Lotus 6 Exam2

Lotus Notes®

and Domino® 6System

Administrator

Tony Aveyard

Karen Fishwick

00 0789729180 FM 10/21/03 3:25 PM Page i

Lotus Notes® and Domino® 6 System Administrator Exam Cram 2Copyright © 2004 by Que Publishing

All rights reserved. No part of this book shall be reproduced, stored ina retrieval system, or transmitted by any means, electronic, mechanical,photocopying, recording, or otherwise, without written permissionfrom the publisher. No patent liability is assumed with respect to theuse of the information contained herein. Although every precautionhas been taken in the preparation of this book, the publisher andauthor assume no responsibility for errors or omissions. Nor is any lia-bility assumed for damages resulting from the use of the informationcontained herein.

International Standard Book Number: 0-7897-2918-0

Library of Congress Catalog Card Number: 2003109276

Printed in the United States of America

First Printing: November 2003

06 05 04 03 4 3 2 1

TrademarksAll terms mentioned in this book that are known to be trademarks orservice marks have been appropriately capitalized. Que Publishing can-not attest to the accuracy of this information. Use of a term in thisbook should not be regarded as affecting the validity of any trademarkor service mark.

Lotus Notes is a registered trademark of IBM Corporation.

Domino is a registered trademark of IBM Corporation.

Warning and DisclaimerEvery effort has been made to make this book as complete and as accu-rate as possible, but no warranty or fitness is implied. The informationprovided is on an “as is” basis. The authors and the publisher shall haveneither liability nor responsibility to any person or entity with respectto any loss or damages arising from the information contained in thisbook or from the use of the CD or programs accompanying it.

Bulk SalesQue Publishing offers excellent discounts on this book when orderedin quantity for bulk purchases or special sales. For more information,please contact

U.S. Corporate and Government [email protected]

For sales outside the U.S., please contact

International [email protected]

PublisherPaul Boger

Executive EditorJeff Riley

Acquisitions EditorCarol Ackerman

Development EditorLorna Gentry

Managing EditorCharlotte Clapp

Project EditorTonya Simpson

Copy EditorsKrista Hansing

Karen Annett

IndexerHeather McNeill

ProofreaderJuli Cook

Technical EditorsDennis Teague

David Wilde

Team CoordinatorPamalee Nelson

Multimedia DeveloperDan Scherf

Page LayoutBronkella Publishing

00 0789729180 FM 10/21/03 3:25 PM Page ii

A Note from Series Editor Ed Tittel

You know better than to trust your certification preparation to justanybody. That’s why you, and more than two million others, havepurchased an Exam Cram book. As Series Editor for the new and

improved Exam Cram 2 series, I have worked with the staff at Que Certification toensure you won’t be disappointed. That’s why we’ve taken the world’s best-sellingcertification product—a finalist for “Best Study Guide” in a CertCities reader pollin 2002—and made it even better.

As a “Favorite Study Guide Author” finalist in a 2002 poll ofCertCities readers, I know the value of good books. You’ll beimpressed with Que Certification’s stringent review process,which ensures the books are high-quality, relevant, and technically accurate. Rest assured that at least a dozen industryexperts—including the panel of certification experts atCramSession—have reviewed this material, helping us deliver anexcellent solution to your exam preparation needs.

We’ve also added a preview edition of PrepLogic’s powerful, full-featured testengine, which is trusted by certification students throughout the world.

As a 20-year-plus veteran of the computing industry and the original creator andeditor of the Exam Cram series, I’ve brought my IT experience to bear on thesebooks. During my tenure at Novell from 1989 to 1994, I worked with and aroundits excellent education and certification department. This experience helped pushmy writing and teaching activities heavily in the certification direction. Since then,I’ve worked on more than 70 certification-related books, and I write about certification topics for numerous Web sites and for Certification magazine.

In 1996, while studying for various MCP exams, I became frustrated with the huge, unwieldy study guides that were the only preparation tools available. As anexperienced IT professional and former instructor, I wanted “nothing but the facts”necessary to prepare for the exams. From this impetus, Exam Cram emerged in1997. It quickly became the best-selling computer book series since “…ForDummies,” and the best-selling certification book series ever. By maintaining anintense focus on subject matter, tracking errata and updates quickly, and followingthe certification market closely, Exam Cram was able to establish the dominantposition in cert prep books.

You will not be disappointed in your decision to purchase this book. If you are,please contact me at [email protected]. All suggestions, ideas, input, or constructivecriticism are welcome!

Que Certification • 800 East 96th Street • Indianapolis, Indiana 46240

00 0789729180 FM 10/21/03 3:26 PM Page iii

Expand Your Certification Arsenal!

www.examcram2.com

Lotus Notes and Domino 6Application Development Exam Cram 2 (Exam 610, 611, 612)Tim Bankes and David Hatter

ISBN 0-7897-2917-2

$39.99 US/$60.99 CAN/£28.99 Net UK

• Key terms and concepts highlighted at the start of each chapter

• Notes, Tips, and Exam Alerts advise what to watch out for

• End-of-chapter sample Exam Questions with detailed discussionsof all answers

• Complete text-based practice test with answer key at the end ofeach book

• The tear-out Cram Sheet condenses the most important itemsand information into a two-page reminder

• A CD that includes PrepLogic Practice Tests for complete evaluation of your knowledge

• Our authors are recognized experts in the field. In most cases, they are current or former instructors, trainers, or consultants—they know exactly what you need to know!

00 0789729180 FM 10/21/03 3:26 PM Page iv

From Tony Aveyard

I dedicate this book to the following people:

Kathi, my wife and my best friend: My life is richer because of you and wasincomplete until you joined it. Thanks for always sticking with me andbelieving in me. My dreams have come true and still do because of you.

Marie, my daughter, my friend, and one of the reasons I was able to sur-vive as a single parent for seven years: You are the twinkle in a father’s

eye, and I will always regret the day when you move out to make your ownlife. Thanks for all the memories you gave your dad.

Garet, my computer partner and movie-going buddy: Don’t forget that Ican beat you at Unreal Tournament! You’re a lot of fun to be around, andthe way you look at life is refreshing and exhilarating. I love the time we

spend together and the way you laugh at the Stooges and MXC.

Terry Brooks: Your work inspires me, and when I read your books I feel likeI know the Ohmsfords personally. Thanks for all the memories and for the

inspiration. I know this isn’t a book of fiction, but at least I’m writing!Thanks, Terry.

And last but not least, God: for giving me the strength to write again andthe patience and endurance to finish the task.

From Karen Fishwick:

I’d like to dedicate this book to my children, Beth and Cam. Thanks forbeing willing to share Mommy with the computer and for obeying the sign

on the door.

❧

00 0789729180 FM 10/21/03 3:26 PM Page v

About the Authors

Tony Aveyard has been in the IT business for more than 20 years. Duringhis career, he has worked on the desk side support team and the data com-munications team, and has spent more than seven years in Notes adminis-tration. He’s currently leading the Web & eBusiness team for SiemensBusiness Services in Mason, Ohio. He lives in Cincinnati, Ohio, with Kathi,his lovely bride of five years; his two kids, Marie and Garet; and the belovedfamily dog, Tango. FPS and role-playing computer games are still a passionafter many years of world-conquering and Orc-killing, but the desire nearesthis heart is to be a full-time fiction writer and share his adventures with theworld.

Karen Fishwick has been actively working with Notes and Domino sinceRelease 3. She became a Certified Lotus Professional in Release 3 in 1995and a Certified Lotus Instructor in 1996. She has upgraded that certificationthrough each release of Notes/Domino and now holds the CLP designationfor R6 in both the system administration and application developmenttracks.

Karen has been delivering the certified Lotus curriculum to students all overCanada for more than eight years. Based in Ottawa, Canada, she providesconsulting and training services to a wide array of both public- and private-sector clients.

She has been involved as an author or technical editor for many book proj-ects over the past five years. Karen is ideally suited to be a co-author of thisbook because of her long-standing experience with the Lotus certificationtests. She has written exams in every release of the Domino SystemAdministration track, from R3 to R6. She has also participated as author oreditor in books dealing with Domino certification for R4, R5, and R6.

As an independent consultant, Karen has assisted many clients with bothadministration and development projects. Her focus over the past couple ofyears has been in the areas of administrative troubleshooting for servers andresolving access-control problems within applications.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

00 0789729180 FM 10/21/03 3:26 PM Page vi

Karen currently lives in Ottawa with her husband, Warren, and her 4-year-old twins, Beth and Cam. In her spare time, she enjoys cooking, playingsports, and taking an active role in her local church.

About the Contributing AuthorRandy Smith lives in Omaha, Nebraska with his wife, Patty, and two sons,Kevin and Eric. He began his Lotus Notes/Domino consulting career in1996 and founded R.D. Smith Consulting in 2000. Randy is an IBMCertified Advanced System Administrator and an IBM Certified AdvancedApplication Developer in Lotus Notes/Domino 6. He has also attainedPrincipal CLP certification in Lotus Notes/Domino R5 and R4 for bothApplication Development and System Administration. He is currently con-sulting at the State of Nebraska, where he supports their LotusNotes/Domino infrastructure and mentors their Lotus Notes developmentteams.

00 0789729180 FM 10/21/03 3:26 PM Page vii

.

About the Technical EditorsDennis Teague has been working with Lotus Notes/Domino since version4 came out. He has worked for several worldwide firms over the years doingNotes administration and network support. He has obtained his CLP in R4,R5, and R6 and his PCLP in R4 and R5 in Notes Administration. Thanks tohis wife for all her help in getting these certifications in Notes and Domino—drilling him with question after question until he knew why the answer wasright versus knowing, when she started out saying “Heidi is a Domino admin-istrator and has a user Milo that is having a problem replicating...,” that theanswer was C. He is glad that his wife, Susan, and his two sons, Trevor andDevon, allowed him the time to tech edit this book, so as to reinforce someof the practices he is already using in R6 and remind him of some other fea-tures that could be implemented.

David C. Wilde is a Lotus Notes senior consultant and Team Lead with thefourth-largest independent information technology services firm in NorthAmerica. His team is responsible for maintaining a Lotus Notes environmentthat supports well over 20,000 users spread across Canada and the UnitedStates. His expertise in system security and back-end system integration is inhigh demand, and he has been utilized to perform security audits for many ofthese clients.

David has more than 17 years of IT experience and has been specializing inLotus Notes for the last 8 years, with considerable time spent in both SystemAdministration and Application Development capacities. His Lotus Notesbackground includes certifications as an IBM certified Advanced SystemAdministrator—Lotus Notes and Domino in versions 4, 5 and 6, as an IBMAdvanced Application Developer—Lotus Notes and Domino in versions 4, 5and 6, and as an IBM Certified for e-business Solution Advisor.

David is also the former president and founder of the CONDORS LotusNotes and Domino User’s Group located in Saskatchewan, Canada. David iscurrently working toward his WebSphere and SUN Java certifications.

00 0789729180 FM 10/21/03 3:26 PM Page viii

Acknowledgments

I would like to thank Carol Ackerman for giving me the chance to writeagain and believing in me. Her patience and support have been invaluable indriving me to keep pressing forward. I would also like to say thanks to myfriends and co-workers who gave me the encouragement and showed gen-uine excitement at my chance to participate in another project. Andrew,Chris, Eric, Heather, Ken, and Susan, you’re the best.

—Tony Aveyard

I’d like to thank Que Certification for allowing me the opportunity to workwith them again on an interesting publication. Thanks also to my husband,Warren, for supporting me through the endless writing times, and to my par-ents, who help so much with child care for my kids so that I can work onprojects like this one.

—Karen Fishwick

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

00 0789729180 FM 10/21/03 3:26 PM Page ix

.

00 0789729180 FM 10/21/03 3:26 PM Page x

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Contents at a Glance

Introduction xxv

Self-Assessment xxxi

Chapter 1 Overview of Domino System AdministrationCertification Exams 1

Part I: Exam 620

Chapter 2 Installing and Configuring 13

Chapter 3 Mail 35

Chapter 4 Managing and Maintaining 61

Chapter 5 Replication 99

Chapter 6 Security 127

Part II: Exam 621

Chapter 7 Installing and Configuring 161

Chapter 8 Mail 189

Chapter 9 Monitoring Server Performance 207

Chapter 10 Replication 255

Chapter 11 Security 279

Part III: Exam 622

Chapter 12 Managing Non-Notes and Notes Clients 317

Chapter 13 Setting Up Server Monitoring 327

Chapter 14 Managing Servers 337

Chapter 15 Managing Users and Groups 363

00 0789729180 FM 10/21/03 3:26 PM Page xi

.

Chapter 16 Monitoring Server Performance 379

Chapter 17 Resolving Server Problems 391

Chapter 18 Resolving User Problems 407

Part IV: Sample Exams

Chapter 19 Practice Exam 620 425

Chapter 20 Answer Key for 620 445





Part V: Appendixes

Appendix A Resources 535

Appendix B What’s on the CD-ROM? 537

Appendix C Using the PrepLogic Practice Exams, PreviewEdition Software 539

Glossary 547

Index 565

00 0789729180 FM 10/21/03 3:26 PM Page xii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents

Introduction.....................................................................xxv

Self-Assessment..............................................................xxxi

Chapter 1Overview of Domino System Administration Certification Exams .......1

Assessing Exam-Readiness 2The Exam Objectives 3The Exam Situation 4Exam Layout and Design 5Lotus’s Testing Formats 7Exam-Taking Techniques 7Mastering the Inner Game 9Additional Resources 9

Part I Exam 620 .......................................................11

Chapter 2Installing and Configuring ...................................................13

Registering Servers 14Server Setup 14Setting Up Additional Domino Servers 16Setting Up Server Protocols and Ports 17

Implementing a Hierarchical Naming Scheme 18Maintaining Domino Certifier IDs 18

Configuring Directories 19Understanding the Domino Domain 19Implementing Distributed Versus Centralized Directories 20Creating Groups in the Directory 21Setting Up Administration Groups 22

Notes Client Configuration 22Registering New Users 22Installing Clients of Different License Types 23Setting Up and Configuring a Notes R6 User 24

00 0789729180 FM 10/21/03 3:26 PM Page xiii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiv Table of Contents

Deploying Notes User Authentication—Notes ID 25Maintaining Notes User IDs 26

Applying Policy Documents 26Applying Policies During New User Registration 27Applying Policies to Existing Users 27

Exam Prep Questions 29Need to Know More? 33

Chapter 3Mail .............................................................................35

Server Messaging Configuration 36Setting Up and Configuring Mail Routing 36Setting Up and Configuring Message Distribution UsingSchedules 38Forcing Mail to Route to a Specific Server 40Monitoring and Maintaining Mail Routing 41Troubleshooting Routing Problems 46

Basic Messaging Settings 48Creating Archiving Policies 48Implementing Mail Quotas 51Understanding Mail Encryption 52

User Messaging Configuration 53User Preferences Related to Mail 53Setting Workstations for Different Locations 54


Chapter 4Managing and Maintaining .................................................61

Application Deployment 62Deploying Server-Based Applications 62Deploying HTML-Based Applications 64Deploying Web Applications for Internationalization 65Deploying Applications Based on Coding: Formula Language,LotusScript, JavaScript, C 66Deploying Applications Based on Document Characteristics:Document Size 69

Managing Application Design 70Distributing Application Design Changes Using the DesignTask 70Replicating Design Changes 73

00 0789729180 FM 10/21/03 3:26 PM Page xiv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvTable of Contents

Application Maintenance 73Monitoring Application Size 74Maintaining Data Integrity 75

Domino Server Monitoring and Maintenance 77Monitoring Server Tasks 77Monitoring and Managing Log Files 78Monitoring and Managing Web Services 80Setting Up and Configuring Administration Monitoring Tools 84

Other Maintenance Tasks 87Migrating from a Distributed Directory to a Central Directory 87Creating a Policy Synopsis to Determine an Effective Policy 88Maintaining Users 89Maintaining Groups 91


Chapter 5Replication .....................................................................99

The Replica Task 100Understanding Document Replication Order 101Setting Up and Configuring Replication Through Force 101

Forcing Replication Using the Server Console 102Setting Up and Configuring Replication Through Scheduling 104

Replication Topologies 104Creating a Replication Connection Document 106

How Access Control Lists Affect Replication 108Guidelines for Assigning Server Access to Databases 109Other Access Control Settings That Affect Replication 112

Resolving Replication and Save Conflicts 113Choosing Which Document to Keep 114Using Design or Administration Techniques to PreventReplication or Save Conflicts 114

Clustered Replication 115Monitoring and Maintaining Replication 116

Monitoring Replication History 116Viewing the Replication Events View in the Log File 117Using an Event Generator to Monitor Replication 118Viewing Replication Schedules 118Replication-Topology Maps 118

00 0789729180 FM 10/21/03 3:26 PM Page xv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contentsxvi


Chapter 6Security ........................................................................127

Physical Security 128Securing Domino Applications Based on Password Encryption 129

Domino Server Security 129Securing Domino Resources Based on Notes Authentication 130Securing Domino Resources Based on the Domino Directory 131Securing Domino Resources Based on Web Authentication 134Setting Up and Configuring Server Access 135Monitoring and Maintaining Server Access Control 139Troubleshooting Common Server Access Problems 140

Domino Application Security 141Understanding the ACL 141Securing Applications with Groups 144Securing Applications with Authors Fields 146Securing Applications with Readers Fields 146Troubleshooting Data Access Control Problems 148

Creating Security Policies 149Exam Prep Questions 152Need to Know More? 157

Part II Exam 621 ......................................................159

Chapter 7Installing and Configuring ..................................................161

Capacity Planning Based on Performance 162Installing a Notes/Domino Release 6 Server 163

Setting Up Servers of Different Types 164Running the Installation Program 164

Setting Up and Configuring a Notes/Domino Release 6 Server 165Setting Up/Configuring Directories 169Deploying a Corporate Standard Welcome Page 170Creating/Registering Certificates 172

Creating an Organization Certifier ID 173Creating an Organizational Unit Certifier ID 174

Creating/Registering Users 175

00 0789729180 FM 10/21/03 3:26 PM Page xvi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents xvii

Certifying with a CA Key 175Setting Up Multiuser Support 176Setting Up Workstations for Different Clients 176Setting Up/Configuring Calendaring and Scheduling 177Setting Up Servers for Sharing Resources 177

Defining the Database ACL 178Completing the Site Profile 178

Setting Up/Configuring Transaction Logging 179Planning the Transaction Logging Implementation 180Setting Up Transaction Logging on the Server 181

Setting Up Servers for Load Balancing and Failover 181Applying Policy Documents to Existing Users 183Migrating from a Distributed Directory to a Central Directory 183Exam Prep Questions 185Need to Know More? 188

Chapter 8Mail ............................................................................189

Setting Up and Configuring Message Distribution Using Notes-Based Mail 190

Notes Routing to External Domains 191Implementing and Changing Mail Quotas 195Configuring Message Tracking 197Deploying Applications Based on Routing Fundamentals 199Exam Prep Questions 202Need to Know More? 205

Chapter 9Monitoring Server Performance ............................................207

Adding/Moving/Upgrading/Deleting Databases 208Backing Up/Verifying and Restoring Databases 210Creating Archiving Policies 210Deploying Applications Based on Coding 212Deploying Applications Based on Design Elements 212Deploying Applications Based on Design Elements: Shared VersusNonshared 214Deploying Applications Based on How Attachments Are Handled 214Deploying Applications Based on Replication Fundamentals 215Deploying Based on the NSF Structure: NSF Components 215Deploying Server-Based Applications: HTML 216Distributing Application Design Changes Based on Design 216Enabling/Disabling Compression 218

00 0789729180 FM 10/21/03 3:26 PM Page xvii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contentsxviii

Maintaining Domino Server IDs 218Maintaining Domino User IDs 220Managing Users 220

Creating and Setting Up Roaming Users 221Maintaining User Profiles 222Changing User Names 223Deleting Users 225Using the Administration Process 225

Monitoring Server Tasks 226Monitoring/Maintaining Domains 228Monitoring/Maintaining Mail Routing 229

Tracking Messages 230Resolving Mail Routing Errors 231

Monitoring/Maintaining/Repairing Databases 231Monitoring Database Size 232Using Database Maintenance Utilities 232Other Database Maintenance Tasks 234

Monitoring/Modifying Application Access Control 235Setting Up Authentication 236Setting Up/Configuring/Monitoring Monitors 236Troubleshooting Administration Process Problems 237Troubleshooting Clustering Problems 238Troubleshooting Network/Protocol Problems 239Troubleshooting Partitioning Problems 239Troubleshooting Port (Modem) Problems 240Troubleshooting User Problems 241Using a Java-Based Domino Console 241

Launching jconsole 241Using jconsole 242Exiting from jconsole 244

Using Distributed and Centralized Directories 244Using the Remote Console 245Managing User Passwords 247Monitoring/Maintaining Domain Access 247Exam Prep Questions 249Need to Know More? 253

Chapter 10Replication ....................................................................255

Setting Up and Configuring Replication Through Force 256Forcing Replication Using the Notes Client 257Forcing Replication Using the Domino Administrator Client 258

00 0789729180 FM 10/21/03 3:26 PM Page xviii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents xix

Setting Up and Configuring Replication Through Scheduling 260Streaming Replication 263Planning Applications Based on the Impact of Replication onDocument Distribution 263Understanding How the ACL Affects Replication 265

Guidelines for Assigning Server Access to Databases 266Understanding Changes to xACL Replication 269Replicating Design Changes 270Monitoring and Maintaining Replication 271Exam Prep Questions 273Need to Know More? 277

Chapter 11Security.........................................................................279

Setting Up Authentication 280Setting Up and Configuring ID Backup and Recovery 282

Specifying Recovery Information for a Certifier ID File andCreating a Mail-In Database to Store Backup ID Files 282Making User ID Files Recoverable 284Recovering an ID File 286

Managing User Passwords 287Using the ICL and the CRL 289

The Issued Certificate List (ICL) 290Certificate Revocation List (CRL) 290

Setting Up and Configuring Server Access 291Troubleshooting Common Server Access Problems 293

The Administrator Can’t Enter Commands at the Server 293Users Can’t See a New Server in the List of Servers 294The Server Is Not Responding 294

Adding Security to an Application 294Designing a Secure Application—Security Versus Deterrence 295Setting Up and Configuring Agent Access 297Monitoring and Maintaining Agents 300Setting Up and Configuring Database Access Using the ACL 302Securing Applications with Roles 304Securing Applications with Authors Fields and Readers Fields 305

Troubleshooting User Access Problems 306Users Report That They Can’t Access the Database 306Users Can’t Find a New Server in the List of Servers 307

00 0789729180 FM 10/21/03 3:26 PM Page xix

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contentsxx

Users Complain That They Can’t Seem to “See” All theDocuments in the Database 307A User Complains That He Can’t Edit a Document That HeCreated in the Database 307Users Complain That They Can’t Create Agents in theDatabase 308Users Complain That They Don’t Have the Correct AccessLevel Within the Database 308


Part III Exam 622 .....................................................315

Chapter 12Managing Non-Notes and Notes Clients .................................317

Applying Policy Documents to New Users 318Setting Up Browser Clients 319Setting Up Version Reporting and Updating Client Software 320Exam Prep Questions 322Need to Know More? 325

Chapter 13Setting Up Server Monitoring ..............................................327

Creating Event Generators 328Creating Event Handlers 329Enabling Agent Logging 329Identifying Mechanisms for Collecting Server Information 330Starting the Statistics Collectors Task 331Exam Prep Questions 333Need to Know More? 336

Chapter 14Managing Servers ...........................................................337

Analyzing Activity Data 338Applying Policy Documents to Existing Users 341Automating Server Tasks 342Changing Administrator Access 343Changing Server Access 344Configuring Domino Network Names 344Creating Security Policies 345Decommissioning a Server 346Defining a Backup Process 347Defining Domino Domains 348

00 0789729180 FM 10/21/03 3:26 PM Page xx

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents xxi

Enabling Protocols 349Enabling Transaction Logging 349

Transaction Logging Versions 350Implementing Transaction Logging 350

Identifying a Registration Server 351Implementing Distributed and Centralized Directories 352Recertifying a Server ID 353Searching for Server References in a Domain 354Setting Up Authentication with Other Domino Organizations 355

Creating a New Organization Certifier ID 356Creating a New Organizational Unit ID 356


Chapter 15Managing Users and Groups ...............................................363

Changing a User’s Group Membership 364Changing a User’s Location in the Hierarchy 365Changing a User’s Name 367Deleting Groups 368Deleting Users 368Extending a Notes ID’s Expiration Date 369Managing Groups 370Modifying Person Documents 371Moving a User’s Mail File 371Renaming Groups 372Setting Up Roaming Users 372Exam Prep Questions 375Need to Know More? 378

Chapter 16Monitoring Server Performance ...........................................379

Using the Domino Console 380Using the Domino Web Administrator 382Viewing Real-Time Statistics 384Viewing Statistics with Server Monitor 385Exam Prep Questions 387Need to Know More? 390

Chapter 17Resolving Server Problems ................................................391

Monitoring Application Size 392Monitoring Server Tasks 393

00 0789729180 FM 10/21/03 3:26 PM Page xxi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contentsxxii

Recovering from a Server Crash 393Solving Agent Manager Issues 394Solving Authentication and Authorization Issues 395

Verifying Correct Domino Directory Setup 396Verifying Server ID 397Troubleshooting User Problems 397

Troubleshooting Administration Process Problems 397Troubleshooting Replication Problems 398Troubleshooting Mail Routing Issues 399Using Event Triggers to Troubleshoot Problems 400Exam Prep Questions 401Need to Know More? 405

Chapter 18Resolving User Problems ...................................................407

Tracking User Mail Messages 408Troubleshooting Routing Problems 408Troubleshooting Server Access Problems 409

Directory Errors 410Other Techniques for Troubleshooting Server Access Problems 411

Troubleshooting Connection Problems 411Troubleshooting Data Access Control Problems 412Troubleshooting Database Issues 413Troubleshooting Workstation Problems 416Exam Prep Questions 417Need to Know More? 421

Part IV Sample Exams ...............................................423

Chapter 19Practice Exam 620 ...........................................................425

Chapter 20Answer Key for 620 ..........................................................445




00 0789729180 FM 10/21/03 3:26 PM Page xxii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents xxiii


Part V Appendixes ...................................................533

Appendix AResources .....................................................................535

Print Resources 535Web Resources 535

Appendix BWhat’s on the CD-ROM ......................................................537

The PrepLogic Practice Exams, Preview Edition Software 537An Exclusive Electronic Version of the Text 538

Appendix CUsing the PrepLogic Practice Exams, Preview Edition Software .....539

The Exam Simulation 539Question Quality 540The Interface Design 540The Effective Learning Environment 540Software Requirements 540Installing PrepLogic Practice Exams, Preview Edition 541Removing PrepLogic Practice Exams, Preview Edition from YourComputer 541How to Use the Software 542

Starting a Practice Exam Mode Session 542Starting a Flash Review Mode Session 543Standard PrepLogic Practice Exams, Preview Edition Options 543Seeing Time Remaining 544Getting Your Examination Score Report 544Reviewing Your Exam 544

Contacting PrepLogic 545Customer Service 545Product Suggestions and Comments 545

License Agreement 545

Glossary .......................................................................547

Index ............................................................................565

00 0789729180 FM 10/21/03 3:26 PM Page xxiii

.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

We Want to Hear from You!

As the reader of this book, you are our most important critic and commenta-tor. We value your opinion and want to know what we’re doing right, what wecould do better, what areas you’d like to see us publish in, and any other wordsof wisdom you’re willing to pass our way.

As an executive editor for Que Publishing, I welcome your comments. Youcan email or write me directly to let me know what you did or didn’t like aboutthis book—as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of thisbook. We do have a User Services group, however, where I will forward specific tech-nical questions related to the book.

When you write, please be sure to include this book’s title and author as wellas your name, email address, and phone number. I will carefully review yourcomments and share them with the author and editors who worked on thebook.

Email: [email protected]

Mail: Jeff RileyExecutive EditorQue Publishing800 East 96th StreetIndianapolis, IN 46240 USA

For more information about this book or another Que Certification title, visitour Web site at www.examcram2.com. Type the ISBN (excluding hyphens) or thetitle of a book in the Search field to find the page you’re looking for.

00 0789729180 FM 10/21/03 3:26 PM Page xxiv

Introduction

Welcome to the Notes and Domino 6 System Administration certificationIBM CP Exam Cram. The purpose of this book is to prepare you to take—andpass—the IBM/Lotus Certified Professional exams for version 6. This intro-duction explains the IBM Certified Professional exam and gives you an idea ofthe preparations required in getting ready to take the test. Additional infor-mation about Prometric and exam locations can be found at www.prometric.com.

Exam Cram books are not teaching guides. They assume that the reader hassome familiarity with the subject matter and are used to reinforce and pre-pare the tester for the exams. They will not teach you how to fully operate aspecific application or system, but they enable you to focus on passing theexam based on your experience and study. The authors have taken the examsand attempt to prepare you for the types of material that can be covered anditems of specific importance.

Whom Is This Book For?Nothing can prepare you for the exam better than actually using the producton a regular basis. Lotus Notes administration can be a challenging butrewarding experience, and the enhanced capabilities Lotus has introduced inversion 6 have made it even more flexible and powerful as a workflow appli-cation.

The most complete training program you can experience is actually per-forming the administrative tasks on a regular basis. On-the-job training,along with supervised classroom instruction led by a trainer who has actuallyhad experience running a Notes Network, is invaluable to becoming a world-class administrator. Reading a book or taking a CBT will help you understandthe basics of how the Notes components all work together, but nothing cancompare to spending a weekend upgrading or installing a server and encoun-tering all of the “challenges” that can occur. Experience is the best teacher,and it will set you apart from the other Notes IBM CPs who have only apaper certification with no real experience. We strongly recommend that if

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

00 0789729180 FM 10/21/03 3:26 PM Page xxv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Introductionxxvi

you are not currently involved in daily Notes Administration, you downloadand install the R6 server and client trials at www.lotus.com.

The Lotus Notes and Domino 6System Administration CertificationCLP ExamsTo achieve the IBM CP certification, you must pass three separate tests:

➤ Exam 620: “Notes Domino 6 System Administration OperatingFundamentals.” The skills tested in this exam include installing and con-figuring Domino Servers, using Mail, managing and maintaining Servers,using replication, and managing security.

After you have passed the Exam 620, you earn a certification of CertifiedLotus Specialist.

➤ Exam 621: “Notes Domino 6: Building the Infrastructure.” The skillstested in this exam are also installing and configuring Domino domains,using Mail, managing and maintaining Domino domains, using replica-tion, and managing security.

➤ Exam 622: “Notes Domino 6: Managing Servers and Users.” The skillstested in this exam are managing non-Notes and Notes clients, managingservers, managing users and groups, monitoring server performance,resolving server problems, resolving user problems, and setting up servermonitoring.

After passing the preceding two exams, you become an IBM CertifiedSystem Administrator—Lotus Notes and Domino 6.

One additional test is available if you want to achieve a certification of IBMAdvanced System Administrator:

➤ Exam 623: “Notes Domino 6: Configuring Domino Web Servers.” Theskills tested in this exam are handling administration, installing and con-figuring Domino Web Servers, and managing security.

00 0789729180 FM 10/21/03 3:26 PM Page xxvi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Introduction xxvii

Scheduling the ExamAfter you have studied this book and taken and consistently passed the sam-ple tests, you must schedule the exams with Prometric at www.prometric.com.When this book was written, the cost for the exams was $100, but this isalways subject to change. You are required to pay for the exam in advanceusing a credit card. If you have a problem that requires you to reschedule theexam, you must contact the exam site directly. When you schedule the exam,you might be required to give some or all of the following information:

➤ Your name

➤ Your Social Security, social insurance, or Prometric testing ID number

➤ Contact phone numbers

➤ Mailing address

➤ Exam number and title

➤ Eligibility information

➤ Email address

Taking the ExamSchedule your exam at a time that will enable you to arrive early to the testsite with a minimal amount of frustration. There’s nothing more tiring ordistracting than having to fight bad traffic or inclement weather on the wayto the test site; make sure you arrive with ample time to regain your concen-tration and composure. A good night’s sleep goes a long way toward main-taining your concentration, so try to work that in as well.

When you arrive at the exam site, you will check in with the exam facilita-tors, who will verify your exam time and your identity. You will be asked toprovide two valid forms of identification, one of which must be a picture ID,such as a driver’s license. After you have successfully checked in at the examcenter, you will be asked to leave your cell phone, your keys, and any papersor books at a designated location, where they will be monitored for you. Youwill then be taken to an exam station.

When you sit down at the exam station, you will be given a piece of paperthat includes your login ID and that you can also use as scrap paper. An examfacilitator will then assist you in logging in and selecting the test that you

00 0789729180 FM 10/21/03 3:26 PM Page xxvii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Introductionxxviii

have been assigned. Before you begin the test, take a look at your surround-ings to make sure that the area is conducive to test taking. Make sure that thelighting in the test station is adequate and that your chair is comfortable andadjusted properly. You might be sitting in this station for more than an hour,and you want to make sure that you are not distracted by bright lights orexcessive noise. If the conditions are not properly conducive to taking theexam, speak to the exam facilitator and ask to have them corrected, orreschedule the test for a later time, after the problems have been corrected.

You will be observed while you are taking the test, so be prepared to havesomeone in the testing room. Additionally, depending on when you are tak-ing the test, you might be the only person in the room or the room might befull. If something needs to be corrected, bring it to the examiner’s attentionimmediately.

The most important thing about taking the test is this: Don’t rush. You willhave an adequate amount of time to take the test, so there is no reason tohurry. Read each question carefully, and make sure you understand exactlywhat is being asked and in what context. If a question seems confusing, markit and come back to it later. Answer the questions that you are certain of ini-tially, and return to the more difficult ones later. However, make sure thatyou read each question completely and understand what is being asked.Often test-takers avoid choosing incorrect answers simply by taking the timeto read the question more than once.

When you complete the exam, you might be presented with a quick survey.The test facilitator will require you to complete the survey before allowingyou to leave. After you have completed the survey, you will be given your testscore and then escorted back to the arrival area, where you will be presentedwith a printout of your score and you can pick up your personal items.

About This BookEach Exam Cram chapter follows a standard format, along with graphicalcues containing important information that the reader will need to remem-ber.

Each chapter begins with hotlists. These are bulleted lists that highlightterms, concepts, and techniques that you will need to become familiar withthroughout the chapter.

➤ The first list is titled “Terms You’ll Need to Understand.” This list con-sists of important terms that you will need to learn and understand. These

00 0789729180 FM 10/21/03 3:26 PM Page xxviii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Introduction xxix

terms appear in the order in which they appear in the chapter (these termsand others are included in the book’s glossary).

➤ The second list is titled “Techniques/Concepts You’ll Need to Master.”This list might be a mix of concepts and techniques related to exam objec-tives that you must master by the end of the chapter before proceeding.

The chapters are presented in a logical order that builds upon each conceptcovered in the certification exam. Within each chapter, pay attention to thesespecial elements:

An exam alert stresses concepts, terms, configurations, or activities that might relateto one or more certification exam questions. You should note items identified by thealert notice as vital to successfully passing an exam question.

Tips, notes, and cautions are used to describe shortcuts, some efficient ways toaccomplish a task, an “inside take” on some alternative way to accomplish a task,asides that provide good information that supplements the regular text, or cautionsabout potential pitfalls to watch for. Longer sidebars might offer case studies orextended examples to illustrate the current topic.

➤ Practice questions—Near the end of each chapter, you’ll find a set of prac-tice questions to test your comprehension of the material you’ve just read.Be sure to complete each question; if you have difficulty, reread thatmaterial in the text until you have a better understanding of the concepts.

➤ Backup detail and additional resources—At the end of each chapter is a list ofother sources you can use to further your understanding of the materialcovered in that chapter of the Exam Cram. Remember, the intent of thisbook is to prepare you for the exam, not teach you how to become anexperienced Notes/Domino administrator.

➤ The Cram Sheet—In the front of this book you will find a removable sheetof tips and important points that you will need to remember for yourexam. Keep in mind that when you are in the exam center, you will not beable to take notes or look over any study aids, so arrive early enough totake one final look at the Cram Sheet before going into the testing area.

00 0789729180 FM 10/21/03 3:26 PM Page xxix

.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Introductionxxx

How to Use This BookAlthough this book has been modeled from the proposed exam requirementsat www.lotus.com, we also have organized the content to present informationin a logical flow. If you feel comfortable with your knowledge of some of thebook’s material, focus your study on other sections of the book and pay spe-cial attention to these items in the practice tests.

If you find errors or material that could be presented more clearly, feel freeto contact us at [email protected].

00 0789729180 FM 10/21/03 3:26 PM Page xxx

Self-Assessment

The authors have included a Self-Assessment in this Exam Cram to help youevaluate your readiness to take the IBM Certified System AdministratorLotus Notes and Domino 6 certification exams. The exams are broken intothree sections; 620, “Notes Domino 6 System Administration OperatingFundamentals”; 621, “Notes Domino 6: Building the Infrastructure”; and622, “Notes Domino 6: Managing Servers and Users.” Before jumping in tostudy the material required for the exams, let’s take a few moments to discusswhat it’s like to be a Domino Administrator.

Domino Administration in TheseChallenging TimesAs of the writing of this book, the IT industry is struggling as companiesreinvent themselves after the dot-com failure of the last decade. Althoughthe industry isn’t the free-for-all, high-salary industry it once was, it’s stillflourishing and people are working and making good salaries. What’s differ-ent now is that, in the past, a simple paper certification would allow some-one to get an interview and a subsequent hiring. The situation has nowchanged, and candidates are interviewed and tested before they are hired tomake sure they have the experience to hit the ground running. Our goal inthe next section is to show you what is expected of a Domino Administratorand what you can do to gain an edge over other candidates.

Whether you’re an experienced Domino Administrator and are trying tomove to the next certification level, or someone who is picking up this bookout of curiosity, everyone had to start somewhere. No one has just walkedinto an exam center without ever cracking a book or administering a serverfor a significant amount of time and passed all of the Notes exams on the firsttry. Although the Domino product line is easy to learn when you understandthe fundamentals of the products, it is a highly specialized application andtakes skill and training to support.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

00 0789729180 FM 10/21/03 3:26 PM Page xxxi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Self-Assessmentxxxii

You need to take a skills inventory to determine your strengths and weak-nesses and what you need to do to get to the level you desire. Keep in mindthat the authors and tech editors of this book all started in the same place.We all built our first server, created our first user ID, and spent a late nightor early morning trying to figure out why that one troublesome server wouldnot route mail when everything else in the Domain worked fine. Don’t bediscouraged. It has all been worth it, and we are better for the challenges wehave faced and conquered. Our goal with this Exam Cram is to make at leastone part of the challenge easier, and that’s to help in passing the exams. We’llshow you what to focus on when you study, and we’ll point out things we feelare important not only in passing the test, but also in broadening your skillbase.

The “World Class” DominoAdministrator What does it take to be a “world-class” administrator and stand out from thecrowd? In this section, we point out some items that we feel are essential toa Domino Administrator. Based on how long you have been in the IT indus-try, you might meet some or all of these requirements. Don’t be discouragedif you take a look at the list and recognize only some of your skills. The goalis to identify areas that you can work on and improve. Here are some rec-ommended “baseline” qualifications for anyone pursuing certification as aDomino Certified System Administrator:

➤ Academic or professional training in Windows or Linux operating sys-tems, and certifications in each discipline at an administrator level. A well-trained administrator will be able to see where a problem might beoccurring in the Domino configuration and will also be able to think out-side the box for other system-related issues and how to correct them.

➤ Three-plus years of professional system administration experience,including experience installing and upgrading operating systems, doingperformance tuning, troubleshooting problems, creating users, and man-aging backup and recovery scenarios. There is no substitute for real-worldexperience; although having a lab environment can be instrumental intesting new configurations, it might not assist in troubleshooting prob-lems

00 0789729180 FM 10/21/03 3:26 PM Page xxxii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Self-Assessment xxxiii

Remember, you are trying to distinguish yourself from the other administra-tors and stand out in the crowd. Consider two things when assessing yourreadiness for the certification exams:

➤ Even a modest background in computer science is helpful.

➤ Hands-on experience with a Domino server is essential for certificationsuccess. Nothing compares to real-world experience.

We believe that most certification candidates meet these requirements. Withthis level of experience in general administration, half the battle is won. Nowyou just need to focus on finishing the job and acquiring the Domino knowl-edge needed to finish the picture.

Put Yourself to the TestThe following series of questions and observations is designed to help youdetermine how much work you’ll face in completing the IBM LotusCertification Exams and where to turn for help in getting ready for the tests.Be absolutely honest in your answers, or you’ll end up wasting money onexams that you’re not ready to take. There are no right or wrong answers,only steps along the path to certification.

Educational Background1. Have you ever taken any computer-related classes? (Yes or No)

If yes, proceed to question 2; if no, consider a CBT or class at a localcommunity college to gain a base understanding of computer operatingsystems administration.

2. Have you taken any classes on the Domino application? (Yes or No)

If yes, you will probably be able to handle the discussions related toDomino system administration. If you’re rusty, brush up on the basicconcepts related to building a server and creating users. If the answer isno, consider reading a book in this area. We strongly recommend a goodDomino administration book, such as Lotus Notes & Domino EssentialReference, by Tim Bankes and Dave Hatter (1999). If this title doesn’tappeal to you, check out reviews for similar titles at your favorite onlinebookstore.

3. Have you taken any networking concepts or technologies classes? (Yes or No)

00 0789729180 FM 10/21/03 3:26 PM Page xxxiii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Self-Assessmentxxxiv

If yes, you will probably be able to handle the networking terminology,concepts, and technologies. If you’re rusty, brush up on basic network-ing concepts and terminology. If your answer is no, you might want tocheck out some titles on the Transport CommunicationProtocol/Internet Protocol (TCP/IP).

4. Have you done any reading on certificates or public/private keys? (Yes or No)

If yes, review the requirements from questions 2 and 3. If you meetthem, move to the next section, “Hands-On Experience.” If youanswered no, consult the recommended reading for both topics. Thiskind of strong background will be of great help in preparing for theLotus exams.

Hands-On ExperienceThe next question assesses the extent of your hands-on experience as aDomino server administrator. Nothing will prepare you for the exams morethan actually working on a Domino server. If we leave you with only onerealization after taking this Self-Assessment, it should be that there’s no sub-stitute for time spent installing, configuring, and using the Domino admin-istration procedures and processes covered in the exams.

5. Have you installed, configured, and worked with Domino version 6?(Yes or No)

If yes, make sure you understand the basic concepts covered in Exams620, 621, and 622.

If you haven’t installed Domino version 6, download an evaluation copyfrom www.lotus.com and install the enterprise server and the three admin-istrator clients. Then learn about the installation and administrationconcepts required for the exams.

You can obtain the exam objectives, practice questions, and other informationabout Domino exams from the Lotus Certification page on the Web atwww.lotus.com.

Testing Your Exam-ReadinessWhether you attend a formal class on a specific topic to get ready for anexam or use written materials to study on your own, some preparation for

00 0789729180 FM 10/21/03 3:26 PM Page xxxiv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Self-Assessment xxxv

the Domino certification exams is essential. If you can, attend an instructor-led class at an authorized Lotus training facility. If you can’t afford a class,practice exams are available to gauge your readiness. Check for the practiceexams at the Lotus Web site, www.lotus.com. Search the Internet for Lotussites that might have information about what to expect from people whohave taken the exam and what their experiences were. The most effectivething that you can do is study, study, study.

We have included in this book several practice exam questions for each chap-ter and a sample test. If you don’t score well on the chapter questions, youcan study more and then tackle the sample tests at the end of each part.

6. Have you taken a practice exam on your chosen test subject? (Yes or No)

If yes and you passed consistently, you’re probably ready to take the realexam. If you’re struggling, keep studying and taking the exams until youpass. If you answered no, obtain all practice tests you can find (or afford),study this book, and retake the tests.

Using Other Sources to Prepare forthe Lotus 620, 621, and 622 Exams In addition to the information in this chapter, other resources are availableto help you prepare for the exams. As previously discussed, the Lotus Website, www.lotus.com, is a great source for information about the certificationexams. Another great Web site for general Lotus information is www.

lotusadvisor.com. If you have access to an NNTP news server, the compnewsgroups comp.groupware.lotus-notes and comp.groupware.lotus.notes-adminare great resources for Domino information. Whitepapers and redbooks arealso available at www.redbooks.ibm.com.

Onward, Through the Fog!After you’ve taken a look at your skills and decided where you want to focusyour studies, nothing is left but to get started. Every journey begins with thatfirst step, and you have already taken it by picking up this book. Study, takethe practice exams, and then go back and study the areas where you strug-gled. When you’re consistently passing the practice exams, go to the testingcenter with confidence and pass the tests.

00 0789729180 FM 10/21/03 3:26 PM Page xxxv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Self-Assessmentxxxvi

Remember this wisdom from Wayne Antaw: “Lessons learned by ourselveshave a greater value than lessons learned through others.”

Now, go study and pass the tests.

Good luck!

00 0789729180 FM 10/21/03 3:26 PM Page xxxvi

Overview of DominoSystem AdministrationCertification Exams

Terms you’ll need to understand:✓ Self-assessment✓ Practice test✓ Testing center✓ Exam proctor✓ Passing mark✓ Radio button✓ Review mark

Techniques you’ll need to master:✓ Preparing to take a certification exam✓ Preparing to take a certification exam using practice questions

and tests✓ Understanding the intricacies of the testing software and its

interface✓ Budgeting your time to allow you to answer all questions✓ Formulating a test-taking strategy in advance to ensure

success

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1

01 0789729180 CH01 10/21/03 2:47 PM Page 1

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 12

Regardless of how much you’ve studied, exam taking is not likely somethingyou’ll enjoy. In most cases, familiarity helps relieve test anxiety. You proba-bly won’t be as nervous when you take your second or third Domino certifi-cation exam as you will be when you take your first one.

Whether it is your second exam or your tenth, understanding the finer pointsof exam taking (how much time to spend on questions, the setting you willbe in, and so on) and the exam software will help you concentrate on thequestions at hand rather than on the surroundings. Likewise, mastering somebasic exam-taking skills should help you recognize—and perhaps even out-smart—some of the tricks and traps you are bound to find in several of theexam questions.

This chapter explains the Lotus Domino System Administration exam envi-ronment and software, and describes some proven exam-taking strategiesyou can use to your advantage when preparing for and taking the exams.

Assessing Exam-ReadinessBefore you take any Domino exam, we strongly recommend that you readthrough and take the Self-Assessment included with this book (it appears inthe Introduction). It will help you compare your knowledge base with therequirements for obtaining the Domino R6 System Administrator certifica-tion and help you identify parts of your background or experience that mightneed improvement through experience or learning. If you get the right set ofbasics under your belt, obtaining Domino certification is that much easier.

After you’ve gone through the Self-Assessment, you’ll have a better idea ofwhat your strengths and weaknesses are so that you can judge how muchtime to spend in studying the different subject areas.

Your next step in preparing for the Domino exams should be to visit theLotus Certification Web site to look at Lotus’s recommended exam-prepara-tion strategy. Lotus outlines a preparation method for each of the threeadministration exams at www.lotus.com/. Look for the link to Training andCertification on the left side of the page, and then navigate to LotusCertification and finally Exam Preparation, all on the left menus.

After you’ve worked through this Exam Cram, read the supplementary mate-rials, and taken the practice tests at the end of the book, you’ll be wellprepared to take the exam.

01 0789729180 CH01 10/21/03 2:47 PM Page 2

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Overview of Domino System Administration Certification Exams 3

The Exam ObjectivesYour next step in preparing for the Domino exams should be to visit the LotusCertification Web site to look at Lotus’s recommended exam-preparationstrategy. Use the URL mentioned in the previous section to locate the examLotus exam guides. Lotus recommends that you download its exam guide fora complete listing of exam competencies and that you prepare for the exam byusing a combination of training, hands-on practice, practice exams, and otherthird-party materials. We’ve structured this Exam Cram book so that eachchapter covers all of the topics listed in the exam-preparation guide. We’vestuck closely to the wording used in the exam guide for each of the topics, butwe’ve reordered the topics within each chapter so that topic areas are groupedby subject, which allows us to present the material in a more logical order.

After reading through the exam guide, you can proceed to work your waythrough this Exam Cram book. This book covers the exam competencies forall three administration exams:

➤ Exam 620, “Notes Domino 6 System Administration OperatingFundamentals”: Chapters 2 to 6

➤ Exam 621, “Notes Domino 6: Building the Infrastructure”: Chapters 7to 11

➤ Exam 622, “Notes Domino 6: Managing Servers and Users”: Chapters12 to 18

If you haven’t taken any of the exams, you’ll likely want to prepare for andtake the exams in order, starting with Exam 620. You might want to consid-er reading the material for both Exams 620 and 621 before attempting eitherexam because there is quite a bit of overlap in the exam topics for those twoexams. Exam 622 has a more unique topic listing, so you can prepare for thatexam separately from the other two.

After you’ve worked your way through the chapters related to each exam andhave read some of the suggested supplementary materials, you’ll want to trythe practice tests included with this book. You might also want to purchaseadditional practice tests. Refer to the Lotus Certification Web site listed ear-lier for up-to-date listings of practice exam vendors.

You’ll likely want to continue practicing the tests until you achieve a score of 90%or higher.

01 0789729180 CH01 10/21/03 2:47 PM Page 3

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14

The Exam SituationFirst, it’s important to note that all Lotus exams are administered by a third-party testing center, not by Lotus itself. To register for the exam, you’ll needto contact the testing vendor. Two testing vendors administer the Lotusexams:

➤ Thompson Prometric (formerly Sylvan Prometric): 1-800-74-LOTUS,or www.prometric.com

➤ CAT Global (now owned by Promissor): www.catglobal.com

The testing vendor will ask for all of your personal information, as well asthe name of the exam you want to take, the name and location of the testingcenter, and your payment method. Each exam attempt costs $100, payable atregistration.

When you arrive at the testing center where you scheduled your exam, youwill need to sign in with an exam proctor. The proctor will ask you to showtwo forms of identification, one of which must be a photo ID. After you havesigned in, you will be asked to deposit any books, bags, or other items youbrought with you. The exam proctor will advise you to go to the restroombefore you start the exam because you won’t be allowed to leave the examroom after the exam has started. Then you’ll be escorted into the closedroom that houses the exam seats.

All exams are completely closed book. In fact, you won’t be permitted to takeanything with you into the testing area. You will be furnished with a pen orpencil and a blank sheet of paper—or, in some cases, an erasable plastic sheetand an erasable felt-tip pen. You are allowed to write down any informationyou want on both sides of this sheet. You might want to jot down notes fromthe Cram Sheet on this piece of paper before you begin writing the exam.The exam proctor will help you log in to the exam using the testing ID pro-vided by the testing vendor.

Typically, the room will be furnished with one to half a dozen computers, andeach workstation will be separated from the others by dividers designed tokeep you from seeing what is happening on someone else’s computer. Mosttest rooms feature a wall with a large picture window. This permits the examproctor to monitor the room, to prevent exam takers from talking to oneanother, and to observe anything out of the ordinary that might go on.

All Domino certification exams allow a predetermined, maximum amount oftime in which to complete your work. This time is indicated on the exam byan onscreen timer in the upper-right corner of the screen, so you can check

01 0789729180 CH01 10/21/03 2:47 PM Page 4


the time remaining whenever you like. At the beginning of each test is a tuto-rial that you can go through if you are unfamiliar with the testing environ-ment. The time allocated for the tutorial is not included in the testing time.

All exams are computer generated and use a multiple-choice format. Theexams vary in the number of questions asked, the amount of time allocatedper exam, and the passing mark for each exam. Table 1.1 lists the informa-tion available for each of the three exams at the time of printing:

Table 1.1 Exam Details for Each Exam

Number of Exam Number Time Allocated Questions Passing Score

620 1 hour 45 75%

621 1 hour 45 70%

622 1 hour 45 72%

When Exam 622 is released in gold format, the exam format likely will follow the for-mat for Exam 621—a one-hour exam with 45 questions and a passing score of 70%.

When you complete a Domino certification exam, the software tells youwhether you have passed or failed. The results are then broken down intoseveral competencies. You are shown the percentage of correct answers foreach individual competency. Even if you fail, you should ask for and keep thedetailed report that the test proctor prints for you. You can use this report tohelp you prepare for another attempt, if needed. If you need to retake anexam, you will have to schedule a new test with Prometric or CAT Globaland pay for another exam attempt. Keep in mind that because the questionscome from a pool, you will receive different questions the second timearound.

In the following section, you will learn more about how Domino test ques-tions look and how they must be answered.

Exam Layout and DesignAll exam questions present multiple-choice answers and require you to selecta single answer. At the time of this printing, Lotus has confirmed that thereare no multiple-answer questions on the Domino exams. The followingquestion is an example of a multiple-choice question that requires you to

01 0789729180 CH01 10/21/03 2:47 PM Page 5

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16

select a single correct answer. Following the question is a brief explanationof why the answer is correct.

Question 1

When is mail routed between servers that are in the same Domino NamedNetwork?

❍ A. Immediately

❍ B. Every 10 minutes

❍ C. According to the schedule in the Connection document

❍ D. When there are five messages pending

Answer A is correct. The router immediately routes mail to servers in thesame Notes Named Network. The messages are immediately routed fromthe MAIL.BOX file on the sender’s server to the MAIL.BOX file on therecipient’s server. Because servers in a Notes Named Network share a com-mon protocol and are always connected, you do not need to createConnection documents for mail routing.

Although there are no multiple-answer questions on the exams, there might be ananswer like this one: “D. All of the above.” This answer means that A, B, and C are allcorrect, and, therefore, the answer should be D. Make sure you carefully read allanswers to determine whether to choose the “All of the above” option.

This sample question format corresponds closely to the Lotus CertificationExam format—the only difference on the exam is that questions are not fol-lowed by answer keys. To select an answer, position the cursor over the radiobutton next to the answer and then click the mouse button to select theanswer.

At the end of every chapter are several practice exam questions to help testyour knowledge of the competencies covered in that chapter. Most of thequestions are single-answer questions; however, there may be a few multiple-answer questions in which you are asked to select more than one rightanswer. We’ve included these questions to help you learn the material, butthere will be no multiple-answer questions on the exam. For that reason,you’ll notice that the practice exams at the end of the book use single-answerquestions only.

01 0789729180 CH01 10/21/03 2:47 PM Page 6


Lotus’s Testing FormatsWhen you start the exam, the timer begins ticking immediately. The timerappears in the top-right corner of the screen. You’ll want to keep your eyeson the timer from time to time to ensure that you’re managing your timewisely.

The question number also appears on the screen, followed by the total num-ber of questions. For example, if you’re on question 3, the screen will read“Question 3 of 45,” so you’ll know how many questions you’ve completed ofthe total number of questions. There will also be a Mark Question checkbox, to allow you to mark a question to find the question easily at the end.

When you’ve completed all questions, you’re presented with a summaryscreen that shows all questions with their corresponding answers. The screenshows a mark beside the questions you chose to mark. You’ll be able to pusha button that allows you to Review All questions or to Review Marked ques-tions. You can then go back through the questions and change your answer,if desired.

When you’ve finished reviewing your questions, you can push the button toend the exam. You’re prompted to confirm that you want to end the exam.When you’ve confirmed that you have finished the exam, the computer takesa few moments to tally your score. You then are informed of your score andwhether you passed or failed. A printout of your marks prints to the proctor.The proctor then stamps your printout with the seal of the testing center, toprove the printout’s authenticity. At that point, you must retrieve yourbelongings, and you’re free to go.

Exam-Taking TechniquesEach exam has 45 questions (assuming that Exam 622 also follows this for-mat), and you have 60 minutes to complete the exam. Here is our advice onhow you should approach your exam.

Read the first question quickly, and scan the list of answers provided. Thenreread the same question carefully, and read each answer carefully. If you aresure that you know the answer to the question, choose the correct radio but-ton. Then proceed to the next question without marking it.

If after reading the question carefully you don’t know the answer, take yourbest guess and mark one of the radio buttons as your answer. Then choosethe Mark Question check box at the top of the page. Proceed this waythrough the entire exam until you’ve completed all of the questions. You

01 0789729180 CH01 10/21/03 2:47 PM Page 7

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18

should allow yourself approximately 1 minute per question, which shouldleave you with 15 minutes to spare at the end of the exam. Watch the clockevery so often, to see if you’re on track for your timings. If you’re on ques-tion 23, you should have spent approximately 23 minutes on the test, and youshould have 37 minutes left. If you’re ahead of schedule, you can slow downa bit and take more time with each remaining question. If you’re behindschedule, you should try to speed up a bit.

When you’ve answered each question and you’re looking at the questionsummary, review only the questions you’ve marked. You should have approx-imately 15 minutes left, during which time you can proceed through themarked questions and change your answer if you think you’ve found a betteranswer. Make sure that you choose the Review Marked button and not theReview All button so that you don’t have to go through all of the questionsagain.

On the Lotus exams, you’re allowed to change your answer to the question whetheryou marked it or not. You can go forward and backward through the questions andchange answers if you find you’ve made a mistake. Lotus exams are more flexiblethan some types of exams that don’t allow you to go back to a question after you’veanswered it. Rest assured that if you think you made a mistake, you can always goback to any question and change your answer.

When you’ve reviewed all of the marked questions, if you still have time left,you might want to consider reviewing all of the questions. Personally, I don’treview the questions for which I am sure of the correct answer, to avoid second-guessing myself and changing a potentially right answer to a wrongone.

Make sure that you read each question carefully. Some questions are deliberatelyambiguous, some use double negatives, and others use terminology in incrediblyprecise ways. I have taken numerous exams—both practice and live—and in nearlyevery one I have missed at least one question because I didn’t read it closely or care-fully enough.

Based on exams I’ve have taken, some interesting trends have become appar-ent. For most questions, usually two or three of the answers will be obvious-ly incorrect, and one or two of the answers will be possible—of course, onlyone can be correct. Unless the answer leaps out at you, begin the process ofanswering by eliminating those answers that are most obviously wrong. Ifyou have done your homework for an exam, no valid information should becompletely new to you. In that case, unfamiliar or bizarre terminology mostlikely indicates a bogus answer.

01 0789729180 CH01 10/21/03 2:47 PM Page 8


If you are not finished when 95% of the time has elapsed, use the last fewminutes to guess your way through the remaining questions. Remember thatguessing is potentially more valuable than not answering: Blank answers arealways wrong, but a guess could turn out to be right. Make sure that youenter an answer for every question.

Mastering the Inner GameKnowledge breeds confidence, and confidence breeds success. If you studythe information in this book carefully and review all the practice questions atthe end of each chapter, you should become aware of the areas for which youneed additional learning and studying.

Follow up by reading some or all of the materials recommended in the“Need to Know More?” section at the end of each chapter, and check theresources offered in Appendix A, “Resources.” Don’t hesitate to look formore resources online. Remember that the idea is to become familiar enoughwith the concepts and situations you find in the sample questions that youcan reason your way through similar scenarios on a real exam. If you knowthe material, you have every right to be confident that you can pass the exam.

Make sure you follow up and review materials related to the questions thatyou miss on the sample test before scheduling a real exam. The key is toknow the why and how. If you memorize the answers, you do yourself a greatinjustice and might not pass the exam. Only when you have covered all theground and feel comfortable with the whole scope of the sample test shouldyou take a real one.

With the information in this book and the determination to supplement yourknowledge, you should be able to pass the certification exam. Get a goodnight’s sleep and prepare thoroughly; you should do just fine. Don’t forget toeat something before you attempt the exam—don’t take it on an empty stom-ach. Good luck!

Additional ResourcesA good source of information about Domino certification exams comes fromthe software vendor—in this case, Lotus. The best place to go for exam-related information is online at www.lotus.com/certification.

01 0789729180 CH01 10/21/03 2:47 PM Page 9

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 110

Coping with Change on the WebSooner or later, all the information we have shared about Web-based resources mentionedthroughout this book will go stale or be replaced by newer information. There is always a wayto find what you want on the Web if you are willing to invest some time and energy. Lotus’s sitehas a site map to help you find your way around. Most large or complex Web sites offer searchengines. Finally, feel free to use general search tools to search for related information.

01 0789729180 CH01 10/21/03 2:47 PM Page 10

PART IExam 620

2 Installing and Configuring

3 Mail

4 Managing and Maintaining

5 Replication

6 Security

02 0789729180 Pt 1 10/21/03 2:38 PM Page 11

02 0789729180 Pt 1 10/21/03 2:38 PM Page 12

Installing and ConfiguringTerms you’ll need to understand:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2

✓ Server registration✓ Server ID✓ CERTLOG.NSF✓ Server setup✓ Utility server✓ Messaging server✓ Enterprise server✓ Protocol✓ Port✓ Hierarchical naming

✓ Certifier ID✓ Organizational unit (OU)✓ Directories✓ Domain✓ Group✓ User registration✓ Client license✓ Smart Upgrade✓ User ID✓ Policy settings document

Techniques and concepts you’ll need to master:✓ Registering and setting up a Domino

server✓ Knowing server and user license types✓ Setting up server protocols and ports✓ Understanding Domino domains and the

role of the Domino Directory✓ Creating groups in the Domino Directory

✓ Implementing central and distributeddirectories

✓ Registering, installing, and setting upNotes clients

✓ Maintaining and deploying Notes user IDs✓ Applying policy documents

03 0789729180 CH02 10/21/03 2:39 PM Page 13

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 214

It’s important to remember that this chapter does not provide a comprehen-sive, step-by-step approach to installation, but rather covers only the topicsspecified in the exam guide for this particular exam. For this reason, we don’tgo through the installation process from start to finish. The best way to pre-pare for the Installation and Configuration portion of the exam is to performthe installation and configuration tasks several times with the actual software,and then review the exam-specific topics covered in this book.

If you’re looking for a comprehensive installation guide, please consult theLotus Domino Administration Help database. Look for the topic called“Installation” in the Contents section.

Registering ServersSetting up a Domino server involves two processes: server registration andserver setup. If the Domino server is the first server in the domain, then thesetwo steps are combined into a single step.

