use statistics to work out what max entries should be and if it needs increasing 25
  29. 29. NSF_DBCACHE_MAXENTRIES PERFORMANCE • Database.DbCache.CurrentEntries = 177 - how many databases are currently in the cache • Database.DbCache.MaxEntries = 3072 - the maximum number that can be in the cache • Database.DbCache.HighWaterMark = 178 - the highest number of databases the cache has seen • Database.DbCache.Hits = 164144 - the number of times a request was successfully found in the cache, you want this to be high • Database.DbCache.OvercrowdingRejections = 0 - the number of times a request could not be added to the cache as it was already at maximum entries, you want this to be low
  30. 30. FILE PROTECTION DOCUMENTS • Domino can be used / is used for serving non .nsf files • HTML • CGI • Images • You can protect these using an “ACL” • File protection documents • Protect a folder/file • Works just like an ACL 26
  31. 31. REMOVING BANNER DETAILS • Do you want your server coughing up unasked for information such as software, version and platform in response to requests for connections? To prevent that • For HTTP • Add HTTPDisableServerHeader=1 to server notes.ini • For SMTP • SMTPNoVersionInRcvdHdr=1 27 28
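Added example (not part of the original slides): a Python check to confirm the two banner settings above took effect, run over captured HTTP response headers and the Received headers of a test message. The sample captures, host names and banner wording are constructed for illustration, and the function names are hypothetical.

```python
import re
from email.parser import HeaderParser

# A product release string such as "Release 10.0.1" inside a header comment.
VERSION_RE = re.compile(r"\b(?:release|version|build)\s+\d+(?:\.\d+)*", re.I)
COMMENT_RE = re.compile(r"\(([^()]*)\)")

# Constructed captures: before and after applying the notes.ini settings.
HTTP_BEFORE = ("HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\n"
               "Date: Tue, 14 May 2019 09:00:00 GMT\r\n"
               "Content-Type: text/html\r\n\r\n")
HTTP_AFTER = ("HTTP/1.1 200 OK\r\n"
              "Date: Tue, 14 May 2019 09:00:00 GMT\r\n"
              "Content-Type: text/html\r\n\r\n")
MAIL_BEFORE = ("Received: from mx.example.net ([192.0.2.10])\n"
               "          by mail.example.com (Lotus Domino Release 10.0.1)\n"
               "          with ESMTP id 2019051409000000-1 ;\n"
               "          Tue, 14 May 2019 09:00:00 +0100\n"
               "Subject: banner test\n\n")
MAIL_AFTER = ("Received: from mx.example.net ([192.0.2.10])\n"
              "          by mail.example.com\n"
              "          with ESMTP id 2019051409000000-1 ;\n"
              "          Tue, 14 May 2019 09:00:00 +0100\n"
              "Subject: banner test\n\n")


def http_server_banner(response_head):
    """Return the Server header from a raw HTTP response head, or None."""
    text = response_head.replace("\r\n", "\n")
    _status_line, _, header_block = text.partition("\n")
    return HeaderParser().parsestr(header_block).get("Server")


def received_version_leaks(message_headers):
    """Return Received-header comments that disclose a software release."""
    msg = HeaderParser().parsestr(message_headers.replace("\r\n", "\n"))
    leaks = []
    for hop in msg.get_all("Received", []):
        unfolded = " ".join(hop.split())  # join folded continuation lines
        for comment in COMMENT_RE.findall(unfolded):
            if VERSION_RE.search(comment):
                leaks.append(comment)
    return leaks


def banner_report(response_head, message_headers):
    """Summarise what a capture still discloses about the server software."""
    return {
        "http_server_header": http_server_banner(response_head),
        "smtp_received_versions": received_version_leaks(message_headers),
    }


if __name__ == "__main__":
    print("before:", banner_report(HTTP_BEFORE, MAIL_BEFORE))
    print("after: ", banner_report(HTTP_AFTER, MAIL_AFTER))
```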
  32. 32. CLUSTER PROBLEMS • Tell ClRepl Dump will display all the information about cluster replication that the server has • The number of Cluster Replicators running • The work queue depth • The number of cluster replication retries in progress • The time of the last retry with each of the other cluster servers • The last time cluster replication was unsuccessful • The following information for each replication that still must be retried: the name of the database, the time the next retry is due, and the retry interval • Tell Clrepl Retry will retry failed replications • Tell Clrepl Dump Retry will show the detail of databases awaiting retry and replication 29
  33. 33. NOTES CLIENT
  34. 34. NOTES CLIENT PERFORMANCE • Test NRPC (Notes protocol) response times • ClientClock=1 / 2 / 3 in notes.ini • Restart • Console now appears logging data found in Misc Events in local log.nsf • Console_log_enabled=1 creates a text file under IBM_TECHNICAL_SUPPORT 30 31
  35. 35. LARGE DB REPLICATION • To avoid creating a large replica in the foreground and tying up your client • When creating a new replica choose “settings” and set a replication selection formula that will resolve to “no documents”, e.g. Form=“GabNoDocs” • The replica will be created with only design elements • You can then remove the selection formula from the new replica and let it replicate all the documents via background replication 32
  36. 36. CLEANUP WORKSPACE • Clear (rebuild) Workspace • From a command prompt in the Notes program directory • c:\ibm\notes\notes -RPARAMS -resetconfig • Clear Cache • From a command prompt in the Notes program directory • c:\ibm\notes\notes -RPARAMS -clean 33 34
  37. 37. POLICIES
  38. 38. POLICIES • The $Policies view in the local names.nsf shows what policies are being applied • The “home” server specified in the location document is where the policy is pulled from
 Columns: Policy Type or Name ; Policy Name | UNID ; Effective Policy Name
 Effective Policy for: Gabriella Davis/Turtle ; Effective Policy for: Gabriella Davis/Turtle| 80FC5AD08F20363EF8A0C29C300C025C ; DesktopSets|CN=Gabriella Davis/O=Turtle
 Effective Policy for: Gabriella Davis/Turtle ; Effective Policy for: Gabriella Davis/Turtle| ABDA9CAE827695D2A3A6D85AF0DCD95B ; MailSets|CN=Gabriella Davis/O=Turtle
 Effective Policy for: Gabriella Davis/Turtle ; Effective Policy for: Gabriella Davis/Turtle| 82994CCC9BEFC5EAAD8A4BC75CEECA36 ; SecSets|CN=Gabriella Davis/O=Turtle
 Effective Policy for: Gabriella Davis/Turtle ; Effective Policy for: Gabriella Davis/Turtle| 892C29CCBA5C9F4CF9F34CA80BD8BF7A ; TravelerSets|CN=Gabriella Davis/O=Turtle
 PolicyDesktop ; Effective Policy for: Gabriella Davis/Turtle| 80FC5AD08F20363EF8A0C29C300C025C ; DesktopSets|CN=Gabriella Davis/O=Turtle
 PolicyMail ; Effective Policy for: Gabriella Davis/Turtle| ABDA9CAE827695D2A3A6D85AF0DCD95B ; MailSets|CN=Gabriella Davis/O=Turtle
 PolicySecurity ; Effective Policy for: Gabriella Davis/Turtle| 82994CCC9BEFC5EAAD8A4BC75CEECA36 ; SecSets|CN=Gabriella Davis/O=Turtle
 PolicyTraveler ; Effective Policy for: Gabriella Davis/Turtle| 892C29CCBA5C9F4CF9F34CA80BD8BF7A ; TravelerSets|CN=Gabriella Davis/O=Turtle 35 36
  39. 39. DO NOT INHERIT • Prevent descendent policies from inheriting settings from the ancestor 37
  42. 42. CATALOG • If you are running the catalog task each night there is some very valuable data in the catalog.nsf • even databases set not to update in the catalog will appear in hidden views • Easily identify any databases where Anonymous or -Default- have unwanted high access 39
  43. 43. VIEW OPTIMISATION • Domino creates temporary files during view rebuilds and then deletes them once complete; however, often those files aren’t deleted and take up space in your data directory • Domino uses the “temp” directory for these builds if it can but if it can’t find one it uses the data directory instead • With the server down those TMP files can be safely deleted • Since they are intended to be temporary any older TMP files can be deleted 40
  44. 44. DISABLE_VIEW_REBUILD_OPT • If the server continually reports that it’s unable to rebuild views due to insufficient disk space and that it will revert to using standard view rebuild, this setting tells Domino to fall back to standard view rebuilding instead of optimised rebuilding using TMP files • Avoid using the setting and disabling view optimisation unless it is affecting a lot of databases and views and you can’t free up disk space or reassign the rebuild directory using VIEW_REBUILD_DIR 41
  45. 45. MOVE VIEWS OUT OF THE DATABASE • Why would you do that? • reduce database size • improve performance • locate large views on another drive • CREATE_NIFNSF_DATABASES=1 • NIFNSFEnable=1 • NIFBasePath=path • load compact -c -nifnsf on(off) apps\stafflist.nsf 42
  46. 46. REPORTING ON NIF VIEWS • Use the following server console command to show all databases, whether they use separate view indexes (NIFNSF state ON), and if so the .NDX file size: • show dir -nifnsf • Use the following server console command to show only information about databases that use separate view indexes: • show dir -nifnsfonly 43 44
  47. 47. SLOW LDAP • Schema.nsf is used by the ldap task to analyse and translate LDAP queries • It’s based on schema.ntf which is a standard Domino template and the database should be less than 10MB in size when created • In some environments we’ve seen schema.nsf grow to 100s of MB or even multiple GBs in size and when that happens the LDAP task will be slow to respond to queries and could take up to an hour to load • This usually happens when schema.nsf is on multiple servers which are different versions or have been upgraded several times and all servers are allowed Editor access or higher to the documents, resulting in hundreds of thousands of duplicate documents each populated by a different server • Delete the schema.nsf from all servers, load LDAP on the administration server and let it replicate out to the rest of the Domain 45
  48. 48. DISABLING LDAP WHEN NOT BEING USED • For LDAP to work in your environment it must first be loaded at least once on the Administration server of the domain • The Administration server creates the schema.nsf • Any other server in the domain that runs LDAP pulls a replica of schema.nsf from the Administration server • If you’re not using LDAP on the Administration server, once the schema.nsf is created you don’t need to keep running it and can stop LDAP • Just remember LOAD LDAP once on the administration server after each upgrade so the schema.nsf gets updated and will replicate out to the other servers in the domain that are running LDAP 46
  49. 49. STOP THE COMPACT STOPPING • If you are compacting a mail file and mail is delivered to it, the compact stops • Use MailFileDisableCompactAbort=1 to ensure the mail is queued for delivery until compact is finished • For large files that can take a while, sometimes too long for mail not to be delivered • MailFileEnableDeliveryFailover=1 will ensure the server doesn’t queue the mail but instead delivers it to a cluster mate • Usually if your home server is up and responding the router will not deliver mail to a cluster mate even if your mail file is inaccessible 47 48
  50. 50. COMPACT OPTIONS • Run only against databases of ODS version X • compact -O 43 -c • Run against any databases that aren’t ODS version X • compact -o 52 -c 49
  51. 51. DBMT • Runs copy-style compact operations • Purges deletion stubs • Expires soft deleted entries • Updates views • Reorganises folders • Merges full-text indexes • Updates unread lists • Ensures that critical views are created for failover • Replaces Updall and Compact • Load updall -nodbmt tells updall to run but not perform the functions that DBMT already does 50
  52. 52. DBMT PARAMETERS • -compactThreads • -timeLimit refers to compact timeout for DBMT • -range starttime stoptime • -compactNdays (run Compact every x days) • -ftiNdays (run FT Index every x days) • -force d (day Sunday =1) fixup if compact fails for consecutive day
  53. 53. PIRC • A database doesn’t replicate with a server for a year and then suddenly, one day, someone switches on an old machine and this old database (usually containing names.nsf) suddenly replicates • and brings back all the deleted documents that are more than 90 days old with it • Suddenly your server replica is full of old documents you deleted months ago • A new database property on a database running on 8.5.3 or higher will prevent documents older than the purge date from replicating back in • To turn on PIRC for a large number of databases use Compact '-PIRC On'
  54. 54. CLUSTER SYMMETRY & AUTO REPAIR • Use Cluster Symmetry to populate a folder on a new server in a cluster • The server to be populated must be running the AutoRepair and RepairCleanup tasks (put them in the servertasks= line) • the cldbdir.nsf will be used to verify if the files in the folders are present and to find the server to retrieve them from 52
  55. 55. FIND PRIVATE AGENTS • Use sh agents <dbname> to display all shared and private agents in a database • sh agents names.nsf
  56. 56. SAMETIME
  57. 57. CLIENT TYPE RESTRICTIONS • In the [config] section of sametime.ini use the value with each approved type separated by a comma • VPS_ALLOWED_LOGIN_TYPES=0x130F,0x122A • ST Connect 9.0.1, ST 9.0.1 embedded in Notes 10 • Whilst we wait for persistent chat across clients • VPS_PREFERRED_LOGIN_TYPES=0x130F,0x143A • ST Connect 9.0.1, Mobile for iOS 54 55
  58. 58. COMMUNITY NAME • A user’s contact list is stored along with the Community name of the Sametime server • If someone logs onto different servers that are not clustered they will have different community names and so different contact lists • The ST_COMMUNITY_ID= value in the [Config] section of the sametime.ini determines the Community name • if the value isn’t set (which it isn’t by default) then the community name defaults to the server’s hostname • ST_COMMUNITY_ID is very useful when adding new servers or moving servers in an environment to ensure users keep their contact/buddy lists intact 56
  59. 59. TRAVELER
  60. 60. COLLECT TRAVELER LOG INFORMATION • Tell Traveler Log Collect • Collect all information and upload it to a specific PMR directly to IBM
 • Tell Traveler pmr <PMR NUMBER> 57
  61. 61. DEFAULT LOGGING • Data is written to • ..\data\ibm technical support\traveler • Default is informational • Can change via console or server doc • Tell traveler log level <level> 58
  62. 62. INCREASING LOGGING • Tell traveler log adduser <level> <username> • List field types logged • Tell traveler log fields <fieldinitials> • S=Subject, B=Body, L=Location, A=Address, P=Phone • *=show all fields • blank=hide all fields 59
  63. 63. TELL TRAVELER USER <NAME> • Outputs all the information about the user including their mail file location, assigned devices, security and policy settings • Mail File Replicas: • [CN=Clouds/O=Turtle, Mail/ghedley.nsf] is reachable. • [ACL for Graham Hedley/Turtle: Access=Designer,Editor Capabilities=create,update,read,delete,copy Missing Capabilities=none • ACL for DEW/Turtle: Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none • ACL for Graham Hedley/Turtle: Access=Designer,Editor Capabilities=create,update,read,delete,copy Missing Capabilities=none • ACL for DEW/Turtle: Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none • Notes ID: Mail File does not contain the Notes ID. • Auto Sync User State: Monitoring enabled • Device ID: 16MAQ9UMGL0NN5S8AJDV5HCUUG • Device Description: iPhone 5c:Apple-iPhone5C4/1407.60 (OS 10) • Last Sync: Thursday, April 25, 2019 9:03:30 PM BST • IBM Traveler has validated that it can access the database Mail/ ghedley.nsf. • Monitoring of the database for changes is enabled. • Encrypting, decrypting and signing messages are enabled because the Notes ID is in the mail file or the ID vault. • Canonical Name: CN=Graham Hedley/O=Turtle • Internet Address: • Master Server: DEW/Turtle, version 40 • Master Server Locked: May 7, 2019 6:44 PM, type=Soft • Home Mail Server: CN=Clouds/O=Turtle • Home Mail File: mail/ghedley.nsf • Current Monitor Server: CN=Clouds/O=Turtle Release 10.0.1 • Current Monitor File: mail/ghedley.nsf 60
  64. 64. QUESTIONS?