Server registration allows the administrator to create an identity for the newserver in the domain’s Domino Directory. The registration process does thefollowing:

➤ Creates a server ID for the new server and certifies it with the certifierID. The server ID is a file that uniquely identifies each server within anorganization, and allows the server to authenticate with other serversand with users.

➤ Creates a Server document for the new server in the Domino Directory.

➤ Encrypts and attaches the server ID to the Server document and savesthe ID on a disk or in a file on the server.

➤ Adds the server name to the LocalDomainServers group in the DominoDirectory.

➤ Creates an entry for the new server in CERTLOG.NSF.

Server SetupAfter registering the server, the administrator must set up the server. Serversetup involves installing the Domino software, and then configuring thatsoftware using the ID file generated during the registration process. Performthe following steps to install the Domino server software:

03 0789729180 CH02 10/21/03 2:39 PM Page 14

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Installing and Configuring 15

1. Run the install program (SETUP.EXE), which is on the installationCD.

2. Read the Welcome screen, and click Next. Then read the LicenseAgreement and click Yes.

3. Enter the administrator’s name and the company name.

4. Choose whether to install partitioned servers.

On a Domino partitioned server, all partitions share the same Domino program direc-tory, and thus share one set of Domino executable files. However, each partition hasits own Domino data directory and NOTES.INI file; thus, each has its own copy of theDomino Directory and other administrative databases. There will likely be at least oneexam question about partitioned servers, so it’s important to remember what thisinstallation option means.

5. Choose the program and data directory in which to copy the software,and then click Next. For partitioned servers, choose only a programdirectory.

6. Select one of the following server types:

➤ Domino Utility Server—Installs a Domino server that provides appli-cation services only, with support for Domino clusters. TheDomino Utility server is a new installation type for Lotus Domino6 that removes client access license requirements. There is NO sup-port for messaging services.

➤ Domino Messaging Server—Installs a Domino server that providesmessaging services. There is NO support for application services orDomino clusters.

➤ Domino Enterprise Server—Installs a Domino server that providesboth messaging and application services, with support for Dominoclusters.

Only the Domino Enterprise Server supports a service provider (xSP) environment.

7. Click Customize to choose which components to install, or click Nextto accept all components.

8. If installing partitioned servers, specify a data directory for each parti-tion.

03 0789729180 CH02 10/21/03 2:39 PM Page 15

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 216

9. Specify the program folder or accept Lotus Applications as the pro-gram folder that will contain the software.

10. Click Finish to complete the install program.

After the installation program has finished, the administrator must start theserver in order to complete the server configuration. Choose Start,Programs, Lotus Applications, Lotus Domino Server to start the ServerSetup program. The Domino Server Setup program guides the administra-tor through the settings required to configure a Domino server.

Setting Up Additional Domino ServersSetting up the first Domino server in a domain establishes a framework thatconsists of the Domino Directory, ID files, and documents. When theadministrator sets up additional servers, they build upon this framework.

Setting up an additional Domino server does the following:

➤ Creates a replica of the Domino Directory, if a file location was specifiedduring the setup program, names it NAMES.NSF, and saves it in theDomino data directory.

➤ Copies the server’s ID from the location specified during the setup pro-gram, either from a file, a copy of the directory, or the existing Dominoserver’s directory; names it SERVER.ID; and saves it in the Dominodata directory.

➤ Retrieves the domain name and administrator name from the Serverdocument in the Domino Directory.

➤ Creates a new log file, names it LOG.NSF, and saves it in the Dominodata directory.

➤ Creates a replica of the Administration Requests file, names itADMIN4.NSF, and saves it in the Domino data directory.

➤ Creates a replica of the Monitoring Configuration file, names itEVENTS4.NSF, and saves it in the Domino data directory.

➤ Creates a Connection document to the existing Domino server in theDomino Directory.

➤ Creates a replica of the Reports file, names it REPORTS.NSF, and savesit in the Domino data directory.

➤ Updates network settings in the Server document of the DominoDirectory.

03 0789729180 CH02 10/21/03 2:39 PM Page 16


➤ Configures SMTP, if selected during the setup program.

➤ If “DOLS Domino Off Line Services” was selected during the setupprogram, creates the Off-Line Services file, names itDOLADMIN.NSF, and saves it in the Domino data directory.

➤ Updates the Access Control List in all databases and templates in theDomino data directory tree to remove Anonymous access and/or addLocalDomainAdmin access, depending on the selections made duringthe setup program.

➤ Configures xSP Service Provider information, if selected during theinstall program.

For the exam, remember that in Domino R6, if there is an error generated duringserver setup, the administrator has the option to either go back and correct the error,or cancel setup. In previous releases, after an error was generated, the administra-tor had to stop the setup, fix the problem, and restart setup again. Be prepared toanswer questions involving this new procedure on the exam.

Setting Up Server Protocols and PortsPort and protocol settings for a Domino server can be configured eitherbefore or after the server has been set up. A port refers to the networkingsoftware that allows the server to communicate with other servers or clientsthat share a common protocol; a protocol is the interface that allows eithertwo servers or a client and a server to communicate over a network. If theadministrator wants to complete port configuration during the setup pro-gram, he should ensure that they have completed the following beforeinstalling a Domino server:

➤ Install one or more NICs on the system.

➤ Install protocol software as necessary.

➤ Install all network drivers in the correct directories.

➤ Install any network software required for the protocols

The administrator can then use the Domino Server Setup program to acceptnetwork defaults or customize network settings for any ports and protocolsthat are detected by the setup program itself.

After the administrator has run the setup program, he or she may need tocomplete one or more of these tasks to finish setting up Lotus Domino onthe network:

03 0789729180 CH02 10/21/03 2:39 PM Page 17

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 218

➤ Change the default names assigned to Notes named networks to makethem consistent with actual network topography.

➤ Fine-tune network port setup by adding, enabling, renaming, reorder-ing, disabling, or deleting ports or by enabling network encryption orcompression on a port.

➤ Complete tasks specific to the TCP/IP, NetBIOS, or IPX/SPX protocol.

Implementing a HierarchicalNaming SchemeHierarchical naming is the cornerstone of Domino security; therefore, plan-ning it is a critical task. Hierarchical names provide unique identifiers forservers and users in a company. When the administrator registers newservers and users, the hierarchical names determine their certification, ortheir level of access to the system, and control whether users and servers indifferent organizations and organizational units can communicate with eachanother.

Maintaining Domino Certifier IDsA hierarchical name scheme uses a tree structure that reflects the actualstructure of a company. At the top of the tree is the organization name, whichis usually the company name. The organization name is associated with thetop-level certifier ID—usually called the cert.id. Below the organization nameare organizational units (OUs), which are created to suit the structure of thecompany. These OUs are associated with OU certifier ID files.

The administrator can create up to four levels of organizational unit (OU)certifiers. To create first-level OU certifier IDs, use the organization certifi-er ID. To create second-level OU certifier IDs, use the first-level OU certi-fier IDs, and so on.

The cert.id file is created during first server setup. Now in R6, OU IDs can also becreated during first server setup, or they can be created by the administrator at anytime using the Domino Administrator client. OU ID filenames are typically similar tothe OU name itself; for example, sales.id would be associated with the Sales/AcmeOU certifier. Watch for exam questions that test your ability to recognize that OU cer-tifiers can now be created on first server setup.

03 0789729180 CH02 10/21/03 2:39 PM Page 18


Using organizational unit certifier IDs, administrators can decentralize cer-tification by distributing individual certifier IDs to administrators who man-age users and servers in specific branches of the company. For example, theAcme Company has three administrators. One administers servers and usersin West/Acme and has access to only the West/Acme OU certifier ID, andthe second administers servers and users in East/Acme and has access to onlythe East/Acme OU certifier ID. The third administrator works out of Acme’shead office and has access to the cert.id, as well as all OU IDs. He is alsoresponsible for generating any new OU certifiers.

Each certifier ID has a unique password, and in order to use the certifier ID for regis-tration, the administrator must enter the password. Lotus recommends that pass-words for certifier IDs be at least nine characters, and that certifier IDs be stored insecure locations, only to be accessed by trusted Domino administrators.

Configuring DirectoriesDirectory services are an integral part of how Domino facilitates clientauthentication and data transmission for clients. It is necessary to understandthe Domino Directory—the most important database in the Domino systemfor the administrator.

Understanding the Domino DomainA Domino domain is a group of Domino servers that share the same DominoDirectory. The Domino Directory contains, among other documents, aServer document for each server and a Person document for each Notesuser.

There are different scenarios for setting up Domino domains. The mostcommon scenario, used by many small- and medium-size companies,involves creating only one Domino domain and registering all servers andusers in one Domino Directory. All users and servers are stamped with eitherthe organization certifier or an OU that inherited certificates from that top-level certifier, so all users and servers can authenticate. Mail routing is sim-plified, because all users and servers share the same directory.

Some companies use a multidomain scenario whereby users and servers areregistered into different Domino Directories. This scenario is harder tomanage, and usually requires that the administrator facilitate directory man-agement using Directory Assistance and/or Directory Catalog.

03 0789729180 CH02 10/21/03 2:39 PM Page 19

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 220

Implementing Distributed VersusCentralized DirectoriesA central directory architecture is an optional directory architecture that canbe implemented in a Domino domain. This architecture is new to R6 anddiffers from the traditional distributed directory architecture in which everyserver in a domain has a full replica of the primary Domino Directory.

With a central directory architecture, some servers in the domain have selec-tive replicas of a primary Domino Directory. These replicas, which areknown as Configuration Directories, contain only those documents that areused to configure servers in a Domino domain, such as Server, Connection,and Configuration Settings documents. A server with a ConfigurationDirectory uses a remote primary Domino Directory on another server tolook up information about users and groups and other information related totraditional directory services.

A central directory architecture has the following key features:

➤ Provides secondary servers quick access to new information because theservers aren’t required to wait for the information to replicate to them

➤ Enables secondary servers to run on less powerful machines becausethey don’t have to store and maintain the primary Domino Directory

➤ Provides tighter administrative control over directory managementbecause only a few directory replicas contain user and group information

A server with a Configuration Directory connects to a remote server with aprimary Domino Directory to look up information in the following docu-ments that it doesn’t store locally—Person, Group, Mail-in Database,Resource, and any custom documents added by the administrator.

The administrator can set up a Domino Directory as either a primaryDomino Directory or a Configuration Directory in one of the following twoways:

➤ For a new server, when an additional server is registered and set upwithin the domain

Often, the domain name and organization name are the same name, but they have twoseparate functions. The domain name refers to the collection of users and servers inthe Domino Directory, whereas the organization name refers to the company’s secu-rity system.

The title of the Directory is always “Domain’s Directory”; for example, “Acme’sDirectory.”

03 0789729180 CH02 10/21/03 2:39 PM Page 20


➤ For an existing server in the domain, by using replication settings for thedirectory to change a primary Domino Directory to a ConfigurationDirectory or to change a Configuration Directory to a primary DominoDirectory

After a server has been designated with a Configuration Directory, it canlocate a primary Domino Directory replica by using either default logic orcan use a directory replica specified through directory assistance.

Creating Groups in the DirectoryMany administration tasks can be simplified through the use of groups. Agroup is a list of Domino servers or users that share common characteristicsand are grouped together for a common purpose. Groups are used mainly tocontrol access and as mail distribution lists.

To create a group, the administrator must have at least Author access withthe Create Documents privilege, and must be assigned to the GroupCreatorrole. To edit the group, the administrator must have at least Author access,and must either be assigned to the GroupModifier role, or must be listed inthe group document as the owner or administrator.

There are five different types of groups:

➤ Multipurpose—A group that has multiple purposes; for example, mail,ACLs, and so on. This is the default group type.

➤ Access Control List Only—A group that is used in ACLs so that access canbe restricted for databases to servers and users.

➤ Mail Only—A group that is used as a mail distribution list.

➤ Servers Only—A special group that can be used in Connection docu-ments and in the Domino Administrator client’s domain bookmarks forgrouping servers together.

➤ Deny List Only—A group that is used to control access to servers.Typically used in the Deny Access field of the Server document to pre-vent terminated employees from accessing a server.

Deny List Only groups are not listed in the Groups view in the Domino Directory.They are, however, listed in the Deny Access Groups view. An administrator must beassigned to either the GroupModifier or NetModifier role to be able to access thisview.

03 0789729180 CH02 10/21/03 2:39 PM Page 21

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 222

Setting Up Administration GroupsTypically, the administrator creates one or more multipurpose groups specif-ically for administrators of the Domino system. In a small company, theremay be only one group of administrators who all do the same jobs. Typically,this one group would be given high access to resources. Larger organizationsmay have several different groups of administrators, based on the jobs thosegroups perform. For example, there may be one group called “SeniorAdministrators” that is given high access to resources and another groupcalled “Junior Administrators” that is given limited access to resources.

Administrators can also be given different access rights to the server throughthe use of Administrator fields on the Server document. Please consult thetopic “Restricting Administrator Access to the Server” in Chapter 6,“Security,” for a detailed overview of administrator rights.

Notes Client ConfigurationLike the Domino server, Notes client configuration involves two steps—reg-istering the client and running the setup program to configure the client.

Registering New UsersThe administrator needs to register users before he can install Notes onusers’ workstations. The administrator can use either the NotesAdministrator client or the Web Administrator client to perform the regis-tration. For each user, the user registration process creates:

➤ A Person document in the Domino Directory

➤ A user ID that is stamped with appropriate certificates (does not apply tonon-Notes users)

➤ A mail file (optional)

The user’s name and the certificates that a user’s ID inherits depend upon which cer-tifier ID is chosen during registration. If the administrator chooses the OU ID calledWest/Acme when registering Mary Green, then her name will be MaryGreen/West/Acme, and she will have two certificates—one for the organization,/Acme, and one for the OU, /West/Acme.

Notes offers different options for registering users, as follows:

➤ Basic user registration

➤ Advanced user registration

03 0789729180 CH02 10/21/03 2:39 PM Page 22


➤ Text file registration

➤ Migration tools registration (for companies using an external mail sys-tem or directory)

Installing Clients of Different License TypesDepending on the size of the company, the administrator may need to pro-vide an installation method for only a few users or for thousands of users. Inaddition, they may need to customize the installation process so that usersinstall only the features they need. There are three types of clients that canbe installed:

➤ Notes client

➤ Domino Administrator client

➤ Domino Designer client

A user might require one or a combination of the preceding clients. If the DominoAdministrator or Designer client is installed, the Notes client is also installed. Theclient installation software also offers the option to install all three clients.

Domino offers several methods or types of installation that the administra-tor can make available to the Domino Notes users in their company.Companies must purchase a client license for each client they want to install.A client license is an authorization purchased from Lotus that allows theadministrator to register and set up a client machine running the LotusNotes client, the Notes Administrator client, or the Designer client.

➤ Single-user Client Installation—This installation is usually done from theCD or from files placed on the network.

➤ Multiuser Installation—This option allows the administrator to configurethe workstation for use by more than one user. This option is availableonly for Notes client installation, not for installing the DominoAdministrator client or Domino Designer.

➤ Shared Installation—This option installs all program files to a file serverwhile the users’ data files reside on their local workstations.

➤ Automated Client Installations (Silent Installation)—This option can beused with or without a transform file depending on whether the admin-istrator wants to customize the silent installation.

03 0789729180 CH02 10/21/03 2:39 PM Page 23

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 224

➤ Customized Installations—This option uses a transform file to customizethe installation process.

➤ Batch File Installation—This option enables users to install the clients byrunning a batch file that you create for them.

➤ Installation with Command-line Utilities—This option allows users toinstall the clients using a command-line utility that is provided for themby the administrator.

➤ Scriptable Setup—This option uses a setting in the NOTES.INI file toprovide information to the Client Setup Wizard.

After the R6 client software has been installed and configured, administra-tors will likely need to upgrade the client installation over time. Lotus Notes6 provides the following options for upgrading Notes clients:

➤ Upgrade-by-mail

➤ IBM Lotus Notes Smart Upgrade

➤ Administrative installation

Lotus Notes Smart Upgrade is a new R6 upgrade option that works with the LotusNotes 6 update kits or incremental installers that can be downloaded from the LotusDeveloper Domain (www.lotus.com/ldd/smartupgrade). Smart Upgrade sends anotification to users to upgrade their Notes clients. Smart Upgrade lets you set agrace period in which users must upgrade their clients. This upgrade method usespolicy and settings documents to help manage updates. Because this is a new R6feature, watch for exam questions that test your understanding of how the SmartUpgrade process works.

Setting Up and Configuring a Notes R6 UserLotus Notes 6 users are people who use the Notes client to access Dominoservers and databases and have a Notes ID, a Person document, and, if theyuse Notes Mail, a mail file. After the administrator has registered the newuser and installed the client software on the user’s workstation, they must runsetup at that workstation.

To run the client setup program, choose Start, Programs, LotusApplications, Lotus Notes. The setup wizard asks a series of questions anduses the answers to configure all of the client connections. During setup,users are asked to provide the following information:

➤ Notes name

➤ ID file, to which they must know the password

03 0789729180 CH02 10/21/03 2:39 PM Page 24


➤ Name of mail server

➤ Names of Internet mail server, newsgroup server, and directory serverfor Internet address searching (optional)

➤ Whether to connect to the Internet through a proxy server (optional)

➤ Whether to set up a schedule for replicating mail (optional)

For all these options, users are asked whether the physical connectionmethod is a local area network or a dial-up modem.

Clients can create new or modify existing connections at any later time by choosingFile, Preferences, Client Reconfiguration Wizard, or by creating connections directlyin their Personal Address Book (names.nsf).

Deploying Notes User Authentication—Notes IDDomino uses ID files to identify users and to control access to servers. EveryDomino server and Notes user must have an ID in order to authenticate. IDfiles are created during the registration process. A user ID file contains:

➤ The owner’s name—A user ID file may also contain one alternative name.

➤ A permanent license number—This number indicates that the owner islegal and specifies whether the owner has a North American orInternational license to run Domino or Notes.

➤ At least one Notes certificate from a certifier ID—A Notes certificate is adigital signature added to a user ID or server ID. This signature, whichis generated from the private key of a certifier ID, verifies that the nameof the owner of the ID is correctly associated with a specific public key.

➤ A private key—Notes uses the private key to sign messages sent by theowner of the private key and to decrypt messages sent to its owner.

➤ Internet certificates (optional)—An Internet certificate is used to secureSSL connections and encrypt and sign S/MIME mail messages.

➤ One or more secret encryption keys (optional)—Encryption keys are createdand distributed by users to allow other users to encrypt and decryptfields in a document.

03 0789729180 CH02 10/21/03 2:39 PM Page 25

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 226

Maintaining Notes User IDsWhen ID files are created, the certificates on the ID are stamped with anexpiration date. After the expiration date, the ID becomes unuseable. Beforea user ID reaches its expiration date, the administrator should recertify itusing the original certifier ID. The user ID is recertified without renamingthe user.

Administrators can use the Certificate Expiration view to determine whichcertifiers need to be recertified. Access this view from within certlog.nsf fromthe Files tab in the Administrator client. All certifiers are listed by expirationdate within the By Expiration Date view.

A user whose ID is close to expiring will start to receive a warning message every daystarting three months before the expiration date. At that time, the user can ask theadministrator to update the ID file. If the ID file expires, it becomes unuseable and theadministrator must either recertify a backup ID or create a new ID for the user.Administrators should be checking the certlog.nsf and monitoring the IDs coming upfor expiration, allowing them to be proactive about preventing IDs from expiring.

If a user loses or damages an ID file or forgets a password, the user can workwith administrators to recover the ID file from backup. Administrators musthave a database within which they have saved a backup copy of each user IDthey want to recover. When the user notifies the administrator of a problemwith the ID, the administrator must detach the backup copy of the ID fromthe database. He can then send the copy of the user ID to the user, and pro-vide the user with the recovery password required to recover the ID file.

Usually, users need to be in contact with an administrator by phone in order toreceive the recovery password, because they can’t access their mail file withouttheir ID.

Applying Policy DocumentsUsing a policy, administrators can control how users work with Notes. A pol-icy is a document that identifies a collection of individual policy settings doc-uments. Each of these policy settings documents defines a set of defaults thatapply to the users and groups to which the policy is assigned. After a policyis in place, administrators can easily change a setting, and it will automati-cally apply to those users to whom the policy is assigned.

03 0789729180 CH02 10/21/03 2:39 PM Page 26


Policy settings documents cover these administrative areas:

➤ Registration

➤ Setup

➤ Desktop

➤ Mail archiving

➤ Security

Applying Policies During New UserRegistrationIdeally, administrators should plan and create policies before they registerand set up users. Then, during user registration, they can assign the policies.If users are already registered, administrators can plan and create policies,but they cannot assign any registration and setup policy settings, becausethose apply only once, during user registration and setup.

There are two types of policies: organizational and explicit. An organiza-tional policy automatically applies to all users registered in a particular orga-nizational unit. An explicit policy assigns default settings to individual usersor groups.

To plan and assign policies, administrators should complete the followingsteps:

1. Determine which settings to assign to all users in specific organization-al units. For these settings, create organizational policies.

2. Determine which settings to assign to individual users or groups. Forthese settings, create explicit policies.

3. Register users and assign explicit policies during registration.

Applying Policies to Existing UsersAdministrators can assign explicit policies manually in one of three ways:during user registration, in the Person document, or by using the AssignPolicy tool.

03 0789729180 CH02 10/21/03 2:39 PM Page 27

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 228

Assigning Explicit Policies in the Person DocumentWhen the administrator wants to change policies for one or a few users, hecan assign or change a user’s explicit policies directly in the Person docu-ment. Changes to the Desktop, Security, or Archive policy settings that areassociated with an explicit policy can be distributed this way. Changes to auser’s settings that were previously defined using registration and setup pol-icy settings are not made retroactively, so administrators would need to makeany changes to those settings manually in the Person document; for example,roaming user settings can be defined in a Registration policy setting docu-ment, but administrators can’t change a user’s roaming user status by chang-ing the Registration policy setting document for that user.

Assigning Explicit Policies Using the Assign Policy ToolAdministrators also have the option of assigning an explicit policy using theAssign Policy tool. Administrators should use this tool when they want tomake changes to multiple users or groups. Administrators can distributechanges to the Desktop, Security, or Archive policy settings that are definedin explicit policies using this tool. When changing the explicit policy for auser or group using this tool, administrators have the option of viewing theway the policy assignment change impacts the effective policy for that useror group.

03 0789729180 CH02 10/21/03 2:39 PM Page 28


Exam Prep Questions

Question 1

Which of the following is not true of the Domino Utility server?

❍ A. Includes an integrated Web server

❍ B. Provides application services

❍ C. Provides mail services

❍ D. Provides support for clusters

Answer C is correct. The Domino Utility server provides application servic-es only, with support for Domino clusters. The Domino Utility server is anew installation type for Lotus Domino 6 that removes client access licenserequirements and can be hosted on multiple platforms. There is NO supportfor messaging services, and none of the Domino servers can host ASPs.

Question 2

Cam was installing a Domino R6 server and encountered the following error:

“An error occurred during setup. The file server.id already exists.”

55% of the setup had already completed. Cam confirmed that there was a server.idleft over from a previous attempt at the setup process. What can he do to fix theproblem?

❍ A. Go back and correct the problem and either continue with the setup orcancel the setup.

❍ B. Domino will automatically fix the problem and continue with the setup.

❍ C. Cam must exit out of setup, fix the problem, and restart setup again.

❍ D. Cam must exit out of setup and reinstall the server software beforeattempting the setup process again.

Answer A is correct. The new Domino 6 server setup allows you to go backand correct any problems, and then continue with the setup or you canchoose to cancel the setup. Answer B is incorrect because Domino has never“fixed” problems in setup automatically, and answers C and D are incorrectbecause the administrator does not have to halt setup in R6 to fix errors.

03 0789729180 CH02 10/21/03 2:39 PM Page 29

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 230

Question 3

Bert is upgrading his Domino server to R6 in order to be able to take advantageof policy documents. Which of the following statements is true about policy-based administration?

❍ A. Policy documents can be defined for either organizations or servers.

❍ B. Policy documents can be defined for either organizations or organiza-tional units (OUs).

❍ C. Policy documents can be defined for either users or servers.

❍ D. Policy documents can be defined for groups, users, or servers.

Answer B is correct. Policy documents can be defined for organizations ororganizational units. An organizational policy is automatically applied at theorganization level, and organizational unit policy is automatically applied toan organizational unit. Policies can also be explicit. Policies can never beapplied to servers—only to users.

Question 4

A user at Acme Company received a message indicating that his ID was aboutto expire. The user ignored the warning, and the ID eventually expired. Whatmust happen before the user can use the ID again?

❍ A. A new Person document must be created for the user.

❍ B. The administrator must extend the expiration date on the expired ID.

❍ C. The ID file must be recertified by an administrator.

❍ D. The user must request a recovery password from the administrator tounlock his ID file.

Answer C is correct. ID files contain expiration dates. To assign a new expi-ration date, you must recertify the ID file. Expired IDs cannot be recovered,so answer D is incorrect. Answer B is incorrect because once an ID file hasexpired, the expiration date cannot be extended. Answer A is incorrectbecause the ID file is not stored on the Person document—it is stored local-ly on the workstation.

03 0789729180 CH02 10/21/03 2:39 PM Page 30


Question 5

Which of the following is true of a partitioned server installation?

❍ A. Partitioned servers share the same Domino data directory.

❍ B. Partitioned servers share the same Domino program directory.

❍ C. Partitioned servers share the same NAMES.NSF.

❍ D. Partitioned servers share the same NOTES.INI.

Answer B is correct. Domino server partitioning lets you run multipleDomino servers on a single computer. Using partitioned servers reduceshardware expenses and minimizes the number of computers that you have toadminister. Each partitioned server has its own Domino data directory andNOTES.INI file and data files, so answers A, C, and D are incorrect.

Question 6

Which of the following is not true about the Server registration process?

❍ A. An ID file is created for the server.

❍ B. The server name is added to the LocalDomainServers group in theDomino Directory.

❍ C. The MAIL.BOX is created on the server.

❍ D. A new Server document is created for the server in the DominoDirectory.

Answer C is correct. The server registration process creates an ID file for theserver, a Server document, adds the server to the LocalDomainServers groupand adds an entry for the server in CERTLOG.NSF. The MAIL.BOX filedoes not get created until the server is started for the first time.

Question 7

Joan created a group in the Domino Directory, but after saving and closing thegroup, she can’t find it listed in the Groups view. Which type of group did shecreate?

❍ A. A Mail-only group

❍ B. A Multipurpose group

❍ C. A User group

❍ D. A Deny Access group

03 0789729180 CH02 10/21/03 2:39 PM Page 31

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 232

Answer D is correct. The Deny Access list denies access to users listed in thegroup. A Deny Access group usually contains former employees of compa-nies in which the user may still have their Notes ID file. The Deny Accessgroup type doesn’t display in the Groups view of the Domino Directory, butrather displays in a separate Deny Access Groups view.

03 0789729180 CH02 10/21/03 2:39 PM Page 32


Need to Know More?Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, IN: Que Publishing, 2003.

Installing Domino Servers: www-12.lotus.com/ldd/doc/uafiles.nsf/

docs/Domino6PR2/$File/install.pdf.

Webcast: Lotus Live! Series: What’s New in Notes/Domino 6 Administration: http://searchdomino.techtarget.com/

webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html.

Webcast: Preparation & Test Taking Strategies with Lotus Education Managers: http://searchdomino.techtarget.com/


03 0789729180 CH02 10/21/03 2:39 PM Page 33

03 0789729180 CH02 10/21/03 2:39 PM Page 34

Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3

✓ Domino Named Network (DNN)✓ Notes Remote Procedure Call (NRPC)✓ MAIL.BOX✓ Router✓ Routing tables✓ Connection document✓ Routing cost✓ Pending mail✓ Dead messages/mail✓ Held mail✓ Shared mail✓ Message tracking

✓ MTSTORE.NSF✓ Mail usage reports✓ ISpy✓ Delivery failure✓ Archiving policy✓ Mail quota✓ Warning threshold✓ Encryption✓ Public key✓ Private key✓ Location document

Terms you’ll need to understand:

Techniques you’ll need to master:✓ Defining the role of the DNN in message

transfer✓ Scheduling mail routing between servers

using Connection documents✓ Monitoring and maintaining mail routing✓ Troubleshooting mail-routing problems

using administrative tools

✓ Controlling mail archiving through policiesand settings

✓ Controlling mail file size by implementingmail quotas and warning thresholds

✓ Understanding the role of the public andprivate keys in encryption

✓ Setting workstation preferences and loca-tions to use mail

04 0789729180 ch03 10/21/03 2:32 PM Page 35

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 336

This chapter outlines the basic messaging-configuration options that enablethe Domino administrator to set up servers for mail routing and to monitorand troubleshoot mail routing within the Domino network. The chapter alsocovers basic messaging settings such as mail-archiving policies, mail quotas,and mail encryption. We finish the chapter with a brief look at configuringthe Notes client workstation to work with different locations for both localand server-based mail.

For the purposes of the exam, it is important to understand when mail routesautomatically within a Domino Named Network, as opposed to mail thatneeds to be scheduled between networks with a Connection document. Aswith every chapter, it’s also important to learn and memorize the consolecommands related to routing.

Server Messaging ConfigurationConfiguring the Domino servers for mail routing involves understandinghow mail routes between servers based on the server’s Domino NamedNetwork (DNN). A DNN is a group of servers in a given Domino domainthat share a common protocol and are constantly connected. The adminis-trator must then be capable of creating any necessary Connection documentsand using tools to help monitor and maintain routing. A Connection docu-ment is a document that contains all of the settings necessary to schedulemail routing between servers in different DNNs.

Setting Up and Configuring Mail RoutingBy default, Domino uses Notes Remote Procedure Calls (NRPC), also calledNotes routing, to transfer mail between servers. Notes routing uses infor-mation in the Domino Directory to determine where to send mail addressedto a given user. Notes routing moves mail from the sender’s mail server tothe recipient’s mail server.

A user creates a mail message in the mail database. When the user sends themessage, a workstation task called the MAILER transfers the message to theMAIL.BOX database on the user’s server (also known as the user’s mail serv-er or home server). MAIL.BOX is the transfer point for all messages beingrouted to and from a server. The ROUTER task polls MAIL.BOX and askstwo questions about the messages waiting to be routed:

➤ Where this message should be delivered—to which recipients on whichservers?

➤ How this message should be delivered—which routes and connectionsshould be used?

04 0789729180 ch03 10/21/03 2:32 PM Page 36

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 37

The router consults its routing tables to determine where the recipient’s maildatabase is stored. Routing tables are built in memory on the server when therouter first starts and are refreshed every few minutes. These routing tablesare built using information in various documents in the Domino Directory—Person documents, Connection documents, Domain documents, and so on.The location of the recipient’s mail database determines how the message isdispatched by the router. A recipient’s mail database can be stored in any ofthe following locations:

➤ On the same server as the sender’s mail database—If the sender and therecipient share the same mail server, the message is delivered immedi-ately and the Router task is not involved in the message transfer. TheRouter task is invoked only for transfer to another server.

➤ On a different server in the same DNN—If the Server document for thedestination server is found within the Domino Directory, the routerchecks that document to determine the network information for theserver.

➤ On the ports—On the Notes Network Ports tab of the Server document,the server is assigned to one or more DNNs. As you learned earlier, aDNN is a group of servers in a given Domino domain that share a com-mon protocol and are constantly connected. If the two servers share aDNN, the Router immediately routes the message from the MAIL.BOXfile on the sender’s server to the MAIL.BOX file on the recipient’s server.

Because mail routes automatically between servers in the same DNN, you do notneed to create any Connection documents to facilitate mail routing. Mail routingwithin a DNN is always automatic and instantaneous.

➤ On a server in a different DNN within the local Domino domain—Whenservers are members of two different DNNs, the Domino administratormust create connections between the two networks.

➤ On a server in an external Domino domain—In this case, the Router mustfind a Connection document between domains or must route the mes-sage using SMTP, configured to route outside of the local domain.

The exam will likely use scenario questions to test your ability to understand mailrouting between servers, based on your understanding of DNNs and domains. Whentaking the exam, you may find it helpful to draw a diagram of servers with labels foreach of the server names. Then place a circle around each of the servers in the sameDNN so that you’re able to clearly see where automatic mail routing occurs andwhere it needs to be scheduled by the administrator.

04 0789729180 ch03 10/21/03 2:32 PM Page 37

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 338

Setting Up and Configuring MessageDistribution Using SchedulesBy default, when using Notes routing, Domino can transfer messages only toother servers in the same DNN. To extend Notes routing beyond a singleDNN, you must create Connection documents in the Domino Directoryand specify a routing schedule. Domino does not automatically createConnection documents for mail routing.

The best way to prepare for this exam topic is to practice creating sampleConnection documents and populating all of the settings. If you’re able toconfigure some Domino servers and clients, practice putting two Dominoservers in different DNNs and practice scheduling mail routing between thetwo servers with Connection documents.

To schedule Notes routing using a Connection document, follow these steps:

1. From the Domino Administrator, click the Configuration tab andexpand the Messaging section.

2. Click Connections.

3. Click the Add Connection button.

4. On the Basics tab, enter the names of both the source (originating) andtarget (destination) servers, as well as their domain names and thename(s) of the network ports that the two servers will use to connect.Optionally, you can also enter a network address for the target.

5. Click the Schedule tab and complete the following fields in theScheduled Connection section:

➤ Schedule—Choose either Enabled to use this schedule to controlconnections between the specified servers, or Disabled to cause theserver to ignore the schedule.

➤ Connect at Times—Enter a time range during which you want mail toroute. The default is 8 a.m. to 10 p.m.

For 24-hour mail routing, enter 12 a.m. to 11:59 p.m.

04 0789729180 ch03 10/21/03 2:32 PM Page 38

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 39

➤ Repeat interval of—The number of minutes between routingattempts; the default is 360 minutes.

➤ Days of week—The days of the week when the server should use thisschedule and route mail. The default is to use this connection foreach day of the week.

6. Click the Replication/Routing tab and complete the following fields inthe Routing section:

➤ Routing task—Choose either Mail Routing to enable Notes mailrouting between the servers, or SMTP Mail Routing to enable rout-ing in Internet mail to a server that can connect to the Internet

➤ Route at once if—The number of normal-priority messages that accu-mulate before the server routes mail. The default is 5.

Entering a value of 1 in the Route at Once field causes each mail message to routeas soon as it is received in MAIL.BOX.

➤ Routing Cost—The relative cost of this server connection. This fieldaffects the building of least-cost routes in the router’s routing tableson the server.

➤ Router Type—The router can route in one direction with either thePull or Push options, or the router can trigger two-way routing,with either the Pull Push or the Push Wait options. In the case ofthe Pull Push routing option, the router on the originating serverpushes mail to the destination server and then triggers the destina-tion server to route mail back again. With the Push Wait routingoption, the source server first pushes to the target server and thenwaits to receive a connection from the target. This last option isusually used between servers with dialup connections.

New connections or changes to existing Connection documents take effect after thenext router configuration update, which typically occurs every 5 minutes on theserver, when the routing tables are refreshed. To put the new setting into effectimmediately, reload the routing configuration by entering the following consolecommand:Tell router update config

04 0789729180 ch03 10/21/03 2:32 PM Page 39

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 340

Forcing Mail to Route to a Specific ServerTo force the server to immediately route all pending mail to another server, usethe Route command at the server console. Pending mail is mail that is sitting inthe MAIL.BOX waiting to be routed. The syntax of the command is as follows:Route servername

The Route command initiates mail routing with a specific server. This commandoverrides any mail-routing schedules that you create using Connection documents inthe Domino Directory. Use the Route command to send mail to or request mail froma server immediately.

Here are some examples of how to use the Route command:

➤ Route ServerA/Acme—Sends mail to ServerA in the Acme organization.The server console displays messages indicating when routing begins.

➤ Route “Server B/Acme”—Sends mail to Server B. Use quotes around servernames that are more than one word.

➤ Route *—Sends mail to all pending destinations.

In the exam questions, be sure to note which server is initiating the command. Aserver cannot successfully route mail to itself; for example, if the administrator wasusing the console on ServerA, the command Route ServerA would have no effect.The exam questions will test your ability to read and understand which server con-sole is being used to issue the commands.

If no mail is queued for routing, Domino ignores the Route command. Usethe Tell Router show command at the console to check for messages pendingfor local delivery or to check for held mail—messages that the administratorhas configured the router to hold in order to examine them. Often theadministrator will configure the router to hold undeliverable messages inorder to examine them before releasing them, as in the case of spam. Tocheck which servers have mail queued, use this command at the console:Tell Router show

As an alternative to using the console, the administrator can route mail directly fromthe Server, Status tab in the Domino Administrator client interface. This interfacemimics the Route command at the console.

To route mail directly from the Server, Status tab, follow these steps:

1. From the Domino Administrator, click the Server, Status tab.

2. If necessary, click Tools to display the toolbar and then click Server, RouteMail.

3. Under Route Mail with Server, enter the name of the server you want to routemail to, or select the name of the server from the list.

4. Click Route.

04 0789729180 ch03 10/21/03 2:32 PM Page 40

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 41

Monitoring and Maintaining Mail RoutingDomino provides the administrator with many tools to monitor and main-tain mail routing between Domino servers. This section is designed to givethe reader a broad overview of many of the tools. Consult DominoAdministrator Help for detailed descriptions of how to use each tool.

For the purposes of the exam, it’s important to understand what each tool does, butit’s not necessary to memorize each command or button in the interface. That beingsaid, the best way to study the monitoring tools is to use them in the DominoAdministrator interface so that you can recall the purpose of each tool.

Using the Messaging, Mail tabThe Domino Administrator client has an entire section dedicated to themonitoring and maintaining of mail. The Domino administrator uses thistab extensively during the work day. Using the Messaging, Mail tab, theadministrator can observe and monitor the following:

➤ Mail users—You can display a view of the Domino Directory that lists allusers by mail server and provides each user’s Notes mail address andmail filename. From this view, you can add, edit, and delete Person doc-uments and send upgrade notifications.

➤ Routing mailboxes—You can display the current contents of eachMAIL.BOX database on the server. Servers can be configured to havemultiple mailboxes using the Messaging Configuration document.MAIL.BOX databases on the server can contain three types of undeliv-erable messages: pending messages, designated with no icon; dead mes-sages, designated by a stop-sign icon; and held messages, designated by ared exclamation point.

➤ Pending messages—These messages are waiting to be routed by the routeron the server. Pending messages are not problematic for the administra-tor unless they start to pile up in the MAIL.BOX, indicating that thereis a routing problem.

➤ Dead messages—These messages are “stuck” in MAIL.BOX because theycan’t be delivered to the recipient and they can’t deliver their failure tothe originator of the message. The most common cause of dead mail isspam. The spammer guesses incorrectly the name of a person in yourmail system. When the router can’t deliver the message, it attempts todeliver a failure to the spammer. The spammer has purposely not pro-vided a way to return messages, so the message gets stuck in your serv-er’s mailbox. In the case of spam, the administrator usually uses the

04 0789729180 ch03 10/21/03 2:32 PM Page 41

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 342

information in the dead message to assist in blocking spam and thendeletes the dead message. Dead messages might also indicate networkingor other problems with the company. In that case, the administrator cor-rects the problem and then releases the dead message; the failure mes-sage then is attempted again.

➤ Held messages—These messages are held because the administrator hasconfigured the server to hold mail for manual transfer. This is anothersetting available in the Mail Configuration document. When you config-ure the router to hold messages, each held message remains inMAIL.BOX indefinitely and is processed only if an administrator releasesthe message.

You can improve mail performance significantly by creating multiple MAIL.BOXdatabases on a server. Using multiple MAIL.BOX databases removes contention fora MAIL.BOX, allows multiple concurrent processes to act on messages, and increas-es server throughput. As a further benefit, having multiple MAIL.BOX databases provides failover in case one MAIL.BOX becomes corrupted. Watch for the exam tomention using multiple MAIL.BOX databases as a way to improve messaging effi-ciency. When this feature is enabled, the mailbox databases are named MAIL1.BOX,MAIL2.BOX, and so on.

➤ Shared mail—You can display shared mail statistics from the ObjectStore Usage view of the server’s Notes Log database. Shared mail, some-times referred to as the Single Copy Object Store (SCOS), offers analternative to message-based mail, allowing servers to store a single copyof messages received by multiple recipients in a special central databaseor object store. By default, the Domino mail system employs a message-based model for mail storage, delivering a separate and complete copy ofevery document to each recipient’s mail file. To use disk space more effi-ciently, the administrator can set up shared mail on each mail serverafter setting up the Domino mail system.

➤ Mail routing status—You can displays a Java applet providing a graphicrepresentation of current mail.dead and mail.waiting statistics for thisserver. Domino refreshes the information in this view at intervals ofapproximately 1 minute.

➤ Mail routing events—You can display the Routing Events view of theserver’s Notes Log. This view enables the administrator to scan andsearch through all console messages related to mail.

➤ Mail routing topology—You can display Java applets providing graphicrepresentations of the available routing paths defined by Connectiondocuments and Notes Named Networks.

04 0789729180 ch03 10/21/03 2:32 PM Page 42

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 43

➤ Reports—You can display information from the server’s Reports database.For more information, see the section “Generating Mail UsageReports,” later in this chapter.

Message TrackingDomino administrators often get requests from users asking them to pin-point where a mail message is at any given point in time. Domino has a mes-sage-tracking system that is similar to the sophisticated tracking systems usedby courier companies to trace packages.

Message tracking enables the administrator to check the status of any messagethat has been routed within the Domino network. Message tracking is con-figured using the Message Tracking tab in the Messaging Configuration doc-ument. Because message tracking isn’t enabled by default, the administratormust enable it in the Configuration document and complete the fields toestablish the settings for message tracking.

When you configure mail tracking, you can specify which types of informa-tion Domino records. For example, Domino administrators can decidewhether to track message subjects, they can disable tracking for certaingroups of users, and they can decide who should be allowed to track messagesfrom server to server.

The Mail Tracker Collector task (MTC) reads special mail tracker log files(MTC files) produced by the router and copies certain messaging informationfrom them to the MailTracker Store database (MTSTORE.NSF). TheMailTracker Store database is created automatically when you enable mailtracking on the server. When an administrator searches for a particular mes-sage, Domino searches the MailTracker Store database to find the information.

The Mail Tracker Collector differs from the Statistics Collector (Collect task), which isresponsible for gathering statistical information about servers.

When Message Tracking has been enabled, the administrator can issue track-ing requests using the Messaging, Tracking Center tab of the DominoAdministrator client. The administrator issues the request by clicking theNew Tracking Request button and completing the fields in the NewTracking Request dialog box, as illustrated in Figure 3.1.

04 0789729180 ch03 10/21/03 2:32 PM Page 43

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 344

Figure 3.1 The Messaging, Tracking Center tab of the Domino Administrator.

The administrator clicks OK to complete the request. Domino then displayssummary results that include the sender’s name, recipient, delivery time, andmessage subject, if subject tracking is allowed. The administrator can thenselect a message and click Track Selected Message. When the message hasbeen found, Domino displays the following information about the message:delivery status, mailbox status, previous server, next server, unique messageID, inbound message ID, outbound message ID, inbound originator, out-bound originator, subject, disposition time, message arrival time, and mes-sage size in bytes.

Generating Mail Usage ReportsOver time, the Domino MailTracker Store database (MTSTORE.NSF)accumulates valuable data about message-routing patterns on the server. TheDomino administrator can then generate mail usage reports from this data.For example, you can generate reports of recent messaging activity, messagevolume, individual usage levels, and heavily traveled message routes. You canuse the Reports database (REPORTS.NSF) to generate and store mail usagereports. The Reports database is typically created automatically when you setup the first server in the domain, or the administrator can manually createthe Reports database from a template.

On the Messaging, Mail tab, the administrator locates the Reports databaseat the bottom of the left navigation pane and either generates a new report

04 0789729180 ch03 10/21/03 2:32 PM Page 44

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 45

with the New Report button or opens an existing report. The administratorthen completes all of the fields in the Create New Report dialog box. Hereis a list of some of the types of reports that can be created:

➤ Top 25 users by count

➤ Top 25 users by size

➤ Top 25 senders by count

➤ Top 25 senders by size

➤ Top 25 receivers by count

➤ Top 25 receivers by size

➤ Top 25 most popular “next hops”

➤ Top 25 most popular “previous hops”

➤ Top 25 largest messages

➤ Message volume summary

➤ Message status summary

Mail usage reports provide important information that you can use to resolveproblems and improve the efficiency of the mail network. In addition, thisinformation is valuable when you plan changes or expansions to the mail net-work. For example, you can generate reports that show the 25 users whoreceived the most mail over a given period of time (a day, a week, a month,and so forth) or the volume of mail sent by a specified user over some inter-val. With this information, you can identify users who might be misusing themail system. Other reports show the most frequently used next and previoushops, enabling you to assess compliance with mail-use policies.

Agents stored in the Reports database let administrators schedule reports ona one-time, daily, weekly, and monthly basis. By default, Domino generatesscheduled reports at midnight at the interval you specify—daily, weekly, ormonthly. When a report query is run, the active report agent examines thedata collected in the Domino MailTracker Store database to generate theresulting report. You can configure a report to save results in the Reportsdatabase or mail results to one or more administrators. Saved reports areorganized in the Reports database under several different views.

You cannot generate mail reports if servers are not configured to do message track-ing. Reports are generated using the information collected in MTSTORE.NSF on eachserver. For reporting and tracking to be most effective, message tracking should beenabled on all or most Domino servers in the domain.

04 0789729180 ch03 10/21/03 2:32 PM Page 45

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 346

Mail-Routing Event GeneratorsTo monitor a mail network, you can configure mail-routing event generatorsto test and gather statistics on mail routes. These event generators are alsoknown as mail probes. In essence, a mail probe “pokes” at a server’s router tosee how quickly that server responds to mail requests.

To test a mail route, the ISpy task sends a mail-trace message to a specifieduser’s mail server. This event generator creates a statistic that indicates theamount of time, in seconds, that it takes to deliver the message. If the mail-routing trace fails, the statistic has the value -1. If the Statistic Collector taskis running, the Monitoring Results database (STATREP.NSF) stores the sta-tistics. The format of a mail routing statistic is as follows:QOS.Mail.RecipientName.ResponseTime

In addition, the ISpy task monitors the local mail server by default and gen-erates events for traces that fail. To monitor other Domino mail servers, cre-ate a mail probe and set up an event handler to notify you when an event hasoccurred. Probes are created in Domino Administrator by clicking theConfiguration tab and then opening the Monitoring Configuration view.Open the Event Generators, Mail view; then click New Mail Routing EventGenerator and complete the fields.

The ISpy task must be running on the server to generate the statistics gathered by themail probe. To check whether this task is running on the server, enter Show Tasks atthe server console. If the ISpy task isn’t running, start the task using the commandLoad runjava ISpy. Add the ISpy task to the server’s NOTES.INI file if you want thetask to start up the next time the server restarts. The notation of the ISpy task is casesensitive; the task will not initiate if the command is entered as ispy or Ispy.

Troubleshooting Routing ProblemsA variety of error conditions can prevent Domino from properly sending anddelivering mail. These topics describe common mail-routing problems andtools you can use to help resolve them.

Delivery Failure ReportsA delivery failure is a message that is returned to the sender indicating that themessage was not delivered successfully. Delivery failures are generated forone of two reasons:

➤ The address of the mail recipient is incorrect.

➤ The connection to the recipient is not available or is not working.

04 0789729180 ch03 10/21/03 2:33 PM Page 46

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 47

Users should always try to resend a memo for which they receive a deliveryfailure report. In resending, the user is presented with the opportunity to fixthe address of the recipient. When a memo has been resent once and the useris certain that the address is correct, the user should alert the administratorto the problem so that the administrator can investigate mail connectionsand server routes.

Mail TraceTo troubleshoot mail routing or test mail connections, trace a mail delivery totest whether a message can be successfully delivered without actually sendinga test message. The results of the trace are returned to the administrator’s maildatabase in the form of a mail message, listing every server in the route.

1. From the Domino Administrator, click the Messaging, Mail tab.

2. If necessary, click Tools to display the toolbar.

3. From the toolbar, click Messaging, Send Mail Trace.

4. Address the message to the person you want to trace. Choose Last RouterOnly to receive a message from the last server to successfully route themessage; otherwise, you’ll receive a message from each server hop.

Mail-Routing Topology MapsMail-routing topology maps are useful to track mail-routing problemsbetween servers because the administrator has a pictorial view of the con-nections between servers in the domain. To create a mail-routing topologymap, follow these steps:

1. From the Domino Administrator, click the Messaging, Mail tab.

2. Choose one of the two available views:

➤ Mail Routing Topology by Connections

➤ Mail Routing Topology by Named Networks

Console Commands Used to Troubleshoot Mail RoutingIn the interest of saving time, many Domino administrators use consolecommands where possible instead of using the equivalent option in theDomino Administrator interface. For this reason, Lotus often includes sev-eral exam questions related to console commands in all exams. The follow-ing is a listing of console commands that are helpful in troubleshooting mail-routing problems or in displaying mail-related information:

04 0789729180 ch03 10/21/03 2:33 PM Page 47

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 348

➤ Tell Router Delivery Stats—Shows router delivery statistics

➤ Tell Router Compact—Compacts MAIL.BOX and cleans up open routerqueues. You can use this command to compact MAIL.BOX at any time.If more than one MAIL.BOX is configured for the server, eachMAIL.BOX database will be compacted in sequence.

By default, MAIL.BOX is automatically compacted at 4 a.m.

➤ Tell Router Show Queues—Shows mail held in transfer queues to specificservers and mail held in the local delivery queue.

➤ Tell Router Exit or Tell Router Quit—Stops the router task on a server.

➤ Load Router—Starts the router task on a server.

➤ Tell Router Update Config—Updates the server’s routing tables to imme-diately modify how messages are routed. This removes the 5-minutedelay before a router configuration change takes effect.

Basic Messaging SettingsThe following sections address a few of the basic settings that can be appliedto mail and messaging. Other messaging settings are covered in more detailin the Mail chapters in this book related to the other exams (Chapter 8,“Mail,” for Exam 621, and Chapter 17, “Resolving Server Problems,” forExam 622).

Creating Archiving PoliciesAn archiving policy is a document that defines and can control the settings formail archiving for users in the domain. For the first time in Domino Release6, administrators can centrally control mail file archiving using policies.Archiving is particularly useful for mail databases because users typically saveboth sent and incoming mail, causing the mail file to increase in size.Archiving the mail file frees up space and improves the performance of themail database by storing documents in an archive database when they are oldor not in use anymore.

04 0789729180 ch03 10/21/03 2:33 PM Page 48

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 49

The mail archive database is a Notes database and can be accessed like anyother Notes database. The views in a user’s mail archive mirror the views inthe mail file. The archive includes the folder hierarchy of the original maildatabase, enabling users to easily find and read messages in the archive.

Mail file archiving is a three-step process that includes selecting documents(deciding which ones should be archived), copying files to an archive data-base, and performing mail file cleanup.

When you use policies to manage archiving, you use either server-basedarchiving or client-based archiving. The terms server-based and client-baseddon’t refer to the storage location for the archive, but rather to where thearchiving process occurs: either on a server or on the client’s workstation.The server performs archiving using the Compact task. The administratortriggers the server to archive by scheduling the running of the Compact taskusing a Program document. Client-based archiving assumes that the user willbe initiating the archiving process, which means that the workstation mustbe running for archiving to be successful.

If the user schedules client-based archiving when the workstation is not running,archiving will not occur.

An Example of How to Use Policies to ManageMail ArchivingThe administrator at Acme Corporation has had difficulty controlling orsupporting users who want to archive mail. She plans to use policy-basedarchiving to solve some of the following problems and issues related to mailarchiving:

➤ Acme needs a centralized archive server.

➤ Space is limited on the current mail server.

➤ Because archiving increases network traffic, Acme wants all mail archivingto happen during off-peak hours.

➤ To ensure consistency, users must not be allowed to control their archivesettings. Archive settings will be implemented and changed only byadministrators.

➤ Users within different organizational units will need to have slightlydifferent archiving settings.

04 0789729180 ch03 10/21/03 2:33 PM Page 49

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 350

To resolve Acme’s archiving issues, the administrator uses these Archivepolicy settings and applies them to all users via organizational policies:

➤ Server-based archiving is enabled from a mail server to a designatedarchive server.

➤ Archive settings are centrally managed and enforced by the administra-tor; users are prohibited from changing or creating archive settings.

➤ Archiving is scheduled to be server-based and will occur during off-peakhours.

➤ Optionally, the administrator can implement pruning (removing attach-ments and body of mail, but leaving header information intact), whichmight help conserve server disk space.

Creating an Archive Policy Settings DocumentSetting up mail file archiving is a two-step process: You must create the fol-lowing three documents in the Domino Directory:

➤ The Archiving Settings document(s)—This specifies whether users areallowed to archive. If they are, all further archiving settings are createdin this document.

➤ The Archive Criteria Settings document(s)—This document is created fromwithin the Archiving Settings document. The criteria determine whichdocuments are archived and how the mail file is cleaned up.

➤ The Policy document that references the correct Archiving Settings document—This policy refers to the correct Archiving Settings document and mightalso refer to other Settings documents.

The Archiving Settings document specifies whether to allow archiving eithercentrally by administrators or privately by Notes users. If you prevent allarchiving, that is essentially the only setting listed in your Archiving Settingsdocument. You must then reference that Settings document in your Policydocument. If you prevent private archiving, the Archiving Settings documentdetermines how documents in the user’s mail file are archived, and users can-not change these settings or create private archive settings.

If you allow archiving, use the Archiving Settings document to definewhether archiving is server-based or client-based, to specify source and des-tination archive servers, and to set the archive schedule. You can also changethe name and location of the default archive log file if you want.

04 0789729180 ch03 10/21/03 2:33 PM Page 50

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 51

Implementing Mail QuotasUsers can receive and save a high volume of email, including their own sentmessages, in their mail files. Large mail files can overwhelm a server’s diskcapacity and reduce the performance of the mail client. Because you gener-ally cannot provide users with unlimited storage space, set a size limit, ordatabase quota, for each mail file; these limits are called mail quotas. Whendelivering mail to a user’s mail file, the router checks the current size of themail file against the specified mail quota.

You can set two types of size limits on a user’s mail file: a warning thresholdand an absolute quota size. Set a warning threshold to provide users withadvance notice when their mail files approach the designated mail file quota,so they can reduce the size of their mail files before message flow is inter-rupted. Set a quota if you intend to establish a policy of interrupting users’mail usage if their mail files exceed a specified size.

You must set a quota before you can set a warning threshold.

You can configure the router to respond in several ways when a mail fileexceeds its quota, each representing a higher level of enforcement. The leastrestrictive response is to have the router issue automatic notifications to userswhen their mail files exceed the quota. If users fail to respond to notifications,you can hold pending messages in MAIL.BOX or return messages to thesenders as undeliverable until the users reduce the size of their mail files.

Along with the methods the router uses to enforce quotas, the Notes clientdisplays a warning to any user who has exceeded the designated warningthreshold or quota whenever the user attempts to send mail.

Setting the Quota or Warning Threshold on a Mail DatabaseYou can set quota limits and warning thresholds in one of two ways:

➤ During registration—Quotas specified during registration apply only tonew users, not to existing users. You can also set mail quotas before reg-istration by listing the quota information in the Registration Policy doc-ument and applying this document during registration.

➤ Per database—Using the Domino Administrator, you can manually speci-fy the warning threshold and quota of one or more mail files. Thismethod works for any database, including the mail database. Quotas andwarning thresholds are set using the Quotas tool in the File Tab of theAdministrator client.

04 0789729180 ch03 10/21/03 2:33 PM Page 51

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 352

Understanding Mail EncryptionEncryption protects data from unauthorized access. Using Notes andDomino, you can encrypt the following:

➤ Mail messages sent to other users—Encryption can be applied to outgoingmessages, in which case an unauthorized user cannot read the messagewhile it is in transit. You can also encrypt saved and incoming messages.

➤ Network ports—Information can be encryption when being sent betweena Notes workstation and a Domino server, or between two Dominoservers, thereby preventing unauthorized users from reading the datawhile it is in transit.

➤ SSL transactions—You can use SSL to encrypt information sent betweenan Internet client, such as a Notes client, and an Internet server, to pre-vent unauthorized users from reading the data while it is in transit.

➤ Fields, documents, and databases—Application developers can encryptfields within a document, an entire document, and local databases,allowing only the specified users to read the information.

The Role of Public and Private Keys in Mail EncryptionDomino uses public and private keys so that data encrypted by one of thekeys can be decrypted only by the other. The public and private keys aremathematically related and uniquely identify the user. Both keys are storedin the ID file. The certificate containing the public key is also stored in theuser’s Person document in the Domino Directory, where it is available toother users.

Domino uses two types of public and private keys: Notes and Internet. Youuse the Notes public key to encrypt fields, documents, databases, and mes-sages sent to other Notes users; the Notes private key is used for decryption.Similarly, you use the Internet public key for S/MIME encryption and theInternet private key for S/MIME decryption. For both Notes and Internetkey pairs, electronic signatures are created with private keys and verified withpublic keys.

To properly understand mail encryption, it is best to use a scenario. Let’s saythat John wants to send an encrypted mail message to Carol. John and Carolboth work for Acme Corporation and are listed in the Domino Directory.John creates the mail message and chooses to encrypt it in the DeliveryOptions for the message. When he pushes the Send button, his Notes work-station encrypts the message by applying three keys:

04 0789729180 ch03 10/21/03 2:33 PM Page 52

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 53

1. John’s public key from his user ID

2. John’s private key from his user ID

3. Carol’s public key from her Person document in the Domino Directory

While the message is in transit, the body of the message is encrypted. WhenCarol receives the message, her workstation decrypts it using the private keylocated on her ID file.

Only the Body field in a mail message is encrypted. The only key that can decrypt themessage is the recipient’s private key, which is mathematically related to the public keyand is only stored on the ID file. The To, cc, bcc, and Subject fields are not encryptedand can be read by anyone who can access the message in the mail database.

In general, mail sent to users in an external domain cannot be encrypted.However, if the recipient of the mail uses Lotus Notes and the sender hasaccess to the recipient’s public key, the sender can encrypt the mail message.The recipient’s public key can be stored in the Domino Directory, in anLDAP directory to which the sender has access, or in the sender’s PersonalAddress Book. If a user attempts to send an encrypted message to someoneand the user can’t access the recipient’s public key, encryption will fail at thetime of sending, prompting the user with an error message that asks whetherto continue sending the message in unencrypted format.

User Messaging ConfigurationUsers can configure their workstations with a number of different settingsthat affect mail and mail routing. Nearly all of these settings are configuredusing documents in the user’s Personal Address Book (NAMES.NSF). Mostusers lack the expertise and interest to configure their own workstations, soadministrators often sit down at the user’s client machine to configure theworkstation on behalf of the user, for the sake of efficiency and accuracy. Forthe purposes of the exam, it’s important to be familiar with the documents inthe Personal Address Book that relate to messaging configuration: specifi-cally, the Location document and the Connection document.

User Preferences Related to MailUsers have a number of options available to them for dictating how the work-station processes and handles mail. The user accesses these settings by choos-ing File, Preferences, User Preferences, Mail. The following is a list of settingsin the General section of the User Preferences dialog box (see Figure 3.2):

04 0789729180 ch03 10/21/03 2:33 PM Page 53

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 354

➤ Configuration—Lists the user’s local address books and an optional alter-nate mail memo editor

➤ Sending—Indicates whether sent mail is saved and whether sent mail isautomatically signed or encrypted

➤ Forwarding—Indicates whether a forwarding prefix is used

➤ Receiving—Specifies the polling interval in minutes that the workstationuses to check for new mail

➤ When New Mail Arrives—Enables the user to choose the interfaceprompt for new mail: sound, pop-up, and so on

Figure 3.2 The Mail, General section of the User Preferences dialog box.

Additionally, an Internet mail preferences section lists preferences forInternet mail.

Setting Workstations for Different LocationsUsers can specify mail settings, such as whether to use their mail on a serveror use their local replica, from the Mail tab of a Location document. A Locationdocument contains communication and location-specific settings for usewith the Notes client. The user switches locations to change the way inwhich the workstation sends, receives, and stores mail.

Here is a brief description of the main fields on the Mail tab of the Locationdocument:

04 0789729180 ch03 10/21/03 2:33 PM Page 54

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 55

➤ Mail File Location—Select On Server to use the mail file directly on aserver, or select Local to use a local replica of the mail file. When theuser uses a local replica, Notes transfers outgoing mail to a local outgo-ing mailbox (MAIL.BOX) until replication occurs.

➤ Mail File—The path to the mail file. Notes opens the mail file that youspecified in this field when the user chooses a mail command from themain menu, clicks the Mail icon in the Bookmark bar or Welcome page,or forwards a mail message.

➤ Domino Mail Domain—The name of the Domino domain.

➤ Internet Domain for Notes Addresses When Connecting Directly to theInternet—The name of the Internet domain to use if the user has set upany Internet mail accounts.

➤ Recipient Name Typeahead—Where the typeahead feature looks for mailaddresses.

➤ Format for Messages Addressed to Internet Addresses—Notes Rich TextFormat allows all messages over the Internet to be sent as plain text,while MIME Format converts the message to MIME format beforesending.

04 0789729180 ch03 10/21/03 2:33 PM Page 55

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 356

Exam Prep Questions

Question 1


❍ A. Immediately


❍ C. According to the schedule in the Connection document


Answer A is correct. The router immediately routes mail to servers in thesame Notes Named Network. The messages are immediately routed fromthe MAIL.BOX file on the sender’s server to the MAIL.BOX file on therecipient’s server. Because servers in a Notes Named Network share a com-mon protocol and are always connected, you do not need to createConnection documents for mail routing.

Question 2

Debbie, the Domino administrator, has noticed that one of her servers is pro-cessing a huge volume of mail compared to the other two mail servers in herdomain. What can she do to increase mail throughput in the server?

❍ A. Enable multiple router tasks

❍ B. Enter the following setting in the server’s NOTES.INI:MailServerThreads = 3

❍ C. Change the users’ Location documents to send mail directly to thedestination server

❍ D. Enable multiple MAIL.BOX databases on the server

Answer D is correct. She can configure the Domino server to route mailusing multiple MAIL.BOX databases. A substantial performance improve-ment can be gained by multiple MAIL.BOX databases because the router canpush messages through more than one transfer point.

04 0789729180 ch03 10/21/03 2:33 PM Page 56

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 57

Question 3

A TCP/IP networking problem caused mail to stop transferring between ServerAand ServerB. After fixing the networking problem, what command should theadministrator use to manually router mail from ServerA to ServerB?

❍ A. Route Mail ServerB

❍ B. Route ServerB

❍ C. Tell Router Route ServerB

❍ D. Send Mail ServerB

Answer B is correct. The administrator can issue the Route command to ini-tiate mail routing with a specific server. Issuing the Route command overridesany mail-routing schedules that have been created using Connection docu-ments in the Domino Directory. For server names that contain multiplewords or spaces, enclose the entire name in quotes.

Question 4

Using the Domino console, what command can the Domino administrator useto determine which servers have mail waiting to be transferred in MAIL.BOX?

❍ A. Tell Router Config

❍ B. Tell Router Show Queues

❍ C. Load Router

❍ D. Tell Router Quit

Answer B is correct. To display mail held in transfer queues to specificservers, the administrator would issue the console command Tell Router ShowQueues.

Question 5

Where are Person documents stored?

❍ A. In MAIL.BOX on the server

❍ B. In the Domino Directory on the server

❍ C. In names.nsf on the workstation

❍ D. In log.nsf on the server

04 0789729180 ch03 10/21/03 2:33 PM Page 57

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 358

Answer B is correct. Person documents are stored in the Domino Directory(names.nsf) on the server. In previous releases, the Domino Directory wassometimes referred to as the Public Address Book or the Name and AddressBook (NAB).

Question 6

Sean needs to ensure that all mail is routed between servers in the sameDomino Named Network. How many Connection documents should he create?

❍ A. 1

❍ B. 2

❍ C. 0

❍ D. One for every pair of servers in the domain

Answer C is correct. Mail is routed immediately by the router to servers inthe same Domino Named Network. The messages are immediately routedfrom the MAIL.BOX file on the sender’s server to the MAIL.BOX file on therecipient’s server. Because servers in a DNN share a common protocol andare always connected, you do not need to create Connection documents formail routing.

Question 7

Which of the following best describes mail servers that the ISpy task monitorsby default?

❍ A. All mail servers

❍ B. The local mail server only

❍ C. All servers in the domain

❍ D. None

Answer B is correct. By default, the ISpy task monitors the local mail serveron which it is running. However, you can monitor other Domino mailservers by creating probe documents. The ISpy task must be running tomonitor the server.

04 0789729180 ch03 10/21/03 2:33 PM Page 58

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 59

Question 8

Sean needs to ensure that all mail is routed between ServerA and ServerB. Thetwo servers are not in the same Domino Named Network. What should Sean doto schedule mail routing between the two servers?

❍ A. Create Connection documents in the Domino Directory

❍ B. Create Connection documents in the names.nsf on his workstation

❍ C. Create a Domain document in the Domino Directory

❍ D. Nothing—the two servers will route mail automatically

Answer A is correct. When two servers are not in the same Domino NamedNetwork, mail routing must be configured using at least one Connectiondocument in the Domino Directory.

04 0789729180 ch03 10/21/03 2:33 PM Page 59

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 360

Need to Know More?Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBMRedbooks, 2002. Also available on the Web at www.redbooks.ibm.

com/. For references to mail, consult Chapter 9, “New MessagingAdministration Options.”

Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, Indiana: Que Publishing, 2003.

Lotus Domino 6 Technical Overview: www-10.lotus.com/ldd/today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/

089a22f9f8a573af85256a1b00782950?OpenDocument. For references tomail, consult the section “Messaging.”

Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6Administration.” http://searchdomino.techtarget.com/webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html.

Webcast: “Preparation and Test Taking Strategies with LotusEducation Managers.” http://searchdomino.techtarget.com/webcastsTranscriptSecurity/1,289693,sid4_gci876208,00.html.

04 0789729180 ch03 10/21/03 2:33 PM Page 60

Managing and Maintaining


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4

✓ Full-text index✓ Web server✓ HTML✓ Home URL✓ Character set mapping✓ Execution Control List (ECL)✓ Agent signer✓ Network compression✓ Design template✓ Refresh and Replace Design✓ Compact✓ Fault recovery✓ Fixup

✓ Program document✓ LOG.NSF✓ DOMLOG.NSF✓ Memory cache✓ Timeout✓ Web Site rule✓ Web Administrator✓ EVENTS4.NSF✓ Live console✓ Central directory✓ Distributed directory✓ Policy synopsis

Techniques you’ll need to master:✓ Deploying applications for the Notes client

and the Web client✓ Deploying applications based on other

characteristics, such as document size andcoding content

✓ Managing the design of a database usingboth the Design task and replication

✓ Understanding the role of the workstationECL

✓ Effectively monitoring application size

✓ Maintaining the integrity of a database✓ Monitoring the Domino server environ-

ment: monitoring server tasks, managingand monitoring log files, maintaining Webservices, and configuring administrationmonitoring tools

✓ Migrating from a distributed to a centraldirectory

✓ Creating a policy synopsis

05 0789729180 CH04 10/21/03 2:46 PM Page 61

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 462

In this chapter, we discuss many of the maintenance tasks that an adminis-trator would perform in order to maintain Domino servers and applications.Some of these tasks are performed on a scheduled basis—once a day or oncea week, for example—whereas others are performed in an ad hoc or on an as-needed basis.

In this chapter, we show you how to deploy many different kinds of Dominoapplications. We then show you how to manage and maintain an application’sdesign, size, and integrity. The latter half of the chapter is devoted to servermonitoring—all the different ways the administrator can monitor the tasksand processes running on a server.

This is likely one of the more tedious chapters you’ll read, because adminis-trators rarely enjoy maintenance and monitoring—configuring and trou-bleshooting are much more fun! However, the material presented here is justas important to an exam scenario as the material in other chapters. In fact,there are more competencies listed for this chapter than for any of the otherchapters for the 620 exam.

Application DeploymentOne of the administrator’s most critical day-to-day jobs is to ensure thatapplications are implemented and maintained properly, so that users andservers can access data in a timely manner. In the sections that follow, weshow how different kinds of Domino applications are deployed, based onwhere they are stored, what types of information they contain, and whichtypes of clients will access the application. For the purposes of this and otherchapters, the word “application” is synonymous with “database.”

Deploying Server-Based ApplicationsThe following are some of the tasks that an administrator should completein order to deploy a database in production. Domino Administrators musthave Manager access in the database Access Control List (ACL) to performthese tasks. Follow these steps to deploy server-based applications:

1. Set up the database ACL for users and servers that require access. Ifthere will be multiple replicas of a database, make sure that the data-base ACL lists the name of each server containing a replica. If thedatabase uses roles, all roles should be assigned to each server so thatthe server can successfully replicate all documents.

05 0789729180 CH04 10/21/03 2:46 PM Page 62

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing and Maintaining 63

2. Verify that server access is set up correctly in the Server document.Without proper access to the server, users and servers won’t haveaccess to databases on that particular server.

3. Copy the new database to a server. Consider server disk space, topolo-gy, and network protocols; for example, there must be adequate diskspace on the server to store the database, and the server’s resourcesmust be sufficient for the number of clients who will access the data-base. Placing a database on a cluster requires that you consider clusterresources.

4. Verify that the database appears in the Open Database dialog box asspecified in the Database Properties box.

5. Decide which servers require replicas of the database and then createthe replicas on those servers. Consider the purpose and size of thedatabase, the number and location of users who need access to thedatabase, and the existing replication schedules between servers.

6. Create or edit Connection documents to schedule replication. Formore information on scheduled replication, consult Chapter 5,“Replication,” in this book.

Optionally, the administrator might want to consider performing some or allof the following tasks, none of which are absolutely necessary to successfuldatabase deployment, but which may enhance the user’s experience with thedatabase.

➤ Create About This Database and Using This Database documents—Thesedocuments help to provide valuable information to the user about whereand how to seek out help for the database.

➤ Create a full-text index—A full-text index is a collection of files thatindexes the text in a database to allow Notes to process users’ searchqueries. Creating this index for the database allows users to performfull-text searches.

➤ Create a Mail-In Database document—If the database is designed toreceive mail, you must create a Mail-In Database document in theDomino Directory.

➤ List the database in the database catalog—This assists users in finding data-bases on different servers.

➤ Publish the database in a database library—Administrators can create data-base libraries that list the database name, filename, location, and a brief

05 0789729180 CH04 10/21/03 2:46 PM Page 63

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 464

description of the database. A library allows a user to “browse” througha listing of databases in order to find one of interest easily.

➤ Add the database to the Domain Index—If an application database will beuseful to a wide audience, include the database in the Domain Index.

➤ Notify users that the database is available—Provide the database title, file-name, and server location. Administrators can also provide a link to thedatabase in an email so that users can easily launch the database.

Deploying HTML-Based ApplicationsDomino provides an integrated Web application server that can host Websites that both Internet and intranet clients can access, and can serve pagesthat are stored in the file system or in a Domino database. When a Webbrowser requests a page in a Domino database, Domino translates the docu-ment into HTML. HyperText Markup Language (HTML) is an Internet-standard language that allows text to be rendered to the Web browser client.When a Web browser requests a page in an HTML file, Domino reads thefile directly from the file system. The Web server then uses HTTP to trans-fer the information to the Web browser. A Web server is a Domino serverthat is running the HTTP task to allow Web client access to data.

Domino looks for individual HTML, CGI, and icon files in specific directo-ries on the server’s hard drive. The administrator can change the URL pathfor icons and CGI program files. The URL path is where Domino looks foricons or CGI programs when it encounters a reference in the HTML codeto one of these.

Mapping rules are set in the Server document, on the Internet Protocols,HTTP tab, in the “Mapping” section. The following list offers a basicdescription of each of the mapping rules:

➤ Home URL—The URL command to perform when users access theWeb site without specifying a resource; for example, the user simplytypes http://www.acme.com.

➤ HTML Directory—The directory that will be used to find HTML files ifa URL does not specify a path; for example, http://www.acme.com/welcome.html. The default path is domino\html, relative to the Domino datadirectory.

➤ Icon Directory—The directory where icon files are located, either a rela-tive or fully qualified path.

05 0789729180 CH04 10/21/03 2:46 PM Page 64


➤ Icon URL Path—The URL path that is used to map to the icon directory.The default is /icons; for example, the URL http://servername/icons/abook.gif returns the file c:\lotus\domino\data\domino\icons\abook.gif.

➤ CGI Directory—The default directory where CGI programs are located.The default is domino\cgi-bin.

➤ CGI URL Path—The URL path that is used to map to the default CGIdirectory. The default is cgi-bin; for example, the URL http://servername/cgi-bin/test123.pl runs the CGI program c:\lotus\domino\data\domino\cgi-bin\test123.pl.

➤ Java Applet Directory—The directory where the Domino Java applets arelocated. The default is domino\java.

➤ Java URL Path—The URL path that is used to access files in the defaultJava directory. The default is /domjava.

Deploying Web Applications forInternationalizationDomino uses the default character set and character set mapping selection togenerate HTML text for the browser. Character set mapping is a “map” ortemplate used by the Web server to generate character sets for HTML text.For international users who need to see text in nonwestern languages, theadministrator needs to make changes to the settings. The character set set-ting affects all databases on the server.

Character set mapping is specified in the Server document on the Internetprotocols tab, on the Domino Web Engine tab, under “Character Set.” Thefollowing list describes the character set mapping options:

➤ Default Character Set Group—Choose a character set group to allow usersto choose their preferred character set when they create or edit docu-ments. The default is Western.

➤ Use UTF-8 for Output—Choose Yes to generate pages using UTF-8;choose No (default) to generate pages using the character set mappingselected by the administrator.

➤ Use Auto-Detection if Database Has No Language Information—Choose Yesto detect automatically the language to use for the database if no defaultlanguage is selected on the Design tab of the Database Properties box;choose No (default) to use the language specified by the Use UTF-8 forOutput field.

05 0789729180 CH04 10/21/03 2:46 PM Page 65

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 466

➤ Character Set in Header—Choose Yes (default) to add the character set tothe “Content-Type” HTTP header of an HTML page; choose No toexclude the characters from the HTTP header of an HTML page. Thisoption should be used if there are early versions of browsers that do notunderstand the character set tag in the HTTP header.

➤ Meta Character Set—Choose Yes to add the character set to the<META> tag of an HTML page; choose No (default) to exclude thecharacter set from the <META> tag of an HTML page.

Deploying Applications Based on Coding:Formula Language, LotusScript,JavaScript, CThere are several ways in which an administrator can protect and restrictusers and servers from executing unauthorized code. An administrator canrestrict and control how agents run on the Domino server, and the adminis-trator can also dictate which code gets executed on the client workstationthrough the deployment of an Execution Control List (ECL). The followingsections detail each of these methods.

Controlling Agents That Run on a ServerTo control the types of agents users can run on a server, the administratormust set up restrictions for server agents in the Security section of the Serverdocument. The fields in this section are organized hierarchically with regardto privileges. “Run Unrestricted Methods and Operations” has the highestlevel of privilege and “Run Simple and Formula Agents” has the lowest.

If the language is specified for a database on the Design tab of the DatabaseProperties box, Domino uses that language for text in the database.

A user or group name in one list will automatically receive the rights of the listsbeneath. Therefore, a name has to be entered in only one list, which then gives thatuser the highest rights.

Here is the list of fields in the Programmability Restrictions section of theSecurity tab on the Server document:

05 0789729180 CH04 10/21/03 2:46 PM Page 66


➤ Run Unrestricted Methods and Operations—The names of users and groupswho are allowed to select, on a per agent basis, one of three levels ofaccess for agents signed with their ID. Users with this privilege selectone of three access levels when they are using Domino Designer 6 tobuild an agent. Those levels include Restricted Mode, UnrestrictedMode, and Unrestricted Mode with Full Administration Rights.

To have the ability to run agents in Unrestricted Mode with Full Administration Rights,the agent signer should be listed in this field, or in the Full Access Administrator field,as well as have this mode selected in the Agent Builder. Being listed in the Full AccessAdministrator list alone is not sufficient to run agents in this mode. The agent signeris the last user to save the agent, thereby signing it with their user ID.

➤ Sign Agents to Run on Behalf of Someone Else—The names of users andgroups who are allowed to sign agents that will be executed on anyoneelse’s behalf. The default is blank, which means that no one can signagents in this manner.

This privilege should be used with caution because the name for whom the agent issigned is the name used to check ACL access in the database when the agent runs.

➤ Sign Agents to Run on Behalf of the Invoker of the Agent—The names ofusers and groups who are allowed to sign agents that will be executed onbehalf of the invoker, when the invoker is different from the agent sign-er. This setting is ignored if the agent signer and the invoker are thesame. This is used currently only for Web agents. The default is blank,which means that everyone can sign agents invoked in this manner (thisis for backward compatibility).

➤ Run Restricted LotusScript/Java Agents—The names of users and groupsallowed to run agents created with LotusScript and Java code, butexcluding privileged methods and operations, such as reading and writ-ing to the file system. This field should be left blank to deny access toall users and groups.

➤ Run Simple and Formula Agents—The names of users and groups allowedto run simple and formula agents, both private and shared. Leave thefield blank to allow all users and groups to run simple and formulaagents, both private and shared.

05 0789729180 CH04 10/21/03 2:46 PM Page 67

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 468

➤ Sign Script Libraries to Run on Behalf of Someone Else—The names of usersand groups who are allowed to sign script libraries in agents executed bysomeone else. For the purposes of backward compatibility, the defaultvalue is to leave the field empty, to allow all.

Be careful when studying fields on the Server document that allow or restrict access.For some fields, blank allows everyone, whereas for other fields, blank allows no one.

The Execution Control List (ECL)An ECL protects user workstations against active code from unknown or sus-pect sources, and can be configured to limit the action of any code that runson workstations. The ECL determines whether the signer of the code isallowed to run that code on a given workstation, and defines the access thatthe code has to various workstation functions. For example, an ECL can pre-vent another person’s code from running on a computer and damaging orerasing data. Figure 4.1 shows the ECL within the User Security dialog box.

Figure 4.1 The workstation ECL as displayed in the User Security dialog box.

There are two kinds of ECLs:

➤ The administration ECL, which resides in the Domino Directory

➤ The workstation ECL, which is stored in the user’s Personal AddressBook

05 0789729180 CH04 10/21/03 2:46 PM Page 68


The administration ECL is the template for all workstation ECLs. Theworkstation ECL is created when the Notes client is first installed. The setupprogram copies the administration ECL from the Domino Directory to theNotes client to create the workstation ECL. For this reason, the administra-tion ECL should be evaluated and modified prior to the installation of themajority of Notes clients.

A workstation ECL lists the signatures of trusted authors of code. “Trust”implies that the signature comes from a known and safe designer. For exam-ple, every system and application template shipped with Domino or Notescontains a signature for the Lotus Notes Template Development.Administrators should ensure that every template and database within theorganization contains the signature of either a trusted application developeror the administrator. Administrators can easily sign design elements usingthe Sign tool in the Files tab of the Domino Administrator.

Workstation ECLs can be altered and maintained even after they have beencreated on client setup. Administrators can deploy updates to the worksta-tion ECL through one of the following methods:

➤ Using a Security policy settings document (explained in detail at the endof Chapter 6, “Security”)

➤ Using the @Refresh ECL function, through a memo or common data-base event

➤ Having users update their ECLs through the User Security dialog box

Deploying Applications Based on DocumentCharacteristics: Document SizeWhen an administrator deploys an application and wants to reduce theamount of data transmitted between a Notes workstation and Domino serv-er or between two Domino servers, he can enable network compression foreach enabled network port. Network compression is a style of compressionthat speeds up data transmission either between a Notes client and a Dominoserver or between two Domino servers.

For compression to be successful, the administrator must enable it on bothsides of a network connection. To enable compression for a network port ona server, the administrator chooses the Configuration tab in the DominoAdministrator by selecting Tools, Server, Setup Ports. To enable compres-sion on network ports on Notes workstations, the administrator can use a

05 0789729180 CH04 10/21/03 2:46 PM Page 69

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 470

setup or Desktop policy settings document. The user can also enable net-work compression on client ports using the User Preferences dialog box.

The benefits of using network compression can only be realized if the data being trans-mitted is not already compressed. In the case of a network dial-up service such as theMicrosoft Remote Access Service (RAS), which includes built-in compression,enabling compression on Notes network ports does not provide any additional benefit.

There is also a new Domino R6 database property that the administrator canenable to save space in documents in a database, called “Use LZ1Compression for Attachments.” Administrators can now choose to compressattachments using the new LZ1 algorithm instead of the older Huffmanalgorithm. Because LZ1 compression can be performed quickly and effi-ciently, it is favored over the Huffman method.

If the administrator is working in an environment that uses different versions ofclient and server software (for example, a Lotus Domino Designer 6 client and anR5 server) and he chooses the LZ1 compression option, attachments are automat-ically recompressed on the server using the Huffman method. For best perform-ance, administrators should use LZ1 in primarily Domino 6 environments.

Managing Application DesignDesign changes are typically not made directly in a database after the data-base goes into production and there are users actively creating, editing, anddeleting documents. Usually a separate database called a template is createdto allow the designer to make and test new design changes before migratingthose changes to the production copy of the database.

Distributing Application Design ChangesUsing the Design TaskBefore design changes can be copied from the template to the productiondatabase, the administrator must designate the template as a Master Designtemplate in the Database Properties box. Then, he must set the DatabaseProperties of the Production database to inherit design changes from thetemplate.

The name that is used as the Master Design template name must match upwith the name used in the inheriting database. It often saves confusion if thetemplate name is the same as or similar to the filename of the template itself.

05 0789729180 CH04 10/21/03 2:46 PM Page 70


Figure 4.2 shows the Database Properties of a database that has been desig-nated as a Master Design template.

Figure 4.2 The Design tab of the Database Properties box showing a database designated as aMaster Design template.

Figure 4.3 depicts the properties of the production database that inheritsdesign changes from the template designated as the Master Design template(the properties of which you saw in Figure 4.2). Note that the template nameis exactly the same in each properties list.

After the relationship between the template and the production database hasbeen established through the database properties of both the template andthe database, the administrator is ready to update the design of the produc-tion database through a Design Refresh.

The administrator can refresh the design of a database either manually orautomatically. If the Master Design template and the production databaseare both located on the same server, the Design task on the server will initi-ate the Design Refresh automatically. The Design task is scheduled to runon the server every day at 1:00 a.m. The administrator can change the tim-ing of the Design tasks by editing the notes.ini file on the server, and chang-ing the number in the following line:ServerTasksAt1 = Design

05 0789729180 CH04 10/21/03 2:46 PM Page 71

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 472

Figure 4.3 The Design tab of the Database Properties box.

The administrator also has the option of scheduling the Design task using aProgram document. A Program document is a document that is used to auto-matically run a server task at a specific time.

If the Master Design template and the database are not located on the sameserver, the administrator must refresh the design of the production databasemanually by opening the production database and initiating the File,Database, Refresh Design command. The administrator is prompted tochoose the location of the template (server or local). The Design Refreshthen proceeds as long as there is a related template in the location specifiedby the administrator.

The Refresh Design command is similar to another command called Replace Design.The Refresh Design command updates the production database with any design ele-ments that have been added, changed, or deleted since the last Design Refresh. TheReplace Design command deletes the design of the production database and com-pletely replaces it with the design of the chosen template. The Replace Designcommand is often invoked when the administrator wants to upgrade a databasefrom one version of a template to another (for example, R5 to R6 mail), or when hesuspects that the database could be corrupted, and he wants to replace the designof the database without affecting the actual Data documents.

Watch out for exam questions that may try to confuse you as to how these com-mands differ. Refresh is a partial refresh based on changes, whereas Replace is com-plete replacement of design elements.

05 0789729180 CH04 10/21/03 2:46 PM Page 72


Replicating Design ChangesWhen the administrator invokes the Refresh Design command either man-ually or by scheduling the Design task, only the Design documents are trans-ferred from the Master Design template to the production database. Thistransfer happens only in one direction, and does not affect the ACL of thedatabase or the Data documents.

The administrator can also rely on replication to transfer design changesfrom one database to another. There are two major differences between theDesign Refresh and replication:

➤ Replication transfers the ACL, Design documents, and Data documents,not just the Design documents as in a Design Refresh.

➤ Replication can be bidirectional, whereas the Design Refresh can occurin only one direction.

Most designers prefer to manage design changes through the use of Designtemplates and Design Refreshes. This method provides designers severaladvantages:

➤ They can carry out rigorous testing of their design elements using sam-ple data in the template, without worrying about having that data trans-fer to the production database.

➤ They can maintain a separate ACL for the template.

➤ They can better manage and control the frequency of the design updatesthrough the Refresh command than with replication. You must have atleast Designer access to the production database to be able to initiate aDesign Refresh, but anyone with Depositor access and above could initi-ate a replication between replicas.

Application MaintenanceThere are many tasks that an administrator should perform on a daily, week-ly, and as-needed basis to keep database applications in good working order.In this section, we focus on some of the database maintenance tasks relatedto managing database size, maintaining data integrity, and maintaininggroups.

05 0789729180 CH04 10/21/03 2:46 PM Page 73

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 474

Monitoring Application SizeWhen an administrator effectively monitors and minimizes database size,database applications typically show increased performance. Database opera-tions require less I/O and fewer CPU resources, view indexing and updatingis faster, and memory and disk space allocation is improved. The maximumdatabase size in Domino R6 is 64GB on the Windows and Unix platforms.

The administrator has a variety of methods and tools at his disposal to helpcontrol and minimize database size:

➤ Compact databases—When documents and attachments are deleted froma database, Domino tries to reuse the unused space rather than immedi-ately reduce the file size. Administrators should regularly compact data-bases so that the fragmented or “white space” can be reused effectively.Compact is the process by which a database is compressed, in order toreclaim space freed by the deletion of documents and attachments. TheCompact command can be issued manually from within the databaseproperties or by invoking the Load Compact command at the serverconsole. Most administrators choose to schedule Compact to run at anoff-peak time on a daily or weekly basis through the use of a Programdocument.

➤ Set database size quotas to prevent databases from growing beyond a specifiedsize—Quotas are set using the tools on the Files tab of the DominoAdministrator client. When a database reaches its quota, users receive anerror message stipulating that the database has exceeded its quota. Datacannot be saved in the database until the file size has been reduced.

➤ Delete inactive documents using the document archiving tool or using agents—Archiving allows the administrator to move old or inactive documents toan archive database, thus freeing up space in the production database.

➤ Disable soft deletions in databases—Documents that have been soft deletedremain in the database until the specified time interval has passed.

➤ Disable the default user activity recording in databases—By default, eachdatabase logs and records information about each user who has read orwritten to and from the database. Disabling this feature in the databaseproperties reduces the size of the database.

To prevent Statlog from automatically recording activity in User Activity dialogboxes, add No_Force_Activity_Logging=1 to the NOTES.INI file on the server. Then,the administrator can enable activity recording per database, as needed.

05 0789729180 CH04 10/21/03 2:46 PM Page 74


The administrator can further control database size by setting database per-formance properties that also reduce database size. There are several settingsin the Database Properties box that can be set to help reduce database size:

➤ Allow Use of Stored Forms in This Database—This option should be dese-lected so that the form isn’t saved with every document in the database.

➤ Don’t Maintain Unread Marks—This option should be selected so thatthe database doesn’t have to track unread documents for each user.

➤ Limit Entries in $UpdatedBy Fields; Limit Entries in $Revisions Fields—Thisoption limits the entries in both of these fields, saving space.

In addition to the options in the preceding list that help control and reduceapplication size, the administrator should use the following tools on a dailyor as-needed basis to monitor database size:

➤ Domino Administrator Files tab—The Files tab lists all files stored on theDomino server, from the root data directory through all subdirectories.The administrator can use the Files tab to quickly glance at the databasesize as well as the quota and warning amounts set on each database. ThisFiles view can be sorted in ascending or descending order by size.

➤ Log file (LOG.NSF): Database—Sizes view—Similar to the Files tab, theNotes log for the server has a sizes view that lists each database with itscorresponding size. The Statlog task on a server runs by default once aday at 5:00 a.m., at which time it reports database activity for databaseson the server in Database Activity Log entries in the Usage—By Dateand Usage—By Size views of the log file (LOG.NSF) and to the UserActivity dialog box of individual databases.

Maintaining Data IntegrityDomino server crashes can cause data corruption in applications. New inDomino R6, the administrator can set up fault recovery to automatically han-dle server crashes. When the server crashes, it shuts itself down and thenrestarts automatically, without any administrator intervention. A fatal errorsuch as an operating system exception or an internal panic terminates eachDomino process and releases all associated resources. The startup scriptdetects the situation and restarts the server. Fault recovery is enabled on theBasics tab of the Server document. Here is a listing of the fields on the Serverdocument related to fault recovery:

➤ Fault Recovery—Specifies whether the server automatically restarts fol-lowing a crash.

05 0789729180 CH04 10/21/03 2:46 PM Page 75

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 476

➤ Cleanup Script Name—Specifies the name of an optional script that runsafter a crash and before any other cleanup takes place. Enter the com-plete path and script name, including file extension.

➤ Cleanup Script Maximum Execution Time—Specifies the time, in secondsthat the cleanup script is allowed to run. If the script does not completewithin the specified interval, it is stopped.

➤ Maximum Fault Limits—Specifies the number of times the server isallowed to restart during a specified time period, in minutes; for exam-ple, two faults within 7 minutes. If the number of crashes exceeds thenumber of allowed restarts for the interval, the server exits withoutrestarting.

➤ Mail Crash Notification to—Specifies the name of a user or group thatDomino sends mail to after server restart.

Domino records crash information in the data directory. When the serverrestarts, Domino checks to see if it is restarting after a crash. If it is, an emailis sent automatically to the person or group in the “Mail Fault Notificationto” field. The email contains the server name, the time of the crash, and, ifavailable, the FAULT_RECOVERY.ATT file is attached, detailing addition-al failure information from the cleanup script.

The fault-recovery system is initialized before the Domino Directory can be read.During this initialization, fault-recovery settings are read from the NOTES.INI file,and then later read from the Domino Directory and saved back to the NOTES.INIfile. Any changes to the Domino Directory or the NOTES.INI file become effectivewhen the Domino server is restarted.

When the server restarts after a crash, it quickly searches for any unloggeddatabases that were modified but improperly closed. A few minutes afterserver startup is complete, the Fixup task then runs on these databases toattempt to fix any inconsistencies that resulted from partially written opera-tions caused by a failure.

The administrator can also invoke the Fixup task manually with the follow-ing console command:Load fixup databasepath options

databasepath specifies the files on which to run Fixup and options indicates theFixup command-line options.

05 0789729180 CH04 10/21/03 2:46 PM Page 76


Domino Server Monitoring andMaintenanceNot only does the Domino Administrator monitor and maintain databaseapplications, but he must also monitor and maintain the Domino serversthemselves. Server monitoring can involve a huge range of tasks that are per-formed by the administrator or by a team of administrators. For the purpos-es of this exam, we examine how to monitor server tasks, how to manage logfiles, how to maintain and monitor Web services, and how to configure someof the available server monitoring tools.

Monitoring Server TasksServer tasks perform complex administration procedures, for example, com-pacting databases, updating indexes, transferring mail, gathering statistics,and running agents. The administrator has several options for invoking serv-er tasks:

➤ Run a server task manually by loading the task at the server console.

➤ Run a server task manually by using the Domino Administrator Task,Start tool.

➤ Run the task automatically when the server starts by adding the name ofthe task to the ServerTasks= line in the server’s NOTES.INI file.

➤ Run the task automatically by editing or adding ServerTasksAt settingsin the NOTES.INI file. (The number that follows the “At” is the timeaccording to the 24-hour clock.)

➤ Create a Program document in the Domino Directory to run a task atscheduled intervals.

To start tasks, administrators often use the console commands. To load a task, enterthe word load, followed by the task name; for example, load router, load adminp,load updall. To stop a task using the console, the administrator enters the tell taskquit command; for example, tell router quit, tell replica quit. By using the consoleinterface and memorizing the names of the most common commands, administratorscan quickly start and stop tasks.

The administrator can also use the Domino Server Monitor on the Server,Monitoring tab of the Administrator client (see Figure 4.4). This tab displaysreal-time statistics and provides a graphical representation of the status ofservers and server tasks. You can view all servers or a subset of servers, andyou can view the status by state or by time line. Many administrators use this

05 0789729180 CH04 10/21/03 2:46 PM Page 77

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 478

view when they first log in to get a quick, accurate picture of what is runningon each server.

Figure 4.4 The Server, Monitoring tab of the Domino Administrator.

Monitoring and Managing Log FilesEvery Domino server has a log file (LOG.NSF) that reports all server activi-ty and provides detailed information about databases and users on the serv-er. The log file is created automatically when you start a server for the firsttime. The server cannot start without a log. The log for each server can beaccessed on the Server, Analysis tab of the Domino Administrator client (seeFigure 4.5).

By default, the log file records information about the Domino server system.Because the log file can become quite large, it is important to manage its size.The administrator can control the size of the log file automatically, usingNOTES.INI settings, user preferences, and other settings. For example, theLog setting in the NOTES.INI file determines how long documents aremaintained before being deleted from the log file.

By default, documents in the log are deleted after seven days. You must do a com-plete backup of the information in the log at least once a week to ensure that youhave accurate historical log information for the server.

05 0789729180 CH04 10/21/03 2:46 PM Page 78


Figure 4.5 The Design Miscellaneous Events view of the Notes Log, shown in the Server, Analysistab of the Domino Administrator.

The Log setting in the NOTES.INI file on the server specifies the contentsof the log file and controls other logging actions. There is no UI option tocontrol this particular setting—the administrator must edit the INI filedirectly. The syntax of the command is as follows: Log = logfilename, log_option, not_used, days, size

The following list details each portion of the preceding command:

➤ logfilename—The log database file name, usually LOG.NSF

➤ log_option—The log options: 1 = Log to the console; 2 = Force databasefixup when opening the log file; 4 = Full document scan

➤ not_used—Always set to zero; this parameter is not currently used

➤ days—The number of days to retain log documents

➤ size—The size of log text in event documents

Example:Log = LOG.NSF,1,0,14,20000

This setting ensures that the log file documents are kept for 14 days and cancontain up to 20,000 bytes. All log information is also sent to the console.

05 0789729180 CH04 10/21/03 2:46 PM Page 79

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 480

In addition to monitoring the Domino server log (LOG.NSF), the adminis-trator also has the option of setting up logging for the Web server. Web serv-er logging is configured on the Server document on the Internet Protocols,HTTP tab, as shown in Figure 4.6. Domino Web server requests can belogged to a database or to text files. Remember the following points whenchoosing:

➤ Text files—Text files are smaller and can be used with third-party analysistools.

➤ Domino Web Server Log (DOMLOG.NSF)—Logging to a database allowsthe administrator to create views and view data in different ways.However, the size of the database can become large so that maintenancebecomes an issue.

Figure 4.6 The Log File Names section of the Server document.

The administrator can choose to log to both text files and to the DOMLOG.NSF data-base. These options are not mutually exclusive, but would result in duplicate infor-mation being logged.

Monitoring and Managing Web ServicesThe administrator has control over many settings that control the operationand performance of the Web server. A Domino server is considered to be aWeb server when it is running the HTTP task. The HTTP task can be start-ed automatically by adding it to the ServerTasks= line in the server’sNOTES.INI file, or by issuing the Load HTTP command at the server con-sole.

After the Web server has been started, the administrator can use differentdocuments in the Domino Directory to configure the Web server services.

05 0789729180 CH04 10/21/03 2:46 PM Page 80


Managing the Memory Cache on the Web ServerMapping information about databases and authenticating users can take valu-able server time. To optimize response time, Domino uses a memory cache(command cache) to store this information. The memory cache stores theinformation for quick access.

To monitor the effectiveness of the memory cache settings, the DominoAdministrator can look at the Domino.Cache statistics using the Server,Statistics tab of the Domino Administrator client.

To manage memory cache on a Web server, open the Server document andchoose Internet Protocols, Domino Web Engine. Under Memory Caches,complete the following fields:

➤ Maximum Cached Designs—The number of database design elements tocache for users. The default is 128.

➤ Maximum Cached Users—The number of users to cache. The default is 64.

➤ Cached User Expiration Interval—The time interval in seconds duringwhich Domino regularly removes usernames, passwords, and groupmemberships from the cache. The default is 120.

Specifying the Number of Threads Used by the Web ServerAn HTTP request is processed by a thread. A server thread, in turn, can han-dle a number of network connections. The administrator can specify thenumber of threads the Web server can process. In general, the number ofthreads specified is an indication of the number of users who can access theserver simultaneously.

If the number of active threads is reached, the Domino server queues newrequests until another request finishes and threads become available. The morepower the server machine has, the higher the number of threads the adminis-trator should specify. Web server threads are set and changed on the Serverdocument, on the Internet Protocols, HTTP tab. The administrator mustenter a number in the Number Active Threads field. The default number is 40,which means that there could only be approximately 40 users connected to theWeb server at one time.

Specifying Network Timeouts on the Web ServerOpen, inactive sessions can prevent other users from accessing the server.Administrators should specify time limits for activities between the DominoWeb server and clients or CGI programs so connections do not remain openif there is no network activity between them.

05 0789729180 CH04 10/21/03 2:46 PM Page 81

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 482

Network timeouts on the Web server are specified on the Server documenton the Internet Protocols, HTTP tab in the Timeouts section (see Figure4.7). A timeout is the amount of time that passes before Domino drops aninactive thread.

Figure 4.7 The Timeouts section of the Server document.

The following list describes the available timeout options:

➤ HTTP Persistent Connections—Indicates whether persistent HTTP con-nections should be enabled on the Web server.

➤ Maximum Requests per Persistent Connection—The maximum number ofHTTP requests that can be handled on one persistent connection. Thedefault is five.

➤ Persistent Connection Timeout—The length of time for which persistentconnections should remain active. The default is 180 seconds.

➤ Request Timeout—The amount of time for the server to wait to receivean entire request. The default is 60 seconds. If the server doesn’t receivethe entire request in the specified time interval, the server terminates theconnection.

➤ Input Timeout—The time, in seconds, that a client has to send a requestafter connecting to the server. The default is 15 seconds. If no request issent in the specified time interval, then the server terminates the con-nection. If only a partial request is sent, the input timer is reset to thespecified time limit in anticipation of the rest of the data arriving.

➤ Output Timeout—The maximum time, in seconds, that the server has tosend output to a client. The default is 180 seconds.

➤ CGI Timeout—The maximum time, in seconds, that a CGI programstarted by the server has to finish. The default is 180 seconds.

05 0789729180 CH04 10/21/03 2:46 PM Page 82


Running Web AgentsAdministrators can specify whether Web application agents, that is, agentstriggered by browser clients, can run concurrently. These include applicationagents invoked by the WebQueryOpen and WebQuerySave form events, andfor agents invoked by the URL command “OpenAgent.” If the administra-tor chooses to enable this option, the agents run concurrently; otherwise, theserver runs one agent at a time. Also, the administrator should set an execu-tion time limit for Web application agents. The purpose of the time limit isto prevent Web agents from running indefinitely and using server resources.

Web application agents options are set in the Server document on theInternet Protocols, Domino Web Engine tab under Web Agents using thefollowing two fields:

➤ Run Web Agents Concurrently?—Choose either Enabled to Allow MoreThan One Agent to Run on the Web Server Concurrently or Disabled(default) to Run Only One Agent at a Time.

➤ Web Agent Timeout—The maximum number of seconds (elapsed clocktime) for which a Web application agent is allowed to run. A 0 value(default value) allows Web application agents to run indefinitely.

The Web agent timeout setting has no effect on scheduled agents or other types ofserver or workstation agents.

Using Web Site RulesWeb Site rules are documents that help the administrator maintain the organ-ization of a Web site. Rules have two main uses:

➤ Enable the administrator to create a consistent and user-friendly naviga-tion scheme for a Web site, which is independent of the site’s actualphysical organization

➤ Allow parts of the site to be relocated or reorganized without breakingexisting links or browser bookmarks

There are four types of Web Site rules. If more than one type of Web Siterule has been created for a Web Site document, the Rules documents areevaluated in this order:

1. Substitution

2. Redirection

05 0789729180 CH04 10/21/03 2:46 PM Page 83

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 484

3. Directory

4. HTTP Response Header

Setting Up and Configuring AdministrationMonitoring ToolsDomino includes many server-monitoring features that work together toinform you about the processes, networks, and use of the Domino system.The administrator would use one of three tools to monitor the system:

➤ The Domino Administrator client

➤ The Web Administrator client

➤ The server

Using the Monitoring Tools in the Domino AdministratorClientIn “Monitoring Server Tasks,” earlier in the chapter, we described how to usethe Server, Monitoring tab to display a graphical picture of tasks and statis-tics for each server. In order for the Server, Monitoring tab to function prop-erly, the administrator should set their administration preferences correctlyfor their client.

The administrator can use the default monitoring preferences or can cus-tomize them by choosing File, Preferences, Administration Preferences. Onthe Monitoring tab, complete the following fields:

➤ Do Not Keep More Than <n> MB of Monitoring Data in Memory(4–99MB)—This option sets the maximum amount of virtual memory,in MB, used to store monitoring data. Default is 4 MB.

➤ Not Responding Status Displayed After <n> Minutes of Inactivity—Thisoption sets the amount of time after which the “not responding” statusdisplays. The default is 10 minutes.

➤ Generate Server Health Statistics—This option includes health statistics incharts and reports.

You must enable the Generate Server Health Statistics option to use the ServerHealth Monitor, which is part of the IBM Tivoli Analyzer for Lotus Domino. This partof the product is purchased and licensed separately.

05 0789729180 CH04 10/21/03 2:46 PM Page 84


➤ Monitor Servers—This option allows you to choose “From ThisComputer” to monitor servers from the local Domino Administratorclient, or choose “From Server” and then click Collection Server toselect the Domino server running the Collector task for the serversbeing monitored by the location you selected.

➤ Poll Server Every <n> Minutes (1-60 minutes)—This option sets the serv-er’s polling interval, in minutes.

➤ Automatically Monitor Servers at Startup—This option starts the DominoServer Monitor automatically when the Domino Administrator client isstarted, instead of relying on the administrator clicking the Start button.

There is also a monitoring section used to configure statistics and monitor-ing on the Configuration tab of the Administrator client. The administratorchooses the Monitoring Configuration section to access the MonitoringConfiguration database (EVENTS4.NSF), which includes a set of defaultdocuments used to set up system monitoring. The administrator can thenchoose to edit the default documents or use the configuration wizards in theMonitoring Configuration database to create new ones. The MonitoringConfiguration database includes these documents:

➤ Event Generator—Defines the parameters of an event

➤ Event Handler—Describes what action to take when an event occurs

➤ Event Notification Method—Defines the notification method to use whenthe Event Handler document prescribes notification

➤ Log Filter—Specifies events that you do not want to log

➤ Server Console Configuration—Sets the text, background, and color attrib-utes for the Domino server console

➤ Statistic Description—Describes a statistic

➤ Server Statistic Collection—Specifies one or more servers from which sta-tistics are collected and identifies the server that performs the collecting

Using the Web Administrator ClientThe Web Administrator client is almost identical to the DominoAdministrator client with very few exceptions. The user interface looks thesame, and most menu options, dialog boxes, and information boxes are iden-tical, although the Web Administrator may occasionally display additionalinformation. For example, the Mail tab in the Web Administrator offersadditional mail-specific statistics—Mail Routing Schedule, Mail Routing

05 0789729180 CH04 10/21/03 2:46 PM Page 85

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 486

Statistics, and Mail Retrieval Statistics. This information is available in theDomino Administrator; however, it is not displayed in the same way.

The Web Administrator includes most of the Domino Administrator func-tionality; however, the Domino Server Monitor and performance chartingare not available in the Web Administrator.

The Web Administrator uses the Web Administrator database (WEBADMIN.NSF). The first time the HTTP task starts on a Web server, Domino auto-matically creates this database in the Domino data directory; however, theadministrator needs to ensure that the Web browser and server meet the fol-lowing requirements for the Web Administrator to run:

➤ Web browser requirements include Microsoft Explorer 5.5 or higher onWindows 98, Windows NT 4, Windows 2000, or Windows XP; orNetscape 4.7x or higher on Windows 98, Windows NT 4, Windows2000, Windows XP, or on Linux 7.x.

➤ Domino server tasks that must be running on the server include

➤ The Administration Process (AdminP) task.

➤ The Certificate Authority (CA) process must be running on theDomino 6 server that has the Issued Certificate List database on it toregister users or servers.

➤ The HTTP task.

Using the Domino Administrator Server Console to MonitorEventsThe administrator can choose to create a Server Console Configuration doc-ument for the server they are monitoring in order to specify the text, back-ground, and color attributes that the Domino server console uses to displaymonitoring information.

To customize the appearance of the Domino server console, the administra-tor must access the Server, Status tab, open the Server Console view, andfrom the menu, select Live Console, Server, Console Attributes. The LiveConsole is the console interface to the Domino server that allows the admin-istrator to issue console commands from the Notes Administrator client. Theadministrator then selects a server and clicks the color palette to select a colorattribute for the background and event text. Color choices can be viewed inreal time at the console display beneath the palette.

When the administrator uses the Domino Administrator server console tomonitor events, they can set a stop trigger for an event. The stop trigger

05 0789729180 CH04 10/21/03 2:46 PM Page 86


causes the console to pause and display only the event and the next 10 linesof console text when the event occurs.

In addition, administrators can retrieve information about error messages,including possible causes and solutions, and create event handlers. All ofthese options can be set or changed by accessing the Server, Status tab,choosing Server Console and using the buttons or the options on the LiveConsole menu.

Other Maintenance TasksThe following topics are included in the Monitoring and Maintaining chap-ter topics for the exam but don’t necessarily fit into any of the other cate-gories or topics in this chapter.

Migrating from a Distributed Directory to aCentral DirectoryA central directory architecture is an optional directory architecture that canbe implemented in a Domino domain. This architecture is new to R6 anddiffers from the traditional distributed directory architecture in which everyserver in a domain has a full replica of the primary Domino Directory.

With a central directory architecture, some servers in the domain have selec-tive replicas of a primary Domino Directory. These replicas, which areknown as Configuration Directories, contain only those documents that areused to configure servers in a Domino domain, such as Server, Connection,and Configuration Settings documents. A server with a ConfigurationDirectory uses a remote primary Domino Directory on another server tolook up information about users and groups and other information related totraditional directory services.

A central directory architecture has the following key features:

➤ Provides secondary servers quick access to new information because theservers aren’t required to wait for the information to replicate to them

➤ Enables secondary servers to run on less powerful machines becausethey don’t have to store and maintain the primary Domino Directory

➤ Provides tighter administrative control over directory managementbecause only a few directory replicas contain user and group information

05 0789729180 CH04 10/21/03 2:46 PM Page 87

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 488

A server with a Configuration Directory connects to a remote server with aprimary Domino Directory to look up information in the following docu-ments that it doesn’t store locally—Person, Group, Mail-in Database,Resource, and any custom documents added by the administrator.

The administrator can set up a Domino Directory as either a primaryDomino Directory or a Configuration Directory in one of the followingways:

➤ For a new server, when an additional server is registered and set upwithin the domain. When the new server is set up for the first time, areplica of the Domino Directory is pulled from the Registration server.This replica can be configured as either a full directory or aConfiguration directory.

➤ For an existing server in the domain, use replication settings for thedirectory to change a primary Domino Directory to a ConfigurationDirectory or to change a Configuration Directory to a primary DominoDirectory. Figure 4.8 shows the Replication Settings dialog box with thesettings for a Configuration Directory.

Figure 4.8 The Replication Settings dialog box for a Configuration Directory.

Creating a Policy Synopsis to Determine anEffective PolicyThe effective policy for a user is a set of derived policy settings that aredynamically calculated at the time of execution. The field values in an effec-tive policy may originate from many different policy settings documents.Each hierarchical level can have an associated policy, so users may have a

05 0789729180 CH04 10/21/03 2:46 PM Page 88


combination of policy settings that include the values set at their OU level,and those inherited from a parent policy. The resolution of those settings,stepping up through the organizational hierarchy, determines the effectivepolicy for each user.

In addition to organizational policies, users may also have explicit policies assignedto them. In that case, the order of resolution is that all organizational policy settingsare resolved first, and any explicit policy settings are resolved next.

There are two tools that can help the administrator determine the effectivepolicy governing each user. The Policy Viewer shows the policy hierarchyand associated settings documents, and a Policy Synopsis report shows thepolicy from which each of the effective settings was derived. The adminis-trator can use the Policy Synopsis tool to generate a report that is written tothe Policy Synopsis Results database (POLCYSYN.NSF).

Maintaining UsersAdministrators will often find themselves in a situation in which they mustperform various maintenance tasks associated with usernames and ID files.The most common maintenance tasks are renaming a user, moving a user toanother certifier, and deleting a user. Domino has automated these types ofmaintenance tasks with something called the Administration Process. Thisprocess performs all of the routine maintenance steps for the administrator,which saves the administrator time and cuts down on errors. TheAdministration Process automates the following tasks:

➤ Name management tasks, such as rename person, rename group, deleteperson, delete group, delete server name, recertify users, and storeInternet certificate.

➤ Mail file management tasks, such as delete mail file and move mail file.

➤ Server document-management tasks, such as store CPU count, storeplatform, and place network protocol information in Server document.

➤ Roaming user management, such as roaming user setup, move roamingusers to other servers, upgrade a nonroaming user to roaming status,and downgrade roaming user to nonroaming status.

➤ User mail file management tasks, such as performing Access ControlList (ACL) changes and enabling agents. For example, the “Out ofOffice” agent is enabled and disabled by Notes client users.

05 0789729180 CH04 10/21/03 2:46 PM Page 89

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 490

➤ Person document management tasks, such as storing the user’s Notesversion and client platform information.

➤ Replica management tasks, such as create replica, move replica, or deleteall replicas of a database.

The Administration Process (also referred to as AdminP) must be configuredas follows:

1. There must be an Administration Server for the Domino Directory in thedomain—This step is done during installation. There is always oneserver in the domain that is responsible for making the changes to doc-uments in the Directory. Those changes are then replicated to theother servers in the domain.

2. The administrator must specify an Administration Server for other databasesin the domain—In order for AdminP to change database ACLs and doc-uments within databases, each database replica must be “covered” byan Administration Server, meaning that there is one server designatedto make the AdminP changes to that replica of the database.Administrators set the Administration Server in the Advanced tab ofthe database ACL.

3. Each server must have a replica of the Administration Requests database(ADMIN4.NSF)—ADMIN4.NSF is created on first server setup, and areplica is created on every other server in the domain on additionalserver setup. This database tracks and processes all AdminP requests.

4. NAMES.NSF and ADMIN4.NSF must be replicating around the domainfrequently—Ideally, these two databases should be replicating severaltimes a day, so that requests are replicated to the AdministrationServers for different databases.

5. Each server involved in the Administration Process must have a certificationlog (CERTLOG.NSF)—This database is created on first server setup,and keeps track of all AdminP tasks that involve certification of IDfiles.

6. The AdminP task must be running on all servers involved in the process—This task is designed to start up by default on server startup.

7. (Optional) The administrator can configure the settings and intervals for theAdministration Process on the Server document for each server—If theadministrator chooses not to alter any settings, then the default settingswill apply and the AdminP process will function properly.

05 0789729180 CH04 10/21/03 2:46 PM Page 90


After the Administration Process has been configured properly, all AdminPrequests should be processed automatically, without assistance from theadministrator. The administrator initiates the request using the DominoAdministrator client, and can then monitor the status of each request usingthe different views in the ADMIN4 database. The Administration Processshould always be used to rename and delete users, to save time, and to ensureaccuracy. Administrators initiate all AdminP requests using the Tools sectionwithin the People view of the People and Groups tab (see Figure 4.9).

Figure 4.9 The Tools section of the People and Groups tab in the Domino Administrator client,showing the Rename and Delete commands.

Maintaining GroupsAfter the Administration Process has been configured as described in thepreceding section, the administrator can use the Process to manage andmaintain groups. If groups need to be renamed or deleted, AdminP shouldbe used.

Administrators should not rename or delete groups manually. Group names couldbe referenced in many places—within other groups, in Server documents, inPerson documents, in ACLs, and so on. If the administrator doesn’t use theAdministration Process to initiate renaming or deleting, he may not “catch” everyinstance of the group name.

05 0789729180 CH04 10/21/03 2:46 PM Page 91

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 492

All AdminP requests associated with groups are initiated from the Tools sec-tion within the Groups view in the People and Groups tab of the DominoAdministrator (see Figure 4.10). The requests can then be monitored usingthe views within ADMIN4.NSF.

Figure 4.10 The Server, Analysis tab of the Domino Administrator, showing the Admin Requestsdatabase.

05 0789729180 CH04 10/21/03 2:46 PM Page 92


Exam Prep Questions

Question 1

Which of the following properties can be set to improve the database perform-ance of a database called TEST.NSF?

❍ A. Enable the Maintain Last Accessed property.

❍ B. Disable the database cache for TEST.NSF.

❍ C. Disable the Don’t Allow Headline Monitoring database property.

❍ D. Enable the Don’t Maintain Unread Marks database property.

Answer D is correct. The Notes & Domino 6 Administration Help recom-mends enabling the Don’t Maintain Unread Marks database property on sev-eral reference databases, such as the help databases, the Domino Directory,and the server’s log file (LOG.NSF), and on any other database in whichunread marks are not necessary.

Question 2

Which of the following is not a real Domino server task?

❍ A. Fixup

❍ B. Design

❍ C. Report

❍ D. HTTP

Answer C is correct. There is no such task as the Report task, although thistask did exist in Release 4 of the Domino product.

Question 3

Toby wants to administer the server using a Web browser. Which of the follow-ing fields on the Server document must reference his name?

❍ A. Administer server from a browser

❍ B. Access server from a browser

❍ C. Web browser administrator

❍ D. Database administrator

05 0789729180 CH04 10/21/03 2:46 PM Page 93

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 494

Answer A is correct. By default, the Domino server grants users listed in theAdministrators field of the Server document in the Domino Directory theability to administer the server from a browser when the Web Administratordatabase is created; however, if you need to add a new user and allow themto administer the server from a browser, you need to add their name to theAdminister Server from a Browser field on the Security tab of the Serverdocument, as well as add their name to the Access Control List (ACL) of theWEBADMIN.NSF database.

Question 4

Tom is creating a Web Site Rules document. Which of the following is not a validtype of rule?

❍ A. Redirection

❍ B. HTTP Response Header

❍ C. HTTP Request Header

❍ D. Substitution

Answer C is correct. The Web Site Rules document is created from withinthe corresponding Web Site document. The four types of Web Site Rulesdocuments are

➤ A Directory Rules document is used to direct incoming URLs to a spe-cific directory, and to assign an access level.

➤ A Redirection Rules document is used to specify that designated incom-ing URL patterns be redirected to a specified URL.

➤ A Substitution Rules document is used to replace a specified URL pat-tern with another specified URL pattern.

➤ An HTTP Response Header Rules document is used to specify HTTPheaders that are to be added to HTTP responses.

05 0789729180 CH04 10/21/03 2:46 PM Page 94


Question 5

Web users are complaining that they can’t seem to complete the download of alarge file from the Web server. Which of the following settings should bechanged to allow the downloads to work successfully?

❍ A. Decrease the Input Timeout setting.

❍ B. Increase the Output Timeout setting.

❍ C. Reduce the number of active threads.

❍ D. Decrease the CGI Timeout setting.

Answer B is correct. The Output Timeout setting is the number of secondsthat Domino can take to send output to requesting Web clients. The defaultvalue for this is 180 seconds.

Question 6

Which of the following is not true about Program documents?

❍ A. They are stored in ADMIN4.NSF.

❍ B. They are stored in NAMES.NSF.

❍ C. They can be used to run a server task at a regularly scheduled time.

❍ D. They can be used to run a command-line executable.

Answer A is correct. All Program documents are stored in the DominoDirectory and can be used to run tasks on a server at a regularly scheduledtime or at server startup and to run a command such as an OS/2 commandfile or a Unix shell script or program.

Question 7

Which of the following best describes the steps required to enable compressionfor file attachments?

❍ A. Enable the Use LZ1 Compression for Attachments option on theDatabase Properties box.

❍ B. Enable the Use LZ1 Compression for Attachments option on the FormProperties box.

❍ C. Enable the Use LZ1 Compression for Attachments option in the Serverdocument.

❍ D. Enable the Use LZ1 Compression for Attachments in the ReplicationSettings box.

05 0789729180 CH04 10/21/03 2:46 PM Page 95

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 496

Answer A is correct. To enable LZ1 compression for attachments, open theAdvanced Options tab of the database properties and select Use LZ1Compression for File Attachments. Doing this may increase the amount ofI/O overhead. By default, Notes uses a compression method known asHuffman Encoding when compressing file attachments. LZ1 (Lempzel/ZivLevel 1) compression replaces the current Huffman Encoding compressionalgorithm used by R5.

Question 8

Bob is interested in implementing a centralized directory structure. Which oneof the following statements best describes this structure?

❍ A. A centralized directory structure is not supported in R6.

❍ B. In a centralized directory structure, a small number of servers storefull Domino Directories, whereas a large number of servers storeConfiguration Directories.

❍ C. In a centralized directory structure, a large number of servers store fullDomino Directories, whereas a small number of servers storeConfiguration Directories.

❍ D. None of the answers are correct.

Answer B is correct. Notes & Domino 6 support both a distributed directo-ry architecture and a central directory architecture. In a distributed directo-ry architecture, all servers use the standard Domino Directory. In a centraldirectory architecture, many servers store Configuration Directories (con-tain configuration settings only) and then use the full Domino Directories onremote servers for lookups. Only a few servers store the full DominoDirectory.

Question 9

Timothy noticed the following line in the NOTES.INI file on the server. Given thisexample, how many days will documents be kept in the LOG.NSF?Log = LOG.NSF,1,0,10,20000

❍ A. 10

❍ B. 7

❍ C. 1

❍ D. Forever

05 0789729180 CH04 10/21/03 2:46 PM Page 96


Answer A is correct. The syntax for the LOG= key is as follows: log=logfilename, log_option, not_used, days, size

In this case, the number of days is 10.

Question 10

John, the administrator, moved a database from ServerA to ServerB. Now usersare complaining that they cannot find the database to be able to launch it for thefirst time. What should John do to fix this problem?

❑ A. He can create a database.

❑ B. He can ask users to launch the database from within the database cat-alog.

❑ C. He can publish the database in a library.

❑ D. He can create a Database Redirection document.

Answers A, B, and C are correct. Directory links and database links are textfiles that are created by an administrator and appear as directory or databaseicons in the Domino data directory. Using the Domino Administrator or theLotus Notes client Open Database dialog box in the Notes client, directorylinks appear to the user as a directory folder icon, and database links appearas a database icon. They provide a pointer to a new location of a directory ordatabase. The administrator can also point users to the catalog or a librarydatabase.

05 0789729180 CH04 10/21/03 2:46 PM Page 97

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 498


What’s in Store for the Domino R6 Database: www-10.lotus.com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f85256

af700621c8a?OpenDocument.

Webcast: Lotus Live! Series: What’s New in Notes/Domino 6 Admin-istration: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/1,289693,sid4_gci857398,00.html.

Webcast: Preparation & Test Taking Strategies with LotusEducation Managers: http://searchdomino.techtarget.com/


05 0789729180 CH04 10/21/03 2:46 PM Page 98

ReplicationTerms you’ll need to understand:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5

✓ Replication✓ Replica ID✓ Replication history✓ Document-level sequence number✓ Field-level sequence number✓ ACL✓ Push✓ Pull-pull replication✓ Connection document

✓ Replication topologies✓ Source versus destination servers✓ Repeat interval✓ Replication conflict✓ Merge conflicts✓ Clustered replication✓ Event✓ Monitor

Concepts and techniques you’ll need to master:✓ Understanding document replication order✓ Using remote console commands to force

replication✓ Scheduling replication of databases

between servers using Connection docu-ments

✓ Understanding the relationship betweenthe Call at Times field and the RepeatInterval field on the Replication Connectiondocument

✓ Understanding how a server’s access levelin the database ACL affects replication

✓ Resolving replication conflicts keepingeither the main document or the conflictdocument

✓ Identifying the tools used for monitoringreplication

06 0789729180 ch05 10/21/03 2:38 PM Page 99

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5100

Replication involves the synchronization of data between two replica copies ofa database. Replicas can be stored either locally or on the Domino server.Replication between two server-based databases is called server-to-serverreplication. Replication involving a local database is called workstation-to-server replication. This chapter focuses mainly on server-to-server replication, which is typically administered and scheduled by the Dominoadministrator. Workstation-to-server replication is usually forced or sched-uled by the user, and the Notes client performs all of the work involved inpushing and pulling the data to the server-based replica.

For the purposes of the exam, it is important to remember that replicationnever happens automatically, as is the case with mail routing. Replicationmust be either forced or scheduled with a Connection document. You shouldmemorize all of the console commands to force replication, and you shouldbe familiar with all of the fields on the Connection document that relate toreplication and its schedule. The best way to understand replication is tostudy the case studies included in this chapter. Practice replication by creat-ing replicas on different servers and by forcing and scheduling replication tooccur. Then verify that replication has occurred by looking at the replicationhistory and at LOG.NSF on the server.

You can verify that two or more databases are replicas by comparing the replica IDsof the two databases using the second tab of the Database Properties box.Databases are replicas when the replica ID of each database is identical. A replicaID uniquely identifies a replica and is assigned when the replica is first created.Filenames of two or more replicas may be different, and a server can store morethan one replica of a database.

The Replica TaskThe server task involved in replication is the Replica task. The Replica taskinitializes on server startup and sits idle, waiting to perform replication tasks.You can enable multiple Replica tasks on a server to increase the amount ofreplication activity that the server can perform.

When replication is initiated, the Replica task first checks the time stamp ofthe last replication by reading the replication history. The replication historyis a record of successful replications, including the time stamp and the nameof the server involved in the replication. The Replica task then builds a listof documents in the database that have been changed, added, or deleted sincethe last successful replication. After creating this list in memory, the Replicatask performs a sophisticated examination of both document- and field-level

06 0789729180 ch05 10/21/03 2:38 PM Page 100

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 101

sequence numbers to determine which documents and fields to replicate. Adocument-level sequence number records the number of times the docu-ment has been edited, while the field-level sequence number records thenumber of times an individual field has been edited.

Replication then proceeds on a document-by-document basis at the fieldlevel; that is, field contents are replicated if they have been changed, added,or deleted since the last replication. The Replica task does not replicate fieldswithin documents that haven’t changed, thereby allowing replication to pro-ceed as quickly as possible.

Understanding DocumentReplication OrderIt is important to understand the order in which the Replica task on theDomino server proceeds with the replication of documents. The exam mayuse scenario questions to test your understanding of replication order, andit’s easy to become confused. You may want to consider jotting down the doc-ument order before you start the exam. The Replica task replicates docu-ments in the following order:

1. Access Control List (ACL) document

2. Design documents

3. Data documents

The Access Control List (ACL) is a listing of the users and servers that areauthorized to access the database. The document replication order can affectthe way in which replication continues between two replicas and can affectexactly which documents replicate. For example, if in replicating the ACLdocument the destination server is denied access to the database, replicationcould not proceed for the Design documents or the Data documents. Formore information, see “How Access Control Lists Affect Replication,” laterin this chapter.

Setting Up and ConfiguringReplication Through ForceIf replication must be performed immediately and cannot wait until the next scheduled replication, the Domino administrator has the option of

06 0789729180 ch05 10/21/03 2:38 PM Page 101

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5102

forcing replication between replicas. The administrator can force replicationmanually using several different methods.

Forcing Replication Using the ServerConsoleOne of the fastest ways to force replication between replicas on two differ-ent servers involves using replication commands at the console. You will like-ly encounter many exam questions that test your ability to use the console toforce replication. The best way to prepare for these types of questions is topractice entering the console commands so that you can easily recall the syn-tax of each command. Activate the live remote console on the Administratorclient by performing the following steps:


2. Open the Server Console view.

3. (Optional) Click the Live button to turn on the Live console.

Turning on the Live console enables the administrator to view console commandsin real time, as they are processed by the server. It is helpful to have the Live con-sole interface turned on before issuing console commands, to see the results thatfollow the initiation of the command. If you forget to turn on the Live console beforeissuing a command, you will simply receive the following message: “Command hasbeen executed on remote server. Use Live console option, in future, to viewresponses from the server.”

The Replicate CommandThe Replicate command is used to force two-way replication between twoservers—the server where you enter this command and the server specifiedin the command.

The syntax of this command is as follows:Replicate servername [databasename]

You should specify the server’s full hierarchical name. If the server name ismore than one word, enclose the entire name in quotes. You can also substi-tute a server group in place of a server name. If you specify a server group,the initiating server (the server where you enter this command) replicateswith each server in the list in the order in which the servers are listed in thegroup document.

06 0789729180 ch05 10/21/03 2:38 PM Page 102

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 103

If you don’t specify a database name, the Replica task replicates every data-base replica that the two servers have in common. To force replication of aparticular database replica, specify the database name after the server name.The initiating server (where you’re currently working) first pulls changesfrom the other server and then gives the other server the opportunity to pullchanges from it. This type of replication is also referred to as pull-pull repli-cation. Pull-pull replication is two-way replication that involves the Replicatask on both servers.

For example, if you are using the console on ServerA/Acme, the followingcommand would issue two-way replication of all databases in commonbetween ServerA/Acme and ServerB/Acme:Replicate ServerB/Acme

Alternatively, if you were using the console on ServerB/Acme, the followingcommand would issue two-way replication of the Administration Requestsdatabase between ServerB/Acme and ServerA/Acme:Rep ServerA/Acme admin4.nsf

The short form of the Replicate command is Rep.

For the exam, remember that when issuing replication commands through the con-sole, it is important to understand which server is initiating the command. The serv-er where you issue the console command is the initiator, also known as the sourceserver. The server or server group listed in the command itself is the destinationserver, also known as the target server. The exam questions will test your ability toread and understand which server is the source; for example, if the question indi-cates that the administrator is using the console on ServerA, the command RepServerA/Acme would have no effect because a server can’t replicate with itself. Makesure that you read the question carefully so that you know which server is the sourceserver. Then you can easily eliminate answer choices that don’t make sense.

The Pull CommandThe Pull command issues one-way replication between the server specifiedin the command and the server at which you issue the command. The syntaxof the command is as follows:Pull servername [databasename]

06 0789729180 ch05 10/21/03 2:38 PM Page 103

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5104

The initiating server receives data from the named server but doesn’t requestthat the other server pull data from it. This forces a server to replicate imme-diately with the initiating server, overriding any replication scheduled in theDomino Directory.

For example, if you are using the console on ServerA/Acme, the followingcommand would pull all changes, additions, and deletions from ServerB’sreplica of the Domino Directory. No changes, additions, or deletions wouldbe sent from ServerA to ServerB.Pull ServerB/Acme names.nsf

The Push CommandThe Push command is similar to the Pull command, except that it forces repli-cation in the opposite direction. The Push command instructs the initiatingserver to send data to the named server but doesn’t request data in return.The syntax of the command is as follows:Push servername [databasename]

Setting Up and ConfiguringReplication Through SchedulingDomino has the facility to allow the administrator to schedule replicationthrough a Connection document. A Connection document is a document thatcontains all of the settings necessary to schedule replication between servers.Connection documents can also be used to schedule mail routing. Whenreplication is scheduled, the server’s Replica task carries out replication withno prompting or initiation from the administrator.

For the purposes of the exam, it is important to remember that replicationnever happens automatically, as is the case with mail routing. If servers are inthe same Domino Named Network (DNN), mail routing happens automat-ically and the administrator never needs to create a Connection document toget mail routing working. Replication never happens automatically; it mustbe either forced or scheduled. Be careful to watch for exam questions that tryto confuse you into thinking that replication is automatic.

Replication TopologiesThe number of servers and database replicas in your Domino domain determines the type of topology the administrator chooses for scheduled

06 0789729180 ch05 10/21/03 2:38 PM Page 104

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 105

replication. A replication topology is the configuration an administrator uses toconnect servers for replication. A topology ensures that all servers are updat-ed in a timely and orderly manner instead of replicating haphazardly. As thenumber of servers and replicas increases, so does the amount of replicationrequired to distribute information across the network. Planning is requiredto determine how servers will connect to perform replication.

You can use several different configurations, or topologies, to control howreplication occurs between servers. Here are a few of the more commontopologies:

➤ Hub-and-spoke—This topology is generally the most common and effi-cient replication topology in larger organizations because it minimizesnetwork traffic. Hub-and-spoke replication establishes one central serveras the hub, which then schedules and initiates all replication with all ofthe other servers, or spokes. To set up replication in a hub-and-spokesystem, you create one Connection document for each hub-and-spokeconnection.

➤ Peer-to-peer—In this topology, replication is less centralized than in ahub-and-spoke configuration, with every server being connected toevery other server. Because peer-to-peer replication quickly distributeschanges to all servers, it is often the best choice for use in small organi-zations or for sharing databases locally among a few servers.

➤ Ring—Servers are connected in a circle, where documents replicate fromone server to another in a single direction.

Regardless of which replication topology you choose, you need to createConnection documents to connect servers for the purposes of automatingreplication.

Connection documents are used to connect servers for replication and for mail rout-ing. A single connection can be created to schedule the transfer of mail as well as thereplication of documents. If a single connection is created, both mail and replicationwill follow the same schedule. Where mail and replication follow different schedules,the administrator should consider creating separate connections. It is often easier totroubleshoot replication problems if the scheduling of replication is automatedthrough connections that do not include the routing of mail.

This chapter outlines the steps required to create connections for replication. Mailconnections were discussed in Chapter 3, “Mail.”

06 0789729180 ch05 10/21/03 2:38 PM Page 105

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5106

Creating a Replication ConnectionDocumentMany fields on the Connection document control the settings required toschedule replication. The best way to study for the exam is to create severalConnection documents, carefully filling out each field and using your mouseto point to the field help for instructions about the contents of each field.The exam won’t test your ability to memorize the contents of theConnection document, but it will likely have at least a couple of scenarioquestions that refer to scheduled replication. It’s important to be able to pic-ture the fields on the Connection document in your mind.

Follow these steps to create a Replication Connection document:

1. From the Domino Administrator, click the Configuration tab.

2. Click Server and then click Connections, or Click Replication and thenConnections.

3. Click the Add Connection button to create a new connection. To editan existing connection, click the connection you want to edit and thenclick Edit Connection.

To set basic options, choose from among these options on the Basics tab:

➤ Connection Type—Indicates how the servers will connect—for example,via network connection (LAN) or via dialup

➤ Usage Priority—Choose Normal to force the server to use the networkinformation in the current Connection document to make the connec-tion

➤ Source Server—Specifies the name of the calling server (the server initiat-ing the replication request)

➤ Source Domain—Specifies the name of the calling server’s domain

➤ Use the Port(s)—Specifies the name of the network port (or protocol)that the calling server uses

➤ Destination Server—Specifies the name of the target or destination server

➤ Destination Domain—Specifies the name of the target server’s domain

To configure replication or mail routing settings, choose from among theseoptions on the Replicating/Routing tab:

➤ Replication Task—Choose Enabled for scheduled replication

06 0789729180 ch05 10/21/03 2:38 PM Page 106

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 107

➤ Replicate Databases of Priority—If the administrator chooses to set a repli-cation priority for a database, replication of databases of different priori-ty can be scheduled at different times. A priority of Low, Medium, orHigh is set for each database in that database’s Replication Settings dia-log box.

➤ Replication Type—Four different types of replication exist. The type youchoose affects the direction of replication as well as which of the serversperforms the work of the replication.

➤ Pull Pull—Replication is bidirectional, whereby the source server initi-ates replication and pulls documents from the target server. The sourceserver then signals the target server’s Replica task to pull documents inthe opposite direction. Both servers are involved in the replication.

➤ Pull Push (default)—Replication is bidirectional, whereby the sourceserver’s Replica task performs all of the work, pushing and pulling docu-ments to and from the target server. The target server’s Replica task isnever engaged.

➤ Pull Only—Replication is one-way, whereby the source server pulls doc-uments from the target.

➤ Push Only—Replication is one-way, whereby the source server pushesdocuments to the target.

Pull-push replication is the only replication type in which the target server’s replica-tor is involved. The other three types of replication involve only the source server’sReplica task. Watch for exam questions that test your knowledge of whether replica-tion is one-way or two-way, and that ask you to figure out which server is doing allof the work. During the exam, it may be easier to figure out the replication scenarioif you draw a diagram of the servers, labeled with the servers’ names, and arrowsthat represent the direction of the replication.

➤ Files/Directory Paths to Replicate—These are the names of specific data-bases or directories of databases that you want to replicate. You can listeither database names or directories.

➤ Files/Directory Paths to Not Replicate—These are the names of specificdatabases or directories of databases that should be excluded from repli-cation. You can list either database names or directories.

➤ Replication Time Limit—This is the amount of time, in minutes, thatreplication has to complete. This setting is usually used only for dialupconnections.

06 0789729180 ch05 10/21/03 2:38 PM Page 107

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5108

To schedule the replication, choose from among these options on theSchedule tab:

➤ Schedule—Choose Enabled to enable the schedule; choose Disabled tosuspend the schedule.

➤ Connect at Times—Indicates times or a time range during which youwant the source server to initiate replication. This field can contain asingle time entry, a list of times separated by commas, or a time rangeseparated by the dash. Use this field in conjunction with the RepeatInterval field to determine how many times a day a server attempts toinitiate replication.

➤ Repeat Interval Of—Specifies the number of minutes between replicationattempts. If you specify a repeat interval of 0, the server connects onlyonce.

➤ Days of Week—Specifies the days of the week to use this replicationschedule; the default has all days of the week selected.

If you specify a time range during which a source server attempts replication, thenext replication attempt is made at the specified interval after which the replicationhas completed. For example, let’s say you specify a Connect at Times range of 7a.m. to 11 p.m., with a Repeat interval of 60 minutes. The source server attemptsto replicate at 7:00 and is successful in initiating the replication. The total time ofthe replication between servers takes 7 minutes. The source server then attemptsto call the target server again at 8:07 a.m.

For more examples of scheduled replication timing, consult the document titled“Scheduling Server-to-Server Replication” in the Lotus Domino AdministrationHelp database. The exam may have a scenario question asking about the timing ofscheduled replication.

How Access Control Lists AffectReplicationFor a server to replicate changes to documents in a database, that server musthave sufficient access in the replica’s Access Control List (ACL). Serversmust be listed explicitly or within a group in the ACL, with an access levelthat is appropriate for the documents the server is allowed to propagate toother replicas.

06 0789729180 ch05 10/21/03 2:38 PM Page 108

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 109

A server must have these types of access:

➤ Editor access to replicate changes to documents

➤ Designer access to replicate changes to design elements such as views,forms, and agents

➤ Manager access to replicate ACL changes

Guidelines for Assigning Server Access toDatabasesThe best way to explain the different access levels assigned to servers is to usea case study or a series of examples. These examples will help you prepare forthe exam by using scenarios similar to the scenarios used in many of the examquestions. Don’t attempt to memorize the different scenarios; use them totest your understanding of how server access in the ACL affects replication.Again, during the exam you may find it helpful to draw diagrams of theservers and databases, and label the diagrams with the servers’ access level, tohelp you arrive at the correct answer.

Let’s assume that there are two servers in our examples—ServerA/Acme andServerB/Acme. Let’s examine the implications of creating an ACL that liststhe different servers with different levels of access. We’ll refer to a discussiondatabase in this example called the Marketing Research Forum. This data-base is used by the Marketing group to share ideas about new promotionresearch for the company’s products. The ACL of the database contains references to servers and to a group for the administrators(LocalDomainAdmins), as well as to a group containing the company’sDomino developers (CorpDesigners).

Scenario 1: Both Servers Have Manager AccessHere is the ACL listing for this scenario:

ServerA/Acme: Manager

ServerB/Acme: Manager

LocalDomainAdmins: Manager

CorpDesigners: Designer

Marketing: Author

In this scenario, both servers are capable of replicating any changes to ACL,Design, or Data documents in any direction. For example, if Joe

06 0789729180 ch05 10/21/03 2:38 PM Page 109

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5110

Smith/Acme in the LocalDomainAdmins group changed the ACL onServerB’s replica, ServerB/Acme could successfully replicate that ACLchange to ServerA/Acme. If Susan Jones/Acme in the CorpDesigners groupchanged the background color of a form on ServerA’s replica, ServerA/Acmecould replicate that form design change to ServerB/Acme. Data documentscould be changed, added, or deleted on either server and would replicate suc-cessfully to the other server.

Scenario 2: One Server Has Manager Access and the OtherHas Designer AccessHere is the ACL listing for this scenario:


ServerB/Acme: Designer



Marketing: Author

In this scenario, both servers are capable of replicating any changes toDesign or Data documents in any direction, but ServerA/Acme is the onlyserver capable of replicating changes to the ACL. For example, if JoeSmith/Acme in the LocalDomainAdmins group changed the ACL onServerB’s replica, that ACL change would not replicate to ServerA/Acme. IfJoe made that same ACL change on ServerA’s replica, the change wouldreplicate to ServerB/Acme. All other design or data changes would replicateas in Scenario 1.

Scenario 3: One Server Has Manager Access and the OtherHas Editor AccessHere is the ACL listing for this scenario:


ServerB/Acme: Editor



Marketing: Author

In this scenario, ServerA/Acme is the only server capable of replicating theACL and the Design documents. For example, if Joe Smith/Acme in theLocalDomainAdmins group changed the ACL on ServerB’s replica, that

06 0789729180 ch05 10/21/03 2:38 PM Page 110

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 111

ACL change would not replicate to ServerA/Acme. If Susan Jones/Acme inthe CorpDesigners group created a shared view on ServerA’s replica,ServerA/Acme could replicate that new view to ServerB/Acme. But if shemade that same change on ServerB’s replica, the change couldn’t replicate toServerA/Acme. In a hub-and-spoke configuration, the spoke servers areoften given Editor access, while the hub has Manager access. All ACL anddesign changes would have to be made on the hub.

Scenario 4: One Server Has Manager Access and the OtherHas Reader AccessHere is the ACL listing for this scenario:


ServerB/Acme: Reader



Marketing: Author

In this scenario, replication of changes, additions, and deletions can happenin only one direction: from ServerA/Acme to ServerB/Acme. If any docu-ments are changed, added, or deleted by administrators, designers, or userson ServerB/Acme, the documents will not replicate to ServerA/Acme. In ahub-and-spoke configuration, when the spoke servers are given Readeraccess, they effectively become “read-only” servers. In this scenario, allchanges, additions, and deletions would need to be made on the hub serverto propagate to the spokes.

Scenario 5: Both Servers Have Editor AccessHere is the ACL listing for this scenario:

ServerA/Acme: Editor




Marketing: Author

In this scenario, each server can replicate only changes, additions, and dele-tions involving Data documents. Design elements will never replicate. Thisscenario is effective when a company wants to maintain two different ACLsor designs for a database on two different servers. For example, Susan

06 0789729180 ch05 10/21/03 2:38 PM Page 111

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5112

Jones/Acme in the CorpDesigners group could create two different sets ofviews in each replica of the database. But the documents added by users inthe Marketing group would continue to replicate between servers.

During the exam, if you encounter replication questions that involve analyzing accesscontrol scenarios, you might find it helpful to draw a diagram with the servers, repli-cas, and ACL listings. Draw three documents in each replica—one each for the ACL,Design documents, and Data documents. Then you can draw arrows among thereplicas as you analyze the replication scenario.

Other Access Control Settings That AffectReplicationSeveral other settings can affect the way documents replicate from server toserver. The following settings are worth mentioning here, but it’s unlikelythat the exam questions would test your knowledge of these finer points.

Appropriate Access to Intermediate ServersIf replication occurs through an intermediate server, the intermediate serveracts first as a destination server and then as a source server, and must havethe access level necessary to pass along the changes. For example, if you wantACL changes on ServerA’s replica to replicate to ServerC by way of ServerB,ServerB’s replica must give Manager access to ServerA, and ServerC’s repli-ca must give Manager access to ServerB.

Enforcing a Consistent ACLYou can ensure that an ACL remains identical on all database replicas onservers by selecting the Enforce a Consistent Access Control List setting onthe Advanced tab of the ACL. Setting this option ensures that the replicawhose server has Manager access to other replicas will keep the AccessControl List the same across all server replicas of a database. If you select areplica whose server does not have Manager access to other replicas, replica-tion fails because the server has inadequate access to replicate the ACL.

Read Access Lists for Database Design Elements andDocumentsSimply put, if the server can’t read something in the database, it can’t repli-cate it. Replication problems sometimes arise when a database designerrestricts the reading of design elements such as forms and views but forgetsto include the server or a server group in the read access lists. Similarly, if thedesigner restricts reading of documents with a Readers field, he must ensure

06 0789729180 ch05 10/21/03 2:38 PM Page 112

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 113

that the servers are listed in that field if the servers should be replicating thedata to other server-based replicas.

Resolving Replication and SaveConflictsA replication conflict occurs when two or more users edit the same documentand save the changes in different replicas between replications. A save con-flict occurs when two or more users open and edit the same document at thesame time on the same server, even if they’re editing different fields. Whenthese conditions occur, Domino stores the results of one editing session in amain document and stores the results of additional editing sessions asresponse documents. These response documents have the title Replication orSave Conflict.

The exam will test your ability to understand how conflicts are generated and howthey can be resolved. Remember that conflicts are created because too many peoplehave too high of a level of access to documents. Domino R6 includes a new featurecalled document locking that enables a user to lock a document during editing so thatother users cannot save edits to the document. Document locking can help reducesave conflicts, in which more than one person edits the same document in the samereplica; however, this feature can’t help with replication conflicts, when more thanone person edits the same document in different replicas.

When a conflict is generated, Domino applies the following rules in order todetermine whether a document is saved as the main document (the “winner”)or a conflict document (the “loser”):

1. The document edited and saved the most times becomes the main doc-ument; other documents become Replication or Save Conflict docu-ments.

2. If all of the documents are edited and saved the same number of times,the document saved most recently becomes the main document, andthe others become Replication or Save Conflict documents.

3. If a document is edited in one replica but is deleted in another replica,the deletion takes precedence unless the edited document is editedmore than once or the editing occurs after the deletion.

06 0789729180 ch05 10/21/03 2:38 PM Page 113

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5114

Choosing Which Document to KeepWhen a conflict is generated, the administrator (or someone with enoughaccess to edit the documents in the database) must choose which documentshould be kept and which one should be deleted. If the main document isyour “winner,” you can simply delete the conflict. If the conflict documentshould be the real winner, you must promote the conflict document to be amain document before you delete the original main document. Because theconflict document is saved as a response to the main document, the conflictwill be “orphaned” and will disappear from the view if the main document isdeleted while the conflict is still a child.

To save the main document, follow these steps:

1. Copy any information that you want to save from the ReplicationConflict document into the main document.

2. Delete the conflict document.

To save the Replication or Save Conflict document, do this:

1. Copy any information that you want to save from the main documentinto the Replication Conflict document.

2. Save the conflict document. If you didn’t make any changes to the con-flict, you must “force” a save by choosing File, Save. The conflict doc-ument then becomes a main document.

3. Delete the original main document.

Using Design or Administration Techniquesto Prevent Replication or Save ConflictsYou can reduce or eliminate replication conflicts by using either designer oradministrator techniques. Although this is an administration exam, it’s possi-ble that the exam may also test your knowledge of design techniques thatminimize replication. The following designer techniques can reduce or elim-inate replication conflicts:

➤ Select the form property Merge Conflicts from the Conflict Handlingfield on the first tab of the Form Properties box to automatically mergeconflicts into one document if no fields conflict. When this property isturned on, Domino can combine the changed fields into a single docu-ment and does not generate a conflict, as long as different fields are

06 0789729180 ch05 10/21/03 2:38 PM Page 114

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 115

changed in the documents. If the same field is changed in two docu-ments in different replicas, a conflict is generated. This form property isnot turned on by default. To view the properties of a design element, youneed to install and use the Designer client.

➤ Specify a form property for versioning so that edited documents auto-matically become new documents.

➤ Use LotusScript to write a custom conflict handler.

As an administrator, you can use these techniques to resolve or avoid repli-cation conflicts:

➤ Assign users Author access or lower in the database ACL to preventusers from editing other users’ documents.

➤ Keep the number of replicas to a minimum.

Clustered ReplicationClustered replication refers to replication that happens between servers that areclustered for failover. Replication in a cluster is quite different from standardreplication. Cluster replication is event-driven rather than schedule-driven,so replication happens in real time instead of according to a schedule. Thestandard Replica task is replaced with the Cluster Replica task. To start theClustered Replicator, the administrator enters the following console com-mand:LOAD CLREPL

When the Cluster Replicator learns of a change to a database, it immediate-ly pushes that change to other replicas in the cluster. If there is a backlog ofreplication events, the Cluster Replicator stores these in memory until it canpush them to the other cluster servers. If a change to the same databaseoccurs before a previous change has been sent, the Cluster Replicator poolsthese changes and sends them together to save processing time.

In addition, the Cluster Replicator does not honor the settings on theAdvanced panel in the Replication Settings dialog box. Therefore, you can-not disable the replication of specific elements of a database, such as theACL, agents, and design elements. The Cluster Replicator always attemptsto make all replicas identical so that users who fail over do not notice thatthey failed over. Failover refers to Domino’s capability to redirect a user toanother server’s replica for database access if the server is down or is too busy.

06 0789729180 ch05 10/21/03 2:38 PM Page 115

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5116

Replication with a cluster is more reliable than replication with an individualserver because Domino replicates with any server in the cluster that containsa replica of the database it is processing. Therefore, if a server in the clusteris unavailable, replication can still proceed if another replica exists in thecluster. Replication with a cluster can also improve performance becauseDomino uses workload balancing when choosing a server with which toreplicate.

Monitoring and MaintainingReplicationSeveral tools can be used to monitor replication. Some of the tools, such asthe replication history and the log file, are historical, meaning that they pro-vide the administrator with information about how replication has happened.The replication monitor document allows the administrator to be notified ifreplication hasn’t happened within a specified time period. Viewing replica-tion schedules and topology maps provides the administrator with a graphi-cal view of the replication schedule for the domain.

Monitoring Replication HistoryA database’s replication history can be accessed from the Basics tab of theDatabase Properties box or by choosing File, Replication, History. The firsttime one server replica successfully replicates with a replica on another serv-er, Domino creates an entry in the replication history. The entry contains thename of the other server, as well as the date and time of the replication.Separate entries are created when a replica sends information and when areplica receives it.

On each subsequent replication with a specific server, Domino updates theentry in the history to reflect the most recent replication time. If a databasedoesn’t replicate successfully, Domino doesn’t update the replication history.Domino uses the replication history to determine which documents to scanfor changes during the next replication.

If you have Manager access to a database, you can clear the database replica-tion history if you think the database doesn’t contain all the documents thatit should or if the database replication history is not synchronized with thatof other replicas.

06 0789729180 ch05 10/21/03 2:38 PM Page 116

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 117

Clear the replication history only as a last resort to solve replication problems. If youclear the history, during the next replication Domino must make a more comprehen-sive evaluation of documents to use for candidates for replication. Normally, youwould clear this setting only if you suspect time/date problems with server or clientclocks.

Viewing the Replication Events View in theLog FileThe replication log entries in the Replication Events view of the log file(LOG.NSF) display detailed information about the replication of specificdatabases (see Figure 5.1). For each database that has replicated on a speci-fied server, a replication log shows the access the server has to the database;the number of documents added, deleted, and modified; the size of the dataexchanged; and the name of the replica that this database replicated with.The Events section of a replication log shows any problems that occurredwhen a specific database replicated. For example, the Events section showswhether replication is disabled or whether the database ACL is preventingreplication.

Figure 5.1 The Replication Events view of LOG.NSF as shown on the Server, Analysis tab of theDomino Administrator.

06 0789729180 ch05 10/21/03 2:38 PM Page 117

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5118

Using an Event Generator to MonitorReplicationA database event generator can monitor database use and ACL changes. If anadministrator creates a database event generator and checks off the MonitorReplication field, he can choose to be notified if replication doesn’t occurwithin a specified time period. A more correct name for this monitor isDatabase Replication Failure Monitor. A server administrator creates data-base event generators as a part of configuring the Event Monitor task. Allmonitor documents are created in events4.nsf.

To create a database event generator from the Domino Administrator, per-form the following steps:

1. Click the Configuration tab, and then open the MonitoringConfiguration view.

2. Open the Event Generators, Database view, and then click NewDatabase Event Generator.

3. On the Basics tab in the Databases to Monitor section, select MonitorReplication. In the field labeled Filename, enter the name(s) of data-bases to monitor (see Figure 5.2).

4. On the Replication tab, select which servers to monitor, and then entera time period in hours, which represents the maximum time allowed toelapse between replications.

Viewing Replication SchedulesYou can see a graphical representation of the replication schedules of theservers in your Domino system. To view replication schedules, from theDomino Administrator, click the Replication tab.

Replication-Topology MapsView a replication-topology map to display the replication topology andidentify connections between servers. To view replication topology maps,from the Domino Administrator, click the Replication tab (see Figure 5.3).You must load the Topology Maps task before you can view a replicationtopology map. Use this graphical view to verify that each server is connect-ed for replication.

06 0789729180 ch05 10/21/03 2:38 PM Page 118

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 119

Figure 5.2 The Database Event Generator document.

Figure 5.3 The Replication Topology, By Connections view on the Replication tab of the DominoAdministrator.

06 0789729180 ch05 10/21/03 2:38 PM Page 119

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5120

Exam Prep Questions

Question 1

Dave wants to force one-way replication from ServerA to ServerB. Assumingthat he’s using the console on ServerA, what command would he issue?

❍ A. Push ServerB

❍ B. Push ServerA

❍ C. Pull ServerA

❍ D. Pull ServerB

Answer A is correct. By issuing Push ServerB at the server console, the admin-istrator forces a one-way replication from the server they are on to the spec-ified server in the command. This command forces one-way replication of allreplicas in common between the two servers. An optional parameter allowsreplication of a single database from the server you are on to the specifiedserver. For example, Push Server1 ADMIN4.NSF forces a one-way replication ofADMIN4.NSF from the server they are on to the specified server in thecommand.

Question 2

Jenny, the Lotus Domino administrator, has just finished rebooting ServerBafter a crash. She now wants to pull all of the documents created on ServerAwhile ServerB was down. Which one of the console commands can she issue?

❍ A. Documents cannot be pulled from one replica to another after a servercrash.

❍ B. Push ServerA

❍ C. Pull ServerA

❍ D. Replicate ServerB, ServerA

Answer C is correct. By issuing Pull ServerA at the server console, the admin-istrator forces a one-way replication from the specified server (the targetserver) to the server referenced in the command (the source server). Thiscommand forces one-way replication of all replicas in common between thetwo servers since the last replication. This command can be issued after aserver has crashed and rebooted.

06 0789729180 ch05 10/21/03 2:38 PM Page 120

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 121

Question 3

Which of the following are valid types of replication as listed in the ReplicationConnection document? (Choose all that apply.)

❑ A. Push Wait

❑ B. Pull Only

❑ C. Push Only

❑ D. Replicate

Answers B and C are correct. Four types of replication can be scheduled in aConnection document: pull-pull, push-pull, pull only, and push only. PushWait is a type of mail connection choice, and Replicate doesn’t exist as anoption for scheduled replication, although it is one of the commands anadministrator can issue for forced replication.

Question 4

What can a database designer do to minimize replication conflicts? (Choose allthat apply.)

❑ A. Enable the form property Merge Conflicts

❑ B. Enable the database property Merge Replication Conflicts

❑ C. Specify a form property for versioning so that edited documents auto-matically become new documents

❑ D. Specify a database property for versioning so that edited documentsautomatically become new documents

❑ E. Write custom code using LotusScript to prevent documents frombeing edited.

Answers A, C, and E are correct. Merge Replication Conflicts andDocument Versioning are both form properties, not database properties.LotusScript is a language that can trap for the moment that a user tries toedit a document, thereby enabling the designer to write a custom conflicthandler. Also, this release of Domino supports document locking.

06 0789729180 ch05 10/21/03 2:38 PM Page 121

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5122

Question 5

Which of the following commands could the Domino administrator use to startthe Clustered Replicator task on the server?

❍ A. Replicate Cluster

❍ B. Load CLREPL

❍ C. Load Updall

❍ D. Start CLUSTREPL

Answer B is correct. Answers A and D are not recognized console com-mands. The Updall task is the task on the server that updates view indexesand full-text indexes.

Question 6

Which one of the following can the Domino administrator use to view detailedinformation about replication of a database between two servers?

❍ A. names.nsf

❍ B. log.nsf

❍ C. noteslog.nsf

❍ D. admin4.nsf

Answers B is correct. The Domino Directory (names.nsf) stores informationabout replication connections but doesn’t track replication information.There is no database called noteslog.nsf. The Administration Requests data-base (admin4.nsf) tracks information about requests processed by adminp.The adminp process can be used to create replicas on servers but doesn’t trackinformation about replication activity.

Question 7

Users are complaining that there are many replication conflicts in a database.What can a Domino administrator do to minimize replication conflicts?

❑ A. Decrease or limit the number of replicas on servers

❑ B. Increase the number of replicas on servers

❑ C. Grant Editor access to all users of the application

❑ D. Grant Author access to all users of the replicas

06 0789729180 ch05 10/21/03 2:38 PM Page 122

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 123

Answers A and D are correct. The fewer the number of replicas there are,the less potential there is for multiple users to be opening the same docu-ment on different replicas. Ensuring that users have only Author access tothe application means that users can edit only their own documents, not doc-uments being edited by other users. Granting Editor access to users of anapplication increases the potential for conflicts because multiple users couldedit any document in any replica.

Question 8

Acme Corporation has just rolled out an inventory-tracking database to allow itsIT department to track equipment within the organization. Acme has decided tocreate three replicas across three servers to allow IT staff across the country toaccess the database. Replicas are created on the following servers:Server1/Acme, Server2/Acme, and Server3/Acme.

John, the Domino administrator, wants to make sure that he sets the ACL cor-rectly to allow documents in the tracking database to replicate across servers.He wants all ACL changes and design changes to be made on Server2/Acme.Users should be able to add, edit, and delete documents on any of the threeservers. Data documents should then replicate around to the other replicas.How should he grant access to the three servers in the ACL of the tracking data-base?

❑ A. Server1/Acme: Reader; Server2/Acme: Manager; Server3/Acme:Reader

❑ B. Server1/Acme: Author; Server2/Acme: Manager; Server3/Acme: Author

❑ C. Server1/Acme: Editor; Server2/Acme: Manager; Server3/Acme: Editor

❑ D. All three servers should have Manager access in the ACL.

Answer C is correct. If Server1/Acme and Server3/Acme had either Readeror Author access in the ACL, neither server would be capable of replicatingadditions, changes, or deletions made by users on those servers. A servermust have a minimum of Editor access to replicate Data document changes.Granting Manager access would allow ACL and design changes to be madeon all replicas, when the question specified that those types of changes wereto be made only on Server2/Acme.

06 0789729180 ch05 10/21/03 2:38 PM Page 123

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 5124

Question 9

Dawn is setting up scheduled replication between ServerA and ServerB. She hasspecified a Connect at Times range of 6 a.m. to 8 p.m., with a repeat intervalof 120 minutes. Give the first and second replication times, assuming the following:

The first replication connection was successful.

The first replication took 8 minutes to complete.

❍ A. 6 a.m., 7 a.m.

❍ B. 6 a.m., 8 a.m.

❍ C. 6 a.m., 8:08 a.m.

❍ D. 6:08 a.m., 8:08 a.m.

Answer C is correct. If the first replication connection was successful andcompleted in 8 minutes, the second replication would occur 120 minutesafter the completion of the first replication.

06 0789729180 ch05 10/21/03 2:38 PM Page 124

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 125

Need to Know More?Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, Indiana: Que Publishing, 2003.


6af700621c8a?OpenDocument.

Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6Administration.” http://searchdomino.techtarget.com/


Webcast: “Preparation and Test Taking Strategies with LotusEducation Managers.” http://searchdomino.techtarget.com/


06 0789729180 ch05 10/21/03 2:38 PM Page 125

06 0789729180 ch05 10/21/03 2:38 PM Page 126

SecurityTerms you’ll need to understand:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6

✓ Physical security✓ Server access✓ ACL✓ Roles✓ Encryption✓ Public key✓ Private key✓ ID file✓ Certificates✓ Domino Directory✓ File protection document

✓ Anonymous access✓ Basic name-and-password authentication✓ Session-based name-and-password

authentication✓ Authors field✓ Readers field✓ Group document✓ Deny Access group✓ User type✓ Security settings document✓ Policy document

Techniques and concepts you’ll need to master:✓ Understanding each layer of the Domino

security model✓ Securing an application using password

encryption✓ Securing Domino resources using Notes

authentication and Web authentication✓ Understanding the role of Domino

Directory in the security model✓ Describing the different types of Domino

administrators and the tasks they can per-form

✓ Controlling access to the server using theServer document

✓ Troubleshooting techniques for both serverand database access

✓ Understanding the ACL, roles, user types,and the different levels of access withinthe ACL

✓ Providing security through the use ofgroups

✓ Understanding the role of Authors andReaders fields in securing edit and readaccess for documents

07 0789729180 ch06 10/21/03 2:31 PM Page 127

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6128

The security model within the Domino environment is designed to protectresources. Information about access rights and privileges is stored with eachprotected resource; thus, a given user or server can have different sets ofaccess rights, depending on the resources to which that user or serverrequires access.

Five basic layers make up the Domino security model:

1. Physical security

2. Network and operating system security

3. Authentication

4. Server access

5. Database (application) access

This chapter explores the basic security settings that apply first to physicalsecurity and then to the Domino server and the Domino application. We fin-ish with a brief discussion of security policies. For exam purposes, it’s impor-tant to remember that security is applied in a “top-down” method throughthe security layers in order. You may want to jot down the security layersbefore you begin to write the exam. You’ll also need to remember each of theseven database access levels and what they mean. Most of the exam questionswill present scenarios involving the different layers.

Physical SecurityPhysical security involves securing the Domino server’s hardware and softwarefrom local, physical access. Physically securing servers and databases is asimportant as preventing unauthorized user and server access. Unauthorizedusers or servers must be prevented from having direct physical or networkaccess to Domino servers. All Domino servers should be locked away in aventilated, secure area. Without physical security in place, unauthorizedusers could circumvent the database ACL and access applications directly onthe server, use the operating system to copy or delete files, or physically dam-age the server hardware itself. Physical network security concerns should alsoinclude disaster planning and recovery.

07 0789729180 ch06 10/21/03 2:31 PM Page 128

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 129

Securing Domino Applications Based onPassword EncryptionPassword encryption for databases is designed to prevent unauthorizedaccess to locally stored databases. Encryption protects data from unauthorizedaccess, using a dual-key system to secure (encrypt) and decode (decrypt) data.Database encryption provides an additional layer of security because AccessControl List (ACL) settings do not necessarily protect locally stored databas-es. The ACL is a listing of the users and servers that are authorized to accessthe database.

Database encryption uses a public-key algorithm. Encryption generates arandom encryption key, encrypts this key with the public key associated witha specific user ID, and appends the resulting key to the specified database.The public key is the key that is used to encrypt the data. A user can accessan encrypted database only if the user’s private key can decrypt the appendedkey. The private key is used to decrypt the data and is mathematically relat-ed to the public key so that only the holder of the private key can properlydecrypt that data. You can also use local encryption to encrypt databases ona server with the server ID if you fear that those databases could be accessedlocally using the network operating system. In this case, only those Dominoadministrators with access to the server ID can read the database.

Local databases are often encrypted if they are stored on a portable computer becausethe security of a portable computer is easily compromised. For example, let’s say thatsomebody steals a laptop computer from the vice president of sales. The VP storesreplicas of his mail database and the Domino Directory, as well as the Corporate SalesTracking database, all of which contain sensitive information. If the local replicas havenot been encrypted with the ID file and password of the owner, anyone who canaccess the operating system files can read the data in the databases.

Local database encryption is applied by accessing the Database Propertiesbox and choosing the Encryption Settings button.

Domino Server SecurityThe Domino server is the most critical resource to secure. Server access is thecollection of security settings that control access to the server’s resources.You can specify which users and servers have access to the server and restrictactivities on the server; for example, you can restrict who can create newdatabases and use passthru connections.

07 0789729180 ch06 10/21/03 2:31 PM Page 129

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6130

You can also restrict and define administrator access by delegating accessbased on the administrator duties and tasks. For example, you can enableaccess to operating system commands through the server console for systemadministrators, and you can grant database access to those administratorswho are responsible for maintaining Domino databases.

Securing Domino Resources Based onNotes AuthenticationA Notes or Domino ID uniquely identifies a user or server. Domino uses theinformation contained in IDs to control the access that users and servershave to other servers and applications. One of the administrator’s responsi-bilities is to register and protect IDs and to make sure that unauthorizedusers do not use them to gain access to the Domino environment.

An ID file is a file that uniquely identifies a certifier, server, or user within theDomino security environment, using certificates stored on the ID. Threedifferent types of ID files can be generated by the Domino Administrator,using the Administrator client:

➤ Certifier ID—Used as a “stamp” to register a new server or user ID

➤ Server ID—Used to identify each unique server in the organization

➤ User ID—Used to identify each unique person in the organization

An ID file contains the following components:

➤ The owner’s name

➤ A permanent license number. This number indicates that the owner haspurchased a legal Domino/Notes license for the software and specifieswhether the owner has a North American or international license to runDomino or Notes.

➤ At least one Notes certificate from a certifier ID. A Notes certificate is adigital signature added to a user ID or server ID.

➤ A private key. Notes uses the private key to sign messages sent by theowner of the private key, to decrypt messages sent to its owner, and, ifthe ID belongs to a certifier, to sign certificates.

➤ (Optional for the Notes client only) Internet certificates. An Internetcertificate is used to secure SSL connections and to encrypt and signS/MIME mail messages. An Internet certificate is issued by aCertification Authority (CA) and verifies the identity of the user.

07 0789729180 ch06 10/21/03 2:31 PM Page 130

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 131

➤ (Optional) Secret encryption keys. These are keys created and distrib-uted by developers to allow other users to encrypt and decrypt fields in adocument.

When two Domino servers want to authenticate, or when a user authenti-cates with a server, each party presents its ID file to the other to verify thatthey hold a certificate in common. A fairly complex but rapid comparisonprocess between the two entities involves generating random numbers usingcertificates and keys. When the two entities have ascertained that they havea certificate in common, authentication proceeds.

If the authentication process fails, the error message that results on the clientor in the log always has the word authenticate in it—for example, “ServerAdoes not have any certificates capable of authenticating you.”

Securing Domino Resources Based on theDomino DirectoryThe Domino Directory is the most important administrative application in theDomino environment. The Directory contains a listing of all of the docu-ments that help to control security and mail routing for the entire Dominodomain: Server documents, Person documents, file protection documents,certificates, and so on. Anyone who can add documents to or edit documentsin the directory can control access to many of the resources in the system.The Domino Directory is protected from unauthorized editing by the fol-lowing security features:

➤ The ACL and roles

➤ A file protection document

Understanding the Domino Directory’s Access Control List(ACL) and RolesAccess Control Lists define the users and servers who are authorized toaccess the database and are discussed in detail in a later section. We brieflyillustrate the features of the ACL for the Domino Directory here, since theexam competencies specify that the ACL for the Domino Directory must beexamined in detail. To save confusion, we’ve kept all topics related to theDirectory together in the chapter; however, you may want to reread this sec-tion after reading the more detailed explanation of the ACL. Figure 6.1shows a typical Directory’s default ACL.

07 0789729180 ch06 10/21/03 2:31 PM Page 131

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6132

Figure 6.1 The ACL of a Domino Directory.

Here are the points to remember about the major features of the ACL:

➤ The Default access level for the Directory is typically set to Author, withno Create or Delete privileges checked in the check boxes and no Rolesassigned. This level allows the average user to read all of the documentsin the Directory, to effectively address mail. Users can also edit theirown Person documents in the Directory, allowing them to change cer-tain fields such as their Internet password and address information.Users are allowed to edit only their own Person documents because theyare listed in an Authors field for that document (see the section onAuthors fields later in this chapter).

➤ The Anonymous access level is usually assigned the level No Access.This level prevents Web users from accessing the Directory.

➤ Servers and server groups listed in the ACL are typically assignedManager access, with all of the Create and Delete privileges and Rolesassigned. This high level of access ensures that servers can replicatechanges, additions, and deletions to the Directory to other replicas onother servers.

➤ There is also typically an Administrators group listed in the Directory’sACL (or perhaps several Person groups). Different groups of adminis-trators are typically assigned different access levels and roles within theACL. The Domino Directory ACL includes Creator and Modifier rolesthat can be assigned to administrators so that they have the authority tocreate and edit specific types of documents.

07 0789729180 ch06 10/21/03 2:31 PM Page 132

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 133

Roles are useful when groups of administrators have specialized responsibili-ties. A role defines a set of users and/or servers, and is unique to each data-base. For example, senior administrators might have all of the roles assigned,allowing them to create and modify every type of Directory document, whilejunior administrators might have only the GroupCreator andGroupModifier roles to allow them to create and modify groups.

Here is a complete listing of all of the roles within the Directory’s ACL:

➤ GroupCreator—Can create Group documents

➤ GroupModifier—Can edit Group documents

➤ NetCreator—Can create all documents except Person, Group, Policy, andServer documents

➤ NetModifier—Can edit all documents except Person, Group, Policy, andServer documents

➤ PolicyCreator—Can create Policy documents

➤ PolicyModifier—Can edit Policy documents

➤ PolicyReader—Can read Policy documents

➤ ServerCreator—Can create Server documents

➤ ServerModifier—Can edit Server documents

➤ UserCreator—Can create Person documents

➤ UserModifier—Can edit Person documents

The access defined in the ACL by a role never exceeds a general access level. Forexample, even if you give the UserCreator role to an administrator who has Readeraccess in the ACL, the administrator cannot use the Create menu to create Persondocuments.

Securing the Directory with a File Protection DocumentA file protection document is created in the Domino Directory during initialserver startup. This document provides administrators with Write, Read, andExecute access to the Domino Directory. Other users are assigned NoAccess. The file protection document is a security feature that protects thefiles on a server’s hard drive by controlling the Web clients’ access to files.The file protection document for the Directory ensures that Web users can-not access or edit any of the documents in the Directory using a browser.

07 0789729180 ch06 10/21/03 2:31 PM Page 133

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6134

Securing Domino Resources Based on WebAuthenticationWeb users authenticate with the Domino server using their name and anInternet password. The name and Internet password are stored in a Persondocument in the Domino Directory for the server’s domain. This type ofWeb authentication is called name-and-password authentication.

To set up name-and-password authentication for Web clients, one of twomethods can be used:

➤ Basic name-and-password authentication uses the name and passwordrecorded in the user’s Person document in the Directory. These Persondocuments either can be created by the administrator or can be createdvia agents using some kind of registration database.

➤ Session-based name-and-password authentication is a more sophisticatedauthentication model that includes additional functionality that is notavailable with basic name-and-password authentication.

A session is the time during which a Web client is actively logged onto a serv-er with a cookie. The administrator has two options when enabling session-based authentication in the Server document:

➤ Single Server—Causes the server to generate a cookie that is honoredonly by the server that generated it

➤ Multiserver—Generates a cookie that allows single sign-on with anyserver that shares the Web SSO configuration document

To use session-based authentication, Web clients must use a browser thatsupports cookies. Domino uses cookies to track user sessions.

Web clients can also authenticate with the Domino server anonymously. Toset up Web clients for anonymous access, you set up either the Internet site orthe server for anonymous access, and then set up database ACLs to includethe entry Anonymous with an access level of at least Depositor. Anonymousaccess means that a Web browser client is not required to enter a name andpassword to access the Web page. If you do not allow anonymous access anda user tries to access the server anonymously, the user is prompted to authen-ticate, as shown in Figure 6.2.

07 0789729180 ch06 10/21/03 2:31 PM Page 134

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 135

Figure 6.2 The Web Authentication dialog box.

Setting Up and Configuring Server AccessAn administrator can configure many settings to control access to theDomino server. After a user successfully authenticates with the server, thatuser must negotiate the server access layer to gain access to resources storedon the server.

Securing the Server ConsoleYou can password-protect the server console to force administrators to knowthe console password to enter console commands. The syntax of the com-mand for doing so is as follows:Set Secure currentpassword

After the console has been password-protected, administrators can’t use theLoad, Tell, Exit, Quit, and Set Configuration server commands until they enterthe password. Console security remains in effect until the password is clearedby entering a second Set Secure command with the same password.

Here are some examples of the how the Set Secure command can be used:

➤ Set Secure TesTing123—Password-protects the console if no password iscurrently in effect. In this case, the new password is TesTing123.

➤ Set Secure TesTing123 456neWpassWord—Changes the existing passwordfrom TesTing123 to 456neWpassWord.

➤ Set Secure TesTing123—If the console is already protected by a password—in this case, TesTing123—entering a second Set Secure com-mand with the same password clears the password.

07 0789729180 ch06 10/21/03 2:31 PM Page 135

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6136

Restricting Administrator Access to the ServerYou can specify various access levels for different types of administrators inyour organization. For example, you might want to give only a few peoplehigh administrative access, while all of the administrators on your team aredesignated as database administrators.

Administrators are listed either as individuals or as members of groups in thedifferent administrator fields on the Security tab of the Server documentlocated in the Domino Directory. Here is a list of the administrator fieldsthat control administrative access to the server:

➤ Full-access administrators—These administrators have full access toadminister the server. This is the highest level of administrative privilege.

The feature to assign full-access administrators replaces the need to run a Notesclient locally on a server. Full-access administrators are automatically assignedManager access with all roles in every database ACL, thus allowing them full accessto every application on the server. This feature is new in Release 6 and will probablyappear in at least one exam question because it is new and gives a great deal ofpower to the administrator. Be sure to study the different administrator fields andknow what each type of administrator is allowed to do.

➤ Administrators—Administrators listed here have the following rights:

Manager access to the Web Administrator database (WEBADMIN.NSF)

Capability to create, update, and delete folder and database links

Create, update, and delete directory link ACLs

Compact and delete databases

Create, update, and delete full-text indexes

Create databases, replicas, and master templates

Get and set certain database options (for example, in/out of service, data-base quotas, and so on)

Use message tracking and track subjects

Use the console to remotely administer Unix servers

Issue any remote console command

➤ Database administrators—These administrators are responsible foradministering databases on the server. Users listed here have the follow-ing rights only:

Create, update, and delete folder and database links

Create, update, and delete directory link ACLs

07 0789729180 ch06 10/21/03 2:31 PM Page 136

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 137

Compact and delete databases

Create, update, and delete full-text indexes

Create databases, replicas, and master templates

Get and set certain database options (for example, in/out of service, data-base quotas, and so on)

Database administrators are not automatically granted Manager access to databaseson the server, nor do they have any access to the Web Administrator database. Onthe exam, make sure that you don’t confuse this level with the level of full-accessadministrators, which is the only type of administrator that can bypass the ACL.

➤ Full remote console administrators—These administrators can use theremote console to issue commands to the server.

➤ View-only administrators—These administrators can use the remote con-sole to issue only those commands that provide system status informa-tion, such as SHOW TASKS and SHOW SERVER. View-only administrators cannot issue commands that affect the server’s operation.

➤ System administrators—These administrators are allowed to issue a fullrange of operating system commands to the server.

➤ Restricted system administrators—These administrators are allowed toissue only the operating system commands that are listed in theRestricted System Commands field.

Allowing and Denying Access to the ServerTo control user and server access to other servers, Domino uses the settingsspecified on the Security tab in the Server document. If a user or server canauthenticate and the settings in the Server document allow access, the useror server is allowed access to the server.

The administrator can specify Notes users and Domino servers that areallowed to access the server, as well as users who access the server usingInternet protocols (HTTP, IMAP, LDAP, POP3). All of these settings arespecified in the Security section of the Server document in the DominoDirectory.

Notes user and Domino server access to a Domino server is controlledthrough the following fields in the Security section of the server document:

➤ Access Server—The administrator can allow server access to users listedin all trusted directories, or only to specific Notes users, servers, andgroups. If the Access Server field is left blank, all users and servers thatcan authenticate can access the server.

07 0789729180 ch06 10/21/03 2:31 PM Page 137

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6138

➤ Not Access Server—These users, servers, and groups are denied access tothe server. Again, administrators also have the option of using the aster-isk notation. The default value for this field is blank, which means thatall names entered in the Access Server field can access the server.

Some administrators use an asterisk followed by a certificate name to controlaccess to the server; for example, */Sales/Acme would give all users in the SalesOU access. An asterisk followed by the name of a view, such as *($Users), wouldgive all names that appear in a specific view in the Domino Directory access. It ishandy to be able to use this reference within an ACL to save the time of adding sev-eral groups to the ACL. For example, instead of having to maintain and update anAll Users group in the Directory, the administrator can use */Acme to refer to allusers in the company.

Remember that names entered in the Not Access Server field take precedence overnames entered in the Access Server field. For example, if you enter a group name inthe Access Server field and enter the name of an individual member of this group inthe Not Access Server field, the user will not be capable of accessing the server.

Typically, the Domino Administrator lists a Deny Access group in this field to denyaccess to servers within the company for people who have left the company. See thediscussion about groups and group types later in this chapter.

➤ Create Databases and Templates—These specific servers, users, and groupsare allowed to create databases with the File, Database, New command.Typically, this capability is restricted to administrators or designers. Thedefault value for this field is blank, which means that all users can createnew databases.

➤ Create New Replicas—These specific servers, users, and groups areallowed to create replicas using the File, Replication, New Replica com-mand. The default value for this field is blank, which means that no onecan create new replicas.

➤ Create Master Templates—These specific servers, users, and groups areallowed to create master design templates. Servers, users, and groupswho cannot create new databases or replicas on the server cannot createor update templates. The default for this field is blank, which means thatno one can create master design templates on the server.

Controlling Access to a Specific Network PortAdministrators can use a port access list to allow or deny Notes user andDomino server access to a specific network port. If the administrator usesboth a port access list and a server access list, users and servers must be list-ed on both to gain access to the server.

07 0789729180 ch06 10/21/03 2:31 PM Page 138

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 139

Access to a specific port is controlled using these NOTES.INI settings:Allow_Access_portname = namesDeny_Access_portname = names

Here, portname is the name of the port, and names is a list of users, servers, andgroups to which you want to deny or allow access. These names must be con-tained in the Domino Directory.

Monitoring and Maintaining Server AccessControlNot too many hands-on tools provided with the Domino Administratorclient are designed to assist the administrator with monitoring or maintain-ing access control for servers. But the administrator can put in place somestrategies and plans to help keep a tight rein on server security.

Develop strategies to protect your computing environment. When youunderstand the potential threats to your Domino environment, you can cre-ate procedures to protect each part of your Domino computing infrastruc-ture. This can include developing procedures and rules for some of the following areas:

➤ Limits on physical access to the Domino servers

➤ Network access and protection

➤ Messaging infrastructure, through the use of antispam and antivirusproducts

➤ Change control, to help manage changes to your security model

➤ User training for organizational security rules and technology

➤ Security incident reporting

➤ Development of incident-handling procedures

➤ Planning and delivery of employee security training

➤ Keeping security processes and documentation current and up-to-date

Domino administrators should periodically review the Administrator fieldson the Server document, as well as the fields on the Security section of theServer document, to assess whether access to the server is being properlygranted or denied.

07 0789729180 ch06 10/21/03 2:31 PM Page 139

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6140

Troubleshooting Common Server AccessProblemsMany scenarios illustrate situations in which users and servers can have dif-ficulty accessing Domino servers. The following sections illustrate thesepotential problems. Each section lists a common error resulting in a serveraccess problem and documents the solutions to those problems.

The Administrator Can’t Enter Commands at the ServerIf an administrator can’t run the workstation program on the server, runstandalone server programs, or use the Load, Tell, or Set Configuration com-mands, the console has likely been password-protected. The administratorneeds to use the Set Secure command at the console or use the DominoAdministrator client to clear the password. The administrator must know thepassword to clear it.

An administrator might also fail to enter commands at the console becausehe isn’t listed as an administrator in the Administrator fields in the Serverdocument, or he might be listed as a view-only administrator, with limitedaccess to enter console commands.

Users Can’t See a New Server in the List of ServersIf users can’t see a new server when they try to add, create, copy, or replicatea database, the administrator should make sure that the Domino Directorycontains a Server document for the new server and that the information inthe document is accurate and correctly spelled. If no Server document exists,the administrator should register the new server and ensure that the Serverdocument gets added to the Directory and then replicated to other servers inthe domain. If a Server document exists and contains accurate informationfor the new server, the administrator can check the log file on both the user’shome server and the inaccessible server to see if there are network problems.

The Server Is Not RespondingThe message “Server not responding” might appear when you install a clientor try to open any database on a particular server. Here are some strategiesfor resolving this problem, listed in the order in which they should beattempted:

1. Check that the Domino server and the network are running.

2. Check whether the server has been renamed or recertified. When auser tries to open a database on a server that has been recertified orrenamed, the message “Server not responding” might appear.

07 0789729180 ch06 10/21/03 2:31 PM Page 140

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 141

3. If the client and server are using NetBIOS, make sure that the protocolis configured properly and that it’s running on the workstation andserver. The workstation and the server must use the same version ofNetBIOS, and the server must be enabled for sufficient NetBIOS ses-sions.

The User Received the Error Message “You Are NotAuthorized to Access the Server”When this message appears, the most likely cause is that the user or server isbeing denied access to the server through the Deny Access field in the Serverdocument. Check the names and groups listed in that field, and, if necessary,remove the name from the field or from the group.

Any direct changes to the Server document require that the server be restarted for thechanges to take effect. For example, if Joe Smith/Acme was listed in the Deny Accessfield on the Server document and the administrator removed his name from the field,the server would need to be restarted for Joe to gain access to the server. But if Joewas listed as a member of a group in the Deny Access field and the administratorremoved him from the Group document, the server would not need to be restarted forJoe to gain access to the server. Groups are usually used to grant and deny access tothe server so that the server doesn’t need to be restarted each time someone is addedor removed from the group.

Domino Application SecurityAs the final layer in the Domino security model for resources, administratorsmust understand how to apply security to the database, also known as theapplication. The security for the database itself is also multilayer, beginningwith the database Access Control List. Within the database, security can alsobe provided for design elements (views, forms, agents, and so on), docu-ments, sections of documents, and fields. The following sections of thischapter focus on three main security features: the database ACL with bothindividual and group listings, Authors fields, and Readers fields.

Understanding the ACLEvery database has an Access Control List (ACL) that specifies the level ofaccess that users and servers have to that database. Only someone withManager access can create or modify the ACL.

Although the names of access levels are the same for users and servers, those levelsassigned to users determine the tasks that they can perform in a database. Thoseassigned to servers determine what information within the database the servers canreplicate.

07 0789729180 ch06 10/21/03 2:31 PM Page 141

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6142

To control the access rights of Notes users, select the access level, user type,and access-level privileges for each user or group in a database, within theACL by choosing File, Database, ACL. Access levels assigned to users in adatabase ACL control which tasks users can perform in the database. Access-level privileges enhance or restrict the access level assigned to each name inthe ACL. For each user, group, or server added in the ACL, you select theuser type and access level in the User Type and Access drop-down lists. Tofurther refine the access, you select a series of access privileges by selectingor deselecting the various check boxes located on the right side of the Basicstab of the ACL. If the application designer created roles, assign them to theappropriate users, groups, or servers. Figure 6.3 shows the ACL of a data-base.

Figure 6.3 A database ACL showing entries for groups and individuals.

All changes to the ACL are tracked through the ACL log, which can beaccessed within the ACL itself by choosing File, Database, ACL and choos-ing the Log tab. Each entry in the list shows when the change occurred, whomade the change, and what changed. The log stores only 20 lines of changes,not the complete history. Only users who have manager access in the ACLcan view the ACL log.

Access Levels in the ACLHere is a listing of the seven access levels, from lowest to highest, along witha brief description of what each level means:

07 0789729180 ch06 10/21/03 2:31 PM Page 142

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 143

➤ No Access—Denies access to the database. The error message thatappears to the user is “You are not allowed to access this database.”

The exception to the No Access level is the Public Access level. If the designer of thedatabase creates Public Access forms and documents are created with these forms,the documents are marked as Public. Anyone in the ACL with Public Access can reador write Public documents. The Public Access level is granted by checking the Reador Write Public Documents check box in the ACL. This technology is used in the Maildatabase, where calendar documents get marked as public documents so that accessto those documents can be controlled separately from access to mail messages. Becareful when selecting the Public Access option—you should check with the data-base designer to see if public access forms were used in the database so that accessto those documents can be properly set in the ACL.

➤ Depositor—Allows the writing or adding of documents only. Users can-not read, edit, or delete documents, with the exception of public docu-ments.

➤ Reader—Allows the reading of documents only. Users cannot add, edit,or delete documents.

➤ Author—Allows users to read documents and to edit documents in whichthey are listed in an Authors field (see the topic later in this chapterregarding Authors fields). Optionally, users may create or delete docu-ments.

➤ Editor—Allows the creating, reading, and editing of all documents. Thisis the highest level of access to the document data, but it does not grantaccess to design documents or to the ACL.

➤ Designer—Includes all the rights of Editors, as well as access to create,edit, and delete all Design documents in the database such as forms,shared views, navigators, and so on.

➤ Manager—Includes all the rights of designers, as well as the capability tomodify the ACL and delete the database from the server using the clientuser interface commands (File, Database, Delete).

Users and servers who are granted Reader access or higher can be allowed ordenied access to read documents through the use of a Readers field. See the topiclater in this chapter regarding Readers fields.

In some cases, users can have high access to a database that is not defined in thedatabase ACL. Administrators who are designated as full-access administrators inthe Server document have manager access to all databases, with all privileges androles enabled, regardless of whether they are listed in the database ACLs.

07 0789729180 ch06 10/21/03 2:31 PM Page 143

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6144

User Types in the ACLA user type identifies whether a name in the ACL is for a person, server, orgroup. A user type is assigned to a name to associate an ID type with thatname so that only that type of ID can access the application. For example, ifyou entered a value of Training as the ACL entry and assigned a user type ofServer, the Training server could gain access to the database, but the persongroup called Training couldn’t gain access. The user types are Person,Server, Mixed Group, Person Group, Server Group, and Unspecified. Thedefault group in the ACL is always assigned Unspecified as the user type. Ifyou have added Anonymous to the ACL, it should have a user type ofUnspecified.

Administrators who are designated as administrators or database administrators inthe Server document are allowed to delete any database on the server or modify thedatabase (for example, designate an administration server or create a full-text index),even if they are not listed as managers in the database ACL. Don’t forget about thesespecial database privileges when answering exam questions related to databasesecurity and ACLs.

User types provide additional security for a database. For example, assigning thePerson user type to a name other than Unspecified prevents an unauthorized userfrom creating a group document with the same person name, adding his or hername to the group, and then accessing the database through the group name.Designating a name as a server or server group prevents a user from using theserver ID at a workstation to access a database on the server.

Securing Applications with GroupsMost administrators control access to databases through the use of groups.Group documents are created in the Domino Directory to create a single ref-erence point for people and servers for easy citation within ACLs and mailmessages. An administrator must have at least Author access to the Directorywith the GroupCreator role to create groups. Using groups can help simpli-fy many administration tasks. Figure 6.4 shows a sample Group document.

Groups are lists of users, groups, and servers that have common traits. Groupsare given a name, group type, description, domain, and Internet address. Theadministrator then lists the members of the group in the Members field. Thetwo group types that are suitable for ACLs are Multipurpose and AccessControl List Only. It’s important to provide a description for the group sothat administrators can keep track of the purpose of each group in theDirectory.

07 0789729180 ch06 10/21/03 2:31 PM Page 144

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 145

Figure 6.4 A Group document in the Domino Directory.

One of the group types in the Group Type list is the Deny List Only group. The DenyAccess group is typically listed in the Not Access Server field in the Server docu-ment, and it is used to deny access to servers for people who have left the compa-ny. These groups cannot be seen within the Groups view. Deny Access groups arelocated within their own view in the Directory called Deny Access Groups. To see thisview, you must be assigned the GroupModifier role. Watch out for references to thisgroup type on the exam, and remember that these groups are always located withintheir own, separate view.

After the group has been created, the Administrator can easily add the groupto the ACL and assign access privileges to it. It is much easier to add andremove members from a Group document than it is to add and remove indi-vidual users from the ACL.

When someone is listed in the ACL more than once, the following rulesapply:

➤ If the user or server is listed in the ACL as an individual, that user orserver gets the access level assigned as an individual, regardless ofwhether the user or server is also listed in one or more groups. Forexample, if Jim Smith/Acme is listed in the ACL as a Reader but is alsoin the group called Acme Employees with an assigned level of Authoraccess, Jim will get Reader access to the database. If his individual accesslevel is Designer, he will get Designer access to the database.

07 0789729180 ch06 10/21/03 2:31 PM Page 145

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6146

➤ If the user or server is not listed in the ACL as an individual but is listedin more than one group, that user or server gets the highest of the groupaccess. For example, if Jim Smith/Acme is listed in the Acme Employeesgroup with Reader access and in the Administrators group with Manageraccess, he will have Manager access to the database.

Securing Applications with Authors FieldsAn Authors field works in conjunction with Author access in the databaseACL, and it is used to grant access to edit a document. For someone withAuthor access to edit a document, that person must be listed in an Authorsfield on that document. In a typical scenario, someone with Author accesshas the Create Document privilege and can create documents in the data-base. Usually the designer of the database places an Authors field on theform, and computes and stores the name of the user who created the docu-ment. That user then can edit the document later. The Authors field can alsobe editable, in which case the creator or editor of a document can enter othernames into the Authors field, thus allowing those users to edit the document.

Always remember that Authors fields apply only to users who have Author access inthe ACL. Entries in an Authors field cannot override the database ACL; they can onlyrefine it. Users who have been assigned Reader access or lower in an ACL can neveredit a document, even if they are listed in an Authors field. Users who have Editoraccess or higher in the ACL can edit all the documents in the database and are notaffected by an Authors field.

If the designer of the database chooses not to place an Authors field on theform, users with Author access to the database might be able to create docu-ments but will never be able to edit those documents after they have beencreated and saved in the database.

Securing Applications with Readers FieldsA designer can limit reading on a per-document basis by including a Readersfield on the form. A Readers field can be populated with the name of a group,role, user, or server name. If any group, role, user, or server is listed in theReaders field, only that entity can read the document, regardless of some-one’s access level in the database ACL.

For example, a designer could architect the Main Topic form of a Discussiondatabase with a button called Mark Private that would allow any author of aMain Topic document to mark a document so that it was visible only to thatauthor, and a Mark Public button that would make the document visible to

07 0789729180 ch06 10/21/03 2:31 PM Page 146

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 147

all readers of the database. When the user pushes the Mark Private button inany document that he is capable of editing, a Readers field gets populatedwith the name of the user who pushed the button. When that user then savesthe document, that user is the only person who can read the document.Other users who have access levels in the database that range from Readerright up to Manager cannot see or read the document.

There are several exceptions to the rules surrounding Readers fields:

➤ If someone is listed in an Authors field on the document, that personcan read the document, regardless of whether he is listed in the Readersfield.

➤ If the Readers field on a document is empty, everyone with Readeraccess and higher to the database can read the document.

➤ Full-access administrators can always read all the documents in a data-base, regardless of whether they are listed in a Readers field for thosedocuments.

Don’t forget that servers also need to read documents to replicate them. Readersfields are useful when the designer wants to ensure that some documents can beread only by certain people or groups. But many designers forget that servers alsoneed to read documents to replicate them. If a designer decides to use a Readersfield on a form, that designer should always ensure that a server or server group iscomputed in a Readers field so that servers can replicate all the documents in thedatabase to other servers.

Form Read Access ListsA Form Read Access List lists users, server, roles, or groups that can readdocuments created with the form. Many people confuse the Readers fieldwith the Form Read Access List. Every form in a database contains a sectionin which the designer can list users, server, roles, or groups that can read doc-uments created with the form. You can access this list on the last tab (theSecurity tab, marked with a key icon) of the Form Properties box, as shownin Figure 6.5.

If the designer removes the check mark from the box All Readers and Aboveand places the check mark next to one of the entries in the list, any docu-ments saved with the form are saved with a $Readers field. This field con-tains the names of all the entries checked in the form’s Read Access List. The$Readers field achieves the same result as the Readers field, restricting readaccess for the document to those users listed in the field.

07 0789729180 ch06 10/21/03 2:31 PM Page 147

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6148

Figure 6.5 The Security tab of the Form Properties box.

Troubleshooting Data Access ControlProblemsMany scenarios can cause problems for users and servers who are attemptingto access or perform tasks in a database. The following sections discuss someof the more common complaints that relate to application access control.

Servers Aren’t Replicating Document Deletions to OtherReplicasTo receive document deletions, the ACL on a destination server replica mustgive the source server Editor access or higher and must have the access-levelprivilege Delete Documents selected. If servers don’t have adequate access tothe database, they might not be capable of properly replicating changes,additions, or deletions to the database.

Users Are Complaining That They Can’t Seem to LockDocuments in a DatabaseWhen administrators set the database property Allow Document Locking,users with Author access or higher can lock documents in that database aslong as they are listed in an Authors field for that document. Locking a doc-ument prevents editing and replication conflicts by ensuring that the personwho locks the document has exclusive rights to modify the document.Managers of a database cannot edit a locked document; however, managerscan unlock documents that are locked. If a user is experiencing difficultywhen attempting to lock a document, the most likely problem is that the userdoesn’t have enough access to edit the document.

07 0789729180 ch06 10/21/03 2:31 PM Page 148

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 149

Users Complain That They Can’t Seem to “See” All theDocuments in the DatabaseIf users cannot locate or read documents in a database, they likely have beenexcluded from reading a document because they aren’t listed in the Readersfield for those documents. If the user needs to be able to read certain docu-ments, that user needs to find out how to get added to the Readers field—likely through the use of a role or group.

A User Complains That He Cannot Edit a Document That HeCreated in the DatabaseIf a user has Author access in the database and cannot edit a document thathe originally created, that user likely isn’t listed in an Authors field on thatdocument. The user should look at the database documentation or consultwith the designer or manager of the database. Perhaps the database has beenarchitected to prevent users from editing their own documents for businessreasons that support the business rules for the application. Or perhaps thedesigner has omitted the Authors field by mistake, in which case the design-er will need to add an Authors field to the form(s) and run agents in the data-base to populate the Authors fields on existing documents. When the user’sfull hierarchical name has been stored in the document, that user should beable to edit that document.

Users Complain That They Can’t Create Agents in theDatabaseIf a user can’t create agents in a particular database, the administrator shouldcheck the database ACL to see if the user has the access level required to cre-ate agents in that database. To create personal agents, a user must have atleast Reader access to the database, with the Create Private Agents privilegechecked. To create shared agents, a user must have at least Designer access.If the designer wants to create agents that use either LotusScript or Javacode, the Create LotusScript/Java Agents privilege also must be checked.

Creating Security PoliciesDomino policies are a way of distributing administrative settings, standards,and configurations to users, groups, or entire organizations. A policy documentis a collection of administrative settings that addresses an administrative area.An administrator can then use this document to establish and enforce admin-istrative standards and to distribute them throughout the organization. Theadministrator can easily modify and maintain security standards across an

07 0789729180 ch06 10/21/03 2:31 PM Page 149

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6150

organization by simply editing a security settings document. Security settingsdocuments can be used to control the management and deployment of thefollowing security settings:

➤ Execution control lists (ECLs)

➤ Notes and Internet password settings and synchronization

The security settings document has two major sections: the PasswordManagement tab and the Execution Control List tab. Here is a summary andbrief explanation of the fields on the Password Management tab:

➤ Allow Users to Change Internet Password over HTTP—Allows users to use aWeb browser to change their Internet passwords

➤ Update Internet Password When Notes Client Password Changes—Allowsusers to use the same password to log in to both Notes and the Internet

➤ Check Notes Password—Requires Notes client IDs to use a password forNotes authentication

➤ Enforce Password Expiration—Enables or disables password expiration forNotes only, Internet only, or both Notes and Internet passwords

If password expiration has been enabled, the administrator must completethe following fields:

➤ Required Change Interval—The number of days a password can be ineffect before it must be changed.

➤ Allowed Grace Period—The number of days users have to change anexpired password before being locked out.

➤ Password History (Notes only)—The number of expired passwords to store.Storing passwords prevents users from reusing old passwords.

➤ Required Password Quality—Sets password quality or length requirementsfor passwords.

An ECL protects user workstations against active code from unknown orsuspect sources, and can be configured to limit the action of any code thatruns on workstations. The ECL determines whether the signer of the codeis allowed to run that code on a given workstation, and it defines the accessthat the code has to various workstation functions. For example, an ECL canprevent another person’s code from running on a computer and damaging orerasing data. The following settings are set on the Execution Control Listtab of the security settings document:

07 0789729180 ch06 10/21/03 2:31 PM Page 150

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 151

➤ Admin ECL—Choose Edit to edit the default administration ECL, orchoose New to create a new administration ECL.

➤ Update Mode—Choose Refresh to update workstation ECLs withchanges made to the Administration ECL, or choose replace to over-write the workstation ECL with the Administration ECL.

➤ Update Frequency—Choose Once Daily, When Admin ECL Changes, orNever to control how often the workstation ECL is updated.

07 0789729180 ch06 10/21/03 2:31 PM Page 151

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6152

Exam Prep Questions

Question 1

Which of the following best describes the role of the full-access administrator?

❍ A. Performs database creation and deletion.

❍ B. Performs user registration and deletion.

❍ C. Performs day-to-day database maintenance.

❍ D. Performs any administrative task, including full access to all databas-es. Can be used for emergency use.

Answer D is correct. Full-access administrators have Manager access with allroles to all databases on the server, regardless of the database ACL. Thisadministrative access level can be for emergency use, when the administratorneeds to be able to access data for troubleshooting purposes.

Question 2

Which of the following is not a valid level of administrative access to the Dominoserver?

❍ A. Database administrator

❍ B. Domino administrator

❍ C. Restricted system administrator

❍ D. Full-access administrator

Answer B is correct. Domino administrators is not a valid option on the serv-er document. The valid options are:

Full-Access Administrators

Administrators

Database Administrators

Full Remote Console Administrators

View-Only Administrators

System Administrator

Restricted System Administrator

07 0789729180 ch06 10/21/03 2:31 PM Page 152

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 153

Question 3

Colin, a Notes user, wants to lock a document in a database. Which of the fol-lowing is the lowest level of access he can have to the database that allows himto lock the document?

❍ A. Reader

❍ B. Editor

❍ C. Author

❍ D. Manager

Answer C is correct. To lock a document in Notes, you must be able to editthe document. The lowest level of database access that allows document edit-ing is Author access. Colin’s name would also need to be listed in an Authorsfield on the document to allow him to edit it. Additionally, document lock-ing must be enabled for the database.

Question 4

Which of the following statements about password synchronization is true?

❍ A. Users can synchronize their Notes and Internet passwords in the UserSecurity dialog box in the Notes client.

❍ B. Users can synchronize their Notes and Internet passwords by access-ing their own Person document in the Directory.

❍ C. Notes and Internet passwords can be synchronized by the administra-tor if he creates a security settings document specifying that bothpasswords should be synchronized, and applies that security settingthrough the use of a policy document.

❍ D. Notes and Internet passwords cannot be synchronized.

Answer C is correct. The Domino administrator can choose to synchronizethe Internet password with the Notes password through the use of policiesand security settings, thus giving the end user the same password to log intoboth Notes and the Internet.

07 0789729180 ch06 10/21/03 2:31 PM Page 153

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6154

Question 5

Wendy needs to change some of the fields on a security settings document.Which of the following roles does she need to make the changes?

❍ A. PolicyEditor

❍ B. PolicyModifier

❍ C. PolicyCreator

❍ D. PolicyAuthor

Answer B is correct. Three ACL roles are associated with policies: thePolicyCreator role, the PolicyReader role and the PolicyModifier role. The PolicyCreator role is required to create a policy document. ThePolicyModifier role is required to modify a policy document. ThePolicyReader role is required to read a policy document.

Question 6

Beth, one of the Domino administrators in the Acme Corporation, needs to usethe Domino Administrator client to create a replica of a Discussion database onServerB/Acme. Which of the following best describes the rights she needs toaccomplish this task?

❍ A. She must be listed in the Access Server field for ServerA/Acme.

❍ B. She must be listed in the Create New Databases and Templates fieldfor ServerB/Acme.

❍ C. She must be listed in the Create Replica Databases field forServerB/Acme.

❍ D. She must be added to the Administrators group in the Directory.

Answer C is correct. The Create Replica Databases field contains a list ofusers who are authorized to create new replica databases on the Dominoserver. If the field is blank, no one can create replica databases. Answer Disn’t necessarily correct because we don’t know whether the Administratorgroup is listed in the Create Replica Databases field.

07 0789729180 ch06 10/21/03 2:31 PM Page 154

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 155

Question 7

Bob just finished creating a group within the Domino Directory, but he can’tlocate the group within the Groups view. Which type of group did he create?

❍ A. Multipurpose

❍ B. User

❍ C. ACL Only

❍ D. Deny List Only

Answer D is correct. The Deny List Only group denies access to users listedin the group when the group name is used within a server access list. A DenyList Only group usually contains the names of former employees of compa-nies. The Deny List Only group type doesn’t display in the Groups view ofthe Domino Directory, but rather displays within the Deny Access Groupsview. To see this view, you must be assigned to the GroupModifier role.

Question 8

Susan locked a document within a database and then went on vacation the nextday. She isn’t scheduled to return to the office for another two weeks, and Jesseneeds to be able to edit the document in her absence. Which of the followingaccess levels does Jesse need to unlock the document?

❍ A. Manager

❍ B. Designer

❍ C. Editor

❍ D. Author

Answer A is correct. Document locks prevent any users from immediatelyediting the document, including those with Manager access to the database.However, a user with Manager access to a database can unlock a locked doc-ument, and then proceed to edit it.

07 0789729180 ch06 10/21/03 2:31 PM Page 155

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 6156

Question 9

Joey enters the following command at the server console:Set secure passwordabc

Which of the following statements is true?

❑ A. If the console was password-protected using the password password-abc, then by entering this command, Joey has cleared the currentpassword and the console is no longer protected.

❑ B. If the console was password-protected using the password 123abcdef,then by entering this command, Joey has reset the console passwordto passwordabc.

❑ C. If the console was not password-protected, then by entering this com-mand, Joey has protected the console with the password pass-word123.

❑ D. Joey has not used the correct syntax for the set secure command;therefore this command will have no effect at the server console.

Answers A and C are correct. If a the console is already password-protected,you must enter the set secure command with the current password to unlockthe console. If the console isn’t password-protected, entering the set securecommand with a password secures the console with that password. To reseta password on a secure console, you must enter the following command:Set secure “oldpassword” “newpassword”

07 0789729180 ch06 10/21/03 2:31 PM Page 156

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 157

Need to Know More?Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBMRedbooks, 2002. Also available on the Web at www.redbooks.ibm.com/.For references to security, consult Chapter 10, “Security.”

Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, Indiana: Que Publishing, 2003.

Policy-based system administration with Domino 6: www-10.lotus.com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf8100256b

e9005b7d35?OpenDocument.

Lotus Domino 6 Technical Overview: www-10.lotus.com/

ldd/today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af8525

6a1b00782950?OpenDocument. For references to security, consult the sec-tion “New Security Features.”

Accessing and protecting the file system: www-10.lotus.com/

ldd/today.nsf/f01245ebfc115aaf8525661a006b86b9/a115026680fd74498525

6b34000f4c1b?OpenDocument.

Webcast: “Lotus Live! Series: What’s New in Notes/Domino 6 Administration.” http://searchdomino.techtarget.com/


Webcast: “Preparation and Test Taking Strategies with LotusEducation Managers.” http://searchdomino.techtarget.com/


07 0789729180 ch06 10/21/03 2:32 PM Page 157

07 0789729180 ch06 10/21/03 2:32 PM Page 158

PART IIExam 621

7 Installing and Configuring

8 Mail

9 Monitoring Server Performance

10 Replication

11 Security

08 0789729180 Pt 2 10/21/03 2:31 PM Page 159

08 0789729180 Pt 2 10/21/03 2:31 PM Page 160

Installing and ConfiguringTerms you’ll need to understand:✓ Domino server types✓ Transaction logging✓ Domino clustering✓ Domino Welcome page✓ Certificate authority✓ Multiuser support

Techniques you’ll need to master:✓ Capacity planning based on performance✓ Setting up and configuring a Notes/Domino Release 6 Server✓ Installing a Notes/Domino Release 6 server✓ Setting up servers of different types✓ Setting up/configuring Directories✓ Deploying a corporate standard Welcome page✓ Creating/registering certificates✓ Creating/registering users✓ Certifying with a CA key✓ Setting up multiuser support✓ Setting up workstations for different clients✓ Setting up/configuring calendaring and scheduling✓ Setting up/configuring transaction logging✓ Setting up servers for load balancing and failover✓ Setting up servers for sharing resources✓ Applying policy documents to existing users✓ Migrating from a distributed directory to a central directory

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7

09 0789729180 CH07 10/21/03 2:45 PM Page 161

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7162

In this chapter, we cover how to install and configure the prime componentsof a Domino domain. Topics discussed include setting up and installing aserver, the different server types available, and how to ensure that you haveplanned properly for the maximum performance throughout the domain.

Capacity Planning Based onPerformanceCapacity planning in a Domino domain consists of establishing the parame-ters that will be used to make sure the servers and network are running atoptimum efficiency. Domino is a powerful application, but it must be set upproperly to achieve peak performance. Before beginning the setup of aDomino server, take the time to map out the domain and plan accordingly todeploy a premium installation. Items to consider when creating a capacityplan for the domain include

➤ Create a map of the proposed Domino network and the anticipatednumber of users as well as the proposed size of the databases as thedomain grows. Engage a Domino consultant if necessary to assist withthe project scope to help determine the manner in which the networkshould be defined.

➤ Configure the server with the fastest processor or multiple processorsavailable if possible. Specific Domino tasks, such as the indexer andreplicator, perform more efficiently on faster machines and reduce theperformance overhead.

➤ Domino can be disk intensive. Use high-speed disk arrays with RAIDstriping enabled to achieve the quickest reads and writes in the disk sub-system. Use drives with a low seek time and install disk controllers withdisk caching.

➤ Most programs use memory if it is available and Domino is no excep-tion. Using large amounts of memory with Domino causes less diskswapping to occur because the paging file requires minimal access;therefore, having the most memory available is the optimal choice.

➤ User and servers are required to connect to the server, so network infra-structure should be a prime consideration when deploying the servers.Setting up servers on a congested network causes problems from thestart, so take the time to perform proper network diagramming beforeinstalling the servers.

09 0789729180 CH07 10/21/03 2:45 PM Page 162


➤ Consider the work hours of the user community when scheduling sys-tem tasks such as server backups. Domino has specific tasks, such asCompact or Fixup, that run more efficiently when the server access islow, so Lotus schedules these programs to run in the early morninghours when the server load is light. Backing up the system is no differentand proper care should be taken to schedule backups so that they willstart when users are logged off the server and before the nightly mainte-nance routines launch.

After the server has been built and the Domino server software has beeninstalled, consider these options to gain the maximum performance in thedomain:

➤ Certain tasks are loaded by default when the server is built. If not allservices are being used, remove them from the server configuration toallow the server to process only the necessary tasks. For instance, if cal-endaring and scheduling is not being used in the server, remove Calconnand Sched from the Notes.ini file. Take a look at all tasks that are beingloaded and remove what isn’t necessary.

➤ Take advantage of special codes that Lotus has written to maximize theperformance of the server. For instance, if the server only has a singleprocessor installed, set the SERVER_MAXSESSIONS to a specificnumber to manage the number of concurrent Notes client sessions.

Lotus has created an entire white paper, “Maximizing Domino Perfor-mance” that addresses these issues as well as other recommendations. Thepaper is available at http://www-10.lotus.com/ldd/.

Installing a Notes/Domino Release6 ServerLotus has spent a considerable amount of time making it as easy as possiblefor an administrator to install the server. These are the major phases of thesetup process:

When planning for a Domino installation, make sure that the network cards in theserver can make the best use of the available bandwidth. Using a 10Mbps card ona 100Mbps network will not allow the server to participate on the network effi-ciently.

09 0789729180 CH07 10/21/03 2:45 PM Page 163

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7164

➤ Creation of the Domino Directory

➤ Creation of the ID files, including the server ID, certifier ID, and theadministrator ID

➤ Creation of the Domino log

➤ Definition of appropriate network configurations

Before beginning the install, make sure that thought has been given to the require-ments needed for the most efficient hardware platform to provide the optimum per-formance. Copious amounts of RAM, adequate bandwidth, and fast drive arrays arewell worth the investment to building a premium server.

Lotus has provided multiple server types to allow administrators to have variousoptions for creating a Domino domain that will perform as needed based on theuser’s requirements. Make sure that you are familiar with these different types andthat you install each of them in your development environment when studying for theexam.

Setting Up Servers of Different TypesBefore launching the setup program, consider the type of server that needsto be running based on the needs of the organization. There are three typesof servers that can be installed:

➤ Domino Utility Server—Select this server type if the requirement is forapplication services only and no messaging services. This selection doessupport Domino clustering. The Utility server is a new product typeprovided by Domino release version 6.

➤ Domino Messaging Server—Select this server type if the requirement isfor messaging services only. The Messaging server does not supportDomino clustering.

➤ Domino Enterprise Server—Select this server type if the requirement is forapplication services, messaging services, and Domino clustering services.

Running the Installation ProgramAfter launching the installation program, the setup utility will guide theadministrator through the following steps:

1. The setup program unpacks the installation files to a temporary direc-tory. This is an automatic process and requires no intervention fromthe administrator.

09 0789729180 CH07 10/21/03 2:45 PM Page 164


2. The Lotus Domino program dialog box appears after the files aredecompressed. Click Next to continue.

3. The license agreement appears next. Read the agreement and click Yesto continue.

4. A dialog box appears asking for your name, company name, and acheck box allowing the administrator to choose a partitioned server ifrequired. Complete the fields and select Next to continue.

5. The next screen that appears allows the administrator to select theserver locations for the Program folder and the Data folder. Typically,the Program folder is small in size and can be placed on a system vol-ume. The Data folder contains all the databases on the server andshould be placed on the fastest drives on the server where there is suffi-cient room for growth. Select the destination folders and click Next tocontinue.

6. A dialog box appears allowing the administrator to select the type ofserver to install (see “Setting Up Servers of Different Types,” earlier inthis chapter). As each server type is selected, the text next to theCustomize button at the bottom of the dialog box changes, allowingeach server type to be set up as needed based on custom selections thatare chosen. Select the server type and click Next to continue.

7. The next screen provides the choices for Program folders. Either typethe name of a new folder or select an existing folder from the list.Click Next to continue. The setup program will now install the server.

8. After the software installation program has finished, click Finish to exitthe setup program.

Setting up and configuring a Domino server is a key skill needed by an experiencedadministrator. Carefully review the information in the following section when prepar-ing for the exam. If it has been some time since you have installed a server, makesure you spend time drilling on these concepts and, as stated before, install a serv-er in your development environment. Real-world, hands-on experience is the bestteacher, but the information here can help extend your knowledge.

Setting Up and Configuring aNotes/Domino Release 6 ServerAfter the server software is installed, it needs to be configured. To start theconfiguration process, select the Lotus Domino Server selection on theProgram menu and follow these steps:

09 0789729180 CH07 10/21/03 2:45 PM Page 165

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7166

1. The Server Setup screen loads. On this screen, there is an option tochange the fonts if desired. Click Next to continue.

2. Server Setup now needs to know if this is the first server in a domainor is a server being added to an existing domain. The two choices are

➤ Set up the first server or a stand-alone server. This will set up a newDomino server and a new Domino domain.

➤ Set up an additional server. This will setup an additional Dominoserver into an existing Domino domain. This requires that the serv-er is already registered in the Domino Directory. (You may need toobtain additional information from your Domino administrator.)

Select “Setup the first server or a stand-alone server” and click Next tocontinue.

Selecting the option to set up an additional server requires a server ID that has alreadybeen created from the domain’s registration server. If this option is being chosen,make sure that the ID is available before continuing. The setup program will thenmake a connection to the registration server and obtain a copy of the DominoDirectory to finish the setup. To get a true understanding of the total process involvedin setting up a server from scratch, we are going to assume that we are selecting thefirst option and setting up the first server in a domain.

3. At this time, a server name and title need to be provided. In the ServerName field, enter a unique name for the server, keeping in mind thatthe name chosen is difficult to change and should be reflective of thepurpose of the server, such as “Sales Hub” or “Primary DomainServer.” The default name populated in this field is the host name ofthe server but should be changed as necessary to provide a logicaldomain name.

4. An optional field on this page is the Server Title. Use this field to pro-vide a description of this server’s purpose. A check box also exists in theevent that an existing server ID is available. Complete the requiredfields and click Next to continue.

5. The next screen allows the administrator to select the organizationname. Each server and user ID has the organization name as a compo-nent of its name, so care should be taken to use a short name identifier.Complete the Organization Name field. This is an active field.Directly below the Input field, the setup program displays an exampleof a server name as well as a username.

6. The other two fields on this page are related to the OrganizationCertifier password. Enter a password, a minimum of five characters,

09 0789729180 CH07 10/21/03 2:45 PM Page 166


and then enter it again in the Confirm Password field. A check boxexists in the event that a certifier ID that the administrator would wantto use with this domain already exists.

7. Select the Customize button and the Advanced Organization Settingsscreen loads. Enter the Organizational Unit name in the blank field.

8. Enter an Organization Certifier password, using a minimum of fivecharacters, and then enter it again in the Confirm Password field. Acheck box exists in the event that a certifier ID that the administratorwould want to use with this domain already exists.

9. If this server is going to be used in a country other than the UnitedStates, select a Country code from the drop-down box at the bottom ofthe page and click OK to continue. The setup program now returns tothe Organization Name page. If an Organizational Unit name was cho-sen, it is now displayed on this page with the example names. ClickNext to continue.

10. The setup program now needs to define the Domino domain name.The Choose the Domino Domain Name dialog box appears. There isonly one field on this page to be completed. Enter the name of theDomino domain and click Next to continue.

11. Domino now requires the identification of an administrator beforecontinuing the setup process. The Specify an Administrator Name andPassword dialog box appears. Enter the first name, middle initial, andlast name of the person who will serve as the administrator for theserver.

12. The other two fields on this page are related to the OrganizationCertifier password. Enter a password, a minimum of five characters,and then enter it again in the Confirm Password field. Check boxes onthis page allow the saving of a local copy of the ID file to a location ofthe administrator’s choice, or allow an existing administrator ID to beused if one exists. Complete the selections on this page and click Nextto continue.

13. The next screen is used to determine what Internet services this serverwill offer. The default services available on the screen include

➤ Web Browsers (HTTP Services)

➤ Internet Mail Clients (SMTP, POP3, and IMAP Services)

➤ Directory Services (LDAP Services)

09 0789729180 CH07 10/21/03 2:45 PM Page 167

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7168

In addition, this screen has a Customize button that opens theAdvanced Domino Services dialog box, which is used to selectadvanced Domino services to run on the server. The following servicesare available:

➤ Database Replicator

➤ Mail Router

➤ Agent Manager

➤ Administration Process

➤ Calendar Connector

➤ Schedule Manager

➤ Statistics

➤ DIIOP CORBA Services

➤ DECS Domino Enterprise Connection Services

➤ DOLS Domino Offline Services

➤ Billing

➤ HTTP Server

➤ IMAP Server

➤ Ispy

➤ LDAP Server

➤ POP3 Server

➤ Remote Debug Server

➤ SMTP Server

➤ Stats

➤ Statistics Collector

➤ Web Retriever

➤ Change Manager

Select the desired choices for this server and click OK to return to theInternet Services screen. Click Next to continue.

14. The Domino Network Settings dialog box now appears and displaysenabled port drives and host names. To change these settings, click theCustomize button. The Advanced Network Settings dialog box is

09 0789729180 CH07 10/21/03 2:45 PM Page 168


displayed. Make the changes as needed for the server and click OK.Click Next to continue.

15. Security is now set using the Secure Your Domino Server dialog box.Two check boxes are available on this page.

➤ Prohibit Anonymous Access to All Databases and Templates

➤ Add LocalDomainAdmins Group to All Databases and Templates

Select the desired options and click Next to continue.

16. A summary page now appears with the choices that have been selectedduring setup. If changes need to be made, select the Back button toreturn to the setup page needing to be changed, make the desiredchanges, and click Next to return to this page. If everything is correct,click Setup.

17. Server setup now starts and a progress bar is displayed until the processis completed. The setup summary screen reappears when the process isfinished. Click Finish to close the setup.

Setting Up/Configuring DirectoriesThe primary application on the Domino server is the Domino Directory.The first server in a domain always starts with the primary Directory in thedomain and is sometimes known as a Hub server. Without the Directory, theserver is unable to function, so care should be taken to maintain it and set itup properly. The Directory contains information about users, servers, andgroups, as well as information needed to communicate with other servers inthe domain and the Internet. Administrators use the Domino Directory tomaintain security throughout the domain and control how the servers oper-ate. Mail routing, database replication, and Web access are all controlledwithin the Directory. The default database name associated with theDirectory is NAMES.NSF and the template used for the design of theDirectory is PUBNAMES.NTF.

The Domino Directory can be configured by accessing the database fromthe client workspace, by using the Administrator client or by accessing theserver with a Web browser. The Directory contains the following sectionsthat can be modified:

➤ People

➤ By Organization

➤ Alternate Languages

09 0789729180 CH07 10/21/03 2:45 PM Page 169

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7170

➤ Certificate Expiration

➤ Policies

➤ Groups

➤ By Organization

➤ Deny Access Groups

➤ Configuration

➤ Servers

➤ Messaging

➤ Replication

➤ Directory

➤ Policies

➤ Web

➤ Clusters

➤ Certificates

➤ Miscellaneous

Editing the Directory consists of selecting a section, opening the documents,making the changes, and then saving the changes by clicking the Save &Close button.

Deploying a Corporate StandardWelcome PageIn these days of Web pages and Program menus, there are some users whoare intimidated by the sight of the Lotus Workspace. In an effort to accom-modate these users, Lotus has given administrators the ability to modify theWelcome page and customize it so that users can easily access the informa-tion they need to do their daily job. The Welcome Page is a customizableapplication interface that allows users to easily run these programs by usingicons and dialog buttons. To create the Welcome page, perform the follow-ing steps:

09 0789729180 CH07 10/21/03 2:45 PM Page 170


1. Launch the Domino Administrator. Open the File menu, selectDatabase, and then select New. Complete the following fields:

➤ Server field—Leave this set to Local.

➤ Title field—Enter a name for the database.

➤ File Name field—The File Name field populates automatically basedon the Title field. It can be changed if necessary to be a moredescriptive filename.

2. Click the check box at the bottom of the page to select advanced tem-plates.

3. Scroll down the window to select the Bookmarks (6) template.

4. Click OK to create the Welcome Page database. The Welcome Pagenow displays three options:

➤ 1—Click Here to Create a New Welcome Page

➤ 2—Click Here to See What’s New in Lotus Notes 6

➤ Check mark—No Thanks, Just Give Me the Defaults

5. Click selection 1 to create a custom Welcome page.

6. A New Page dialog box appears. Enter the name of the new page inthe field provided and click Next.

7. Decide how the page should be displayed. Select Frames or PersonalPage and click Next. If you selected Personal Page, go to step 8 to fin-ish the process; if you selected Frames, complete steps 9 through 13 tofinish the process.

8. Select a layout from the Welcome Page gallery and click Next; thenclick Finish to launch the new Welcome page.

9. Select the Frame contents to be displayed on the page and select Next.

10. Choose a frame layout and click Next.

11. Select the content on the Content Placement page to place it on theWelcome page.

12. Check the box to either load the Launch Pad and/or the Action Barbuttons and click Next to continue.

13. Click Finish to launch the new Welcome page.

09 0789729180 CH07 10/21/03 2:45 PM Page 171

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7172

Figure 7.1 This is an example of a very basic Welcome page.

Creating/Registering CertificatesLotus uses certificates to allow users and servers to be identified with aunique digital signature. Servers and user IDs contain at least one certificatethat will be set to expire within a specific amount of time. Certificates arecreated when IDs are created and can also be added when a user or serverneeds to access a new resource that requires a common certificate to exist.Certificate information can be determined by selecting File, Security, UserSecurity, and then selecting Your Identity, Your Certificates. The followinginformation is shown in this view:

➤ Certificate names

➤ Issue date

➤ Issuer

➤ Activation date

➤ Expiration date

➤ Type

➤ Key identifier

09 0789729180 CH07 10/21/03 2:45 PM Page 172


As mentioned earlier, in the event that Domino organizations are required toexchange data, they need to share a common certificate. This is accom-plished by using an organization certifier ID file. Cross certifying a user orserver ID with an organizational certifier guarantees that both IDs have acommon certificate. Domino uses two types of certifier IDs related to organ-izations:

➤ Organization certifier ID—The default name for this ID file is CERT.ID.This ID file is created when the server is deployed. This ID typicallyincludes the company name and is the highest point on the hierarchytree.

➤ Organizational Unit certifier IDs—This level of organizational certifier istypically used to delineate the next level on the hierarchy tree, usuallyidentifying county or department names.

Creating an Organization Certifier IDTo create a new organization certifier ID, follow these steps:

1. Using the Administrator client, select the Configuration tab and openthe Tools pane. Select Registration, and then click Organization.

2. In the dialog box that appears, complete the following information:

➤ Organization name

➤ Country code (optional)

➤ Certifier password

3. Use the Password quality slide bar to determine the quality of pass-word security to assign to the ID file. The default location of the slideris to the extreme left, which is no password and a value of 0. Slidingthe bar to the extreme right forces a very strong password and a valueof 16.

4. Choose a Security type; the two choices are North American andInternational.

5. In the Mail Certification Requests to (Administrator) field, supply thename of the administrator.

6. Optionally, complete the Location and Comments fields.

7. Click Register to create the new certifier ID.

09 0789729180 CH07 10/21/03 2:45 PM Page 173

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7174

Creating an Organizational Unit Certifier IDTo create a new Organizational Unit certifier ID, complete these steps:

1. Using the Administrator client, select the Configuration tab and selectthe Server document for the server to be recertified.

2. Open the Certification menu option under the Tools pane and selectOrganizational Unit; a dialog box appears.

3. Click the Server button to select the registration server and click OK.Choose one of these two options:

➤ Supply Certifier ID and Password—A file navigation dialog boxappears when this option is selected. Navigate to the required certi-fier ID and select OK.

➤ Use the CA Process—This option allows the administrator to recertifythe ID without having access to the certifier ID or the certifier pass-word. A drop-down box is provided to allow the administrator toselect a CA-configured certifier from the ones available on the server.

4. After you’ve selected one of the two options, click OK. If SupplyCertifier ID and Password is chosen, a dialog box appears requiring thecertifier password. Enter the password and select OK to continue.

5. The Register Organizational Unit Certifier dialog box appears; selectthe registration server.

6. Select the certifier ID.

7. Select Set ID File to define the location for the new certifier ID beingcreated.

8. Complete the Organizational field.

9. Complete the Certifier Password field.

10. Use the Password quality slide bar to determine the quality of passwordsecurity to assign to the ID file. The default location of the slider is tothe extreme left, which is no password and a value of 0. Sliding the barto the extreme right forces a very strong password and a value of 16.

11. Choose a Security type; the two choices are North American andInternational.

12. Complete the Mail Certification Requests to (Administrator) field.

13. Optionally, complete the Location and Comment fields.

14. Click Register to create the new ID file.

09 0789729180 CH07 10/21/03 2:45 PM Page 174


Creating/Registering UsersTo create a new user, follow these steps:

1. Launch the Domino Administrator and select the People & Groups tab.

2. Using the Tools pane, select People and Register. A dialog box appearsrequiring the certifier password. Enter the password and click OK tocontinue.

3. The Register Person—New Entry dialog box appears. Enter the rele-vant user information related to name and password.

4. Select the Create a Note ID for This Person option and then clickRegister.

5. A dialog box appears asking if you want to add the new person to thepending registration queue. Click Yes to continue and create the IDand register the user.

Certifying with a CA KeyA certificate authority is used to issue a trusted certificate that will be used toenable a client and a server or two servers to communicate in a secure man-ner. A CA key, or Certificate Authority key, is made available to the domain viaa Domino Web server. To provide CA certification, follow these steps:

1. Configure the server to act as a Web server. Make sure the HTTP taskis running.






4. Scroll down the window to select the Domino Certificate Authority (6)template (CCA50.NTF).

5. Click OK to create the Certificate Authority Setup application.

09 0789729180 CH07 10/21/03 2:45 PM Page 175

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7176

6. Select Create a CA Key Ring File and CA Certificate.

7. Complete the fields on the form and click Create Certificate AuthorityKey Ring. A summary page is generated containing information aboutthe CA key. Click OK to continue.

8. Open the Configurations tab and select the Server document.

9. Open the Server document, navigate to the Ports document, and selectthe Internet Ports tab.

10. Complete the SSL information on this tab and select Save & Close toenable certificate authentication.

Setting Up Multiuser SupportMultiuser support allows users to share a workstation but still retain their ownsettings and desktop when logging into the server. It is only supported onDomino clients that are loaded on Microsoft Windows operating systems.

Setting up multiuser support requires extra work for the administrator on theDomino workstation. The Multiuser installation is only available in theNotes installation kit. A single instance of the Notes client software isinstalled on the workstation, but each user has his own data directory toretain their distinct settings. System administrator access is required toinstall the Multiuser installation.

Setting Up Workstations forDifferent ClientsHistorically, the most common way to access the Domino server has been touse the Domino client. Over time, Lotus has provided multiple solutions toaccess the server. The various ways to access the server include

➤ Notes clients—This option includes the Administrator and Designerclients.

➤ IMAP clients—The most common IMAP client in use today is probablyMicrosoft Outlook. Using IMAP clients requires the IMAP service andthe SMTP listener task to be active.

09 0789729180 CH07 10/21/03 2:45 PM Page 176


➤ POP3 clients—Typically known as Internet mail clients, examples includeMicrosoft Outlook and Netscape Messenger. The POP3 service and theSMTP listener task need to be active.

➤ Web browsers—Internet Explorer and Netscape Communicator are sup-ported.

➤ iNotes Web Access clients—This option is used by users whose mail file wascreated using the iNotes Web Access (R6.0) template (iNotes60.ntf).This client requires the HTTP service to be running on the server.

➤ iNotes Web Access for Microsoft Outlook—Users running MicrosoftOutlook can access the server if their mailbox was created using theExtended Mail (R6) template (mail6ex.ntf). Domino Offline Services, orDOLS, must be running on the server.

Setting Up/Configuring Calendaringand SchedulingCalendaring and scheduling is used on the server to allow users to coordinatetheir schedules and plan meetings, schedule resources such as conferencerooms, and plan vacations and holidays. The Schedule Manager task (Sched)and the Calendar Connector task (Calconn) are loaded by default when anew server is deployed and added to the ServerTasks line in the Notes.ini file.The Schedule Manager then creates the Free Time database and assigns itthe name BUSYTIME.NSF for nonclustered servers and CLUBUSY.NSFfor clustered servers. The database is then populated with the names of allusers who have completed a Calendar Profile.

The Calendar Profile dictates who can access the user’s free time informa-tion and displays the time that a user may be free for a meeting invitation.

Setting Up Servers for SharingResourcesDomino uses the Resource Reservations database to facilitate resourcescheduling within the domain. As discussed previously, resources can be con-ference rooms, but can also include equipment or even fleet cars. Using areservation system, users can select a resource and schedule it as needed

09 0789729180 CH07 10/21/03 2:45 PM Page 177

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7178

without having to involve someone in the process by simply letting Dominomanage the task. To create the Resource Reservations database, follow thesesteps:






3. Scroll down the window to select the Resource Reservations (6) tem-plate and click OK to create the database.

Defining the Database ACLAfter the database is created, access needs to be defined to determine whocan modify the database. Follow these steps to define the database ACL:

1. Open the File menu, select Database, and then select Access Control.

2. Add the groups or users who will be allowed to create Resources andSite Profile documents and assign the CreateResource role to theirname. Click OK to continue.

Completing the Site ProfileThe Resource Reservations database uses Site Profile documents to deter-mine the location of the resources to be shared. The Site Profile must be cre-ated before resources can be reserved. Follow these steps to complete theSite Profile document:

1. Select Site and click New Sites; the Site Profile is displayed.

2. Complete the Site Name fields, to indicate the physical location of theresource.

3. Complete the Domain Name field (enter the domain name of the data-base).

09 0789729180 CH07 10/21/03 2:45 PM Page 178


4. The Resource Reservation Server and Resource Reservation File Namefields should autocomplete with the name of the server hosting thedatabase and the name of the Reservation database.

5. Click Save & Close to continue.

Resource documents can now be created and reservations can be made asneeded.

Setting Up/Configuring TransactionLoggingTransaction logging is available for Domino servers running release 5 or laterand databases using release version 5 or later On Disk Structure (ODS).Database changes are sent to a transaction log database and then written laterto the target database. Transaction logging provides the following benefitsfor system activities:

➤ Backup throughput is increased because transaction logs back up quickerthan normal databases.

➤ Disaster recovery is more complete in that data that was stored in thetransaction log can be supplemented to the full system recovery so datais not lost. Data that is stored in the transaction log file is written to thedatabase when the log file is recovered from tape.

➤ Database views are stored in the log file so database views may not needto be rebuilt.

If the domain name is not automatically populated, edit the current location documentbeing used on the desktop. Navigate to the Mail tab and enter the domain name onthe Domino Mail Domain tab. Save and close the document, close the Reservationdatabase, reopen it, and reopen the site document. The domain field should now bepopulated properly.

Although transactional logging is a form of backup, it does not replace a true archiv-ing system, such as tape or optical media. In the event of a server crash, full systembackups will be needed to recover. In addition, special backup software is requiredthat specifically backs up the transactional log, so make sure that it is supported bythe software vendor. Transaction logging may also cause an increase in the amount oftime required to boot the server.

Transactional logging also creates a unique database instance ID (DBIID)for each database. When transactions are added to the log, the DBIID is

09 0789729180 CH07 10/21/03 2:45 PM Page 179

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7180

assigned so that the source database can be recorded. DBIID tags areassigned at each of these times:

➤ The first time transaction logging occurs

➤ In some instances when the Compact task is executed

➤ When Fixup is used to correct a corrupted database

➤ When a database is moved to a server using transaction logging

Transaction logging is a powerful component of Domino. Be certain that you arefamiliar with its planning and implementation when preparing for the exams.

Planning the Transaction LoggingImplementationTransaction logging needs to be properly planned before it can be imple-mented. Steps to consider before implementing include

➤ Make sure the server hardware is properly configured. Use a disk arraywith at least RAID 1 support and a dedicated disk controller.

➤ Define a backup plan and use software that supports Domino serversrunning transaction logging.

➤ Plan on using logging on all available databases, but remember that onlydatabases using the R5 ODS or later will be able to use transaction log-ging.

You also must decide which version of logging to use. You can choose fromthese three versions:

➤ Circular—This version of logging uses up to 4GB of disk space and thenbegins writing over the oldest log information in the database. Thetransaction log database should be backed up daily using this deploy-ment version.

➤ Linear—This version of logging is similar to circular logging, but canuse more than 4GB of disk space.

➤ Archived—This version of logging creates transaction logs as needed.Log files are not overwritten; they are archived. Ensure that the logs arebeing backed up regularly or the server may run out of disk space.

09 0789729180 CH07 10/21/03 2:45 PM Page 180


Setting Up Transaction Logging on theServerTo set up transaction logging on the server, follow these steps:

1. Using the Domino Administrator, select the Configuration tab, selectthe Server document, and click Edit Server Document.

2. Select the Transactional Logging tab.

3. In the Transactional Logging field, select either Enabled or Disabled.

4. In the Log Path field, enter the explicit path to the transaction logdatabase.

5. In the Logging Style field, select either Circular, Linear, or Archived.

6. Make a selection in the Use All Available Space On Log Device area(the default selection is No); if you select Yes, the next option,Maximum Log Space, is removed as a valid selection.

7. If the Maximum Log Space area remains active, enter the amount ofspace in MB to be used for the transaction log database.

8. Choose to enable or disable Automatic Fixup of Corrupt Databases.

9. Choose a Runtime/Restart Performance option; valid options areFavor Runtime, Standard, and Favor Restart Recovery Time.

10. Choose a Quota Enforcement option; valid options are Check SpaceUsed in File when Adding a Note, Check Filesize when Extending theFile, and Check Filesize when Adding a Note.

11. Select Save & Close to start transaction logging.

Setting Up Servers for LoadBalancing and FailoverDomino addresses the issue of load balancing and failover by utilizing clus-ter technology. A Domino cluster is a group of servers set up so that a user canattach to any server in the group and access data. Replicas are stored on allservers and load balancing is set up so that the work is shared equally amongthe servers so that no single server in the group is overworked. When a data-base in the cluster is updated, all replicas are updated so that the next time auser accesses the data, the information is updated regardless of which server

09 0789729180 CH07 10/21/03 2:45 PM Page 181

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7182

they access. Performance is usually improved and the domain can increase insize simply by adding additional servers to the cluster. Lotus lists the bene-fits of the Domino cluster with these points:

➤ High availability of important databases

➤ Workload balancing

➤ Scalability

➤ Data synchronization

➤ Analysis tools

➤ Ease of changing operating systems, hardware, or versions of Domino

➤ Data backup and disaster planning

➤ Easy administration

➤ Use of any hardware and operating system that Domino supports

In the event that a server crash occurs or a server’s performance is degradeddue to heavy use, users are redirected to other servers in the cluster using afailover process. Domino uses a process called the Cluster Manager to mon-itor the cluster and direct users to the available resource with the best per-formance.

Lotus states the following conditions exist when failover does not occur:

➤ A server crash or network outage occurs while a user has a databaseopen.

➤ A user chooses File, Database, Properties or File, Database, Open on aspecific database on a distinct server in the cluster.

➤ The mail router tries to deliver mail and mail routing failover has beendisabled or the parameter MailClusterFailover in the Notes.ini file is setto 0.

➤ The domain template server is unavailable because of a crash or networkoutage and an attempt is made to create a new database.

➤ A server crash or network outage occurs while agents are beingprocessed.

➤ A server crash or network outage occurs while the AdministrationProcess (AdminP) is processing requests.

➤ An attempt is made to replicate with a server that has access denied bythe administrator.

09 0789729180 CH07 10/21/03 2:45 PM Page 182


Applying Policy Documents toExisting UsersPolicy documents are used to regulate how users can access the system andperform specific functions. Policy documents can be changed after they areassigned and are then applied to all policy users.

All clients and servers participating in policy document deployment must be runninga minimum of version 4.67a or greater or directory replication errors will occur.

Policy documents that can be applied to users include

➤ Archiving—Defines policy settings related to users’ ability to archivemail.

➤ Desktop—Enforces consistent client settings. If a client setting is changedand then the workstation logs out of the server, the settings are reset thenext time the user logs into the server.

➤ Registration—Implements these policies when a new user is created dur-ing registration.

➤ Setup—Enforces settings in the client’s location document.

➤ Security—Defines password management and ECL setup.

Types of Domino policies to consider include

➤ Explicit policies—Use this type of policy when specific groups or users inthe organization may need specific access; explicit policies define theiraccess. Use this policy when making changes to users already defined inthe domain.

➤ Organizational policies—Use this type of policy when specific settings arerequired for users in a specific organization.

Migrating from a DistributedDirectory to a Central DirectoryIn the event there is a need to have a single central directory instead of a distrib-uted directory configuration, there are several items that should be considered.

09 0789729180 CH07 10/21/03 2:45 PM Page 183

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7184

First, consider the consequences of moving to a single, central directory.How will users be affected by now having to access a single directory on aserver? Can the server handle the load of all the users in the domain nowaccessing the server at a single location? Make sure that a high-powered serv-er with abundant memory and disk space is used to handle the load of themigration. Second, how will it affect other servers inside and outside of thedomain? Much the same as a user, if the servers are going to a single point ofaccess for the directory, make sure the server can handle the added load of allusers and servers using a single directory for authentication and server tasks.To migrate to a central directory, follow these general guidelines:

➤ If the server is being retired, follow the steps listed in this book relatedto decommissioning a server covered in Chapter 14, “ManagingServers.”

➤ If a manual migration is being done, be sure that all Connection docu-ments and Program documents are changed to reflect the new configu-ration.

➤ Notify all users of the planned change and carefully document therequired changes before proceeding. Ensure that a valid backup of thedirectory exists and has been verified. Perform the migration during off-hours so users are not affected by the change. After the migration iscomplete, test all connections and make sure mail is routing.

09 0789729180 CH07 10/21/03 2:45 PM Page 184


Exam Prep Questions

Question 1

Which server component affects how well Domino tasks, such as the indexerand the replicator, perform?

❍ A. Memory

❍ B. Disk Array Controller

❍ C. Processor

❍ D. Redundant Bit Arrays

Answer C is correct. Specific Domino tasks, such as the indexer and replica-tor, perform more efficiently on machines with fast processors and reducethe performance overhead.

Question 2

Which of the following incidents are not supported by failover?

❍ A. A server crash

❍ B. A network outage

❍ C. Excessive users on the system

❍ D. A server crash that occurs while a user has a database open

❍ E. None of the above

Answer D is correct. When a server crashes or a network outage occurs whilea user has a database open, failover will not execute for the user.

Question 3

What is the database template name that is used to create the Welcome Pagedatabase?

❍ A. Welcome.ntf

❍ B. Bookmark.ntf

❍ C. Bookmarks (6)

❍ D. Welcome Local.ntf

09 0789729180 CH07 10/21/03 2:45 PM Page 185

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7186

Answer C is correct. The database template name used to create theWelcome database is Bookmarks (6). The filename for the template is book-mark.ntf.

Question 4

What amount of disk space can linear transaction logging utilize on the server?

❍ A. 1GB

❍ B. < 4GB

❍ C. 3GB

❍ D. > 4GB

Answer D is correct. Linear logging is similar to circular logging but can usemore than 4GB of disk space.

Question 5

How does Domino present CA keys to users in the domain?

❍ A. Via email

❍ B. Using a Web server

❍ C. SSL Transport mechanisms

❍ D. Domino Offline Services

Answer B is correct. A CA key, or Certificate Authority key, is made availableto the domain via a Domino Web server.

Question 6

What server type supports application services, messaging and Domino clus-tering?

❍ A. Domino Hub Services

❍ B. Domino Cluster Controller

❍ C. Domino Messaging

❍ D. Domino Enterprise

Answer D is correct. Domino Enterprise Server provides support for appli-cation services, messaging services, and Domino clustering services.

09 0789729180 CH07 10/21/03 2:45 PM Page 186


Question 7

Which of the following selections does the Domino setup program create?

❑ A. Domino Directory

❑ B. Server ID

❑ C. SMTP Connection documents

❑ D. Domino log

❑ E. All of the above

Answers A, B, and D are correct. The Domino setup program creates the fol-lowing items during setup: the Domino Directory, ID files, and the log file.

Question 8

How does Lotus provide users with digital signatures?

❍ A. Encrypted signature encoding

❍ B. Certificates

❍ C. Layered ID scripting

❍ D. Digital key multifaceted encryption

Answer B is correct. Lotus uses certificates to allow users and servers to beidentified with a unique digital signature.

Question 9

Which of the following items are considered to be a benefit of Domino clustering?

❍ A. High availability of important databases

❍ B. Workload balancing

❍ C. Scalability

❍ D. All of the above

Answer D is correct. High availability of important databases, workload bal-ancing, and scalability are all benefits of Domino clustering.

09 0789729180 CH07 10/21/03 2:45 PM Page 187

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 7188

Need to Know More?The Lotus Developers Domain: www-10.lotus.com/ldd.

Maximizing Domino Performance White Paper: www-10.lotus.com/ldd.

Upgrading to Domino 6: Performance Benefits: www.ibm.com/redbooks.

09 0789729180 CH07 10/21/03 2:45 PM Page 188

MailTerms you’ll need to understand:✓ Domino Named Network (DNN)✓ Connection document✓ Notes Remote Procedure Calls (NRPC)✓ MAIL.BOX✓ Routing tables✓ Adjacent domain✓ Non-adjacent domain✓ Message tracking✓ Mail Tracking Collector (MTC)✓ MTSTORE.NSF✓ Mail-In Database document

Techniques you’ll need to master:✓ Defining the role of the DNN in message transfer✓ Scheduling mail routing between servers using Connection

documents✓ Scheduling and restricting mail routing between adjacent and

non-adjacent domains✓ Controlling mail file size by implementing mail quotas✓ Configuring message tracking using the Configuration

document✓ Enabling a database to receive mail using a Mail-In Database

document

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8

10 0789729180 CH08 10/21/03 2:30 PM Page 189

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8190

This chapter on mail is one of the shorter chapters in the book simplybecause there aren’t many exam competencies related to mail listed for thisparticular exam. We begin with an explanation of how Notes mail routesbetween servers. This discussion is explored in more depth in Chapter 3,“Mail” (for Exam 620) so refer to that chapter for a more detailed review ofmail routing concepts. We then discuss mail quotas and how to change them.We discussed mail quotas briefly in Chapter 3, but we expand our discussionon quotas in more detail for the purposes of this exam. This chapter finisheswith a description of how to configure mail tracking and instructions on howto deploy mail-enabled applications.

For the purposes of the exam, you may want to consider using both this chap-ter and Chapter 3 as study tools for preparing for both the 620 and 621exams. There is some overlap in topics related to mail between these twoexams, and you may find it helpful to know the “complete picture” regardingmail routing before attempting either exam.

Setting Up and Configuring MessageDistribution Using Notes-Based MailConfiguring the Domino servers for mail routing involves understandinghow mail routes between servers based on the server’s Domino Named Network(DNN). A DNN is a group of servers in a given Domino domain that sharea common protocol and are constantly connected. Mail routing betweenservers in the same DNN happens automatically, without any configurationby the administrator. The administrator must create Connection documentsto enable mail routing between servers that are in different DNNs. AConnection document is a document that contains all the settings necessary toschedule mail routing between servers in different DNNs.

By default, Domino uses Notes Remote Procedure Calls (NRPC), also calledNotes routing, to transfer mail between servers. Notes routing uses informa-tion in the Domino Directory to determine where to send mail addressed toa given user. Notes routing moves mail from the sender’s mail server to therecipient’s mail server.

A user creates a mail message in the mail database. When the user sends themessage, a workstation task called the MAILER transfers the message to theMAIL.BOX database on the user’s server (also known as the user’s mail serv-er or home server). MAIL.BOX is the transfer point for all messages beingrouted to and from a server. The Router task polls MAIL.BOX and asks twoquestions about the messages waiting to be routed:

10 0789729180 CH08 10/21/03 2:30 PM Page 190

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 191

➤ Where this message should be delivered—To which recipients on whichservers?

➤ How this message should be delivered—Which routes and connectionsshould be used?

The Router consults its routing tables to determine where the recipient’smail database is stored. Routing tables are built in memory on the server whenthe router first starts and are refreshed every few minutes. These routingtables are built using information in various documents in the DominoDirectory—Person documents, Connection documents, Domain docu-ments, and so on. The location of the recipient’s mail database determineshow the message is dispatched by the router. A recipient’s mail database canbe stored in any of the following locations:

➤ On the same server as the sender’s mail database—If the sender and therecipient share the same mail server, the message is delivered immedi-ately and the Router task is not involved in the message transfer. TheRouter task is invoked only for transfer to another server.

➤ On a different server in the same DNN—If the two servers share a DNN,the Router immediately routes the message from the MAIL.BOX file onthe sender’s server to the MAIL.BOX file on the recipient’s server.

➤ On a server in a different DNN within the local Domino domain—Whenservers are members of two different DNNs, the Domino Administratormust create Connection documents between the two networks.

➤ On a server in an external Domino domain—In this case, the Router mustfind a Connection document between domains or must route the mes-sage using SMTP, configured to route outside of the local domain.

In most cases, if the mail message is leaving the current domain, it is routed viaSMTP. The Router is capable of routing both NRPC and SMTP mail. Message trans-fer over SMTP routing is performed as a point-to-point exchange between twoservers. The sending SMTP server contacts the receiving SMTP server directly andestablishes a two-way transmission channel with it. The sending server looks up thedomain name of the addressee in a Domain Name Service (DNS) and transfers themessage using the destination IP address provided by the DNS via an MX record.

For this exam, SMTP is not listed in the required competencies; however, it’s usefulto understand the basics of SMTP routing to use as a comparison with Notes routing,and so that you understand that the Router is capable of routing any type of mail mes-sage, whether internal or external, NRPC or SMTP.

Notes Routing to External DomainsAlthough not explicitly listed in the exam competencies, the exam may makemention of Notes routing to adjacent or non-adjacent domains. An adjacent

10 0789729180 CH08 10/21/03 2:30 PM Page 191

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8192

domain is another Domino domain with which you can establish a physicalconnection. Non-adjacent domains are Domino domains that are not direct-ly connected, but have an intermediary domain, to which both domains canconnect. For example, if Domain A can connect to Domain B, and DomainB can connect to Domain C, then A and B are adjacent, and B and C are adja-cent, but A cannot connect to C; therefore, A and C are non-adjacent andcan connect only through Domain B. Sometimes, an administrator whomanages multiple domains will configure routing using NRPC andConnection documents, rather than with SMTP and a DNS.

To route mail to an adjacent domain, the administrator simply creates aConnection document, specifying the external domain’s server name anddomain name as the target server. The process of creating a Connection doc-ument is described in detail in Chapter 3 in the “Setting Up and ConfiguringMessage Distribution Using Schedules” section. The process used to createConnection documents between servers in different domains is no differentthan creating Connection documents between servers in different DNNs.

The administrator can further restrict mail routing between adjacentdomains using an Adjacent Domain document. For example, if you are inDomain B and want to prevent mail from an adjacent Domain A from tra-versing your domain to reach another adjacent Domain C, create anAdjacent Domain document that names C as the adjacent domain and deniesmail from A.

Adjacent Domain documents do not provide connectivity between adjacent domains,and are not required to enable connections between adjacent domains. To defineroutes between adjacent domains, create Connection documents. Watch out forexam questions that refer to using an Adjacent Domain document to connect two dif-ferent domains. Adjacent Domain documents are used only when the administratorwants to restrict or deny mail from adjacent domains.

To create an Adjacent Domain document from the Domino Administrator,click the Configuration tab, expand the Messaging section, choose Domains,and then click Add Domain. Then complete the fields on both the Basics andRestrictions tabs.

Figures 8.1 and 8.2 show an Adjacent Domain document created in DomainB’s Directory, denying mail addressed from Domain A from going toDomain C, as in the scenario described previously.

10 0789729180 CH08 10/21/03 2:30 PM Page 192

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 193

Figure 8.1 The Basics tab of the Domain document, showing “Adjacent Domain” as the Domain typeand Domain C as the adjacent domain.

Figure 8.2 The Restrictions tab of the same Adjacent Domain document, showing that mail is beingdenied from Domain A.

10 0789729180 CH08 10/21/03 2:30 PM Page 193

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8194

Administrators can enable message transfer between non-adjacent domainsusing a Non-adjacent Domain document. A Non-adjacent Domain docu-ment serves three functions:

➤ Specifies a routing path to the non-adjacent domain by supplying next-hop domain information

➤ Restricts mail from other domains from routing to the non-adjacentdomain

➤ Defines the Calendar server used to enable free time lookups betweentwo non-adjacent domains

If an administrator for Domain A wanted to route mail to non-adjacentDomain C using adjacent Domain B as the relay, he would create a Non-adjacent Domain document in the Directory. To create a Non-adjacentDomain document from the Domino Administrator, click the Configurationtab, expand the Messaging section, choose Domains, and then click AddDomain. Specify “Non-adjacent Domain” as the domain type, and completethe fields on the Basics tab. Figure 8.3 shows the Non-adjacent Domain doc-ument for the preceding scenario, routing from A to C through B.

Figure 8.3 The Basics tab of the Domain document, showing “Non-adjacent Domain” as the Domaintype, and specifying the route to Domain C through Domain B.

10 0789729180 CH08 10/21/03 2:30 PM Page 194

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 195

Implementing and Changing MailQuotasYou can set two types of size limits on a user’s mail file: a warning thresholdand an absolute quota size. Set a warning threshold to provide users withadvance notice when their mail files approach the designated mail file quota,so they can reduce the size of their mail files before message flow is inter-rupted. Set a quota if you intend to establish a policy of interrupting users’mail usage if their mail files exceed a specified size.

Administrators can configure the Router to respond in several ways when amail file exceeds its quota, each representing a higher level of enforcement.The least restrictive response is to have the Router issue automatic notifica-tions to users when their mail files exceed the quota. Quota controls enablethe Router to selectively hold or reject mail if the destination mail file hasexceeded its quota. When the Router has new mail to deliver to a user whosemail file is already full, it checks the Configuration Settings document todetermine the appropriate action. By default the Router continues to delivermail, even after a mail file exceeds its quota. To change the default behavior,you must configure the Router to refuse or hold mail. If users fail to respondto notifications, you can hold pending messages in MAIL.BOX or returnmessages to the senders as undeliverable until the users reduce the size oftheir mail files.

For the purposes of the exam, it’s important to remember the interface steps for set-ting quotas on mail databases, and how the router enforces those quotas. It’s alsointeresting to note that quotas were never enforced on mail databases prior toDomino R5, so it’s possible that the exam questions may try to make you think thatthe Router doesn’t obey mail quotas, which is false. To prepare for this topic, walkthrough the methods for setting quotas using the Domino Administrator client, andthen examine the settings related to Router management of quotas in theConfiguration Settings document for each mail server. The steps for performing allof these operations are listed in this chapter.

Administrators can set quotas and warning thresholds in one of two ways:

➤ During registration—Quotas specified during registration apply only tonew users’ mail files, not to existing users’ mail files. Figure 8.4 showsthe Mail tab of the User Registration dialog box.

10 0789729180 CH08 10/21/03 2:30 PM Page 195

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8196

Figure 8.4 The User Registration dialog box, Mail tab, showing how the administrator can set aquota and/or warning threshold during registration.

➤ Using the Quotas tool in the Domino Administrator client—The administra-tor can use this method to either set an initial quota or to change anexisting quota on a mail database.

To set a size quota on a mail database, perform the following steps from with-in the Domino Administrator:

1. Click the Files tab.

2. Select the mail databases for which you want to set quotas.

3. In the Tools pane on the right, select Database, Quotas.

4. Below “Database Size Quotas,” click “Set Database Quota to x MB”and specify a maximum size in megabytes the selected databases canattain.

5. Optionally, below “Quota Warning Thresholds,” click “Set WarningThreshold to x MB” and specify a size in megabytes at which a mes-sage appears in the log file (LOG.NSF).

6. Click OK. When processing is complete, a dialog box indicates howmany databases were affected and if any errors occurred.

To configure how the Router responds to a mail quota, edit theConfiguration document for the Domino server that stores the mail data-base, and perform the following steps:

10 0789729180 CH08 10/21/03 2:30 PM Page 196

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 197

1. Click the Router/SMTP, Restrictions and Controls, Delivery Controlstab.

2. In the Quota Controls section, complete these fields:

➤ Over Warning Threshold Notifications—Specifies how often theRouter delivers notifications to users who exceed their warningthreshold

➤ Warning Interval—Specifies how long the Router waits to send thenext over warning threshold notification

➤ Over Quota Notification—Specifies how often the Router deliversnotifications to users who exceed their quota

➤ Over Quota Enforcement—Specifies the action the Router takes whenreceiving new mail for a user whose mail file is larger than the speci-fied quota

3. If the administrator selects the Hold Mail and Retry option in theOver Quota Enforcement field, there are additional fields to complete:

➤ Attempt Delivery of Each Message—Specifies whether the Routerdelivers messages small enough to fit the available space in a desti-nation mail file.

➤ Maximum Number of Messages to Hold Per User—Specifies the maxi-mum number of messages that the Router will hold in MAIL.BOXfor a given mail file. After the number of pending messages reachesthe specified number, the Router returns a delivery failure report tothe sender of each additional message in first-in, first-out order.

➤ Maximum Message Size to Hold—Specifies the maximum size, in KB,of messages that the Router can hold in MAIL.BOX for over quotausers. If a message larger than the specified size is received for theuser, the Router returns a delivery failure report to the sender.

A user attempting to access a mail database that has exceeded its quota receives thefollowing message: “Cannot allocate database object—database would exceed its diskquota.”

Configuring Message TrackingMessage tracking allows the administrator to track specific mail messages todetermine if the intended recipients received them.

10 0789729180 CH08 10/21/03 2:30 PM Page 197

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8198

The administrator enables message tracking in the Configuration documentfor the server. After the administrator configures the server for messagetracking and restarts the server, the Mail Tracking Collector (MT Collector orMTC task) starts up automatically. The MT Collector automatically createsthe Domino MailTracker Store database (MTSTORE.NSF) in the MTDATAsubdirectory of the Domino data directory. The MTC task collects messag-ing information from raw data accumulated in special mail tracker log files(MTC files) produced by the Router. This message summary data includesinformation about the originators, recipients, arrival times, and delivery sta-tus of the messages processed by the server. At scheduled intervals, the MTCollector writes this information to the Domino MailTracker Store data-base. Administrators use the information stored in the Domino MailTrackerStore database to complete mail tracking requests and to generate mail usagereports.

The administrator should not edit the MailTracker Store database directly. This data-base is designed to act as a data repository. The data in this database is queried bythe Mail Tracking interface in Domino Administrator when a tracking request isissued. If the administrator edits the information in MTSTORE.NSF directly, they risk“breaking” the functionality of the Tracking request option.

To configure a server for message tracking, perform the following steps:

1. Edit the Configuration document for the mail server or servers forwhich you want to configure message tracking; then click theRouter/SMTP, Message Tracking tab.

2. Complete the following fields, save and close the document, and thenrestart the server:

➤ Message Tracking—Choose enabled to start the MTC task, whichstarts logging mail information to MTSTORE.NSF.

➤ Don’t Track Messages for—Enter the names of users and/or groupswhose messages will not be logged and, therefore, cannot betracked. The default (blank) means that administrators can trackmessages for all users and groups on all servers that are enabled formail tracking.

On servers running the ISpy task to test mail connectivity, this task sends tracemessages at 5-minute intervals. To prevent the Domino MailTracker Store databasefrom filling up with entries for these trace messages, enter the name of the ISpyMail-In Database on the server in this field, for example, ISpy on ServerA.

10 0789729180 CH08 10/21/03 2:30 PM Page 198

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 199

➤ Log Message Subjects—Choose Yes to have the MTC task log mes-sage subjects; choose No to have subjects ignored by the MTC task.

➤ Don’t Log Subjects for—Enter the names of users and/or groupswhose message subjects will not be logged and, therefore, cannot betracked.

➤ Message Tracking Collection Interval—Enter a number that representshow often, in minutes, you want to log message tracking activity inthe MailTracker Store database. The default is 15 minutes.

➤ Allowed to Track Messages—Enter the names of servers and/or usersallowed to track messages on this server.

If you leave this field blank (default), only members of the LocalDomainServersgroup are authorized to track messages on this server. If you add any entries to thisfield, you must list all servers and/or users that are allowed to track messages on thisserver. Watch for the exam to test your knowledge of whether “blank allows all,” or“blank allows no one”—these fields appear in both the Configuration document andthe Server document. In the case of message tracking, the default of blank actuallyprevents administrators from using this feature, so most administrators enter theLocalDomainAdmins group at a minimum.

➤ Allowed to Track Subjects—Enter the names of servers and/or usersallowed to track messages by subject on this server. Again, in thiscase, blank means no one is allowed to track messages by subject.

To issue a tracking request, the administrator uses the Mail, Tracking Centertab in the Domino Administrator and clicks the New Tracking Request button.

Deploying Applications Based onRouting FundamentalsThe administrator may be required to provide administrative support fordatabases that must receive mail. For example, a developer could create anExpenses database into which employees must mail a copy of expensereports. For a database to receive mail, it must have an identity in theDomino Directory in order to be known to the Router. The administratormust create a Mail-In Database document in the Domino Directory so that theRouter can deliver mail to the target database.

Let’s assume that the administrator must enable the Expenses database justmentioned to receive mail. The name of the database is EXPENSE.NSF,

10 0789729180 CH08 10/21/03 2:30 PM Page 199

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8200

and it is being stored on ServerA/Acme in the Acme domain. The adminis-trator would complete the following steps to create a Mail-In Database doc-ument in the Directory. The administrator must have at least Author accesswith the Create Documents privilege in the Access Control List for theDirectory.

1. From the People & Groups tab of the Domino Administrator, chooseCreate, Server, Mail-In Database.

2. On the Basics tab, shown in Figure 8.5, complete the Mail-In Namefield—the entry for this database in the Domino Directory. Users andapplications use this name to send documents to the database; forexample, ExpenseDB.

3. Choose a preference for Internet Message Storage; No Preference isthe default setting, but you can choose Prefers MIME or Prefers NotesRich Text.

4. In the Internet Address field, add an SMTP address (in the [email protected]) if you want Internet users to be able tosend messages to the database; for example, [email protected].

5. In the Domain field, type the name of the Domino domain of the serv-er in which the database resides; for example, Acme.

6. Complete the Server field by typing the fully distinguished hierarchicalname of the server in which the database resides; for example,ServerA/Acme.

7. In the File Name field, type the path and filename of the database rela-tive to the Domino Directory; for example, if the database namedEXPENSE.NSF is in the MAIL directory of the DATA directory,enter MAIL\EXPENSE.NSF.

8. In the Encrypt Incoming Mail field, type Yes or No. Mail sent to themail-in database is encrypted with the Notes certified public keyentered in the “Notes Certified Public Key” field on theAdministration tab.

9. Open the Administration tab.

10. In the Owners field, list the fully distinguished hierarchical name ofusers allowed to modify this document.

11. In the Administrators field, list users or groups who can edit this docu-ment.

12. Choose an option in the Foreign Directory Sync Allowed area. Yesallows entry to be exchanged with foreign directories; for example, a

10 0789729180 CH08 10/21/03 2:30 PM Page 200

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 201

cc:Mail directory, so that users on the other system can look up theMail-In Database in the cc:Mail post office directory and send mail to it.

13. In the Notes Certified Public Key field, enter the certified public keyto use when encrypting mail sent to this database. To copy a certifiedpublic key from the Domino Directory to this field, click GetCertificates and choose a name.

Figure 8.5 The Basics tab of the Mail-In Database document for the Expenses database.

The administrator must give the name of the database to users and develop-ers so they can enter it in the SendTo field of messages destined for the data-base.

To test to see whether the Mail-In Database document is working, the administra-tor should attempt to send a mail message to the database from his own mail data-base. Address the memo to the name assigned to the database, in this caseExpenseDB.

Exam questions will test your knowledge of where and how to create a Mail-InDatabase document. Prepare for the exam by creating a Mail-In Database documentfor a database on a server, and then send a mail message to that database to ensurethat it arrived. Ask a developer to assist you in building a view using the DominoDesigner client in order to show your mailed-in document because the documentmay not show in any of the existing views in the database. You will need to enlist adeveloper’s help in order to write the correct view column and view selection formu-las for the view.

10 0789729180 CH08 10/21/03 2:30 PM Page 201

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8202

Exam Prep Questions

Question 1

Bob needs to ensure that all mail is routed between servers in the same DominoNamed Network. How many Connection documents are required?

❍ A. 0

❍ B. 1

❍ C. 2

❍ D. One for every pair of servers in the domain

Answer A is correct. Mail is routed immediately by the router to servers inthe same Domino Named Network. The messages are immediately routedfrom the MAIL.BOX file on the sender’s server to the MAIL.BOX file on therecipient’s server. Because servers in a DNN share a common protocol andare always connected, you do not need to create Connection documents formail routing.

Question 2


❍ A. Immediately


❍ C. According to the schedule in the Connection documents


Answer A is correct. The router immediately routes mail to servers in the sameNotes named network. The messages are immediately routed from theMAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’sserver. Because servers in a Notes named network share a common protocoland are always connected, you do not need to create Connection documentsfor mail routing.

10 0789729180 CH08 10/21/03 2:30 PM Page 202

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 203

Question 3

Sean needs to ensure that all mail is routed between ServerA and ServerB. Thetwo servers are not in the same Domino Named Network. What should Sean doto schedule mail routing between the two servers?

❍ A. Create Connection documents in the Domino Directory.

❍ B. Create Connection documents in the names.nsf on his workstation.

❍ C. Create an Adjacent Domain document in the Domino Directory.

❍ D. Do nothing—the two servers will route mail automatically.

Answer A is correct. When two servers are not in the same Domino NamedNetwork, mail routing must be configured using at least one Connectiondocument in the Domino Directory. Adjacent Domain documents are usedto restrict routing between domains, not for scheduling routing.

Question 4

Bonnie is reviewing the NOTES.INI file on her server and notices the entry “MTC”in the “ServerTasks=” line. Which of the following best describes what MTC is?

❍ A. The MTC task reads log files and writes information to MTSTORE.NSF.

❍ B. This task was used in Domino R5 and is no longer used in R6.

❍ C. The MTC task routes mail from one non-adjacent domain to another.

❍ D. The MTC task is engaged when an administrator sends a mail tracemessage to another server.

Answer A is correct. The Mail Tracking Collector (MTC) task reads specialmail tracker log files (MTC files) produced by the Router and copies certainmessaging information from them to the MailTracker Store database(MTSTORE.NSF). The MailTracker Store database is created automatical-ly when you enable mail tracking on the server. When an administrator oruser searches for a particular message, either a message tracking request or amail report, Domino searches the MailTracker Store database to find theinformation.

10 0789729180 CH08 10/21/03 2:31 PM Page 203

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 8204

Question 5

Joe has been asked to configure the server so that mail can be delivered to thebug tracking database, called BUGS.NSF. What must he do to enable users tomail bug tracking reports to the database?

❍ A. He must install and configure Lotus Workflow 3.0 on the Domino server.

❍ B. He must enable the Domino Enterprise Connection Services (DECS) onthe server.

❍ C. He doesn’t need to do anything. The BUGS database is automaticallycapable of receiving mail.

❍ D. He must create a Mail-In Database document in the Directory listingBUGS.NSF as the mail-in database.

Answer D is correct. The Mail-In Database document defines the propertiesand location of a database that can receive mail. Whenever you define a data-base as being able to receive mail, you must create a corresponding Mail-InDatabase document.

Question 6

How often does the MTC task log information to MTSTORE by default?

❍ A. Every 5 minutes


❍ C. Once per hour

❍ D. Continuously

Answer B is correct. The Mail Tracking Collector task (MTC) reads specialmail tracker log files (MTC files) produced by the Router and copies certainmessaging information from them to the MailTracker Store database(MTSTORE.NSF). When you enable message tracking in the Configurationdocument, the default collection interval is 15 minutes.

10 0789729180 CH08 10/21/03 2:31 PM Page 204

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail 205

Need to Know More?Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBMRedbooks, 2002. Also available on the Web at www.redbooks.ibm.com/.For references to mail, consult Chapter 9 within this redbook, “NewMessaging Administration Options.”

Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, IN: Que Publishing, 2003.

Lotus Domino 6 Technical Overview: www-10.lotus.com/ldd/

today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b

00782950?OpenDocument. For references to mail, consult the section on“Messaging.”



Webcast: Preparation & Test Taking Strategies with LotusEducation Managers: http://searchdomino.techtarget.com/


10 0789729180 CH08 10/21/03 2:31 PM Page 205

10 0789729180 CH08 10/21/03 2:31 PM Page 206

Monitoring Server Performance


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9

✓ Archiving✓ Explicit policies✓ Organizational policies✓ Style sheets✓ JavaScript Libraries✓ NON-NSF Libraries✓ Adjacent Domain document✓ Non-Adjacent Domain document✓ Foreign Domain document✓ Foreign SMTP Domain document✓ Global Domain document

✓ Update✓ Updall✓ Fixup✓ Compact✓ In-place compacting✓ Copy style compacting✓ jconsole✓ Distributed directories✓ Centralized directories✓ Hybrid directories

Techniques you’ll need to master:✓ Adding/moving/upgrading/deleting databases✓ Applying policy documents to existing users✓ Backing up/verifying and restoring databases✓ Creating archiving policies✓ Deploying applications based on coding✓ Deploying applications based on design

elements✓ Deploying applications based on design

elements: shared versus nonshared✓ Deploying applications based on how

attachments are handled✓ Deploying applications based on replication

fundamentals✓ Deploying based on the NSF structure: NSF

components✓ Deploying server-based applications: HTML✓ Distributing application design changes

based on design✓ Enabling/disabling compression✓ Maintaining Domino server IDs✓ Maintaining Domino user IDs

✓ Managing users✓ Monitoring server tasks✓ Monitoring/maintaining domains✓ Monitoring/maintaining mail routing✓ Monitoring/maintaining/repairing databases✓ Monitoring/modifying application access

control✓ Setting up authentication✓ Setting up/configuring/monitoring monitors✓ Troubleshooting Administration Process

problems✓ Troubleshooting clustering problems✓ Troubleshooting network/protocol problems✓ Troubleshooting partitioning problems✓ Troubleshooting port (modem) problems✓ Troubleshooting user problems✓ Using a Java-based Domino Console✓ Using distributed and centralized directories✓ Using the remote console✓ Managing user passwords✓ Monitoring/maintaining domain access

11 0789729180 CH09 10/21/03 2:45 PM Page 207

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9208

To ensure that the Domino domain is running at peak efficiency, a Dominoadministrator must understand the requirements for monitoring a server andthe steps that can be taken to optimize performance. This chapter discusseshow to check and make sure the server is running correctly and also instructsthe reader in correcting issues that may cause a server to experience per-formance issues.

Adding/Moving/Upgrading/DeletingDatabasesThis section covers the steps required to perform specific database tasks.Database maintenance is more than just running system utilities such asFixup or Updall. It also includes adding databases, upgrading their design,moving them in the domain, and deleting them. This section covers thesetasks. To add a new database to the server, complete the following tasks:

1. Launch the Domino Administrator. Open the File menu, selectDatabase, and then select New.

2. In the Server field, indicate the destination server; keep the default set-ting of Local, or change it to the required destination server. Makesure that access is set up on the destination server that allows the cre-ation of new databases from the source server.

3. In the Title field, enter a name for the database.

4. The File Name field populates automatically based on the Title field.It can be changed if necessary to be a more descriptive filename.


6. Scroll down the window and select the database template to be usedfor the database.

7. Click OK to create the new database.

An existing database can also be added to other servers in the domain by forc-ing new replicas to the servers. Access rights must be set equal to CreateDatabase access in the Server document of the target server and Reader accessin the database of the source server. Databases can also be replicated betweenservers by using the Administrator and dragging them. Select the database tobe copied from the Files tab and drag it to the destination server in the leftpane. The Administration Process then copies the server to the new location.

11 0789729180 CH09 10/21/03 2:45 PM Page 208

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Monitoring Server Performance 209

Occasionally, it’s necessary to move a database to another server. Followthese steps to move the database:

1. Launch the Domino Administrator and open the File tab.

2. Select the databases to be moved in the main view window.

3. Expand the Tools pane on the right. Select Database and then clickMove.

4. The Move Database dialog box appears. Select the Destination data-base and server. Fill in the destination file path.

5. Two check boxes are available, Copy Access Control List and CreateFull Text Index for Searching. Select either check box if desired andclick OK to move the databases.

Although it is not necessary to upgrade a Lotus database to R6 format, thereare distinct advantages to doing so. Lotus has added a more efficient com-pression format, LZ1, along with other features that an administrator shouldconsider in moving to R6. To upgrade a database, issue the Compact com-mand and the system upgrades the ODS to version 6. If the database needsto remain in a pre-R6 ODS format, there are three options available:

➤ Issue the Compact command with a -R option to retain the current ODSstructure.

➤ Make a copy of the database and rename the file extension to NS4 toprohibit upgrading.

➤ Do not run the compact task on the database at all.

To delete a database:

1. Launch the Domino Administrator and select the File tab. Select thedatabase to be deleted and select Delete from the Tools pane.

2. The Confirm Database Delete dialog box appears. A check box is avail-able to delete all replicas on all servers. Check the box and click OK todelete the database.

Policy documents are used to regulate how users can access the system and performspecific functions. Policy documents can be changed after they are assigned and willthen be applied to all policy users. For a complete description of the policy documentsthat can be applied to users and the types of Domino policies, see the “Applying PolicyDocuments to Existing Users,” section in Chapter 7, “Installing and Configuring.”

11 0789729180 CH09 10/21/03 2:45 PM Page 209

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9210

Backing Up/Verifying and RestoringDatabasesAlthough it is true that a replica of a database is, in effect, a backup copy ofthe database, in the event that corruption of a database is replicated, be surethat a backup exists on some type of archival media, such as digital tape oranother form of reliable media. Be certain that the backup software has theability to back up open files and has been certified to back up Domino data-bases. Be certain that the Domino C API Toolkit is supported and that allmedia is verified after the backup.

Creating Archiving PoliciesNew to Domino 6 is central mail file archiving. Archiving is beneficial foradministrators and users in that it frees up database space by storing docu-ments in an archive database. Physical database size is smaller and perform-ance increases because the database is smaller and easier to search. The database structure is the same as the user’s database, so the views and foldersare the same.

The three components of mail archiving are

➤ Document selection—Selects the documents to be archived based on howoften they are accessed and whether the folder they are stored in isbeing accessed

➤ Copying—Chooses documents to be copied from the original database tothe archive database

➤ Mail file clean up—Reduces the size of the original database by deletingdocuments after they are moved to the archival database

Two types of archiving are available:

➤ Client-based—This type of archiving allows the user to archive the maileither on the server, an archival server, or on their local workstation.

➤ Server-based—This type of archiving allows the server to store the archivefile, or allows storing of the archive file on a designated archival server.

Setting up mail archiving requires defining a policy in the Domino Directory. Editoraccess with either the PolicyCreator role or PolicyModifier role defined for the admin-istrator is required.

11 0789729180 CH09 10/21/03 2:45 PM Page 210


To set up mail archiving, follow these steps:

1. Launch the Administrator client, select the People & Groups tab, andnavigate to the Settings view.

2. Click the Add Settings view and select Archive from the drop-downmenu.

3. In the Basics tab, complete the Name and Description fields.

4. Optionally, select Prohibit Archiving to prohibit archiving. ProhibitPrivate Archiving Criteria is another setting, which you can use toprohibit users from creating private archives.

5. Choose an Archiving Will Be Performed On option; select eitherUser’s Local Workstation or Server.

6. Choose an Archiving Source Database Is On option; select eitherLocal, Specific Server, or Mail Server Where the File Is Located. Ifyou choose Specific Server, a new dialog box appears at the bottom ofthe page allowing the administrator to choose the source server from adrop-down menu.

7. Choose a Destination Database Is On option; select either Local,Specific Server, or Mail Server Where the File Is Located. If SpecificServer is selected, a new dialog box appears at the bottom of the pageallowing the administrator to choose the source server from a drop-down menu.

8. Navigate to the Selection Criteria tab and select either New Criteria,Add Criteria, or Remove Criteria and complete the information foreach tab.

9. Navigate to the Logging tab and select Log All Archiving into a LogDatabase.

10. At the bottom of the page is an Include Document Links to ArchivedDocuments check box. Checking this field allows users to openarchived documents from the log database. Leaving it deselected causesusers to open the archive database itself to view archived documents.

11. If you decided to use client-based archiving, navigate to the Scheduletab and complete the options to schedule the times that archiving willoccur. In the Location section, specify Any Location or SpecificLocation to determine where the archiving source should be located.

12. Navigate to the Advanced tab. There is one option on this page: Don’tDelete Documents That Have Responses. Selecting this check box

11 0789729180 CH09 10/21/03 2:45 PM Page 211

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9212

does not delete documents that contain responses; leaving it deselecteddeletes documents containing responses.

13. After completing all desired selections, click Save & Close to save thedocument.

Deploying Applications Based onCodingTypically, the roles of administrator and developer are supported by separateemployees in the organization. Administrators should create a process thatdevelopers can follow that allows applications to be created and deployed asefficiently as possible.

Developers who are upgrading applications should take the proper steps tomake sure that users don’t experience downtime while the upgrade occurs.When deploying new code in applications

➤ Be certain that any changes being made are communicated to theadministrator and scheduled using a change control process.

➤ Test all changes in a development environment and pilot the changeswith a group of users before moving it to the production environment.

➤ Communicate with the users of the application upgrade and create a for-mal plan for dealing with issues that occur.

Deploying Applications Based onDesign ElementsApplication design is the cornerstone of Domino and proper planning isrequired to ensure that the application meets the user’s requirements andperforms optimally within the domain. Consider the following items whenplanning the deployment of a new application:

➤ Gather a set of requirements from the users and then review therequirements to make sure that there is a common understanding ofwhat is expected and the delivery date. Create a baseline for the usersbased on how they expect the application to perform and define a main-tenance window for future application upgrades and enhancements.

11 0789729180 CH09 10/21/03 2:45 PM Page 212


➤ Determine how the users will access the application. Plan the applica-tion design to perform optimally based on whether users will be using aNotes client or a Web browser.

➤ If the application is going to be used by dial-up users who may have abandwidth limitation, be sure to consider this during the design phase.

➤ International use of an application can cause an added layer of complexi-ty. In the event that global users will be using the application, be certainthat the design is easy to understand and that the verbiage used in theapplication is written either in easy-to-understand English or is translat-ed to the country in which the users reside.

➤ Don’t add unneeded layers of design to the application. Keep unneces-sary designs out of the application and use lean coding.

When making design changes to applications, be prepared to test the changesbefore rolling them out to the production environment. Consider thesepoints when rolling out design element changes to Domino applications:

➤ If the application is going to be Web-based, be certain that the test planincludes using the possible browser configurations that may be used toaccess the system. Test the application using Netscape and InternetExplorer as these are the most commonly used browsers. The require-ments for previewing design work using a browser include

➤ Windows 95, 98, 2000, XP , or NT workstation.

➤ A database ACL must be set to at least Reader to allow a developerto preview pages, framesets, documents, navigators, and views. Toview forms, an ACL needs to be set up with Author access.Typically, Default or Anonymous user types are used for this testingprocess.

➤ The server must be running the HTTP task where the database isrunning.

➤ The design elements being changed must not be marked with hid-den attributes to keep them from being viewed by the browsers.

➤ Verify that the design element changes and how they affect client ver-sions are clearly communicated to users. If the changes require a specificversion of the client, be sure that all users are notified.

➤ Use the Design preview option in the Designer client or test the code inthe Web browsers before moving the changes to the production server.

11 0789729180 CH09 10/21/03 2:45 PM Page 213

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9214

Deploying Applications Based onDesign Elements: Shared VersusNonsharedDesigners might not be working in the same location or might be required towork on the same database with other developers. To share design elementswith other designers, Lotus has implemented the following data components:

➤ Style sheets—Used to allow the designer to control the look and feel ofvarious design features

➤ JavaScript libraries—Used to store and share common JavaScript pro-grams and codes

➤ Non-NSF libraries—Used to share Non-NSF libraries across databases toallow the designer to have increased flexibility in the design of the appli-cation

There are occasions when designers will want to have absolute control overan application while it is being created or updated. To accomplish this task,they can lock out all other designers by changing the ACLs on a database, orthey can lock design elements so that they cannot be changed. To provide theability to lock design elements, follow these steps:

1. Open the database and select File, Database, and then Properties.

2. Navigate to the Design tab and select Allow Design Locking and clickthe X to close the Properties window and save the change.

At this point, a designer can now highlight a design element in the databaseand lock the element when necessary.

Deploying Applications Based onHow Attachments Are HandledUsers might need to access a database to download or launch an attachment.To create an attachment in a database, follow these steps:

1. Open the database in the Domino Designer client.

2. Open the page, form, or subform where the attachment should belocated.

11 0789729180 CH09 10/21/03 2:45 PM Page 214


3. Select the location in the form where the attachment should reside andplace the cursor in that location.

4. Select File from the menu and choose Attachment. A file navigationmenu appears. Select the attachment and click OK. Press Escape to exitand save the new form with the attachment inserted.

Deploying Applications Based onReplication FundamentalsDatabase design changes can be made by each database in the domain byapplying a completely new template to the database or by replicating changesmade by the designer. The most efficient way to perform the upgrades is bymaking the changes in one database and letting them replicate throughoutthe domain so that there are no errors made by the designer manually mak-ing the changes in each replica. Keep in mind that based on the amount ofdesign changes being made, the replication could take a lot of time, so sched-ule the changes to be made at a time when the server is not experiencing apeak amount of traffic. Items to consider when replicating a design changeinclude

➤ Create the initial designs on a test database in a development environ-ment so that users are not affected. Be sure that a pilot group of users is selected to test the design changes before the database moves to pro-duction.

➤ Use a master template in the design process and then apply the templateto the database.

➤ Be certain that backups are being completed and verified in the eventthat databases need to be restored due to a design error.

Deploying Based on the NSFStructure: NSF ComponentsAlthough Lotus does supply templates that can be used to create databases,there are times when a special application will need to be created and the pro-vided templates will not be able to address the requirements needed for theapplication. In the event that this situation occurs, follow these steps to use ablank template to design the application:

11 0789729180 CH09 10/21/03 2:45 PM Page 215

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9216

1. Launch the Domino Designer client and select File, Database, New.The New Database dialog box appears.

2. Leave the Server field set to Local, or change it to the required desti-nation server. Be sure that access is set up on the destination serverthat allows the creation of new databases from the source server.

3. In the Title field, enter a name for the database.

4. The File Name field populates automatically based on the Title field.It can be changed if necessary to be a more descriptive filename.


6. Scroll down the window and select Blank for the template to be usedfor the database.

7. Click OK to create the new database.

Deploying Server-BasedApplications: HTMLThe Domino design process provides multiple ways to include HTML datain an application. To include existing HTML code in the application, com-plete the following steps:

1. Convert Domino data to HTML and then use an HTML editor tomodify the code.

2. Use existing Web data by importing it directly into the application.

3. Paste existing Web data directly into a Domino page, form, or sub-form.

4. Code HTML directly into the application.

Distributing Application DesignChanges Based on DesignLotus provides the Replace Design option to distribute design changes todatabases that use a template for design inheritance. Designer access in the

11 0789729180 CH09 10/21/03 2:45 PM Page 216


ACL of the database is required to replace the database’s design. The fol-lowing components are not replaced by default using the Replace Designoption:

➤ Database icon

➤ Database title and category

➤ Database ACL and encrypt database settings

➤ Using Database and About Database documents

➤ Design elements protected from updates

➤ Design elements that inherit from a template

➤ List as Advanced Template in “New Database Dialog” option

➤ Options on the Advanced tab of the File, Database Properties box exceptDocument Table Bitmap Optimization and Don’t Support SpecializedResponse Hierarchy

The following components are replaced by default using the Replace Designoption:

➤ Forms, fields, form actions, and event scripts

➤ Pages

➤ Views, folders, and view actions

➤ Agents

➤ Navigators

➤ Framesets

➤ Shared fields

➤ Database Properties selections, except the Advanced Template option

➤ All options on the Design tab of the File, Database Properties box,except List as Advanced Template in ‘New Database’ Dialog

➤ Options Document Table Bitmap Optimization and Don’t SupportSpecialized Response Hierarchy on the Advanced tab of the File,Database Properties box

To replace the design of a database, follow these steps:

1. Select the database using either the Designer client or by choosingFile, Database, Replace Design.

11 0789729180 CH09 10/21/03 2:45 PM Page 217

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9218

2. The Replace Database Design dialog box appears. Select the templateto be used to redesign the database and click Replace to continue.

3. A Caution dialog box reminds the designer that the database views,forms, agents, fields, and roles will be changed based on the templatebeing used. Select Yes and the database’s design will be replaced.

Enabling/Disabling CompressionTo allow a minimal amount of bandwidth to be used between workstations orservers, Lotus has created the ability for network ports to compress the databeing exchanged. Compression must be enabled at both ends of the data pathor it doesn’t work. If a user wants to use port compression, then it must beenabled on the client as well as on the server. Compression only increases thespeed at which the data is transmitted if the data is not already compressed.Precompressed data does not see a performance increase. Data compressionalso causes an increase in server load on the memory and the processor, soevaluate whether the extra overhead on the server is worth enabling theprocess.

To enable compression, complete these steps:

1. Open the Domino Administrator, select the Configuration tab, andchoose the Server document for the server requiring network compres-sion.

2. Open the Tools pane and select Server, Setup Ports. The Port Setupdialog box appears.

3. Select the Port to be compressed, click the Compress Network Datacheck box, and then click OK. A dialog box appears stating “You mustrestart port(s) or the server for changes to take effect.” Click OK tocontinue.

4. Select the Server tab and then select the Status tab. Select the port thathas compression enabled and click Restart on the Tools pane. A RestartPort verification dialog box appears. Click OK to continue. The serverport will now restart and compression will be enabled.

Maintaining Domino Server IDsPeriodically, certificates associated with a server ID will expire. When this occurs, the ID needs to be recertified. To recertify a server ID, the

11 0789729180 CH09 10/21/03 2:45 PM Page 218


administrator must have either Author access to the Domino Directory andthe ServerModifier role assigned or Editor access to the directory. In addi-tion, the administrator must have Author access or greater to theCertification log. Follow these steps to recertify a server ID:

1. Using the Administrator client, select the Configuration tab and thenselect the Server document for the server to be recertified.

2. Open the Certification tab under the Tools pane and select Certify toopen the Certify dialog box.

3. Click the Server button to select the registration server and click OK.

4. Choose one of these two options:

➤ Supply Certifier ID and Password—A file navigation box appears whenthis option is selected. Navigate to the required certifier ID andselect OK.

➤ Use the CA Process—This option allows the administrator to recertifythe ID without having access to the certifier ID or the certifier pass-word. A drop-down menu is provided to allow the administrator toselect a CA-configured certifier from the ones available on the server.

5. Click OK. If you chose the Supply Certifier ID and Password option, adialog box appears requiring the certifier password. Enter the passwordand select OK to continue.

6. A file navigation box appears prompting for the ID to be certified.Select the server’s ID file and click OK.

7. The Certify ID dialog box appears. The configurable options in thebox are

➤ Expiration Date—This field determines when the server will need tobe recertified. The default time is two years, but can be changed asneeded.

➤ Subject Name List—This field allows the administrator to assign acommon name if desired. This is an optional field.

➤ Password Quality—A slide bar is available here to determine thequality of password security to assign to the ID file. The defaultlocation of the slider is to the extreme left, which is no passwordand a value of 0. Sliding the bar to the extreme right forces a verystrong password and a value of 16. Although it is true that this isoptimal for servers, each time the server is loaded, a password isrequired at the console before the server will start.

11 0789729180 CH09 10/21/03 2:45 PM Page 219

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9220

8. Select Certify to continue and recertify the ID.

9. A dialog box appears asking if the administrator wants to certify anoth-er ID. Select Yes to certify more IDs or No to exit the certificationprocess.

Maintaining Domino User IDsFollow these steps to recertify a user ID:

1. Launch the Domino Administrator and select the People & Groupstab. Click People; in the Tools pane, select People and Recertify.

2. In the Choose a Certifier dialog box, choose one of the followingoptions:

➤ Server—This option is used to select the registration server.

➤ Supply Certifier ID and Password—This option is used to use a certifi-er ID file. A dialog box is available under this option that allows theadministrator to navigate to the ID on the server.

➤ Use the CA Process—Using the CA process allows the changes to bemade without having access to a certifier ID file.

3. Click OK to continue. If the option to use a certifier ID was selected, adialog box appears requesting the password. Enter the password andclick OK to continue.

4. The Renew Certificates in Selected Entries dialog box appears. In theNew Certificate Expiration Date field, change the date to reflect thedesired expiration date and select OK to continue.

5. A Recertify User dialog box appears showing the common name andthe qualifying org unit. Click OK to continue.

6. The user ID recertification is processed and a Processing Statistics dia-log box appears displaying the results of the change process. Click OKto close the dialog box and continue.

Managing UsersUser mail files might need to be moved when a user changes departments ormoves to another location in the country that supports his new Dominoneeds. Domino provides a tool that moves the user’s mail file and changes the

11 0789729180 CH09 10/21/03 2:45 PM Page 220


Directory to reflect the new mail file location. To move a user’s mail file, fol-low these steps:

1. Launch the Domino Administrator and select the People & Groupstab. Click People and using the Tools pane, select People and Move toanother server.

2. The Move Users(s) to Another Server dialog box appears. The selecteduser is displayed in the box along with a drop-down menu that allowsthe administrator to select the destination server.

3. Optional selections to be completed are

➤ Move Roaming Files into This Folder on “Server Name”

➤ Move Mail Files into This Folder on “Server Name”

➤ Link to Object Store

➤ Delete Old Replicas in Current Cluster

4. Make the required selections and click OK to complete the process ofmoving the mail file.

Creating and Setting Up Roaming UsersRoaming users are able to access Notes from multiple clients in the domainand retain their personal information. A roaming server is used and the user’sfiles are stored on this server. When a user logs onto the server as a roaminguser, their information is retrieved from the server and presented to the user.When a roaming user makes changes, they are replicated to the server so thatthey are available when the user logs in at a later time.

Roaming users are created during user registration. To define the settings forroaming users, follow these steps:


2. Using the Tools pane, select People and Register. A dialog box appearsrequiring the certifier password. Enter the password and click OK tocontinue.

3. The Register Person—New Entry dialog box appears. Enter the rele-vant user information related to name and password and then selectEnable Roaming for This Person.

4. Check the Advanced button and a new menu displays on the left.Select the Roaming button to configure the Roaming settings.

11 0789729180 CH09 10/21/03 2:45 PM Page 221

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9222

5. Choose Put Roaming User Files on Mail Server or click the RoamingServer button to select the location to store the files.

6. Enter the personal roaming folder name.

7. Choose a subfolder format.

8. Choose to Create Roaming Files Now or Create Roaming Files inBackground.

Selecting the Create Roaming Files Now option instructs the server toexecute the file creation task immediately, causing the administrator towait until the task is completed. If the Create Roaming Files inBackground option is selected, the server creates the files in a separatethread and allows the administrator to continue with the setup option.

9. You can select Roaming Replicas if a Domino cluster is available. Thisfield is optional and should be ignored if a Domino cluster is notinstalled.

10. Select a Clean-up option.

11. Click Done to create the roaming user.

Maintaining User ProfilesFrom time to time, users change departments or leave the company. Whenthis happens, administrators are required to perform regular maintenance onthe user profile—in this case, changing how a user is defined in a group.Editing a group requires ACL access to the Domino Directory with one ofthe following defined security assignments:

➤ At least Editor with Create Documents privilege

➤ The UserModifier role

Follow these steps to change group membership assignments:

1. Using the Domino Administrator client, navigate to the People &Groups tab.

When Roaming users are created, the files Personal Address, Bookmark, and Journalare also created and stored based on the settings on the Roaming tab.

11 0789729180 CH09 10/21/03 2:45 PM Page 222


2. Expand the Domino Directories item and select Groups. A list of thevalid groups on the server displays in the main navigation window.Select the group that needs to be edited and then click Edit Group.

3. On the Basics tab, edit the Group Name (the assigned name of thegroup) if appropriate; this should not be changed unless absolutely nec-essary because changing the group name also requires changing theACLs in databases associated with this name. The maximum length forgroup names is 62 characters.

4. Choose a new Group Type if appropriate. The available group types are

➤ Multipurpose—Used for multiple types of users; the default selection

➤ Access Control List Only—Exclusively used to maintain database andserver authentication

➤ Mail Only—Exclusively used for mail users

➤ Server Only—Exclusively used for Connection documents and theAdministrator client’s group domain bookmarks

➤ Deny List Only—Exclusively used for denying access to the server

5. In the Category field, Administration is the only selection.

6. Edit the Description field if appropriate; this is a free form field usedto provide a description of the group.

7. In the Mail Domain field, enter the name of the mail domain used bythis group.

8. If appropriate, complete the Internet Address field; this field is used toidentify the group with an Internet address so that it can receiveInternet mail.

9. Edit the Members field by adding or removing member users’ namesas appropriate.

10. Click Save & Close to save the group changes.

Changing User NamesUsers may also require a name change to their account information in theDomino Directory. To change a user’s name, follow these steps:

1. Launch the Domino Administrator and select the People & Groupstab. Click People and choose the user to be changed.

11 0789729180 CH09 10/21/03 2:45 PM Page 223

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9224

2. Using the Tools pane, select People and Rename. In the People andRename dialog box, choose from among the following three options:

➤ Upgrade to Hierarchical

➤ Change Common Name

➤ Request Move to New Certifier

3. At the bottom of the dialog box is an Honor Old Names for Up to XXDays option. The default value for this selection is 21 days, but thevalue can be changed to reflect a number from 14 to 60 days.

4. Select Change Common Name to continue. In the Choose a Certifierdialog box, select from these options:

➤ Server—This option is used to select the registration server.

➤ Supply Certifier ID and Password—This option is used to use a certifi-er ID file. A dialog box is available under this option that allows theadministrator to navigate to the ID on the server.

➤ Use the CA Process—Using the CA process allows the changes to bemade without having access to a certifier ID file.

5. Click OK to continue. If the option to use a certifier ID was selected, adialog box appears requesting the password. Enter the password andclick OK to continue.

6. The Certificate Expiration Date dialog box appears. The default set inthis box is two years from the current date. Change the date if requiredor leave it at the default and click OK to continue.

7. A Rename Person dialog box appears with fields to be completed.Complete these fields:

➤ First Name

➤ Middle Name

➤ Last Name

➤ Qualifying Org Unit (optional)

➤ Short Name (optional)

➤ Internet Address (optional)

➤ Rename Windows NT User Account (optional)

8. Click OK. The name change is processed and a Processing Statisticsdialog box appears displaying the results of the change process. ClickOK to close the dialog box and continue.

11 0789729180 CH09 10/21/03 2:45 PM Page 224


Deleting UsersDeleting a user requires an administrator to have:

Author access with the Create Documents privilege to the Certification logand Author access with the ability to delete documents and the UserModifierrole assigned

Or

Editor access to the Domino Directory

The following steps should be taken to delete a user from the DominoDirectory:

1. Launch the Domino Administrator and select the People & Groupstab. Click People and select the user to be deleted.

2. Select People from the Tools pane and choose Delete. The DeletePerson dialog box appears.

3. In the What Should Happen To The User’s Mail Database? section,choose from these options:

➤ Do Not Delete the Database

➤ Delete the Mail Database on the User’s Home Server

4. Optionally, choose to Add Deleted Users To Deny Access Group.

5. If appropriate, choose to Delete User’s Windows NT/2000 Accounts,if existing.

6. If appropriate, choose to Delete Users from This Domino DirectoryImmediately.

7. Click OK to delete the user.

Using the Administration ProcessThe Administration Process helps you manage users by automating many ofthe associated administrative tasks. For example, if you rename a user, theAdministration Process automates changing the name throughout databasesin the Notes domain by generating and carrying out a series of requests,which are posted in the Administration Requests database (ADMIN4.NSF).Changes are made, for example, in the Person document, in databases, inACLs, and in Extended ACLs. However, the Administration Process can beused only if the database is assigned an administration server.

11 0789729180 CH09 10/21/03 2:45 PM Page 225

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9226

Monitoring Server TasksDomino uses events to determine when a server task is in need of attention.The database EVENTS4.NSF is used to define which system tasks needmonitored and at what point a system alarm is generated. The Dominoadministrator defines the threshold state for each event. The Event Monitorwatches the system and sends events to the database as they occur. When thethreshold is reached, the action that is defined for that event is executed. Ifan event takes place and no event generator is defined, no action takes place.The Event Monitor loads automatically when the server starts.

In previous versions of Domino, the Event Monitor was known as the Event task.

Event generators can be defined to monitor the following:

➤ Database—Database space and access as well as replication history aremonitored. ACL changes are also recorded.

➤ Domino Server—Network health, including port status, is monitored.

➤ TCP Server—TCP services are monitored and statistics are generatedreporting response time for the running services. The time is recordedin milliseconds.

➤ Mail Routing—Statistics are reported stating the time required to route amail message. The time is recorded in seconds.

➤ Statistics—Specified Domino statistics are monitored.

➤ Task Status—Specified Domino tasks are monitored.

Event handlers are used to determine which tasks occur when an event istriggered. EVENTS4.NSF includes predefined events that can be used tomonitor the server, but the most efficient use of the handler task is when anadministrator defines events specific to the domain he is monitoring. Anadministrator may decide to just log events and then maintain them weekly,or he may decide to be alerted immediately when an event occurs so that hecan resolve the issue.

The EVENTS4.NSF database includes wizards that assist administrators increating event handlers, creating event generators, and troubleshootingcommon configuration errors.

11 0789729180 CH09 10/21/03 2:45 PM Page 226


➤ Event Handler Wizard—Creates a new event handler that generates anotification when a specified event occurs

➤ Database and Statistic Wizard—Creates an event generator that fireswhen something happens to a server or database

➤ Mail Routing and Server Response Wizard—Creates an event generatorthat generates statistics or fires an event based on the availability of aresource

➤ Troubleshooting Wizard—Identifies some common configuration errors inthe EVENTS4.NSF database and suggests possible resolutions

Event handlers can also be created by using the Domino Administrator andnavigating to the Configuration tab and selecting the MonitoringConfiguration, Event Handler view. Each event has a Basics, Event, andAction tab that must be completed.

In addition to event generators and event handlers, Domino provides othermethods that allow an administrator to gather information about the healthof a server. For instance, executing a show server command from the serverprompt on a test server displays the following information:

➤ Server name: R6Test/R6TestOrg—R6Test

➤ Server directory: C:\r6server\data

➤ Partition: C.r6server.data

➤ Elapsed time: 21:57:45

➤ Transactions/minute: Last minute: 0; Last hour: 0; Peak: 86

➤ Peak # of sessions: 2 at 07/26/2003 02:28:55 PM

➤ Transactions: 357 Max. concurrent: 20

➤ ThreadPool Threads: 40

➤ Availability Index: 100 (state: AVAILABLE)

➤ Mail Tracking: Not Enabled

➤ Mail Journaling: Not Enabled

➤ Shared mail: Not Enabled

➤ Number of Mailboxes: 1

➤ Pending mail:0 Dead mail: 0

➤ Waiting Tasks: 0

11 0789729180 CH09 10/21/03 2:45 PM Page 227

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9228

➤ Transactional Logging: Not Enabled

➤ Fault Recovery: Not Enabled

➤ Activity Logging: Not Enabled

➤ Server Controller: Enabled

This is a typical example of tasks running on a new server with the defaulttasks running. This list can vary based on the tasks that have been launchedby server tasks or manually by an administrator.

Server information can also be found in various databases on the serverincluding these

➤ Domino Log database

➤ Statistics database

➤ Events database

Tools available on the server to provide information on demand include

➤ Server Monitor

➤ Mail-in statistics

➤ Paging

Monitoring/Maintaining DomainsDomino domains consist of a group of servers that have the same DominoDirectory shared between them. Monitoring the domain is similar to moni-toring a single server, but requires the administrator to keep track of replica-tion and mail routing processes between all servers. The Domino Consolecan be used to monitor the domain or an administrator can check theDomino log file to verify that replication and mail routing is running prop-erly. Examples of tasks required by an administrator include

➤ Registering users

➤ Solving replication issues

➤ Correcting mail routing issues, including dead mail

➤ Maintaining groups

➤ Adding and decommissioning servers

11 0789729180 CH09 10/21/03 2:45 PM Page 228


Domains are defined by creating Domain documents. Multiple documenttypes are available based on the requirements needed to route mail. The fol-lowing types of documents are available:

➤ Adjacent Domain document—This document is used to route mailbetween servers that are not in the same Notes named network.

➤ Non-adjacent Domain document—This document serves three functions:

➤ Supplies next-hop routing information to route mail

➤ Prohibits mail from routing to the domain

➤ Provides Calendar server synchronization between two domains

➤ Foreign Domain document—This document is used for connectionsbetween external applications. Typical applications used would be a faxor pager gateway.

➤ Foreign SMTP Domain document—This document is used to routeInternet mail when the server does not have explicit DNS access.

➤ Global Domain document—This document is used to route mail toInternet domains. Configuration information regarding message conver-sion rules are defined in the document.

Monitoring/Maintaining MailRoutingThe most common task related to mail routing is making sure that mail ismoving through and outside of the Domino network. A typical sign that mailrouting is not working correctly is a report from a user that he is not receiv-ing mail or cannot send mail. Suggestions for troubleshooting mail routingissues include

➤ Request a delivery failure report from the user. Examine the informationin the report to determine how the problem may be resolved.

➤ Perform a mail trace to determine where the mail is stopping along theroute and correct the problem.

➤ Check the Domino Directory and ensure that mail routing is enabled.

➤ Verify that the settings in the Connection documents are configuredproperly for mail routing between servers.

➤ Make sure that the mail.box file on the server is not corrupted.

11 0789729180 CH09 10/21/03 2:45 PM Page 229

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9230

➤ Check the server and make sure that there is sufficient disk space toallow the server to process the mail.

➤ Examine the Domino log to see if errors are occurring in the MailRouting Events section.

➤ Check the mail.box file for undeliverable mail and examine the errorsthat are occurring to determine how to correct the problem.

Tracking MessagesDomino provides the capability for administrators as well as users to tracktheir messages. The tool that enables this is the Mail Tracking Collector.From time to time, users may state that mail is not being delivered in a time-ly fashion, or may not be reaching the intended recipient at all. When thisoccurs, one of the tools that can be used to determine the problem is mailtracking.

The database used for this task is the MailTracker Store database, orMSTORE.NSF. The database is populated by data that is fed from the MailTracking Collector task, or MTC. The MTC processes log files generatedby the Router task and then copies specific data to the MSTORE.NSF data-base. When a message-tracking request is generated, Domino uses theMSTORE.NSF database to perform the trace. When a trace is initiated, itstarts at the user or Administrator client and continues through the entiredomain until the route expires. When the trace is completed, the user is pre-sented with one of the following delivery status messages:

➤ Delivered—Delivery was successful.

➤ Delivery failed—Delivery was unsuccessful.

➤ In queue—Domino has queued the message in the Router task.

➤ Transferred—The message was sent to the next defined mail hop.

➤ Transfer failed—The message could not be transferred.

➤ Group expanded—A group message sent to the server was expanded to allrecipients.

➤ Unknown—The status of the delivery is not known.

Although it is true that users and administrators can track mail, users can track onlytheir own mail.

11 0789729180 CH09 10/21/03 2:45 PM Page 230


Resolving Mail Routing ErrorsMail routing errors can occur for various reasons. Server configurationerrors, client configuration errors, and network issues can all be possibleproblems. The key to resolving the issue is to use the tools provided byDomino to correct the problem. If the MAIL.BOX database has dead orpending mail, the most common things to check first include the following:

➤ System logs detailing delivery failures and mail traces.

➤ Errors in the Directory itself, possibly related to connection configura-tions. Also be certain that the Mail Routing field is enabled on theBasics tab of the Server document.

➤ Errors in the recipient’s address.

➤ Network configuration errors prohibiting correct routing paths.

➤ System errors, such as full disks or memory errors.

➤ Shared mail configuration errors.

Tools available to administrators to troubleshoot routing problems includethe following:

➤ Delivery Failure Reports, which contain a description of why the mes-sage failed

➤ Mail Trace from the Domino Administrator

➤ Mail routing topology maps that display routes by connections andnamed networks

➤ Mail Routing status in the Domino Administrator

➤ Mail routing events in the Domino server log

Monitoring/Maintaining/RepairingDatabasesApplication, or database, size can directly affect the manner in which a sys-tem performs. A database that has grown in size and isn’t maintained regu-larly causes the server to have performance issues.

11 0789729180 CH09 10/21/03 2:45 PM Page 231

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9232

Monitoring Database SizeThe maximum database size on Windows and Unix servers is 64GB. Tocheck the size of a database, follow these steps:

1. On the Domino workspace, select the database; then navigate to theFile menu, select Database, and then select Properties.

2. The Database Properties box opens. Database size is listed on the sec-ond tab, the Info Tab, labeled with an “i.” This tab displays:

➤ The database size

➤ The number of documents in the database

➤ The database creation date

➤ The last day the database was modified

➤ The replica ID of the database

➤ The ODS version of the database

➤ % used—Displays the amount of the database in use calculated inpercent

➤ Compact—Initiates a compact on the database

➤ User Detail—Shows information related to the owner of the data-base

Additional ways to check database size are

➤ View the database size on the Files tab of the Domino Administrator

➤ Check the database size in the Domino log file

➤ View the statistics reports in the Statistics database

Using Database Maintenance UtilitiesDatabase issues can occur if they are not maintained properly. Database per-formance and data loss can be attributed to not performing regular databasehousekeeping tasks. Database usage and replication can be tracked in theDomino log file, typically named LOG.NSF.

Domino has system tasks that can be scheduled at predefined times to ensurethat all databases are performing at an optimum level. Key system tasksinclude Update, Updall, Fixup, and Compact. The following sectionsdescribe these database utilities in detail.

11 0789729180 CH09 10/21/03 2:45 PM Page 232


UpdateThe purpose of Update is to update a database’s view indexes. Update runsautomatically when the server is started and continues to run while the serv-er is up. Update waits about 15 minutes before processing the database sothat all changes in the database are finished processing. When the views areupdated, it then searches the domain for databases set for immediate orscheduled hourly index updates. When Update finds a corrupted view or full-text index, it rebuilds the full-text index and tries to solve the issue.

UpdallUpdall is used to rebuild corrupted views and full-text index searches, as Updatedoes, and has various options that can be defined when launched by using asoftware switch. Updall is executed by default at 2:00 a.m. and, unlike Update,can be run manually. Deletion stubs are removed, and views that haven’t beenused for 45 days are deleted unless they are protected by the database designer.Setting the parameter Default_Index_Lifetime_Days in the Notes.ini file enablesan administrator to determine when Updall removes unused views.

FixupFixup is used to repair databases that were open when a server failureoccurred. Fixup runs automatically when the server starts, but it can also berun from the Domino Console, when necessary. Databases are checked fordata errors generated when a write command to the database was issued anda failure occurred causing a corruption in the database. When Fixup is run-ning on a database, user access is denied until the job completes. Fixup shouldbe run if Updall does not fix the database errors.

CompactCompact can be used to recover space in a database after documents are delet-ed. Deleting documents from a Domino database does not actually decreasethe size of the database. A deletion stub is created and the document isremoved permanently when Compact is run, and the size of the database isthen reduced. Three types of compacting are available:

➤ In-place compacting with space recovery—Unused space is recovered, but thephysical size of the database remains the same. Unlike with Update andUpdall, access to the database is not denied while the Compact task isrunning. When Compact is launched without switches or with a -bswitch, in-place compacting with space recovery is the type of compact-ing used. The DBIID, or database instance ID used to identify the data-base, remains the same. In-place compacting is used for databases thathave the system configured to run transaction logging.

11 0789729180 CH09 10/21/03 2:45 PM Page 233

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9234

➤ In-place compacting with space recovery and reduction in file size—This ver-sion reduces the physical database size and recovers unused space, but ittakes longer to complete. The DBIID is changed with this Compactversion. Running Compact without a software switch option compactsdatabases not associated with transaction logging.

➤ Copy-style compacting—A copy is created, and when the compact is com-plete, the original database is deleted. Because of this, there needs to besufficient disk space available to make the copy of the database, or anerror will occur and the compact will not work. During this type ofcompacting, a new database is created and a new DBIID is assigned.Because a new database is actually being created, this option locks out allusers and servers from editing the database. Access using this version ofCompact for read only can be enabled if the -L switch is used at the timeit is run.

Use in-place compacting when possible because it is the quickest and generates thesmallest amount of system activity.

Compact should be run on all databases at least weekly, if possible, but it shouldbe run at a minimum of once a month using the format compact -B to minimize theamount of disk space. If Fixup does not correct a database problem, runningCompact with the switch of -c can attempt to correct the problem.

Other Database Maintenance TasksDatabases should be monitored on a regular basis to make sure that they areperforming efficiently. In addition to using the database maintenance utili-ties described in the preceding section, these tasks and practices can aid inmaintaining strong database performance:

➤ Move the database to another server in the domain, if necessary. Makesure that the server itself is tuned occasionally and running at peak effi-ciency. Defragment disk drives and run preventive maintenance tasks onthe server to foresee any possible hardware problems that may occur.Also make sure that backups are scheduled to complete before nightlyDomino server tasks launch.

➤ Domino 6 database design provides a significant speed improvement. Ifpossible, upgrade the database to version 6 if it’s running as an earlierversion.

11 0789729180 CH09 10/21/03 2:45 PM Page 234


➤ Implement transaction-based logging, if the hardware configurationmakes it a possible solution as this is very processor, memory, and diskaccess intensive.

➤ Schedule nightly system tasks to complete before users access the systemat the start of a workday.

➤ Verify that a task such as Compact or Updall isn’t stuck on a database,expending system resources.

➤ Monitor database usage. A database used constantly by many usersmight need separate replicas on other servers in the domain, to makesure that access is not creating an unneeded system load.

➤ Examine the database design to see if any improvements can be madethat would allow it to perform better.

➤ Check the Database, Enhanced tab to see if any options can be enabledto improve performance.

➤ Create a replica of a database if Fixup, Update, and Updall don’t correctthe problem. If all else fails, restore the database from backup.

Monitoring/Modifying ApplicationAccess ControlDomino provides multiple ways for administrators to monitor databases andapplications in the domain. Administrators can access the Domino log file orcan set up applications to automatically inform them when issues occur.Typically, when ACLs are defined, users will not experience problems unlesssomething changes on the server or on the user’s workstation. This sectionof the book offers administrators ways to monitor application access.

Data access control problems can cause users as well as servers to be deniedaccess to a specific database, a server, or an entire domain. Administrators canensure that database access is constant by making sure that Enforce aConsistent Access Control List is selected on the database ACL Advanced tab.

Although enforcement of a consistent ACL does assist in maintaining ACL integrity,it’s not a complete solution. If a user replicates a copy of a database to his localmachine, group membership does not replicate along with the database. If the userthen wanted to share that replica with another user, the new user would not to be ableto access the database because group information would not be inherited. One otherthing to keep in mind is local replica security. Because a uniform ACL is not imposedon the database, a local replica should be encrypted to maintain security.

11 0789729180 CH09 10/21/03 2:45 PM Page 235

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9236

Administrators can get a complete view of all database ACLs by accessing theAccess Control List in the database catalog file, typically called CATA-LOG.NSF. The CATALOG.NSG database is populated by the CATALOGtask. These three views are available:

➤ By Database—This is an alphabetical list of all databases in the domain,sorted by the actual filename on the server.

➤ By Level—This is a list of all databases, sorted by access level.

➤ By Name—This is a list of all valid ACLs on the system, sorted by eachspecific type.

Setting Up AuthenticationDomino provides for multiple types of authentication in the domain. Followthese steps to set up authentication:

1. Launch the Domino Administrator, select the Configuration tab, andopen the Server document.

2. Select Ports and choose Internet Ports. A subpage opens for Webs,Directory, Mail, and IIOP.

3. Choose the protocol to set up authentication. Navigate to theAuthentication Options section and change the Name and Passwordfields to Yes. Perform the same task on all required protocol pages.

4. Click Save & Close to save the document.

Setting Up/Configuring/MonitoringMonitorsAs discussed previously in this chapter, Domino uses events to determinewhen a server task is in need of attention. The database EVENTS4.NSF isused to define which system tasks are monitored and at what point a systemalarm is generated. Thresholds created by the administrator are monitoredand alarms for system alerts are generated when the thresholds are met orexceeded.

Lotus has provided a tool called the Domino Server Monitor for systemadministrators to watch the status of the servers and make sure no problems

11 0789729180 CH09 10/21/03 2:45 PM Page 236


exist. The Server Monitor displays statistics in real time and allows adminis-trators to view server status in a graphical format. The Server Monitor canbe set up to allow statistics to be viewed by a specific timeline, or by the stateof the servers. The Server Monitor has monitoring criteria set up by default,but administrators also have the option of choosing which criteria they wantto monitor and then saving those settings for later use.

For the exam, remember that the Server Monitor is only available using the DominoAdministrator client. The Domino Web Administrator client cannot access the ServerMonitor.

Server monitoring is accessed using the Domino Administrator and navigat-ing to the Server, Monitoring tab. The Server Monitor is displayed on thistab and can be started by clicking the green arrow. The server is stopped byclicking the red stop button.

To start the server automatically, select File, Preferences, AdministrationPreferences. After the Administration Preferences dialog box has appeared,check the Automatically Monitor Servers at Startup check box at the bottomof the dialog box. This automatically starts the Server Monitor and does notrequire the administrator to manually start the monitor.

Troubleshooting AdministrationProcess ProblemsThe Administration Process is a tool provided by Lotus that automates var-ious administrative tasks on the server. Examples of such tasks include usermanagement, group management, and database management.

As we have discussed earlier in this book, a server that does not have theproper hardware configuration can cause a myriad of problems. TheAdministration Process is a memory-intensive process and care should betaken to ensure that the server has an adequate amount of memory to exe-cute the task. Possible problems that may need attention regarding theAdministration Process are new users not being registered properly or groupchanges that are not propagating. To troubleshoot possible problems withthe Administration Process, follow these steps:

1. Make sure that no system changes have been made at the operatingsystem level or to the network infrastructure that could cause commu-nication failures within the domain.

11 0789729180 CH09 10/21/03 2:45 PM Page 237

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9238

2. Configuration errors on the server may be causing problems. Try run-ning the Administration Process on a different server in the domain tosee if the problem persists.

3. Type show tasks at the server prompt and check to make sure that theAdminP task is running.

4. Verify that an administration server is defined in the Directory and inall databases in the domain. If the Administration Server is not definedin the databases, the AdminP process will not be able to run againstthem.

5. Check the replication events in the Domino log file to make sure thatthe Directory and the Administration Requests database is replicatingproperly in the domain.

Troubleshooting ClusteringProblemsThis section addresses some problems that may occur related to Dominoclusters. Problems that may occur can be related to authentication, databasereplication, or failover in the event of a server outage.

When troubleshooting clustering problems, follow these steps:

1. Make sure that the Cluster Replicator task is running on all of theservers in the cluster.

2. Ensure that the database exists on all servers in the cluster and that thereplica IDs are the same.

3. Check the log files to see if errors are occurring related to the replica-tion task. Check to see if there is an excessive amount of replicationrequests queued that may hint at a server performance issue.

4. Examine the Cluster Database Directory and make sure that the data-bases are enabled for replication.

5. Make sure there is only one copy of the database on each cluster.

6. Verify that the ACLs in the databases are set correctly to allow serversto communicate. The User type for servers must be set to Server orServer group.

11 0789729180 CH09 10/21/03 2:45 PM Page 238


7. Check the Server documents on all servers in the cluster and make surethat each server is assigned a valid, unique IP address and that all IPaddresses related to the Cluster Manager are defined properly.

8. Verify that all servers in the cluster are running.

Troubleshooting Network/ProtocolProblemsNetwork problems can manifest themselves as users unable to access servers,servers unable to communicate, or mail unable to route inside or outside ofthe domain. Check these items when communication problems are occur-ring:

➤ Verify that the server is able to communicate with other network devicesby launching a Web browser and accessing a Web site. Ping a networkdevice such as another server or a router and also run a trace route toensure that the network is available and that the network hardware isworking properly.

➤ Perform a mail trace from the client as well as the server to make surethat there is not an error.

➤ Check the Domino Directory for save/replication errors. Verify that allof the information in the Server documents related to network informa-tion and port information is set up correctly.

➤ Check the Domino log for possible errors that may be occurring.

Troubleshooting PartitioningProblemsTypical problems that can appear when running Domino on a partitionedserver include partitions in use and communication infrastructure/setupissues.

Here are some guidelines for troubleshooting partitioning problems:

➤ Only one server can be running per partition. If an error occurs statingthat a partition is already in use, verify that a server process is notalready running on the server. A server reboot may be required to cor-rect this issue.

11 0789729180 CH09 10/21/03 2:45 PM Page 239

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9240

➤ Verify that the server is running in the event that users are receiving anerror that the server is unreachable.

➤ If a port-mapping server is sharing the same network card as the desti-nation server, make sure that the server is running.

➤ Verify that information in the NOTES.INI file related to port-mappingis set up correctly.

➤ Verify that all the information related to the communications set up forthe server is correct in the Domino Directory.

Troubleshooting Port (Modem)ProblemsThere will be occasions when a dial-up connection is needed on the serverfor specific tasks. In the event that modem problems are occurring, followthese steps to troubleshoot the problem:

1. Enable call logging in the Domino log file.

2. Check the messages in the log file to determine the cause. Check theMiscellaneous view for problems that may be occurring. Check thePhone Calls view to see if errors are being logged.

3. Install a handset on the modem line to determine if there is a dial toneand that a voice call can be made on the line. If call waiting is enabledon the line, disable it.

4. Check the documentation for the modem to determine further trou-bleshooting ideas.

5. Reboot the server to see if the problem corrects itself.

6. If the server is using the modem to dial out, ensure the phone numberinformation is set up correctly.

7. Verify that the information in the Domino Directory is set up correctlyrelated to ports in the Server document and User Preferences. Alsoverify that the information in Connection documents using the modemexists and is configured properly.

11 0789729180 CH09 10/21/03 2:45 PM Page 240


Troubleshooting User ProblemsTroubleshooting user problems can be challenging if the administrator doesnot have a complete understanding of possible issues and how they can becorrected. When considering troubleshooting user problems, the followinglist includes items that should be considered by an administrator:

➤ Tracking user mail messages and resolving mail routing problems

➤ Correcting server access problems by users and servers

➤ Fixing connection issues for servers and users

➤ Maintaining databases and how they are accessed

➤ Correcting issues related to workstation problems

➤ Verifying that an actual technical problem is occurring and that usertraining is not required to solve the issue.

The information here is just a summary of the topic of troubleshooting userproblems. For a detailed discussion of this topic and each of the items in thepreceding list, see Chapter 18, “Resolving User Problems.”

Using a Java-Based DominoConsoleOne of the tools available to maintain a server is the Domino Console. TheDomino Console is an application that enables administrators to send com-mands to the server as if they were using the console on the server itself. TheDomino Console is installed when the Domino server is installed or whenthe Administrator client is installed. The Console is a Java application andcan also be loaded as a Windows Service when running Windows 2000 orWindows XP.

Launching jconsoleThe application provided by Lotus to run the Domino Console is called jconsole. To start the Domino Console manually, change to either the clientor server directory and run the jconsole executable. The Domino server mustbe running. If you are running a server controller, the Domino Consolestarts automatically.

11 0789729180 CH09 10/21/03 2:45 PM Page 241

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9242

As mentioned earlier, the Domino Console enables administrators to sendcommands to the server as if they were using the console on the server itself.Typical commands such as show server and show tasks can be sent to the serv-er and then are displayed in the Console window. The Console window alsodisplays server events, such as AdminP processes, as they are launched. Asample Console window is shown in Figure 9.1.

You can launch the Console in four ways:

1. Launch the jconsole application by selecting the program icon in the serveror admin client directory when the server is already running.

2. Create a shortcut or execute nserver -jc at the command prompt to runthe server controller, the Domino server, and the Console.

3. Create a shortcut or execute nserver -jc -c at the command prompt torun the server controller and the Domino server.

4. Create a shortcut or execute nserver -jc -s at the command prompt torun the server controller and the Console.

5. Create a shortcut or execute nserver -jc -c -s to run the server con-troller by itself.

Figure 9.1 The Domino Console allows administrators to execute commands on the server and tomonitor the server in real time.

Using jconsoleThe Console has predefined commands available via the File menu or theCommands button at the bottom of the Console.

11 0789729180 CH09 10/21/03 2:45 PM Page 242


The following options are available using the File menu:

➤ Open Server

➤ Disconnect

➤ Show Users

➤ Show Processes

➤ Broadcast—Sends a message to all server users

➤ Local Logging

➤ Stop Server

➤ Kill Server

➤ Quit Controller

➤ Refresh Server List

➤ Exit the Console Program

The Commands button has the typical commands that an administratorwould use to manage the server, as well as an option to create and save cus-tom commands.

You can configure the Console to show the following views:

➤ Header—Specifies the user, platform type, server name, and release num-ber

➤ Bookmarks—Includes the available icons Connect Local Server,Connected Servers, and Domain

➤ Event Filter—Displays one of the following at the bottom of the Consoleof the events monitored: Fatal, Failure, Warning (High), Warning(Low), Normal, and Unknown

➤ Secure Password—Is an empty field used by the administrator to securethe Console

➤ Connected Servers—Lists the servers available to the Console

➤ Domain—Provides a hierarchical graphical view of the domain structureavailable to the Console

➤ Debug Output Window—Launches an active Debug window used fortroubleshooting

➤ Look and Feel—Changes the theme used to display the Console window

11 0789729180 CH09 10/21/03 2:45 PM Page 243

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9244

An example of the Console window with these commands is shown inFigure 9.2.

Figure 9.2 Lotus has provided commonly used commands for administrators to assist them inusing the Domino Console.

Exiting from jconsoleTo stop the Console, select Exit from the File menu (Alt+Q). After you haveselected to shut down the Console, you are presented with a dialog box toeither shut down the Console itself or shut down the Console and the serv-er controller simultaneously. Three additional buttons are available on theWeb Administrator: Logout, Preferences, and Help.

Although the Domino Console is a powerful tool, it is still limited in its uses. You stillneed either the Domino Administrator client or the Web Administrator client to main-tain the server.

Using Distributed and CentralizedDirectoriesDomino provides multiple options when presenting directories in the domain.The key point to remember is that the Domino Directory is accessed by all

11 0789729180 CH09 10/21/03 2:45 PM Page 244


users as well as servers, so care should be taken to ensure that access is opti-mal. Three ways to provide directory access are

➤ Distributed—This method assumes that each server has a replica copy ofthe directory on each server in the domain. This method is optimalwhen many users are on the network or the communications infrastruc-ture may have many points of congestion.

➤ Centralized—This method uses the administration server as the centralpoint for the directory and configuration directories. Configurationdirectories host Server, Connection, and Configuration Setting docu-ments. Typically, a second server also has these directories for disasterrecovery in the event that the registration server fails.

➤ Hybrid—This method uses a combination of distributed and centralizeddirectories. Local users may use the centralized directory while remoteusers would have a local copy of the directory on their server so thatbandwidth would not be an issue.

Using the Remote ConsoleThe Domino Web Administrator allows remote administration using only abrowser client. Although the Web Administrator is essentially the same asthe Administrator client, the navigation is slightly different, so make sure youare familiar with it. To use the Web Administrator, the following browserconfigurations are required:

➤ Microsoft Internet Explorer 5.5 or greater on Windows 98, 2000, XP, orNT4

➤ Netscape Navigator 4.7 or greater on Windows 98, 2000, XP, or NT4

Even though Release 6 does support the Web Administrator client on NT4, you mustalso install the Microsoft Windows Management Instrumentation SoftwareDevelopment Kit (WMI SDK) before the task will work properly. We recommendmigrating to Windows 2000 or XP before installing the Domino application becauseMicrosoft support for NT4 is scheduled to expire over the next 18 months.

Even though Release 6 supports the Web Administrator client on NT4, you must alsoinstall the Microsoft Windows Management Instrumentation Software DevelopmentKit (WMI SDK) before the task will work properly. We recommend migrating toWindows 2000 or XP before installing the Domino application because Microsoftsupport for NT4 is scheduled to expire over the next 18 months. To check the expiration schedule of software platforms, Microsoft provides this link:http://www.microsoft.com/windows/lifecycle.mspx.

11 0789729180 CH09 10/21/03 2:45 PM Page 245

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9246

Here are some keys things to remember about the differences between theWeb Administrator and the Web client:

➤ The Messaging tab on the Web client now has a task tool that enablesyou to issue Tell, Start, Stop, and Restart commands on the mail servertasks.

➤ The Messaging tab on the Web client also has a task tool that enablesyou to issue Tell, Start, Stop, and Restart commands on the replicationserver tasks.

➤ The Mail tab on the Web client displays mail statistics differently than inthe Administrator client. Mail routing, retrieval, DNSBL (DNS blacklistfilter), and destination routing statistics are available on this tab.

➤ Server Monitor and performance charts are not available in the Webclient.

AdminP, CA (Certificate Authority), and the HTTP task must all be runningon the Domino server for the Web Administration client functionality tooperate. In addition, the WEBADMIN.NSF database ACLs need to be con-figured to allow administrators to access the server.

When the WEBADMIN.NSF database is created, these default ACLs arecreated:

➤ Administrators and full access administrators, the Named server, andLocalDomainServers are set as Manager.

➤ Default, OtherDomainServers, and Anonymous are all set to No Access.

The HTTP task updates the WEBADMIN.NSF database with ACL changesgenerated from the modification of the Domino Directory’s Server documentabout every 20 minutes. You can also force an immediate update for admin-istrator access by editing the Security tab on the Server document. Editingthe ACLs in the WEBADMIN.NSF database also permits immediate access.Select a user, define the user as a manager, and then add the roles requiredfor the managers to have access.

After the ACL access has been defined, you need to define the authenticationmethod that will be used to access the server. The two options are to definean Internet password in the Person document or to define an SSL certificate.

When you have finished the configuration, make sure that the HTTP task isrunning on the server and then enter the URL of your server followed by/webadmin.nsf; for example, http://r6test.test.com/webadmin.nsf, or https://r6test.test.com/webadmin.nsf if SSL authentication is enabled.

11 0789729180 CH09 10/21/03 2:45 PM Page 246


The first screen that is presented is a server status screen. This is helpful fora quick glimpse of server health, but you must access the other tabs to actu-ally perform maintenance activities.

Managing User PasswordsWhen new users are registered, a password is required to be assigned.Password quality is determined by a slide bar to determine the quality ofpassword security to assign to the ID file. The default location of the slideris to the extreme left, which is no password and a value of 0. Sliding the barto the extreme right forces a very strong password and a value of 16.Although it is true that this is optimal for servers, each time the server isloaded, a password is required at the console before the server will start.

Passwords for Internet users are defined in Person documents in the DominoDirectory. The passwords can be changed manually or by using a SecuritySettings policy document. Users can be required to change their passwords,and standards can be set to determine the type and quality of passwordrequired. Domino provides password synchronization for users that are Webusers as well as Notes client users.

Domino allows administrators to

➤ Allow users to change their passwords based on security policies

➤ Force users to change their passwords within a specific amount of time

➤ Allow users to access the servers without having to enter a password

➤ Lock out users

➤ Require users to verify their passwords

Monitoring/Maintaining DomainAccessDomains are used to define user groups that share the same DominoDirectory. Setting up a domain depends on the configuration of the Dominonetwork. Typically, a single domain exists for a company and all users andservers are registered in this domain. This works well for small- and medium-sized companies. A large company may need to deploy multipledomains in order to keep distinct users and groups segmented from other

11 0789729180 CH09 10/21/03 2:45 PM Page 247

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9248

parts of the company. Domains may also need to be segmented based on howa company’s network infrastructure is defined. A remote group may need alocal domain with their own Directory if they are only able to communicateover a modem back to the company’s home network and are primarily inde-pendent, so they do not have a need to be constantly connected.

Domains are defined by creating Domain documents, as described earlier inthis chapter (see “Monitoring/Maintaining Domains”).

Domain access is supported by using groups or user authentication definedin the Domino Directory. Users must be authenticated to the Directorybefore they are able to access the domain. After they have access to thedomain, Lotus has created levels of security that prohibit the user fromaccessing data unless they are authorized. Examples of this include:

➤ A user may be prohibited from accessing the domain using a Web clientif the administrator has not defined his access in the Directory.

➤ A user might be able to authenticate to the domain via the directory, buthe might not be able to access all the databases in the domain becausehe does not have ACL access.

➤ A user may be completely prohibited from the domain by entering theusername in a Deny Access list.

Domain access can be monitored in real time at the Domino Console orchecked manually in the Domino Log database. Attempts to access thedomain are included with the username as well as the time the accessattempts occurred. Administrators can then determine if the user has incor-rect access or is simply attempting to access prohibited data. After the deter-mination has been made, they can contact the user to approve access to theresource or can lock out the user entirely if they suspect malicious behavior.

11 0789729180 CH09 10/21/03 2:45 PM Page 248


Exam Prep Questions

Question 1

Which of the following options can be used to keep a database from upgradingto the R6 ODS database format?

❍ A. Compact the database with a -N option.

❍ B. Copy the database and rename the file extension with .NS4.

❍ C. Rename the database filename.

❍ D. Edit the Notes.ini file and add the line R6_Database_Version = 0.

Answer B is correct. The following steps can be taken to ensure that a data-base retains its ODS database format:

➤ Issue the Compact with a -R option to retain the current ODS structure.

➤ Make a copy of the database and rename the file extension to NS4 toprohibit upgrading.

➤ Do not run the compact task on the database at all.

Question 2

Which of the following selections are not valid policy document types that canbe applied to users?

❍ A. Archiving

❍ B. Desktop

❍ C. Registration

❍ D. Setup

❍ E. Security

❍ F. All of the above are valid

Answer F is correct. The valid policy document types that can be applied tousers include:

➤ Archiving—Defines policy settings related to users’ ability to archivemail.


11 0789729180 CH09 10/21/03 2:45 PM Page 249

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9250




Question 3

What is a primary requirement for data port compression to work properly?

❍ A. The communication driver must be RPC level 3 compliant.

❍ B. The server must have a compression client loaded.

❍ C. Compression must be enabled at both ends of the data stream.

❍ D. CRC error checking must be established before transmitting data.

Answer C is correct. Compression must be enabled at both ends of the datapath or it will not work.

Question 4

What is the maximum size of a database on Windows and Unix servers?

❍ A. The only limitation is the size of the server.

❍ B. 100GB

❍ C. 1TB

❍ D. 64GB

Answer D is correct. The maximum database size on Windows and Unixservers is 64GB.

Question 5

Which of the following choices are valid options when renaming a user?

❍ A. Migrate to Hierarchical

❍ B. Change Common Name Length

❍ C. Request Move to New Certifier

❍ D. Qualify User for Web Access

11 0789729180 CH09 10/21/03 2:45 PM Page 250


Answer C is correct. The available options when renaming a user are




Question 6

Which database is used to define what system tasks are monitored?

❍ A. MONITOR.NSF

❍ B. EVENTTASKS.NSF

❍ C. LOG.NSF

❍ D. EVENTS4.NSF

Answer D is correct. The database EVENTS4.NSF is used to define whichsystem tasks will be monitored and at what point a system alarm is generated.

Question 7

What view is used in the Domino log file to display possible problems with usersand servers connecting with modems?

❍ A. Modem calls

❍ B. Phone call

❍ C. Data calls

❍ D. Dial-up calls

Answer B is correct. Check the Phone Calls view to see if errors are beinglogged.

Question 8

Where are passwords defined for Domino users who access the server using aWeb browser?

❍ A. INTERNET.NSF

❍ B. The Domino Directory

❍ C. PASSWORDS.NSF

❍ D. The Domino Catalog

11 0789729180 CH09 10/21/03 2:45 PM Page 251

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 9252

Answer B is correct. Passwords for Internet users are defined in Person doc-uments in the Domino Directory.

Question 9

Which database is used to determine who can use the Domino WebAdministrator to access the server?

❍ A. ADMIN.NSF

❍ B. ACCESS.NSF

❍ C. WEBADMIN.NSF

❍ D. ADMINWEB.NSF

Answer C is correct. Access using the Domino Web Administrator is main-tained by the database WEBADMIN.NSF.

Question 10

What are domains used for?

❍ A. For mail storage

❍ B. To define users sharing the same Domino Directory

❍ C. For replication scheduling and error checking

❍ D. For application performance balancing

Answer B is correct. Domains are used to define user groups that share thesame Domino Directory.

11 0789729180 CH09 10/21/03 2:45 PM Page 252




11 0789729180 CH09 10/21/03 2:45 PM Page 253

11 0789729180 CH09 10/21/03 2:45 PM Page 254

ReplicationTerms you’ll need to understand:✓ Replication✓ Pull✓ Push✓ Source server✓ Target server✓ Connection document✓ Streaming replication✓ Extended Access Control List (xACL)

Techniques and concepts you’ll need to master:✓ Using client commands to force replication✓ Scheduling replication of databases between servers using

Connection documents✓ Planning applications based upon how selective replication

settings can affect the documents distributed to different replicas

✓ Understanding streaming replication✓ Understanding how a server’s access level in the database ACL

affects replication✓ Understanding how an Extended ACL affects replication✓ Using replication to distribute design changes✓ Identifying the tools used for monitoring replication

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

10

12 0789729180 CH10 10/21/03 2:50 PM Page 255

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10256

Replication involves the synchronization of data between two replica copies ofa database. Replicas can be stored either locally or on the Domino server.Replication between two server-based databases is called server-to-serverreplication. Replication involving a local database is called workstation-to-server replication. This chapter focuses mainly on server-to-server replica-tion, which is typically administered and scheduled by the DominoAdministrator. Workstation-to-server replication is usually forced or sched-uled by the user, and the Notes client performs all of the work involved inpushing and pulling the data to the server-based replica.

Several of the topics in this chapter are also addressed in Chapter 5,“Replication.” As with the mail topic, you may want to consider reading bothchapters on replication before taking either Exam 620 or Exam 621, for amore complete understanding of this subject area. Any duplication of topicsbetween both chapters has been carefully noted in the appropriate section.

For the purposes of the exam, it is important to remember that replicationnever happens automatically, as is the case with mail routing. Replicationmust either be forced or scheduled with a Connection document. You shouldmemorize all of the console commands to force replication, and be familiarwith all of the fields on the Connection document that relate to replicationand its schedule. The best way to understand replication is to study the casestudies included in this chapter, which are similar to the case studies inChapter 5.

For the exam, you’ll need to understand the impact of different databasesecurity features on replication, such as the Access Control List (ACL) andReaders and Authors fields. You will also need to focus on learning all aboutthe Extended ACL (xACL), which is new to R6. You can prepare for theexam by practicing many of the techniques in this chapter with a minimumof two servers and an Administration client. Replication can’t be tested orlearned in a single server environment.

Setting Up and ConfiguringReplication Through ForceThis topic was covered extensively in Chapter 5, so I’ve chosen to repeat asummary of the most important points here in this chapter.

Replication never happens automatically, and must either be forced or sched-uled by the user or administrator. Administrators usually schedule server-to-server replication in order to avoid having to be present to manually force

12 0789729180 CH10 10/21/03 2:50 PM Page 256

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 257

replication using commands; however, there are many times when adminis-trators may want to force replication immediately. It is useful for adminis-trators to know how to force replication immediately, so that documents canbe distributed to different replicas without delay.

Replication can be forced by the administrator in a number of differentways—using the Notes client and using the Administrator client. Using theNotes client to force server-to-server replication limits the administrator tomanually replicating one database at a time, but this method is useful if forsome reason the administrator doesn’t have access to the Administratorclient. Using the Domino Administrator client, the administrator can accessthe remote console and force replication using console commands. Thismethod is faster, and allows the administrator to force replication of data-bases, directories of databases, or every database in common with a server ora server group.

Forcing Replication Using the Notes ClientThe administrator can force server-to-server replication using the Notesclient by performing the following steps:

1. Open a database or select a database from the workspace.

2. Choose File, Replication, Replicate.

3. Select one of the following choices:

➤ Choose Replicate via Background Replicator to allow replicate tooperate as a background workstation task, replicating with the lastserver with which replication was successful.

➤ Choose Replicate with Options to be presented with a dialog boxwhereby the administrator can choose the server with which toreplicate, as well as which documents will replicate, and whether tosend or receive or both.

4. Choose OK to initiate replication.

Many users use the Replicator page to force replication of several databases at once.This interface can be activated using the Replicator page bookmark button.Unfortunately, this interface is designed to force workstation-to-server replication, notserver-to-server replication. Database replicas are automatically added to this pageupon local replica creation. If the administrator wants to force server-to-server repli-cation of several databases at once, he must use the Administrator client.

12 0789729180 CH10 10/21/03 2:50 PM Page 257

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10258

Forcing Replication Using the DominoAdministrator ClientThe Domino Administrator client gives the administrator access to theremote console. Using the remote console to force replication allows theadministrator to use a command-line interface for forcing replicationbetween one or more servers, for one or more databases.

Activate the live remote console on the Administrator client by performingthe following steps:


2. Open the Server Console view.

3. (Optional) Click the Live button to turn on the Live console.

Turning on the Live console enables the administrator to view console commandsin real time, as they are processed by the server. It is helpful to have the Live con-sole interface turned on before issuing console commands, to see the results thatfollow the initiation of the command. If you forget to turn on the Live console beforeissuing a command, you will simply receive the following message: “Command hasbeen executed on remote server. Use Live console option, in future, to viewresponses from the server.”

The administrator can use the following commands at the console to forcereplication:

➤ Replicate (Rep)—Forces two-way replication whereby the initiating server(also known as the source server) pulls updates, changes, and deletionsto the target server, and then gives the other server the opportunity topull changes from it. This type of replication is also referred to as pull-pull replication. Pull-pull replication is two-way replication that involvesthe Replica task on both servers.

➤ Pull—Forces one-way replication whereby the source server pullsupdates, changes, and deletions from the target server.

➤ Push—Forces one-way replication whereby the source server pushesupdates, changes, and deletions from the target server.

The syntax of the three commands is as follows:Replicate servername [databasename] or Rep servername [databasename]

Pull servername [databasename]

Push servername [databasename]

12 0789729180 CH10 10/21/03 2:50 PM Page 258

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 259

For the servername parameter, the administrator should specify the server’sfull hierarchical name. If the server name is more than one word, enclose theentire name in quotes. You can also substitute a server group in place of aserver name. If you specify a server group, the initiating server (the server atwhich you enter this command) replicates with each server in the list in theorder in which the servers are listed in the group document.

If you don’t specify a database name, the Replica task replicates every data-base replica that the two servers have in common. To force replication of aparticular database replica, specify the database name after the server name.You also have the option of specifying a directory instead of a database name.

Remember that replication synchronizes changes, additions, and deletions for threedifferent types of documents: the ACL document, Design documents, and Data docu-ments, in that order.

Here is a list of examples of the console commands, along with an explana-tion of what each command would accomplish. For each of the commands,assume that the administrator is using the console on ServerA/Acme.

➤ Rep ServerB/Acme—Replicates all replicas in common betweenServerA/Acme and ServerB/Acme.

➤ Pull ServerC—Pulls all updates, changes, and deletions fromServerC/Acme to ServerA/Acme, for all replicas in common. Note thatthe common name of the server is used instead of the fully distinguishedname, which will work, but we don’t know whether ServerC is a serveror a server group.

➤ Rep AllServers names.nsf—Forces two-way replication betweenServerA/Acme and every server listed in the server group called“AllServers,” for only the Domino Directory database (NAMES.NSF).

➤ Push ServerB/Acme apps\support.nsf—Pushes all updates, changes, anddeletions from ServerA/Acme to ServerB/Acme, for the Support data-base, which is located in the \apps directory within the Domino datadirectory.

12 0789729180 CH10 10/21/03 2:50 PM Page 259

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10260

Setting Up and ConfiguringReplication Through SchedulingAgain, this topic is repeated from Chapter 5, so much of the material in thissection is repeated and summarized from that chapter.

Domino has the facility to allow the administrator to schedule replicationthrough a Connection document. A Connection document is a document thatcontains all of the settings necessary to schedule replication between servers.Connection documents can also be used to schedule mail routing. Whenreplication is scheduled, the server’s Replica task carries out replication withno prompting or initiation from the administrator.

For the exam, remember that when issuing replication commands through theconsole, it is important to understand which server is initiating the command. Theserver at which you issue the console command is the initiator, also known as thesource server. The server or server group listed in the command itself is the desti-nation server, also known as the target server. The exam questions test your abilityto read and understand which server is the source; for example, if the question indi-cates that the administrator is using the console on ServerA, the command “RepServerA/Acme” would have no effect because a server can’t replicate with itself. Becertain that you read the question carefully so that you know which server is thesource server. Then, you can easily eliminate answer choices that don’t make sense.

For the purposes of the exam, it is important to remember that replication never hap-pens automatically, as is the case with mail routing. If servers are in the sameDomino Named Network (DNN), mail routing happens automatically and the admin-istrator never needs to create a Connection document to get mail routing working.Replication never happens automatically, and must be either forced or scheduled. Becareful to watch for exam questions that try to confuse you into thinking that repli-cation is automatic.

Connection documents are used to connect servers for replication and for mail rout-ing. A single connection can be created to schedule the transfer of mail as well as thereplication of documents. If a single connection is created, both mail and replicationwill follow the same schedule. Where mail and replication follow different schedules,the administrator should consider creating separate connections. It is often easier totroubleshoot replication problems if the scheduling of replication is automatedthrough connections that do not include the routing of mail.

This chapter outlines the steps required to create connections for replication. Mailconnections were discussed in Chapter 3, “Mail” and in Chapter 8, “Mail.”

To create a Connection document, perform the following steps from withinthe Domino Administrator:

12 0789729180 CH10 10/21/03 2:50 PM Page 260

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 261

1. Click the Configuration tab.

2. Click Server and then click Connections, or Click Replication and thenConnections.

3. Click the Add Connection button to create a new connection. To editan existing connection, select the connection you want to edit and thenclick Edit Connection.

To set basic options, choose from among these options on the Basics tab:

➤ Connection Type—Indicates how the servers will connect—for example,via network connection (LAN) or via dial-up

➤ Usage Priority—Forces the server to use the network information in thecurrent Connection document to make the connection (if you chooseNormal)

➤ Source Server—Specifies the name of the calling server (the server initiat-ing the replication request)

➤ Source Domain—Specifies the name of the calling server’s domain

➤ Use the Port(s)—Specifies the name of the network port (or protocol)that the calling server uses

➤ Destination Server—Specifies the name of the target or destination server

➤ Destination Domain—Specifies the name of the target server’s domain

To configure replication and/or mail routing settings, choose from amongthese options on the Replicating/Routing tab:

➤ Replication Task—Choose Enabled for scheduled replication.

➤ Replicate Databases of Priority—If the administrator chooses to set a repli-cation priority for a database, replication of databases of different priori-ty can be scheduled at different times. A priority of Low, Medium, orHigh is set for each database in that database’s Replication Settings dia-log box.

➤ Replication Type—Four different types of replication exist. The type youchoose affects the direction of replication as well as which of the serversperforms the work of the replication.

➤ Pull Pull—Replication is bidirectional, whereby the source server initi-ates replication and pulls documents from the target server. The sourceserver then signals the target server’s Replica task to pull documents inthe opposite direction. Both servers are involved in the replication.

12 0789729180 CH10 10/21/03 2:50 PM Page 261

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10262

➤ Pull Push (default)—Replication is bidirectional, whereby the sourceserver’s Replica task performs all of the work, pushing and pulling docu-ments to and from the target server. The target server’s Replica task isnever engaged.

➤ Pull Only—Replication is one-way, whereby the source server pulls doc-uments from the target.

➤ Push Only—Replication is one-way, whereby the source server pushesdocuments to the target.

➤ Files/Directory Paths to Replicate—These are the names of specific data-bases or directories of databases that you want to replicate. You can listeither database names or directories.

➤ Files/Directory Paths to NOT Replicate—These are the names of specificdatabases or directories of databases that should be excluded from repli-cation. You can list either database names or directories.

➤ Replication Time Limit—This is the amount of time, in minutes, thatreplication has to complete. This setting is usually used only for dial-upconnections.

To schedule the replication, choose from among these options on theSchedule tab:

➤ Schedule—Enables or suspends the schedule by choosing Enabled orDisabled, respectively.

➤ Connect at Times—Indicates times or a time range during which youwant the source server to initiate replication. This field can contain asingle time entry, a list of times separated by commas, or a time rangeseparated by the dash. Use this field in conjunction with the RepeatInterval field to determine how many times per day a server attempts toinitiate replication.

➤ Repeat Interval of—Specifies the number of minutes between replicationattempts. If you specify a repeat interval of 0, the server connects onlyonce.

➤ Days of Week—Specifies the days of the week to use this replicationschedule; the default has all days of the week selected.

12 0789729180 CH10 10/21/03 2:50 PM Page 262

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 263

Streaming ReplicationStreaming replication is new to Domino R6. Streaming replication allows thereplicator task to send multiple changes in one request, and to replicatesmaller documents first. This method of replication has two distinct advan-tages:

1. It is faster than replication that is nonstreaming.

2. It allows users to access and use documents that are replicated first,while replication continues until all documents are available.

Streaming replication requires no additional configuration by the adminis-trator, but it is only used when the replication type is Pull-Pull or Pull only.For this reason, many administrators are revising their Connection docu-ments after upgrading to R6 and changing the replication type to Pull-Pull.

If you specify a time range during which a source server attempts replication, thenext replication attempt is made at the specified interval after which the replicationhas completed. For example, let’s say you specify a Connect at Times range of 7:00a.m. to 11:00 p.m., with a Repeat interval of 60 minutes. The source server attemptsto replicate at 7:00 a.m. and is successful in initiating the replication. The total timeof the replication between servers takes 7 minutes. The source server then attemptsto call the target server again at 8:07 a.m.

For more examples of scheduled replication timing, consult the document titled“Scheduling Server-to-Server Replication” in the Lotus Domino Administration Helpdatabase. The exam may have a scenario question asking about the timing of sched-uled replication.

During Pull-Pull replication, both the source and the target server’s Replica tasks areinvolved in doing the work of replication. Administrators should ensure that eachserver participating in Pull-Pull replication has enough server resources to performthe task properly. Streaming replication won’t increase replication performance if oneof the servers doesn’t have enough server resources to do the pulling in a timely way.

Planning Applications Based on theImpact of Replication on DocumentDistributionAdministrators might encounter times when they don’t want replication tosynchronize every document in every replica. Administrators can applyreplication settings to selectively replicate a subset of documents to differentreplicas.

12 0789729180 CH10 10/21/03 2:50 PM Page 263

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10264

For example, the Acme Company has a database called Product Ideas onServerA/Acme, which it uses to post information about ideas for new prod-ucts. The database displays suggestions made by customers (as opposed toemployee ideas) in a view called Customer Suggestions. Acme has twoservers at satellite sales offices: ServerEast/Acme and ServerWest/Acme. Thesatellite sales offices are only interested in customer suggestions and not inother product ideas; therefore, Acme wants to replicate only the contents ofthe Customer Suggestions view to these servers.

To accomplish this limited distribution of the data, the administrator mustfirst plan and diagram which servers will store subsets of the data, and whatthat subset will be. He can then customize replication settings for multiplereplicas of a database from one central source replica and then replicate thesecustom settings to the appropriate replicas. This approach to customizingreplication allows for centralized replication management.

Changing centrally administered replication settings requires two replications for thechanges to take effect: the first replication to replicate the new settings from thesource server to the target servers and a second replication to replicate based on thenew settings. The second replication doesn’t occur until the source database is updat-ed in some other way; to force the new settings to take effect if the source databaseisn’t updated, clear the replication history.

To change replication settings for multiple replicas, perform the followingsteps:

1. Ensure you have Manager access in the ACL of the central sourcereplica, and ensure that the central source replica has Manager accessin the ACL of all destination replicas.

2. Open the central source replica, and then choose File, Replication,Settings to modify existing replication settings. Choose the Advancedsection.

3. To specify a destination server, click the computer icon next to “WhenComputer,” specify the name of the destination server, select AddServer, and then click OK.

4. To specify a source server, click the computer icon next to “Receivesfrom,” specify the name of a source server, select Add Server, and thenclick OK.

5. To delete a server, click either computer icon, select a server, selectDelete Server, and then click OK.

12 0789729180 CH10 10/21/03 2:50 PM Page 264

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 265

6. To have the specified destination replica receive a subset of documents,click “Documents in Specified Views or Folders” or “Documents bySelection Formula” or “Selected Documents.”

7. To specify which nondocument elements the replica should receive,select appropriate options under “Receive These Elements from OtherReplicas.” You must select “Replication Formula.”

8. Repeat steps 3 through 7 for each additional destination/source servercombination. Click OK.

Figure 10.1 shows the Advanced tab of the Replication Settings dialog box.

Figure 10.1 The Advanced tab of the Replication Settings dialog box.

For the purposes of studying for the exam, make sure that you have studiedeach tab of the Replication Settings dialog box, with a special focus on theAdvanced tab. Try to set up selective replication between servers by attempt-ing a scenario like the one described previously.

Understanding How the ACL AffectsReplicationAgain, much of the information in this particular section is repeated fromChapter 5; however, to help practice for the exam we’ve created differentcase study examples. These case studies supplement the material fromChapter 5 and help test your ability to understand how a server’s access levelin the Access Control List affects replication.

12 0789729180 CH10 10/21/03 2:50 PM Page 265

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10266

For a server to replicate changes to documents in a database, that server musthave sufficient access in the replica’s ACL. Servers must be listed explicitly orwithin a group in the ACL, with an access level that is appropriate for thedocuments the server is allowed to propagate to other replicas.

A server is usually assigned one of these levels of access:

➤ Editor access to replicate changes to documents

➤ Designer access to replicate changes to design elements such as views,forms, and agents

➤ Manager access to replicate ACL changes

Guidelines for Assigning Server Access toDatabasesThe best way to explain the different access levels assigned to servers is to usea case study or a series of examples. These examples will help you prepare forthe exam by using scenarios similar to the scenarios used in many of the examquestions. Don’t attempt to memorize the different scenarios; rather, usethem to test your understanding of how server access in the ACL affectsreplication. Again, during the exam, you may find it helpful to draw diagramsof the servers and databases and label the diagrams with the server’s accesslevel, to help you arrive at the correct answer.

Let’s assume that there are two servers in our examples—ServerA/Acme andServerB/Acme. Let’s examine the implications of creating an ACL that liststhe different servers with different levels of access. We’ll refer to a databasein this example called the Product Support database. This database is used bythe Help Desk to share ideas about how to support Acme’s many productofferings. The ACL of the database contains references to servers and to agroup for the administrators (LocalDomainAdmins), as well as to a groupcontaining the company’s Domino developers (CorpDesigners). The ACLalso makes reference to a group of Help Desk technicians (HelpDesk).

Scenario 1: Both Servers Have Manager AccessHere is the ACL listing for this scenario:


ServerB/Acme: Manager



HelpDesk: Author

12 0789729180 CH10 10/21/03 2:50 PM Page 266

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 267

In this scenario, both servers are capable of replicating any changes to ACL,Design, or Data documents in any direction. For example, if Bob Jones/Acmein the LocalDomainAdmins group added a new group to the ACL onServerB’s replica, ServerB/Acme could successfully replicate that ACLchange to ServerA/Acme. If Susan Brown/Acme in the CorpDesigners groupadded a new view to ServerA’s replica, ServerA/Acme could replicate that newdesign element to ServerB/Acme. Data documents could be changed, added,or deleted by the Help Desk users on either server and would replicate suc-cessfully to the other server.

Scenario 2: One Server Has Manager Access and the OtherHas Editor AccessHere is the ACL listing for this scenario:





HelpDesk: Author

In this scenario, ServerA/Acme is the only server capable of replicating theACL and the Design documents. For example, if Bob Jones/Acme in theLocalDomainAdmins group added a group to the ACL on ServerB’s replica,that ACL change would not replicate to ServerA/Acme. If SusanBrown/Acme in the CorpDesigners group created a new shared agent onServerA’s replica, ServerA/Acme could replicate that new agent toServerB/Acme. But if she made that same change on ServerB’s replica, thechange couldn’t replicate to ServerA/Acme. In this scenario, all ACL anddesign changes need to be made on ServerA/Acme in order to have themreplicate to ServerB/Acme. But the Help Desk users could continue to cre-ate, edit, and delete documents on either server’s replica, and all Data docu-ment changes would successfully replicate between servers.

Scenario 3: One Server Has Manager Access and the OtherHas Reader AccessHere is the ACL listing for this scenario:





HelpDesk: Author

12 0789729180 CH10 10/21/03 2:50 PM Page 267

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10268

In this scenario, replication of changes, additions, and deletions can happenin only one direction: from ServerA/Acme to ServerB/Acme. If any docu-ments are changed, added, or deleted by administrators, designers, or userson ServerB/Acme, the documents will not replicate to ServerA/Acme. In thisscenario, ServerB/Acme has effectively become a “read-only” server. Allchanges, additions, and deletions would need to be made on ServerA/Acmein order to propagate to ServerB/Acme.

Scenario 4: Both Servers Have Reader AccessHere is the ACL listing for this scenario:

ServerA/Acme: Reader




HelpDesk: Author

In this case, the administrators, designers, and Help Desk users could allmake changes to the ACL, Design documents, and Data documents, respec-tively, on either ServerA/Acme or ServerB/Acme. But neither server wouldbe able to propagate any changes to the other server. Over time, the tworeplicas would become very unsynchronized, because neither server wouldbe able to replicate any changes. This isn’t a likely scenario because therewould be no replication between the two replicas.

Scenario 5: One Server Has Manager Access and the OtherHas No AccessHere is the ACL listing for this scenario:


ServerB/Acme: No Access



HelpDesk: Author

This scenario produces the same result as Scenario 4—replication would notproceed between the two servers. The administrators, designers, and HelpDesk users could all make changes to the ACL, Design documents, and Datadocuments, respectively, on either ServerA/Acme or ServerB/Acme. But nei-ther server would be able to propagate any changes to the other server. Overtime, the two replicas would become very unsynchronized, because neither

12 0789729180 CH10 10/21/03 2:50 PM Page 268

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 269

server would be able to replicate any changes. This scenario is no more like-ly than the previous one because there would be no replication between thetwo replicas.

Understanding Changes to xACLReplicationAn Extended Access Control List (xACL) is an optional directory access-controlfeature available for a Domino Directory or an Extended Directory Catalog.The extended ACL is new to Domino R6 and can only be accessed using theACL dialog box using a Notes 6 Client or a Domino Administrator 6 client.The xACL can restrict or refine a user’s access to the database, but it cannotbe used to increase the access the database ACL allows. The xACL can beused to set access for the following:

➤ All documents with hierarchical names at a particular position in thedirectory name hierarchy; for example, all documents whose names endin OU=East/O=Acme

➤ All documents of a specific type; for example, all group documents

➤ A specific field within a specific type of document

➤ A specific document

An Extended ACL allows the administrator to extend access in the followingways:

➤ Delegate Domino administration; for example, allow a group of admin-istrators to manage only documents named under a particularOrganizational Unit.

➤ Set access to precise portions of the directory contents.

➤ Set access to documents and fields easily and globally at one source,rather than requiring the administrator to control access through fea-tures such as multiple Readers and Authors fields.

➤ Control the access of users who access the directory through any sup-ported protocol: Notes (NRPC), Web (HTTP), LDAP, POP3, andIMAP.

To enable extended access for a Domino Directory or Extended DirectoryCatalog, perform the following steps:

12 0789729180 CH10 10/21/03 2:50 PM Page 269

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10270

1. Open the database, and choose File, Database, Access Control.

2. Click Advanced, and then select Enable Extended Access.

3. At this prompt, click Yes to continue: “Enabling extended access con-trol enforces additional security checking. See Domino AdministratorHelp for more details. Do you want to continue?”

4. At this prompt, which appears only if the advanced database ACLoption “Enforce a Consistent Access Control List Across All Replicas”is not yet enabled, click Yes: “Consistent access control must beenabled first. Do you want to enable it now?”

5. At this prompt, click OK: “If more than one administrator managesextended access control for this database, enable document locking onthe database to avoid conflicts.”

6. Click OK in the Access Control List dialog box.

7. At this prompt, click OK: “Enabling extended access control restric-tions. This may take a while.” Look at the status bar on the client tosee the status of this process.

Enabling an Extended ACL for a Directory or a Directory Catalog has someeffects on the way in which that Directory replicates:

➤ To ensure that the database replicates properly, extended access requiresthe use of the advanced database ACL option “Enforce a ConsistentAccess Control List Across All replicas.” This option forces the ACL ofevery replica to be identical. If a change is made to the ACL of a replicaon any server, that change replicates to other servers in order to main-tain the same ACL on every replica.

➤ After an administrator enables extended access, changes cannot be madeto a replica of the database on a server running an earlier Dominorelease because the changes can’t replicate to a Domino R6 server. If youenable extended access, administrators must make directory changesonly to a replica on a Domino R6 server.

Replicating Design ChangesThere are two ways to update design changes from one database to another:

➤ Use a database design template (this database is not a replica).

➤ Use replication to update design elements from one replica to another.

12 0789729180 CH10 10/21/03 2:50 PM Page 270

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 271

Most administrators rely on both methods to distribute design changesaround to the servers in the company. Typically, a designer creates a designtemplate that is not a replica in order to implement and test design changes.After the designer is satisfied with the design changes, these changes aretransferred over to a production version of the database using the RefreshDesign method.

When the administrator invokes the Refresh Design command either man-ually or by scheduling the Design task, only the Design documents are trans-ferred from the Master Design template to the production database. Thistransfer happens only in one direction, and does not affect the ACL of thedatabase or the Data documents.

After design changes have successfully migrated from the template to theproduction database, the administrator can then use replication to transferdesign changes from that first production replica to other replicas. Theadministrator can either force replication manually or can schedule replica-tion through the use of Connection documents. There are two major differ-ences between the Design Refresh and replication:

1. Replication transfers the ACL, Design documents, and Data docu-ments, not just Design documents as in a Design Refresh.

2. Replication can be bidirectional, whereas the Design Refresh can occurin only one direction.

Remember that if a server needs to replicate design changes to another replica, thesource server must have at least Designer access in the ACL of the database. Watchout for exam questions that test your knowledge of replication as it involves designelements. Most of these types of questions involve some kind of Access Control Listscenario. Refer to the scenarios earlier in this chapter to confirm your understand-ing of which documents transfer via replication based on ACL settings.

Monitoring and MaintainingReplicationThis topic was covered in detail, along with supporting screen shots inChapter 5. Rather than repeat the entire topic here, we simply summarizethe monitoring and maintenance tasks that relate to replication, and referyou to Chapter 5 for detailed explanations.

Because replication never occurs automatically and must always be forced orscheduled, the administrator must also devote some time to monitoringreplication, and making adjustments as required. The Domino

12 0789729180 CH10 10/21/03 2:50 PM Page 271

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10272

Administrator client offers many tools and interfaces to assist the adminis-trator in these maintenance efforts. The following list summarizes thosetools:

➤ Monitor Replication History—Choose File, Replication, History to view ahistory of successful replications with other servers. If you have Manageraccess to a database, you can clear the database replication history if youthink the database doesn’t contain all the documents that it should or ifthe database replication history is not synchronized with that of otherreplicas. Normally, you would clear this setting only if you suspecttime/date problems with server or client clocks.

➤ View the Replication Events View in the Log File—The server log(LOG.NSF) contains detailed information about the replication of server-based databases, such as the number of documents added, deleted,and modified; the size of the data exchanged; and the name of the repli-ca that this database replicated with.

➤ Use an Event Generator to Monitor Replication—A database event genera-tor can monitor database use and ACL changes. If an administrator cre-ates a database event generator and checks the Monitor Replicationfield, they can choose to be notified if replication doesn’t occur within aspecified time period.

➤ View Replication Schedules—You can see a graphical representation of thereplication schedules of the servers in your Domino system. To viewreplication schedules from the Domino Administrator, select theReplication tab.

➤ Replication-Topology Maps—View a replication-topology map to displaythe replication topology and identify connections between servers. Toview replication topology maps from the Domino Administrator, clickthe Replication tab. Use this graphical view to verify that each server isconnected for replication.

12 0789729180 CH10 10/21/03 2:50 PM Page 272

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 273

Exam Prep Questions

Question 1

Bob is setting up scheduled replication between ServerA and ServerC. He hasspecified a Connect at Times range of 9:00 a.m. to 11:00 p.m., with a repeatinterval of 60 minutes. Give the first and second replication times, assuming thefollowing:

The first replication connection was successful.

The first replication took 12 minutes to complete.

❍ A. 9:00 a.m., 11:00 a.m.

❍ B. 9:00 a.m., 10:00 a.m.

❍ C. 9:00 a.m., 10:12 a.m.

❍ D. 9:12 a.m., 10:12 a.m.

Answer C is correct. If the first replication connection was successful andcompleted in 12 minutes, the second replication would occur 60 minutesafter the completion of the first replication.

Question 2

Acme Company has just rolled out an inventory-tracking database to allow its ITdepartment to track equipment within the organization. Acme has decided tocreate three replicas across three servers to allow IT staff across the country toaccess the database. Replicas are created on the following servers:Server1/Acme, Server2/Acme, and Server3/Acme.

John, the Domino administrator, wants to make sure that he sets the ACL cor-rectly to allow documents in the tracking database to replicate across servers.He wants all ACL changes to be made on Server1/Acme. He wants all designchanges to be made on Server1/Acme or Server2/Acme. Users should be ableto add, edit, and delete documents on any of the three servers. Data documentsshould then replicate around to the other replicas. How should he grant accessto the three servers in the ACL of the tracking database?

❍ A. Server1/Acme: Reader; Server2/Acme: Manager; Server3/Acme:Reader

❍ B. Server1/Acme: Author; Server2/Acme: Manager; Server3/Acme: Author

❍ C. Server1/Acme: Manager; Server2/Acme: Designer; Server3/Acme:Editor

❍ D. All three servers should have Manager access in the ACL.

12 0789729180 CH10 10/21/03 2:50 PM Page 273

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10274

Answer C is correct. If Server1/Acme and Server3/Acme had either Readeror Author access in the ACL, neither server would be capable of replicatingadditions, changes, or deletions made by users on those servers. A servermust have a minimum of Editor access to replicate Data document changes.Granting Manager access would allow ACL changes to be made on all repli-cas, when the question specified that those types of changes were to be madeonly on Server1/Acme. Granting Designer access to Server2/Acme ensuresthat design changes could be made and propagated by either Server1 orServer2.

Question 3

Which of the following options are valid types of replication as listed in theReplication Connection document?

❑ A. Push Only

❑ B. Pull Only

❑ C. Push Wait

❑ D. Replicate

Answers A and B are correct. Four types of replication can be scheduled in aConnection document: pull-pull, push-pull, pull only, and push only. PushWait is a type of mail connection choice, and Replicate doesn’t exist as anoption for scheduled replication, although it is one of the commands anadministrator can issue at the console for forced replication.

Question 4

Amanda wants to force one-way replication from ServerA to ServerB. Assumingthat she’s using the console on ServerB, what command would she issue?

❍ A. Push ServerB

❍ B. Push ServerA

❍ C. Pull ServerA

❍ D. Pull ServerB

Answer C is correct. By issuing Pull ServerA at ServerB’s console, the admin-istrator forces a one-way replication from the target server to the serverwhere she is using the console. This command forces one-way replication ofall replicas in common between the two servers. An optional parameter

12 0789729180 CH10 10/21/03 2:50 PM Page 274

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 275

allows replication of a single database from the server you are on to the spec-ified server. For example, Pull Server1 ADMIN4.NSF forces a one-way replica-tion of ADMIN4.NSF from Server1 to the server the administrator is using.

Question 5

Warren wants to view an updated replication-topology map for his domain.Which task must be running on the server in order to generate a topology map?

❍ A. MTC

❍ B. Maps

❍ C. Design

❍ D. Catalog

Answer B is correct. To view the replication topology of a Domino environ-ment using the Domino Administrator client, the MAPS task must be run-ning on the server. The topology information is refreshed every night atmidnight. (Though you only read a summary of this topic in this chapter, thecross-reference to Chapter 5 pointed you toward complete information; keepin mind how closely the information in these chapters is related, as you studyfor the exam.)

Question 6

Which one of the following can the Domino administrator use to view detailedinformation about replication of a database between two servers?

❍ A. admin4.nsf

❍ B. log.nsf

❍ C. noteslog.nsf

❍ D. names.nsf

Answer B is correct. The Domino Directory (names.nsf) stores informationabout replication connections but doesn’t track replication information.There is no database called noteslog.nsf. The Administration Requests data-base (admin4.nsf) tracks information about requests processed by AdminP.The AdminP process can be used to create replicas on servers but doesn’t trackinformation about replication activity.

12 0789729180 CH10 10/21/03 2:50 PM Page 275

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 10276

Question 7

Which of the following types of replication support streaming replication?

❑ A. Pull-Pull

❑ B. Pull-Push

❑ C. Pull Only

❑ D. Push Only

Answers A an C are correct. Streaming replication is only supported by thePull-Pull and Pull Only replication types.

12 0789729180 CH10 10/21/03 2:50 PM Page 276

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Replication 277



6af700621c8a?OpenDocument.





12 0789729180 CH10 10/21/03 2:50 PM Page 277

12 0789729180 CH10 10/21/03 2:50 PM Page 278

Security

Terms you’ll need to understand:✓ Authentication✓ ID file✓ Basic name-and-password authentication✓ Session-based name-and-password authentication✓ ID backup and recovery✓ Mail-in database✓ Password verification✓ Issued Certificate List (ICL)✓ Certificate Revocation List (CRL)✓ Agent✓ Agent log✓ Activity logging✓ Role

Techniques and concepts you’ll need to master:✓ Understanding each layer of the Domino security model✓ Setting up authentication for Notes and Web clients✓ Backing up and recovering user ID files✓ Managing user passwords✓ Using the ICL and CRL✓ Configuring access to the server✓ Configuring access to the application using the ACL, roles, and

Authors and Readers fields✓ Designing a secure application, and understanding the difference

between design elements that control security versus design ele-ments that simply deter a user from finding data

✓ Configuring, monitoring, and maintaining agent access✓ Troubleshooting a user’s access to an application

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

11

13 0789729180 CH11 10/21/03 2:41 PM Page 279

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11280

As with other chapters covering Exam 621, there are a few topics in thischapter that are also mentioned in Chapter 6, “Security.” Again, you mightwant to read both Chapter 6 and Chapter 11 before attempting either Exam620 or Exam 621, in order to get the full picture of security. We specificallypoint out when there is a topic that appears in both chapters, and indicatewhether the topic is dealt with in more or less detail in this chapter. If you’vealready read Chapter 6, you’ll be able to use this chapter as a review of somesubject areas, and you can test your understanding of those subjects as youread.

One reason that Lotus has chosen to test your knowledge of security on twodifferent exams is that security is a huge subject area that spans many partsof the Domino product. It would have been impossible to outline the entiresecurity model in only one chapter.

Remember that five basic layers make up the Domino security model:

1. Physical security

2. Network and operating system security

3. Authentication

4. Server access

5. Database (application) access

As with Chapter 6, we take a “top-down” approach to security in this chap-ter, starting with authentication and moving into server security, databasesecurity, and finally security for documents and design elements within thedatabase. We do not discuss the first two layers—physical or network andoperating system security. Refer to Chapter 6 for a discussion of those twolayers.

Setting Up AuthenticationAuthentication was covered in detail in Chapter 6, so we briefly review thattopic here. An ID file is a file that uniquely identifies a certifier, server, or userwithin the Domino security environment, using certificates stored on the ID.Authentication refers to the process by which ID files are checked to see ifthey are trusted; that is, that they have a certificate in common.

Domino uses the information contained in IDs to control the access thatusers and servers have to other servers and applications. One of the admin-istrator’s responsibilities is to register and protect IDs and to make sure that

13 0789729180 CH11 10/21/03 2:41 PM Page 280

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 281

unauthorized users do not use them to gain access to the Domino environ-ment. Three different types of ID files can be generated by the administra-tor, using the Domino Administrator client:

➤ Certifier ID—Used as a “stamp” to register a new server or user IDs

➤ Server ID—Used to identify each unique server in the organization

➤ User ID—Used to identify each unique person in the organization

To set up authentication between servers and users within a company, theadministrator must create ID files. During the first server setup, the first cer-tifier IDs are created, along with the ID file for the first server and firstadministrator. The certifier ID for the organization is created, and is used tocreate other OU certifiers, depending on the naming scheme that the admin-istrator will use. The administrator then uses a certifier ID to register everyother server and user within the organization. Each ID file will contain a cer-tificate for the top-level organization certifier, so that every server and userin the organization will have a certificate in common, and can authenticate.

For a more detailed description of how to register both servers and users,refer to Chapters 2 and 7, both titled “Installing and Configuring.”

Web users don’t use Notes ID files to authenticate with the Domino server—they simply use their name and an Internet password, both of whichare stored in a Person document in the Domino Directory for the server’sdomain. This type of Web authentication is called name-and-passwordauthentication.

To set up name-and-password authentication for Web clients, one of twomethods can be used:

➤ Basic name-and-password authentication uses the name and passwordrecorded in the user’s Person document in the Directory.

➤ Session-based name-and-password authentication is a more sophisticatedauthentication model that uses cookies to track user sessions.

A session is the time during which a Web client is actively logged onto a serv-er with a cookie. The administrator has two options when enabling session-based authentication in the Server document:

➤ Single Server—Causes the server to generate a cookie that is honoredonly by the server that generated it

➤ Multiserver—Generates a cookie that allows single sign-on with anyserver that shares the Web SSO Configuration document

13 0789729180 CH11 10/21/03 2:41 PM Page 281

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11282

Setting Up and Configuring IDBackup and RecoveryTo recover from loss of, or damage to, an ID file, administrators must keepbackup copies of server and user ID files in a secure place; for example, on adisk stored in a locked area. Losing or damaging an ID file or forgetting thepassword to an ID has serious consequences. Without an ID, users cannotaccess servers or read messages and other data that they encrypted with thelost ID. To prevent problems that occur when users lose or damage ID filesor forget passwords, administrators can set up Domino to recover ID files.This process is called ID backup and recovery.

Before ID files can be recovered, an administrator must perform the follow-ing steps to set up for recovery:

➤ An administrator who has access to the certifier ID file(s) must specifyrecovery information for those files.

➤ A mail-in database must be created to store recoverable copies of all IDfiles.

➤ The user ID files themselves must be made recoverable. There are threeways to enable this feature:

➤ At registration, administrators create the ID file with a certifier IDthat contains recovery information.

➤ Administrators export recovery information from the certifier IDfile and have the user accept it. This is usually accomplishedthrough the use of Notes mail messages.

➤ Users authenticate to their home server after an administrator hasadded recovery information to the certifier. This method appliesonly for servers using the server-based certification authority.

Specifying Recovery Information for aCertifier ID File and Creating a Mail-InDatabase to Store Backup ID FilesDomino stores ID recovery information in the certifier ID file. The infor-mation stored includes the names of administrators who are allowed torecover IDs, the address of the mail or mail-in database where users send an

13 0789729180 CH11 10/21/03 2:41 PM Page 282

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 283

encrypted backup copy of their ID files, and the number of administratorsrequired to unlock an ID file.

For an administrator to eventually recover a backup copy of an ID file, theseIDs must be stored somewhere safe. When the administrator enables recov-ery for certifier IDs, he is automatically prompted to create a mail-in databaseto use as the storage container for ID file copies. A mail-in database is a data-base that can receive mail because it is known to the Router via a Mail-InDatabase document in the Directory. The administrator should perform thefollowing steps before anyone loses or corrupts an ID, ideally before regis-tering users.

1. From the Domino Administrator, click the Configuration tab, and thenclick Certification.

2. Click Edit Recovery Information.

3. In the Choose a Certifier dialog box, click Server and select the regis-tration server name from the Domino Directory.

4. Choose the certifier for which you are creating recovery information.If you are using a server-based certification authority, click Use the CAProcess and select a certifier from the drop-down list. You must be aCertificate Authority (CA) administrator for the certifier in order tochange ID recovery information. If you are not using a server-basedcertification authority, click Supply Certifier ID and Password. If thecertifier ID path and filename does not appear, click Certifier ID,select the certifier ID file, and enter the password.

5. Click OK. The Edit Master Recovery Authority List dialog boxappears (see Figure 11.1).

6. Enter the number of recovery authorities that are required to recoveran ID file. It is recommended that you choose at least three.

7. Click Add and select the names of the administrators who are the des-ignated recovery authorities.

8. Choose whether you want to use an existing mailbox for recoveryinformation or create a new one.

9. If you have a mail or mail-in database already set up for recovery infor-mation, click I Want to Use an Existing Mailbox. Click Address andselect the database from the Domino Directory.

13 0789729180 CH11 10/21/03 2:41 PM Page 283

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11284

Figure 11.1 The Edit Master Recovery Authority List dialog box.

10. If you want to create a new database to store recovery information,click the Address button, then choose I Want to Create a NewMailbox. In the Create New Mailbox dialog box, enter the name of theserver on which the database is to be created and the database title. Youcan use the filename that is created from the database title, or you cancreate a new one. Click OK.

11. If you are using a server-based certification authority, you must enterthe following console command to start the CA process with the newrecovery information, or refresh it if it is already running:load ca

12. Enter this console command to process the request to add recoveryinformation to the certifier:tell adminp process all

The CA process is discussed briefly later in this chapter.

Making User ID Files RecoverableIf the administrator performs the preceding steps before registering users, acopy of every user ID is mailed to the mail-in database every time a user isregistered. The new user ID automatically contains the recovery informationinherited from the certifier ID with which it was registered.

If there were user ID files that existed within the company before recoveryinformation was specified for the certifiers, then those ID files must be

13 0789729180 CH11 10/21/03 2:41 PM Page 284

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 285

updated with the new recovery information, and a copy of the ID must bemailed to the mail-in database. This process involves both the administratorand the user. The administrator must initiate a mailout that exports the newrecovery information to each user. Then, the user must accept the recoveryinformation and mail a copy of their ID file back to the database.

The administrator performs the following steps to send recovery informa-tion to the user:

1. From the Domino Administrator, click the Configuration tab, and thenclick Certification. Click Edit Recovery Information.

2. In the Choose a Certifier dialog box, if the correct server name doesnot appear, click Server and select the registration server name fromthe Domino Directory.

3. Choose the certifier for which you are creating recovery information.If you are using a server-based certification authority, click Use the CAProcess and select a certifier from the drop-down list. If you are notusing a server-based certification authority, click Supply Certifier IDand Password. If the certifier ID path and filename do not appear, clickCertifier ID and select the certifier ID file and enter the password.

4. Choose Export, and then enter the certifier ID’s password twice

5. Complete the To field with the names of the users whose ID files youwant to update and back up, and enter a Subject and Body withinstructions for the user (or accept the default instructions); then clickSend.

The user completes the following steps to accept recovery information in theID file:

1. After the administrator sends the recovery information, open the mes-sage in the mail database.

2. Choose Actions, Accept Recovery Information from the menu bar, andthen enter the password for the ID file.

Domino automatically sends the encrypted backup ID file to the mail-in databasespecified by the administrator. The backup ID is encrypted with the administrator’spublic key. You can store multiple copies of the ID file in the centralized mail or mail-in database. Domino creates a new document every time an ID file is backed up. Whenattempting to recover an ID file, you should use the most recent backup. If this fails,you can try to use the older versions.

13 0789729180 CH11 10/21/03 2:41 PM Page 285

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11286

Recovering an ID FileIf a user loses or damages an ID file or forgets a password, the user can workwith administrators to recover the ID file from backup. Some of the recov-ery steps are performed by the user, whereas others are performed by theadministrator.

The user completes the following steps:

1. Contact the administrator to obtain the password(s) needed to recoverthe ID. The recovery password is randomly generated and unique toeach recoverable ID file and administrator. If the user can’t access theuser ID file, the administrator must provide the user with a copy of thebackup ID from the mail-in database. Then, the user can proceed withrecovery to unlock the password, if necessary.

2. When the user first logs in to Notes and the Password dialog boxappears, do not enter the password; simply click OK.

3. Click Recover Password in the Wrong Password dialog box.

4. Select the user ID file to recover in the Choose ID File to Recoverdialog box.

5. Enter the password(s) given to you by your administrator(s) in theEnter Passwords dialog box, and repeat until all passwords have beenentered, at which time the user is prompted to enter a new passwordfor the user ID.

6. Enter a new password for the user ID, and confirm the password whenprompted.

The user should immediately replace all backups and copies of the user ID file withthe newly recovered user ID file; otherwise, the user will need to perform the recov-ery steps for each copy of the ID, which is time-consuming.

The administrator performs the following steps:

1. When contacted by the user, detach the encrypted backup of the user’sID file from the mail or mail-in database to the local hard drive.

2. If the user’s ID file is damaged, send a copy of the ID file from thecentralized mail or mail-in database to the user.

3. From the Domino Administrator, click the Configuration tab, andchoose Certification, Extract Recovery Password.

13 0789729180 CH11 10/21/03 2:41 PM Page 286

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 287

4. Enter the password to the administrator’s ID file.

5. Specify the ID file you want to recover. This is the same ID youdetached in Step 1.

6. Give the user the recovery password that is displayed.

Users and administrators usually exchange the recovery password over the phone,because users who can’t access their ID files also can’t access their mail.

Managing User PasswordsAdministrators can manage user passwords by enabling a feature called pass-word verification so that a Notes user can authenticate with a server only afterproviding the correct password that is associated with the user ID. If anunauthorized user obtains an ID and learns the ID’s password, the author-ized owner of the ID can immediately change the password thus preventingthe unauthorized user from continuing to use the ID with the old passwordto authenticate with servers. The next time the unauthorized user tries to usethe ID with the old password to access a server, the server verifies the pass-word, determines that the password entered does not match the new pass-word, and denies the unauthorized user access to the server. Also, if theadministrator sets up password verification, he can require users to changethe passwords on their IDs on a regular basis. As the time for the requiredpassword change approaches, a prompt appears to remind the user to changethe password. When users change the password, the current ID and Persondocument are updated with the new password.

If a user has multiple ID files, the user must change the password in each ofthem to match the new password. Each time a user changes a password, theuser must specify a unique password. Notes keeps a record of up to 50 pass-words that have been previously used. If the administrator enables passwordhistory checking through the use of a Security Settings document, he canconfigure the number of new passwords that must be used before a givenpassword can be reused.

Password verification during authentication will not work for Internet users becausethey do not have Notes user IDs (unless their Notes and Internet passwords havebeen synchronized).

13 0789729180 CH11 10/21/03 2:41 PM Page 287

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11288

Password verification relies on the Administration Process to update docu-ments in the Domino Directory. When you enable password verification fora user, the Administration Process creates a “Set Password Information”request in the Administration Requests database. This request enables pass-word-checking by entering values in the Check Password, Required ChangeInterval, and Grace Period fields in the Administration section of the user’sPerson document. The first time the user logs onto a server that requirespassword verification, the Administration Process generates a “Change UserPassword in Domino Directory” request in the Administration Requestsdatabase. This request enters a corresponding password digest in thePassword Digest field in the Administration section of the Person document.It also records the date the user provided the password in the Last ChangeDate field in the Administration section of the Person document. To authen-ticate with servers that are enabled for password verification, the user mustprovide the password that corresponds to the digest.

From that point forward, when a user changes a password, theAdministration Process generates a new “Change User Password in DominoDirectory” request in the Administration Requests database. This requestupdates the Password Digest and Last Change Date fields in the Person doc-ument.

Administrators can enable password verification through the use of aSecurity Policy Settings document, which allows them to enable this featurefor multiple users, or they can enable password verification for individualsusing the Domino Directory. Administrators also have the option of lockingout a user’s ID, which prevents the user from authenticating with the server.

To enable password verification for individual users, perform the followingsteps:

1. Ensure that password verification is enabled on the servers with whichthe users authenticate. This setting is enabled on the Server document,Security tab, Security Settings section, Check Passwords on Notes IDsfield.

2. From the Domino Administrator, click People & Groups.

3. Select each Person document for which you want to enable passwordchecking.

4. Choose Actions, Set Password Fields, and then click Yes to continue.

5. In the Check Notes Password field, select Check Password.

6. Complete the following fields, and then click OK:

13 0789729180 CH11 10/21/03 2:41 PM Page 288

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 289

➤ Required Change Interval—Enter the length of time, in days, that apassword can be in effect before it must be changed. The default iszero.

➤ Allowed Grace Period—Enter the length of time, in days, that usershave to change an expired password before being locked out. Thedefault is zero.

Using the ICL and the CRLInstead of managing ID files using the Domino Administrator client and tra-ditional certifier ID files, administrators can set up a Domino certifier thatuses a server task, the CA process, to manage and process certificate requests.The CA process runs as an automated process on Domino servers that areused to issue certificates. When setting up a Notes or Internet certifier,administrators can link it to the CA process on the server in order to takeadvantage of CA process activities. Only one instance of the CA process canrun on a server; however, the process can be linked to multiple certifiers.

The CA process offers the following advantages:

➤ Provides a unified mechanism for issuing Notes and Internet certificates.

➤ Supports the registration authority (RA) role, which you use to delegatethe certificate approval/denial process to lower-echelon administratorsin the organization.

➤ Does not require access to the certifier ID and ID password. After youenable certifiers for the CA process, you can assign the registrationauthority role to administrators, who can then register users and managecertificate requests without having to provide the certifier ID and pass-word.

➤ Simplifies the Internet certificate request process through a Web-basedcertificate request database.

➤ Issues certificate revocation lists, which contain information aboutrevoked or expired Internet certificates.

➤ Creates and maintains the Issued Certificate List (ICL), a database thatcontains information about all certificates issued by the certifier.

➤ Is compliant with security industry standards for Internet certificates; forexample, X.509 and PKI.

13 0789729180 CH11 10/21/03 2:41 PM Page 289

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11290

The Issued Certificate List (ICL)Each certifier has an Issued Certificate List (ICL) that is created when the cer-tifier is created or migrated to the CA process. The ICL is a database thatstores a copy of each unexpired certificate that it has issued, certificate revo-cation lists, and CA Configuration documents. Configuration documents aregenerated when you create the certifier and sign it with the certifier’s publickey. After you create these documents, you cannot edit them.

CA Configuration documents include the following:

➤ Certificate profiles, which contain information about certificates issuedby the certifier.

➤ CA Configuration document, which contains information about the cer-tifier itself.

➤ RA/CA association documents, which contain information about the RAswho are authorized to approve and deny certificate requests. There isone document for each RA.

➤ ID file storage document, which contains information about the certifi-er ID.

Another CA Configuration document, the Certifier document, is created inthe Domino Directory when you set up the certifier. This document can bemodified.

For the purposes of the exam, it’s important to remember that the CA process is analternative way to manage ID files. Learn what the acronyms ICL and CRL mean, anddon’t confuse them with other Domino terms such as ICM, which stands for InternetCluster Manager, and has nothing to do with the CA process. We could create anentire chapter on how the CA process works; instead, this exam simply requires youto have an understanding that the process exists as an alternative to the traditionalcertifier ID management system, and assumes that you understand the basic termsand concepts involved in the CA process.

Certificate Revocation List (CRL)A Certificate Revocation List (CRL) is a time-stamped list identifying revokedInternet certificates; for example, certificates belonging to terminatedemployees. The CA process issues and maintains CRLs for each Internet cer-tifier. A CRL is associated with a certifier, is signed by that certifier, andresides in the certifier’s ICL database. A copy of the CRL is also stored in theDomino Directory, where it is used to assert certificate validity by entitiesthat require certificate authentication.

13 0789729180 CH11 10/21/03 2:41 PM Page 290

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 291

You configure the CRL when you create a new Internet certifier. You canspecify the length of time for which a CRL is valid and the interval betweenpublication of new CRLs. After CRLs are configured, the certifier issuesthem on a regular basis and they operate unattended.

Using CRLs, you can manage the certificates issued in your organization.You can easily revoke a certificate if the subject of the certificate leaves theorganization or if the key has been compromised. HTTP servers and Webbrowsers check the CRLs to determine whether a given certificate has beenrevoked, and is, therefore, no longer trusted by the certifier. When you useInternet Site documents to configure Internet protocols on Domino, you canalso enable CRL-checking for each protocol.

There are two kinds of CRLs: regular and nonregular. For regular CRLs, youconfigure a duration interval—the time period for which the CRL is valid—and the interval at which new CRLs are issued. Each certifier issues a CRLat the specified time, even if no certificates have been revoked since the lastCRL was issued. This means that if an administrator revokes a certificate, itappears in the next scheduled CRL issued by the certifier. The CRL durationperiod should be greater than the time period between each CRL issuance.This ensures that the CRL remains valid. Otherwise, the CRL could expirebefore a new one is issued.

Setting Up and Configuring ServerAccessThis particular topic was covered extensively in Chapter 6. We take the timehere to offer a condensed version of the points made in that chapter, torefresh your memory. For a complete description of each point, you maywant to read through this section of Chapter 6 again.

An administrator can configure the following settings to control access to theDomino server:

➤ Secure the Server Console—The administrator can password-protect theserver console to force administrators to know the console password toenter console commands. After the console has been password-protect-ed, administrators can’t use the Load, Tell, Exit, Quit, and SetConfiguration server commands until they enter the password. Consolesecurity remains in effect until the password is cleared by entering a sec-ond Set Secure command with the same password.

13 0789729180 CH11 10/21/03 2:41 PM Page 291

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11292

➤ Restrict Administrator Access to the Server—You can specify various accesslevels for different types of administrators in your organization. Forexample, you might want to give only a few people high administrativeaccess, whereas all of the administrators on your team are designated asdatabase administrators. Administrators are listed either as individuals oras members of groups in the different administrator fields on theSecurity tab of the Server document located in the Domino Directory.The different types of administrators are as follows: full-access adminis-trators, administrators, database administrators, full remote consoleadministrators, view-only administrators, and system administrators.

➤ Allow and Deny Access to the Server Through Fields on the ServerDocument—To control user and server access to other servers, Dominouses the settings specified on the Security tab in the Server document.The following fields control access to the server:

➤ Access Server—Lists groups and individuals who are authorized toaccess the server. If the Access Server field is left blank, all users andservers that can authenticate can access the server.

➤ Not Access Server—Lists users, servers, and groups who are deniedaccess to the server. The default value for this field is blank, whichmeans that all names entered in the Access Server field can accessthe server.

Remember that names entered in the Not Access Server field take precedence overnames entered in the Access Server field. For example, if you enter a group name inthe Access Server field and enter the name of an individual member of this group inthe Not Access Server field, the user will not be able to access the server.

Typically, the Domino administrator lists a Deny Access group in this field to denyaccess to servers within the company for people who have left the company. See thediscussion about groups and group types later in this chapter.

➤ Create Databases and Templates—Lists specific servers, users, andgroups who are allowed to create databases with the File, Database,New command. Typically, this capability is restricted to administra-tors or designers. The default value for this field is blank, whichmeans that all users can create new databases.

➤ Create New Replicas—Lists specific servers, users, and groups whoare allowed to create replicas using the File, Replication, NewReplica command. The default value for this field is blank, whichmeans that no one can create new replicas.

13 0789729180 CH11 10/21/03 2:41 PM Page 292

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 293

➤ Create Master Templates—Lists specific servers, users, and groupswho are allowed to create Master Design templates. Servers, users,and groups who cannot create new databases or replicas on the serv-er cannot create or update templates. The default for this field isblank, which means that no one can create Master Design templateson the server.

➤ Control Access to a Specific Network Port—Administrators can use a portaccess list to allow or deny Notes user and Domino server access to aspecific network port. If the administrator uses both a port access listand a server access list, users and servers must be listed on both to gainaccess to the server. Access to a specific port is controlled using serverNOTES.INI settings:Allow_Access_portname = namesDeny_Access_portname = names

Troubleshooting Common ServerAccess ProblemsThis section is worth repeating from Chapter 6, to remind you of the differ-ent scenarios that illustrate situations in which users and servers can have dif-ficulty accessing Domino servers. The following sections illustrate thesepotential problems. Each section lists a common error resulting in a serveraccess problem and documents the solutions to those problems.

The Administrator Can’t Enter Commands atthe ServerIf an administrator can’t run the workstation program on the server, runstandalone server programs, or use the Load, Tell, or Set Configuration com-mands, the console has likely been password-protected. The administratorneeds to use the Set Secure command at the console or use the DominoAdministrator client to clear the password. The administrator must know thepassword to clear it.

An administrator might also fail to enter commands at the console becausehe isn’t listed as an administrator in the Administrator fields in the Serverdocument, or he might be listed as a view-only administrator, with limitedaccess to enter console commands.

13 0789729180 CH11 10/21/03 2:41 PM Page 293

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11294

Users Can’t See a New Server in the List ofServersIf users can’t see a new server when they try to add, create, copy, or replicatea database, the administrator should make sure that the Domino Directorycontains a Server document for the new server and that the information inthe document is accurate and correctly spelled. If no Server document exists,the administrator should register the new server and ensure that the Serverdocument gets added to the Directory and then replicated to other servers inthe domain. If a Server document exists and contains accurate informationfor the new server, the administrator can check the log file on both the user’shome server and the inaccessible server to see if there are network problems.

The Server Is Not RespondingThe message “Server not responding” might appear when you install a clientor try to open any database on a particular server. Here are some strategiesfor resolving this problem, listed in the order in which they should beattempted:

1. Check that the Domino server and the network are running.

2. Check whether the server has been renamed or recertified. When auser tries to open a database on a server that has been recertified orrenamed, the message “Server not responding” might appear.

3. If the client and server are using NetBIOS, make sure that the protocolis configured properly and that it’s running on the workstation andserver. The workstation and the server must use the same version ofNetBIOS, and the server must be enabled for sufficient NetBIOS ses-sions.

Adding Security to an ApplicationThis section describes the many security features that can be used to securean application. Some of these features are actually implemented by designersas opposed to administrators; however, in order for administrators to supportand troubleshoot application access, they must have a basic understanding ofmost database security features. The exam tests your ability to rememberwhich element is controlled by each security feature. Pay special attention tothe features that involve design elements, such as agents, view access, andform access.

13 0789729180 CH11 10/21/03 2:41 PM Page 294

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 295

Designing a Secure Application—SecurityVersus DeterrenceAn application developer can further restrict access to design elements with-in an application using the Domino Designer. Application design securitytakes effect once users gain access to an application. Some of these designfeatures provide true security to the application by restricting access to data.Other features conveniently manipulate the user interface to “hide” certainparts of the interface, without actually restricting access to that element. Thefirst technique provides true security, whereas the second technique detersthe user from finding the information easily.

The following is a list of true security features, with a brief explanation ofwhat each feature does and how it is configured. Some of these features areexplored in more depth later in the chapter.

➤ Read Access Lists for Forms—On the Security tab of the Form Propertiesbox, designers can specify which Notes and Internet/intranet users canread documents created with a specific form. When this property isenabled, a $Readers field is created on the document, storing the nameof the creator or editor of the document. The $Readers field acts in thesame way as the Readers field—it controls read access to the document.If a user, group, or role is listed in the $Readers field, only that user,group, or role can read the document. Figure 11.2 shows the Securitytab of the Form Properties box.

Figure 11.2 The Form Read Access List on the Form Properties box.

➤ Readers fields—Designers can add a field of type Readers to control readaccess to the document. If a user, group, or role is listed in the Readers

13 0789729180 CH11 10/21/03 2:41 PM Page 295

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11296

field, only that user, group, or role can read the document. If theReaders field is empty, then everyone can read the document.

➤ Authors fields—Designers can add a field of type Authors to control editaccess to the document. If a user, group, or role has Author access in theACL and is listed in the Authors field, only that user, group, or role canedit the document. If the Authors field is empty, then only someonewith Editor access or higher in the ACL can edit the document. Userswith Editor access and above can always edit documents, and are notaffected by the Authors field.

➤ Signed fields—Designers can enable signing on a field to verify that theNotes user who originated the data is the author and that no one hastampered with the data. When the document is saved, a digital signatureis generated from the ID file of the user saving the document, andstamped in the Signed field.

➤ Encrypted fields—Designers can control read access at the field level withencrypted fields. For a field value to be encrypted, the designer mustenable encryption for that field, and must apply an encryption key to it.He must then distribute the key to every user who must encrypt anddecrypt the data in the encrypted field(s).

➤ Edit Access Lists for Sections—Designers can use controlled-access sectionsto control a section of fields on a document for editing. To edit thefields in a section, a user must be in the authorized editors list for thatsection.

The following settings serve to conveniently manipulate the user interface todeter the user from finding information, but the techniques do not secure theinformation from the user:

➤ Read Access Lists for Views—Designers can control who has access to aview using a View Read Access List, located on the Security tab of theView Properties box. The view access list restricts access to the viewitself, not to the documents in the view. If a user can’t find the docu-ments in the view, he can build himself a private view to see the docu-ments. A view access list conveniently hides certain views from someusers.

➤ Hidden fields—Designers can control which Notes and Internet/intranetusers can view data in a document or page. Hiding is used extensively bydesigners to selectively show and hide text, buttons, actions, and soforth. This convenient manipulation of the user interface allows design-ers to present data for different clients based on different conditions, but

13 0789729180 CH11 10/21/03 2:41 PM Page 296

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 297

hiding does not secure the data. If a user can read a document, he canview the contents of any field on that document using the DocumentProperties box.

➤ Create Access Lists for Forms—Using the Form Properties box, the design-er has the option of choosing who can use the form to create docu-ments. This list of creators conveniently prevents unauthorized usersfrom using the form to enter document data; however, if the user has atleast Author access to the database, he can add or edit documents in thedatabase by copying and pasting or by importing, which circumvents theuse of the form.

Setting Up and Configuring Agent AccessAgents are design elements that automate processing within an application.Administrators generally don’t create or write agent code, but they areresponsible for ensuring that agents run properly within databases onservers. The administrator controls the settings for the following:

➤ Who Can Create Agents Within a Database—The administrator can con-trol which users get to create agents using the privileges within theAccess Control List for the application. The following access levels andprivileges are required to create different types of agents:

➤ Private Agents—Users need Reader access or higher and must havethe Create Private Agents privilege.

➤ Private Agents Using LotusScript and Java—Users need Reader accessor higher and must have the Create Private Agents and CreateLotusScript/Java Agents privileges.

➤ Shared Agents Using Simple Actions and Formulas—Users must haveDesigner access or higher.

➤ Shared Agents Using LotusScript or Java Agents—Users must haveDesigner access or higher and must have the CreateLotusScript/Java Agents privilege.

➤ Who Can Run Agents on the Server—To control the types of agents userscan run on a server, administrators must set up restrictions for serveragents. Agent restrictions are controlled through fields on the Serverdocument.

To set up agent restrictions from the Domino Administrator, click theConfiguration tab, and open the Server document. Click the Security tab,

13 0789729180 CH11 10/21/03 2:41 PM Page 297

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11298

and in the Programmability Restrictions section, complete one or more ofthese fields, and then save the document:

➤ Run Unrestricted Methods and Operations—Enter the names of users andgroups who are allowed to select, on a per agent basis, one of three lev-els of access for agents signed with their ID. Users with this privilegeselect one of these access levels when they are using Domino Designer 6to build an agent: restricted mode, unrestricted mode, or unrestrictedmode with full administration rights.

➤ Sign Agents to Run on Behalf of Someone Else—Enter the names of usersand groups who are allowed to sign agents that will be executed on any-one else’s behalf. The default is blank, which means that no one can signagents in this manner.

➤ Sign Agents to Run on Behalf of the Invoker of the Agent—Enter the namesof users and groups who are allowed to sign agents that will be executedon behalf of the invoker, when the invoker is different from the agentsigner. This setting is ignored if the agent signer and the invoker are thesame. This is used currently only for Web agents. The default is blank,which means that everyone can sign agents invoked in this manner.

➤ Run Restricted LotusScript/Java Agents—Enter the names of users andgroups who are allowed to run agents created with LotusScript and Javacode, but excluding privileged methods and operations, such as readingand writing to the file system. Leave the field blank to deny access to allusers and groups.

➤ Run Simple and Formula Agents—Enter the names of users and groupswho are allowed to run simple and formula agents, both private andshared. Leave the field blank to allow all users and groups to run simpleand formula agents, both private and shared.

➤ Sign Script Libraries to Run on Behalf of Someone Else—Enter the names ofusers and groups who are allowed to sign script libraries in agents exe-cuted by someone else. For the purposes of backward compatibility, thedefault value is to leave the field empty, to allow all.

Unrestricted Java and LotusScript agents can potentially violate security because ofthe potential for the code to access the file system. Only a limited number of trustedusers should have unrestricted rights.

It’s important to understand how agent restrictions are applied as well aswhose access rights are checked when the agent is run in the system. For

13 0789729180 CH11 10/21/03 2:41 PM Page 298

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 299

exam purposes, read these next few paragraphs carefully, as this topic is oftenmisunderstood because it crosses over into the realm of Domino design.

Domino checks the server security restrictions in the Server document dif-ferently depending on whether the agent is

➤ Running locally or on the server

➤ Started from the Web or the Notes client

Local AgentsAn agent runs locally during the following conditions:

➤ It runs within a Notes client database.

➤ You choose “Local” from the “Run on” list for a scheduled agent.

➤ A user starts the agent from the Actions menu in the Notes client, fromthe Agent, Run menu in Designer, from the “When Documents HaveBeen Pasted” trigger, or from calling the agent by agent.run.

When an agent runs locally, Notes does not check security restrictions,unless you have set the Enforce ACL option. To enforce a consistent ACL,refer to the topic “Securing Applications with Consistent ACLs” later in thischapter.

Server-based AgentsAn agent runs on the server when it is running in a database stored on a serv-er and it is started by one of the following agent triggers:

➤ Before new mail arrives

➤ After new mail arrives

➤ If documents have been created or updated

➤ On any schedule

➤ Called by an agent via agent.runonserver (the agent being called mustreside on the server)

If the agent is running on a server, Domino checks all security restrictions.

Agents Running from the Notes Client or the Web ClientAgents run in the Notes client or on the Web based on the rights of theeffective user. The effective user’s rights determine what the agent canaccomplish within the database.

13 0789729180 CH11 10/21/03 2:41 PM Page 299

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11300

The effective user depends on the environment in which the agent runs.When a user runs an agent from the Notes client, the agent runs with therights of the effective user, which is the current user ID. For example, JoeSmith/Acme runs an agent in a database POLICIES.NSF. Joe has Readeraccess to the database. The agent code calls a method that edits all of thedocuments in the database. When Joe invokes the agent, his access rights arechecked within the database ACL, and because he has only Reader access, nodocuments will be changed by the agent.

A scheduled agent runs with the access rights of the person who last saved theagent, also known as the signer. The designer has the option to override theagents signer by specifying that the agent should run on behalf of someoneelse, as per the name listed on the Security tab of the Agent Properties box.

When a Web user runs an agent, the agent also runs using the rights of theeffective user. However, you can set up the agent so that Domino checks theinvoker’s rights to access the database instead of the effective user’s rights.Checking the invoker’s rights can provide more security. To have Dominoverify the invoker’s access to the database, click on the Security tab of theAgent Properties box and enable the Run as Web User check box. WhenRun as Web User is checked, Domino prompts Web users for their name andpassword when they attempt to run the agent. Domino uses the login infor-mation to check for the invoker’s rights in the database ACL.

The exam will likely test your ability to recognize when an agent is run using therights of the invoker, as opposed to the rights of the signer of the agent. Watch forquestions that outline a scenario whereby the signer of the agent doesn’t haveenough access to execute the agent code in the system, either in the database ACLor in the agent restrictions in the Server document.

Monitoring and Maintaining AgentsWhenever an agent won’t run, administrators can check the Agent log to seewhen the agent last ran and whether it completed. For additional informa-tion, they can check the server console or the Miscellaneous events in the logfile (LOG.NSF) for messages from the Agent manager.

Logging for Agents in LOG.NSFTo enable agent logging in the log file (LOG.NSF), edit the NOTES.INIfile to include the Log_AgentManager setting, which specifies whether ornot the start of agent execution is recorded in the log file and displayed onthe server console. It’s important to monitor the server console or log forinformation from the Agent manager because error and warning messagesare generated by the Agent manager on behalf of the agent.

13 0789729180 CH11 10/21/03 2:41 PM Page 300

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 301

Using Agent Server Console CommandsAdministrators can use the following server commands to troubleshootagents:Tell amgr schedule

This command shows the schedule for all agents scheduled to run for thecurrent day. In addition, the command shows the agent trigger type, the timethe agent is scheduled to run, the name of the agent, and the name of thedatabase on which the database runs.Tell amgr status

This command shows a snapshot of the Agent manager queues and displaysthe Agent manager settings in the Server document.Tell amgr debug

This command displays either the current debug settings for the Agent man-ager or lets you set new ones. When using this command to set debug val-ues, you can use the same flags used by the Debug_AMgr command in theNOTES.INI file.

Reviewing the Agent LogThe Agent log is a view in a database that shows the last time an agent ran anddescribes if the agent completed or not. To review the Agent log, followthese steps:

1. In the database, choose View, Agents.

2. In the Design view that lists all the agents, choose the agent.

3. Choose Agent, Log.

Activity LoggingAdministrators can monitor agent activity using activity logging. Agent activ-ity logging generates a record for each Domino server-based agent that runssuccessfully. The record shows the name of the agent, the name of the data-base that contains the agent, the amount of time it took to run the agent, andthe name of the person who last saved the agent. The record does not showthe types of activities the agent performed.

Domino does not generate activity logging records for agents that run on aWeb server, for agents that you run manually from a client, or for agents thatare scheduled to run locally on a client.

13 0789729180 CH11 10/21/03 2:41 PM Page 301

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11302

Activity logging is configured by editing the Configuration Settings docu-ment. To edit the document, follow these steps:

1. From the Domino Administrator, click the Configuration tab; thenexpand Server and click Configurations.

2. In the Results pane, select the Configuration Settings document youwant, and click Edit Configuration.

3. On the Configuration Settings document, click the Activity Loggingtab.

4. Select Activity Logging Is Enabled.

5. In the Enabled Logging Types field, select the types of activity youwant to log and click Save & Close.

Setting Up and Configuring DatabaseAccess Using the ACLEvery database has an Access Control List (ACL) that specifies the level ofaccess that users and servers have to that database. Only someone withManager access can create or modify the ACL.

Although the names of access levels are the same for users and servers, those levelsassigned to users determine the tasks that they can perform in a database. Thoseassigned to servers determine which information within the database the servers canreplicate.

To control the access rights of Notes users, select the access level, user type,and access-level privileges for each user or group in a database within theACL by choosing File, Database, ACL. Access levels assigned to users in adatabase ACL control which tasks users can perform in the database. Access-level privileges enhance or restrict the access level assigned to each name inthe ACL. For each user, group, or server added in the ACL, you select theuser type and access level in the User Type and Access drop-down lists. Tofurther refine the access, you select a series of access privileges by selectingor deselecting the various check boxes located on the right side of the Basicstab of the ACL. If the application designer created roles, assign them to theappropriate users, groups, or servers listed within the ACL.

Here is a listing of the seven access levels in the ACL, from lowest to high-est, along with a brief description of what each level means:

13 0789729180 CH11 10/21/03 2:41 PM Page 302

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 303

➤ No Access—Denies access to the database. The error message thatappears to the user is “You are not allowed to access this database.”

The exception to the No Access level is the Public Access level. If the designer of thedatabase creates Public Access forms and documents are created with these forms,the documents are marked as Public. Anyone in the ACL with Public Access can reador write Public documents. The Public Access level is granted by checking the Reador Write Public Documents check box in the ACL. This technology is used in the maildatabase where Calendar documents get marked as Public documents so that accessto those documents can be controlled separately from access to mail messages. Becareful when selecting the Public access option—you should check with the data-base designer to see if Public Access forms were used in the database so that accessto those documents can be properly set in the ACL.

➤ Depositor—Allows the writing or adding of documents only. Users can-not read, edit, or delete documents, with the exception of Public docu-ments.

➤ Reader—Allows the reading of documents only. Users cannot add, edit,or delete documents.

➤ Author—Allows users to read documents and to edit documents inwhich they are listed in an Authors field (see the topic later in this chap-ter regarding Authors fields). Optionally, users may create or delete doc-uments.

➤ Editor—Allows the creating, reading, and editing of all documents. Thisis the highest level of access to the document data, but does not grantaccess to Design documents or to the ACL.

➤ Designer—Includes all the rights of Editors, as well as access to create,edit, and delete all Design documents in the database, such as forms,shared views, navigators, and so on.

➤ Manager—Includes all the rights of designers, as well as the ability tomodify the ACL and delete the database from the server using the clientuser interface commands (File, Database, Delete).

Securing Applications with Consistent ACLsAdministrators can ensure that an ACL remains identical on all databasereplicas on servers, as well as on all local replicas that users make on work-stations or laptops by enforcing a consistent ACL. Selecting this setting ona replica whose server has Manager access to other replicas keeps the AccessControl List the same across all server replicas of a database.

If a user replicates a database locally, the database ACL recognizes that user’saccess because it is known to the server and enforces the access on the local

13 0789729180 CH11 10/21/03 2:41 PM Page 303

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11304

replica. If a consistent ACL is not enforced, then the user has Manager accessto their local replica.

Enforcing a consistent Access Control List does not provide additional security forlocal replicas. To keep data in local replicas secure, users should locally encrypt thedatabase.

To enforce or disable a consistent Access Control List for multiple databas-es, administrators should perform the following steps from the DominoAdministrator:

1. Click the Files tab, and select one or more databases from the Dominodata directory.

2. Click Tools, Database, Manage ACL, and then click Advanced.

3. Select the Modify Consistent ACL Setting option.

4. To enforce a consistent ACL, select Enforce a Consistent AccessControl List Across All Replicas of This Database.

5. To disable a consistent ACL, select Do Not Enforce a ConsistentACL.

6. Click OK.

Securing Applications with RolesRoles are one of the most misunderstood topics in the Domino system. InChapter 6, we discussed roles within the Domino Directory. In this chapter,we discuss roles in general, within any application.

A database designer typically uses roles to assign special access to databasedesign elements and database functionality. A role defines a set of usersand/or servers. Roles are similar to groups that you can set up in the DominoDirectory; however, unlike groups, roles are specific to the database in whichthey are created. It’s important to remember that a role isn’t always associat-ed with a security element; a role may simply be used to selectively hide orshow information.

To successfully use roles within a database, these three steps must be fol-lowed:

1. The role must be created within the database ACL—Roles are typically cre-ated in the ACL by either the administrator or the designer. You musthave Manager access to the database to create roles. To create a role,

13 0789729180 CH11 10/21/03 2:41 PM Page 304

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 305

choose File, Database, Access Control, and then click Roles. To createa role, click Add, and type a name for the role. Follow a similar processto rename or delete roles with the Rename and Delete buttons, andthen click OK twice.

2. The role must be assigned to entries within the ACL—After roles have beencreated, someone with Manager access must assign the role to groups,people, or servers within the ACL. To assign a role, select an entry inthe ACL and place a check mark next to the role name in the lower-right corner of the ACL dialog box.

3. The role name must be referenced by the designer within the applicationitself—Designers can use the role in dozens of ways within the applica-tion. They can use the role name to restrict access to forms, views, anddocuments; they can use the role to hide text and buttons; and they canuse the role name in code to calculate who is a member of a certainrole in order to restrict functionality within the database. For adminis-trators to understand how to assign roles to entries in the ACL, thedesigner should provide documentation to indicate how the role wasused within the application. Without the documentation, the adminis-trator must guess at how the role works, or must start digging into thedesign of the application himself to see where the role is referenced.

It’s important to note that there are no predefined role names within Domino. There isno functionality that is inherently associated with the role name itself. For example, ifa designer creates a role called “Supervisor” and assigns that role to his own nameor to a group within the ACL, he hasn’t accomplished anything with the role. Onlywhen the designer then references the role name within the design elements of theapplication does the role take on any significance. When referencing role namesthrough code, designers must enclose the role name within square brackets; forexample, “[Supervisor].”

On the exam, don’t confuse roles with groups. Groups are defined within the DominoDirectory, and can be referenced from any database or application within the domain.Roles are defined and referenced within a single database. Roles have no scopebeyond the current database. For example, if a role called “ProductMgr” was creat-ed in POLICIES.NSF, that role could not be referenced through code by the designerwithin another database called PRODUCTS.NSF. Watch out for exam questions thattry to trick you into thinking that roles are able to control functionality across data-bases.

Securing Applications with Authors Fieldsand Readers FieldsThe designer uses Authors and Readers fields to control access to individualdocuments within the application. Authors fields are used to control who can

13 0789729180 CH11 10/21/03 2:41 PM Page 305

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11306

edit a document for those users listed with Author access in the databaseACL. Readers fields are used to control who can read a document, and applyto all levels of access within the ACL.

Authors and Readers fields were covered in detail in Chapter 6. Refer to“Securing Applications with Authors Fields” and “Securing Applications withReaders Fields” in Chapter 6 for a complete explanation of these two topics.

Troubleshooting User AccessProblemsUsers can encounter many problems when attempting to access Dominoresources. In this section, we highlight several access control scenarios thatwill likely be similar to those presented in questions on the exam. Rather thanmemorizing each scenario, you should try to understand the reason behindthe user problems, and be able to articulate how to solve the problem. Someof these same scenarios were also presented in Chapter 6.

Users Report That They Can’t Access theDatabaseThere are several things that might prevent a user from accessing an applica-tion:

➤ The server storing the database may be temporarily down—In this case, theadministrator must troubleshoot why the server is down or unavailableand restart it or fix the networking problem that may be causing theaccess problem.

➤ Users don’t have the appropriate access to the server—If the user is encoun-tering the error “You are not authorized to access the server,” he is likelybeing denied access to the server. The administrator should check theServer document, Security section for that server to check the values inthe Access Server and Not Access Server fields.

➤ Users don’t have the appropriate access in the database ACL—Administratorsshould check the database ACL to make sure users have the necessaryaccess to the database.

➤ The server is continuously updating a full-text index and is too busy to servicerequests for data access—If a database is large and active, database perform-ance can be slow if the server updates a full-text index too frequently.

13 0789729180 CH11 10/21/03 2:41 PM Page 306

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 307

Administrators can change the full-text index update frequency andtime, if necessary.

Users Can’t Find a New Server in the List ofServersIf users can’t find a new server when they try to add, create, copy, or repli-cate a database, administrators should ensure that the Domino Directorycontains a Server document for the new server and that the information inthe document is accurate and correctly spelled. If no Server document exists,create one and then make sure that the new Server document replicates to allservers in the domain. If a Server document exists and contains accurateinformation for the new server, check the log file on both the user’s homeserver and the inaccessible server to see if there are network problems.

Users Complain That They Can’t Seem to“See” All the Documents in the DatabaseIf users cannot locate or read documents in a database, they likely have beenexcluded from reading a document because they aren’t listed in the Readersfield for those documents. If the user needs to be able to read certain docu-ments, that user needs to find out how to get added to the Readers field—likely through the use of a role or group.

A User Complains That He Can’t Edit aDocument That He Created in the DatabaseIf a user has Author access in the database and cannot edit a document thathe originally created, that user likely isn’t listed in an Authors field on thatdocument. The user should look at the database documentation or consultwith the designer or manager of the database. Perhaps the database has beenarchitected to prevent users from editing their own documents for businessreasons that support the business rules for the application. Or, perhaps thedesigner has omitted the Authors field by mistake, in which case the design-er will need to add an Authors field to the form(s) and run agents in the data-base to populate the Authors fields on existing documents. When the user’sfull hierarchical name has been stored in the document, that user should beable to edit that document.

13 0789729180 CH11 10/21/03 2:41 PM Page 307

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11308

Users Complain That They Can’t CreateAgents in the DatabaseIf a user can’t create agents in a particular database, the administrator shouldcheck the database ACL to see if the user has the access level required to cre-ate agents in that database. To create personal agents, a user must have atleast Reader access to the database, with the Create Private Agents privilegeenabled. To create shared agents, a user must have at least Designer access.If the designer wants to create agents that use either LotusScript or Javacode, the Create LotusScript/Java Agents privilege also must be enabled.

Users Complain That They Don’t Have theCorrect Access Level Within the DatabaseIt’s possible to assign users or servers more than one level of access to a data-base. The following list describes access level conflicts and resolutions.

➤ A name is listed in an ACL individually and as a member of a group—Theaccess level assigned to the individual name takes precedence over theaccess level for the group, even if the individual access level is lowerthan the group level.

➤ A name is included in two or more groups—The name receives the access ofthe group with the highest access.

➤ A name appears in an ACL and in access lists associated with forms, views, orsections—The ACL controls database access; design element access listsrefine this access to a lower level. For example, if a user has Authoraccess to a database but is not listed in the access list for a form in thedatabase, the user cannot use the form to create a document.

You’ll likely encounter exam scenarios that test your ability to understand the pre-ceding bullet points. To summarize, remember that a user always gets the accessassociated with their individual name in the ACL, if listed as an individual, or thehighest of the group access levels, if they are listed in more than one group. Thehighest of group access rules applies even if one of the groups is granted No Access.Don’t confuse the Domino ACL security rules with other products with which youmay have experience. For example, in the Microsoft world, the No Access level takesprecedence over all others—not so in Domino.

13 0789729180 CH11 10/21/03 2:41 PM Page 308

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 309

Exam Prep Questions

Question 1

Which of the following options must be enabled in the client’s browser for ses-sion-based authentication to be successful?

❍ A. Cookies

❍ B. ICM

❍ C. JavaScript

❍ D. Java

Answer A is correct. Domino session-based authentication requires thatrequesting browsers be able to support and accept cookies. The cookies areused to track users’ sessions.

Question 2

Which of the following options can provide security for a user who has had theirID file and password stolen?

❍ A. No security option in Domino can prevent someone from using astolen ID file if they know the password to that ID.

❍ B. Enabling the StolenIDFile server task.

❍ C. Enabling the Compare Digital Certificates option on the Server docu-ment.

❍ D. Enabling the Check Passwords on Notes IDs option on the Server doc-ument.

Answer D is correct. The Domino administrator can enable password verifi-cation so that a Notes user can authenticate with a server only after providingthe correct password that is associated with the user ID. If an unauthorizeduser obtains an ID and learns the ID’s password, the owner of the ID can usepassword verification to change the password and prevent the unauthorizeduser from continuing to use the ID to authenticate with servers.

13 0789729180 CH11 10/21/03 2:41 PM Page 309

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11310

Question 3

John designed a view within an application with a view access list that restrict-ed access to the view. Which of the following describes who can access the viewin the application?

❍ A. Only users listed in the view access list

❍ B. Only users listed in the database ACL with at least Reader access, whoare also listed in the view access list

❍ C. Only users with Designer access in the ACL

❍ D. Only users with at least Author access in the ACL, who are also listedin the view access list

Answer B is correct. Adding usernames to a read access list for a view designelement limits the view to being available for only those users. Users mustalso have at least Reader access in the database ACL to see the view. A viewaccess list can never grant access to a view for a user who doesn’t have at leastReader access to the database; view access lists can only refine, not enhancea user’s database access level.

Question 4

Monty, the Domino administrator for Acme Company, was asked to recover apassword from an ID file that was backed up with recovery information withinhis mail-in database of user ID files. Which of the following keys did Monty useto decrypt the password for the ID file, thereby generating the required unlock-ing key for the user?

❍ A. The user’s private key

❍ B. The user’s public key

❍ C. The administrator’s private key

❍ D. The administrator’s public key

Answer C is correct. Each user’s Notes ID file contains a recovery passwordthat is randomly generated and encrypted with the administrator’s public key.The administrator must then decrypt the password with his private key.

13 0789729180 CH11 10/21/03 2:41 PM Page 310

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 311

Question 5

Susan is listed in the ProductEditors group in the Domino Directory. TheProductEditors group is listed in the ACL of PRODUCTS.NSF with Editor access.Susan is complaining that she has only reader access to the database. Which ofthe following could explain why she doesn’t have Editor access?

❍ A. The ACL of the database has become corrupted.

❍ B. Susan is listed in another group in the ACL with Reader access.

❍ C. Susan is listed in the ACL as an individual with Reader access.

❍ D. None of the above.

Answer C is correct. The access level assigned to the individual name takesprecedence over the access level for the group, even if the individual accesslevel is lower than the group level. Answer B isn’t correct because the userwould always get the highest of group access if she was listed in more thanone group.

Question 6

Rick is listed in both the Access Server field and the Not Access Server field inthe Server document for ServerA/Acme. What will happen when Rick tries toaccess a database on ServerA?

❍ A. Rick will be allowed to access the server.

❍ B. Rick will be denied access to the server.

❍ C. The ACL of the database will determine whether Rick can access theserver.

❍ D. It is not possible to save the Server document with the same name inboth the Access and Not Access fields.

Answer B is correct. The Not Access Server field takes precedence over theAccess Server field. If someone is denied access to the server, the databaseACL for the database he is trying to access is never checked.

13 0789729180 CH11 10/21/03 2:41 PM Page 311

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 11312

Question 7

Sylvie, a designer, is trying to decide whether to hide some text on a form byreferencing either a group name or a role name. Which of the following state-ments about groups and roles is true?

❍ A. Both groups and roles are defined within the database ACL.

❍ B. Both groups and roles are defined within the Domino Directory.

❍ C. Roles are defined within the Directory, whereas groups are defined inthe database ACL.

❍ D. Groups are defined within the Directory, whereas roles are defined inthe database ACL.

Answer D is correct. Groups are created and maintained within the DominoDirectory. Roles are database specific—they are created and assigned withinthe database, and have context for that one database only.

Question 8

Susan created a document in PRODUCTS.NSF but now she cannot seem to editthe document. She has confirmed that she has Author access in the ACL. Shewants to be able to edit all of the documents that she creates in the database.Which of the following best describes what the problem is?

❍ A. Susan’s name was not included in a Readers field on the document.

❍ B. Susan’s name was not included in an Authors field on the document.

❍ C. Susan should have been granted Editor access to the database in orderto edit her own documents.

❍ D. None of the above.

Answer B is correct. Authors fields control editing for users listed withAuthor access in the database ACL. If Susan was grated Editor access in theACL, she would be able to edit every document in the database.

13 0789729180 CH11 10/21/03 2:41 PM Page 312

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Security 313

Need to Know More?Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBMRedbooks, 2002. Also available on the Web at www.redbooks.ibm.com/.For references to security, consult Chapter 10, “Security.”

Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notesand Domino 6. Indianapolis, IN: Que Publishing, 2003.

Policy-based System Administration with Domino 6: www-10.lotus.com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf81

00256be9005b7d35?OpenDocument.

Lotus Domino 6 Technical Overview: www-10.lotus.com/ldd/

today.nsf/3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b

00782950?OpenDocument. For references to security, consult the section“New Security Features.”

Accessing and Protecting the File System: www-10.lotus.com/ldd/today.nsf/f01245ebfc115aaf8525661a006b86b9/a115026680fd744985256b34

000f4c1b?OpenDocument.





13 0789729180 CH11 10/21/03 2:41 PM Page 313

13 0789729180 CH11 10/21/03 2:41 PM Page 314

PART IIIExam 622

12 Managing Non-Notes and Notes Clients

13 Setting Up Server Monitoring

14 Managing Servers

15 Managing Users and Groups

16 Monitoring Server Performance

17 Resolving Server Problems

18 Resolving User Problems

14 0789729180 Pt 3 10/21/03 2:37 PM Page 315

14 0789729180 Pt 3 10/21/03 2:37 PM Page 316

Managing Non-Notes andNotes Clients

Terms you’ll need to understand:✓ Smart Upgrade kits✓ Incremental installers✓ Policy documents✓ HTTP server task

Techniques you’ll need to master:✓ Applying policy documents to new users✓ Setting up browser clients✓ Setting up version reporting and updating client software

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

12

15 0789729180 CH12 10/21/03 2:35 PM Page 317

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 12318

Lotus has provided multiple options for accessing the Domino server. Userscan access the server by using a Domino client or by using a Web browser ifthe Domino designer has Web-enabled the application. This chapter dis-cusses accessing the server using a Web browser.

Applying Policy Documents to NewUsersA policy document is a form that is used to define a set of standards and set-tings. Domino policy documents are used to regulate how users can access thesystem and perform specific functions. Policy documents are applied to newusers when they are registered. Policy documents can be changed after theyare assigned and will then be applied to all policy users.



➤ Archiving—Defines policy settings related to the user’s ability to archivemail.





Types of Domino policies available are

➤ Explicit policies—Use this type of policy when specific groups or users inthe organization need specific access; explicit policies define their access.Use this policy when making changes to users already defined in thedomain.

➤ Organizational policies—Use this type of policy when specific settings arerequired for users in a specific organization.

15 0789729180 CH12 10/21/03 2:35 PM Page 318

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing Non-Notes and Notes Clients 319

Setting Up Browser ClientsBrowser users access the Domino server using one of the following approvedInternet clients:

➤ Microsoft Explorer 5.5 or greater

➤ Netscape Navigator 4.7 or greater

To allow browser clients to access the server, the following steps must be per-formed by the Domino administrator:

➤ The HTTP server task must be running on the server. Make sure thatHTTP is either configured to launch in the Notes.ini file or is manuallyloaded using the “Load HTTP” command at the console.

➤ Decide how users will find the server with the browser client. Using aTCP/IP address is discouraged; the maintenance required to informusers when an IP address has changed is time-consuming and prone toerrors. Establish a defined DNS name and provide the address to theusers for server access. Select the type of access you will require forusers, HTTP or HTTPS, and configure it as required.

➤ Using the Administrator client, open and configure the following docu-ments:

➤ Web Server Configurations—Verify that the Basics tab is correctlyconfigured with all domain and Internet information pertinent toyour network infrastructure requirements.

➤ Internet Sites—Select Web, IMAP, POP3, LDAP, SMTP Inbound,or IIOP types to configure, based on the requirements of the com-munications protocol in place for the Internet site.

➤ File Identifications—Edit as needed; this is similar to Windows filetype association.

➤ Edit user’s Internet password in their Person document as needed. If theuser does not have an Internet password, create one. If a password existsand the user does not know it, change the password and inform the userof the new password.

When studying for the exam, make sure that you are aware of the browser require-ments as well as the protocols that are available for setting up the server. Be certain tospend time actually examining the configuration documents and how they can be setup based on the requirements of the deployment. The author has attempted to capturethe information that could be presented regarding configuring a server for HTTPaccess, but based on the complexity of the configurations, real-world experiences insetting up various configurations are important aids to preparing for the exam.

15 0789729180 CH12 10/21/03 2:35 PM Page 319

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 12320

Setting Up Version Reporting andUpdating Client SoftwarePolicy documents and configuration documents can also be used to updateworkstation clients and provide version control. IBM Lotus Notes SmartUpgrade monitors users as they log in and then alerts users when an upgradeis available. As client upgrades become available, Smart Upgrade will instructthe user that they need to upgrade their client software and guide themthrough the process. The following steps allow an administrator to use theSmart Upgrade utility:

1. Create a database with the Domino Administrator client using thedatabase template Smupgrade.ntf.

2. Complete the Smart Upgrade Database Link field on the Basics tab ofthe server configuration document, specifying the database name.

3. Smart Upgrade kits, or incremental installers, are available at the LotusDeveloper Domain Web site. The kits are used by administrators toallow users to update their Domino workstation client to a more cur-rent version than they are currently running. The first step in makingthe kit available to users is to download the latest available kit and saveit to the server.

4. After downloading and extracting the file, create a Smart Upgradedatabase using the supplied template. In the Smart Upgrade database,create and configure a kit document and attach the upgrade kit usingthe paperclip icon on the Data tab.

5. Open the desktop policy settings document and modify the Basics tab,specifying the client release version to upgrade and the upgrade dead-line date. If necessary, modify a master policy document that will assignusers and groups to the desktop policy document.

After these steps have been completed and a user accesses his home server,the Smart Upgrade utility checks the client version that accessed the serverand compares it with the release version specified in the kit document of theSmart Upgrade database. If all conditions are met regarding security restric-tions, the user is prompted to upgrade the client. If a user refuses to upgradethe client and the grace period is reached, an Update Now button appearsand the client must be upgraded or access to the server is denied.

15 0789729180 CH12 10/21/03 2:35 PM Page 320


To prepare for possible exam questions related to the Smart Upgrade utility and kitdocuments, take time in your development environment to download the files andrun an upgrade. At a bare minimum, download the files and read the documentationrelated to the steps and processes involved in running the utility and study thesesteps.

15 0789729180 CH12 10/21/03 2:35 PM Page 321

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 12322

Exam Prep Questions

Question 1

What version of Domino is required for clients and servers to participate in pol-icy documents deployment?

❍ A. 5.x only

❍ B. 6.x only

❍ C. 3.x or greater

❍ D. 4.7 or greater

Answer D is correct. All clients and servers participating in policy documentdeployment must be running a minimum of version 4.67a or greater ordirectory replication errors will occur. However, not all policies will workwith clients not running version 6, so testing is required to ensure compati-bility.

Question 2

What database template is used to create the Smart Upgrade database?

❍ A. Upgrade.ntf

❍ B. Datakit.ntf

❍ C. StdNotesKits.ntf

❍ D. Smartkit.ntf

Answer C is correct. The template used for the Smart Upgrade database isSmupgrade.ntf.

Question 3

What is another name for the Smart Upgrade kit?

❍ A. Upgrade deployment database

❍ B. Incremental installer

❍ C. Smart kit installer

❍ D. Client maintenance release

15 0789729180 CH12 10/21/03 2:35 PM Page 322


Answer B is correct. Smart Upgrade kits are also known as incrementalinstallers.

Question 4

What is the purpose of the archiving policy?

❍ A. Automatically backs up mail across the entire domain

❍ B. Allows an assigned delegate to back up another user’s mailbox

❍ C. Defines policy settings related to a user’s ability to archive mail

❍ D. Saves copies of all system documents in a central storage database toassist with disaster recovery

Answer C is correct. Archiving defines policy settings related to the user’sability to archive mail.

Question 5

What happens if the grace period during which a user can upgrade his or herclient expires?

❍ A. Nothing, the user can continue to operate as before, but only has read-er access.

❍ B. The user is refused access to the server.

❍ C. The server shuts down as a security control to prevent unsecured access.

❍ D. The user is presented with an Update Now button and must select itbefore they can proceed.

Answer D is correct. If a user refuses to upgrade the client and the grace peri-od is reached, an Update Now button appears. The client must be upgradedor access to the server is denied.

Question 6

When setting up the server to allow Internet browser access, which of the fol-lowing fields is valid on the Internet Sites tab?

❍ A. IIS

❍ B. NNTP

❍ C. MMC

❍ D. IMAP

15 0789729180 CH12 10/21/03 2:35 PM Page 323

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 12324

Answer D is correct. Web, IMAP, POP3, LDAP, SMTP Inbound, or IIOPare the available fields to configure on the Internet Sites tab.

Question 7

How is the upgrade kit added to the Smart Upgrade database?

❍ A. Using explicit policy documents

❍ B. Using the Update task

❍ C. Using the paperclip icon on the Data tab

❍ D. Installing and running a setup program available for download atwww.notes.net

Answer C is correct. In the Smart Upgrade database, you create and config-ure a kit document and attach the upgrade kit using the paperclip icon on theData tab.

Question 8

Which server process must be running in order for Web clients to access theserver?

❍ A. Fixup

❍ B. Compact

❍ C. HTTP

❍ D. Web loader

Answer C is correct. The HTTP task must be running on the server.

15 0789729180 CH12 10/21/03 2:35 PM Page 324




15 0789729180 CH12 10/21/03 2:35 PM Page 325

15 0789729180 CH12 10/21/03 2:35 PM Page 326

Setting Up ServerMonitoring

Terms you’ll need to understand:✓ EVENTS4.NSF✓ STATREP.NSF✓ Event Monitor✓ Agent view✓ Log_AgentManager✓ Event generators✓ Event handlers✓ Agent logging

Techniques you’ll need to master:✓ Creating event generators✓ Creating event handlers✓ Enabling agent logging✓ Identifying mechanisms for collecting server information✓ Starting the Statistics Collectors task

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

13

16 0789729180 CH13 10/21/03 2:49 PM Page 327

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 13328

Creating Event GeneratorsEvent generators are used to gather information about tasks or statistics on theserver using probes defined by the administrator. Domino uses events todetermine when a server task is in need of attention. The databaseEVENTS4.NSF is used to define which system tasks will be monitored andat what point a system alarm is generated. The Domino administratordefines the threshold state for each event. The Event Monitor watches thesystem and sends events to the database as they occur. When the thresholdis reached, the action that is defined for that event is executed. If an eventtakes place and no event generator is defined, no action takes place. TheEvent Monitor loads automatically when the server starts.

In previous versions of Domino, the Event Monitor was known as the Event task.

Event generators can be defined to monitor the following:

➤ Database—Database space and access as well as replication history aremonitored. ACL changes are also recorded.

➤ Domino server—Network health, including port status, is monitored.

➤ TCP server—TCP services are monitored and statistics are generatedreporting response time for the running services. The time is recordedin milliseconds.

➤ Mail routing—Statistics are reported stating the time required to route amail message. The time is recorded in seconds.

➤ Statistics—Specified Domino statistics are monitored.

➤ Task status—Specified Domino tasks are monitored.

Be sure that you know and understand all the event generators and event handlersavailable to the administrator. One or more of them will probably be addressed in theexam and they are key to troubleshooting and tuning system performance.

16 0789729180 CH13 10/21/03 2:49 PM Page 328

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Setting Up Server Monitoring 329

Creating Event HandlersEvent handlers are used to determine what task will occur when an event istriggered. EVENTS4.NSF includes predefined events that can be used tomonitor the server, but the most efficient use of the handler task is when anadministrator defines events specific to the domain they are monitoring. Anadministrator may decide to just log events and then maintain them weekly,or he may decide to be alerted immediately when an event occurs so that hecan resolve the issue.

The EVENTS4.NSF database includes a wizard that assists administratorsin creating the following event handlers:





Event handlers can also be created by using the Domino Administrator, nav-igating to the Configuration tab, and selecting the MonitoringConfiguration, Event Handler view. Each event has a Basics, Event, andAction tab that must be completed.

Enabling Agent LoggingIf a database contains agents, it has a view called the Agent log. The purposeof this view is to show the last time an agent ran and if there were errors orif the agent was successful. To view the Agent log, select View, then Agentsfrom the menu to see the Agent view. The Agent view lists the agents in a sin-gle location so that the administrator can verify that the correct agents areenabled and defined on the system. Right-click the agent, and select log fromthe menu to see the run history. Agent logging can be enabled for theLOG.NSF database by including the Log_AgentManager setting in theNotes.ini file. The miscellaneous view in the server log may also have mes-sages detailing problems that agents are experiencing. This allows agent

16 0789729180 CH13 10/21/03 2:49 PM Page 329

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 13330

results to be recorded in the LOG.NSF database as well as displaying resultson the server console.

The following commands can be issued at the server console to assist inagent troubleshooting:

➤ Tell amgr schedule—Displays the agent schedule. Administrators cancheck the agents that are scheduled to run and reschedule them for adifferent time when the server is not overloaded with requests toimprove server performance.

➤ Tell amgr status—Displays an agent status report. The status report per-mits administrators to determine if agents are running properly and ifthey are executing at the proper time.

➤ Tell amgr debug—Displays the agent debug setting. This setting allowsadministrators to examine the debug settings used to troubleshoot fail-ing agents.

Identifying Mechanisms forCollecting Server InformationIn addition to event generators and event handlers, Domino provides othermethods that allow an administrator to gather information about the healthof a server. For instance, executing a show server command from the serverprompt on a test server displays the following information:

Server name: R6Test/R6TestOrg—R6Test

Server directory: C:\r6server\data

Partition: C.r6server.data

Elapsed time: 21:57:45

Transactions/minute: Last minute: 0; Last hour: 0; Peak: 86

Peak # of sessions: 2 at 07/26/2003 02:28:55 PM

Transactions: 357 Max. concurrent: 20

ThreadPool Threads: 40

Availability Index: 100 (state: AVAILABLE)

Mail Tracking: Not Enabled

Mail Journaling: Not Enabled

Shared mail: Not Enabled

Number of Mailboxes: 1

16 0789729180 CH13 10/21/03 2:49 PM Page 330


Pending mail:0 Dead mail: 0

Waiting Tasks: 0

Transactional Logging: Not Enabled

Fault Recovery: Not Enabled

Activity Logging: Not Enabled

Server Controller: Enabled

This is a typical example of tasks running on a new server with the defaulttasks running. This list can vary based on the tasks that have been launchedby server tasks or manually by an administrator.

Server information can also be found in various databases on the server,including these

➤ Domino log

➤ Statistics database

➤ Events database

Tools available on the server to provide information on demand include

➤ Server monitor

➤ Mail-in statistics

➤ Paging

Starting the Statistics CollectorsTaskStatistics are gathered on the Domino server using the Statistics Collectortask. In previous versions of Domino, this was known as the Collector task,but it still functions in the same manner. The Collector task can gather datafor a single server or multiple servers in the domain. The default databaseused by the Collector task is STATREP.NSF.

Using the Administrator client, select the Configuration tab and follow thesesteps to create a Server Statistic Collection document:

1. Select the Server Statistic Collection view in the MonitoringConfiguration panel.

2. Select the server and then click New Statistics Collection.

16 0789729180 CH13 10/21/03 2:49 PM Page 331

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 13332

3. Select the Collecting server on the Basics tab and then select the serverto be collected. The valid selections are

➤ All servers in the domain.

➤ All servers that are not explicitly listed to be collected.

➤ “From the following servers” multiple servers can be selected withthis view.

4. Select the Options tab. This page allows the administrator to definewhich database will be used to collect the statistics, the interval andalarm time, and the available filters.

5. Click Save & Close after configuration is complete.

Lotus has provided events, agent logging and monitoring, and statistics gathering astools to assist an administrator in troubleshooting server and performance issues.When studying for the exam, be sure that you are aware of the options available andhave created event handlers in your development environment.

16 0789729180 CH13 10/21/03 2:49 PM Page 332


Exam Prep Questions

Question 1

Which database is used to define the system tasks that are monitored?

❍ A. LOG.NSF

❍ B. STATREP.NSF

❍ C. EVENTS4.NSF

❍ D. R6EVENTS.NSF

Answer C is correct. The database EVENTS4.NSF is used to define whichsystem tasks will be monitored and at what point a system alarm is generated.

Question 2

Which database is used by the Collector task?

❍ A. DOMLOG.NSF

❍ B. COLLECT.NSF

❍ C. STATREP.NSF

❍ D. STATCOLLECT.NSF

Answer C is correct. The default database used by the Collector task isSTATREP.NSF.

Question 3

What does the command Tell amgr schedule perform?

❍ A. Generates an agent schedule diagram

❍ B. Displays the agent schedule

❍ C. Tells the agent manager to shut down as scheduled

❍ D. Clears the agent schedule and resets the counters

Answer B is correct. The command Tell amgr schedule displays the agentschedule.

16 0789729180 CH13 10/21/03 2:49 PM Page 333

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 13334

Question 4

Which of the following selections can be monitored by event generators?Choose all that apply.

❑ A. User client versions

❑ B. Database space

❑ C. Network health

❑ D. Domain search index age

Answers B and C are correct. Database space and access, replication history,and network health, including port status are monitored.

Question 5

What Notes.ini setting must be set to enable agent logging in the LOG.NSF data-base?

❍ A. AGENT_Logging=True

❍ B. Log_AgentEnable

❍ C. Agent_Manager=1

❍ D. Log_AgentManager

Answer D is correct. Agent logging can be enabled for the LOG.NSF data-base by including the Log_AgentManager setting in the Notes.ini file.

Question 6

What does the command Tell amgr status do when executed at the serverprompt?

❍ A. Routes all administrative mail to the Adminmail.box database

❍ B. Displays an agent status report

❍ C. Stops the agent manager status task

❍ D. Instructs the agent manager to poll all servers for user login status

Answer B is correct. When the command Tell amgr status is executed at theserver prompt, an agent status report is displayed on the screen.

16 0789729180 CH13 10/21/03 2:49 PM Page 334


Question 7

Which of the following system tasks is used to collect statistics?

❍ A. StatCollect task

❍ B. Collection task

❍ C. Statistics Collector task

❍ D. Statrep Demand task

Answer C is correct. Statistics are gathered on the Domino server using theStatistics Collector task.

Question 8

What is the purpose of the Troubleshooting Wizard?

❍ A. Identifies common configuration errors in the EVENTS4.NSF database

❍ B. Identifies common configuration errors in the STATREP.NSF database

❍ C. Suggests problem resolutions for the LOG.NSF database

❍ D. Analyzes white space errors in database and informs administratorswhen to execute the compact command

Answer A is correct. The Troubleshooting Wizard identifies some commonconfiguration errors in the EVENTS4.NSF database and suggests possibleresolutions.

16 0789729180 CH13 10/21/03 2:49 PM Page 335

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 13336



16 0789729180 CH13 10/21/03 2:49 PM Page 336

Managing ServersTerms you’ll need to understand:✓ Transaction logging✓ Activity logging✓ Policy documents✓ Administrator access✓ Network names✓ Directory deployment configurations

Techniques you’ll need to master:✓ Analyzing activity data✓ Applying policy documents to existing users✓ Automating server tasks✓ Changing administrator access✓ Changing server access✓ Configuring Domino network names✓ Creating security policies✓ Decommissioning a server✓ Defining a backup process✓ Defining Domino domains✓ Enabling transaction logging✓ Identifying a registration server✓ Identifying supported protocols✓ Implementing distributed and centralized directories✓ Recertifying a server ID✓ Searching for server references in a domain✓ Setting up authentication with other Domino organizations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

14

17 0789729180 CH14 10/21/03 2:41 PM Page 337

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14338

Analyzing Activity DataThe key to analyzing data on a Domino server is the ability to log the infor-mation. This process is known as activity logging. To set up activity loggingon the Domino server, follow these steps:

1. Select the Configuration tab on the Domino Administrator.

2. Select the Server tab and select Configurations in the task pane. SelectEdit Configuration in the results pane to open the document.

3. Open the Activity Logging tab and select the Activity Logging IsEnabled check box to open the selection criteria available for theActivity Logging tab.

4. Select the enable logging type to be logged. Valid selections include

➤ Domino.AGENT

➤ Domino.HTTP

➤ Domino.IMAP

➤ Domino.LDAP

➤ Domino.POP3

➤ Domino.SMTP.Session

➤ Domino.SMTP.Message

➤ Domino.Notes.Database

➤ Domino.Notes.Passthru

➤ Domino.Notes.Session

➤ Domino.REPLICA

➤ Domino.MAIL

5. Select a time for the checkpoint interval (choose either LogCheckpoint at Midnight or Log Checkpoint for Prime Shift).

If Log Checkpoint at Midnight is selected in step 5 of the procedure for setting upactivity logging on the Domino server, the session activity for the selected options willbe added to the log at midnight. If Log Checkpoint for Prime Shift is selected, the ses-sion activity for the selected options will be logged at the start and the end of the workshift.

17 0789729180 CH14 10/21/03 2:41 PM Page 338

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing Servers 339

6. Select the Activity Trends tab, and then select the Basics tab (seeFigure 14.1).

7. In the Activity Trends Basic Configuration section, select the EnableActivity Trends Collector check box.

8. In the Activity Trends Collector Database path, enter the name of thedatabase to be used. The default name is ACTIVITY.NSF.

9. Enter the time to run the task in the Time of Day to Run ActivityTrends Collector field.

10. Select the days of the week to run the task.

11. In the Activity Trends Data Profile Option section, “Use Defaults” isselected by default. Deselecting the Use Defaults check box providesthe following options:

➤ Trends Cardinal Interval

➤ Observation Time Bucket Seconds

➤ Maximum Observation List Size

➤ Trends History Interval

Figure 14.1 The Activity Trends tab is used to determine when the collector will gather information.

17 0789729180 CH14 10/21/03 2:41 PM Page 339

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14340

12. Select the Retention tab. To change the default retention period, dese-lect the Use Defaults check box and change the retention time.

13. Select the Proxy Data tab. A free form box is available to enter a list ofdatabases that can be searched for activity data when requested byAdministrator clients.

14. Click Save & Close when all selections have been made.

After the document has been saved, navigate to the Server tab in theAdministrator client, navigate to the Analysis tab, and select Analyze fromthe Tools pane on the right. After the Analyze tab has been opened, selectActivity to open the Server Activity Analysis dialog box (see Figure 14.2).Select the activity types to log (all are selected by default) and the start andend dates. The final step is to select the log database (if you plan to use any-thing except for the Activity Analysis database). Click OK to save yourchanges. The Activity Analysis database opens automatically so that collect-ed data can be viewed.

Figure 14.2 The Server Activity Analysis dialog box is used to select the activity types to log.

Policy documents make management of the Domino domain easier and provide con-sistency when multiple administrators are involved. Be sure that you understand howpolicy documents are created and the types available when studying for the exam.

17 0789729180 CH14 10/21/03 2:41 PM Page 340


Applying Policy Documents toExisting UsersPolicy documents are used to regulate how users can access the system and per-form specific functions. Policy documents can be changed after they areassigned and the modified documents will then be applied to all policy users.



➤ Archiving—Defines policy settings related to a user’s ability to archivemail.

➤ Desktop—Enforces consistent client settings. If a client setting ischanged and then the workstation logs out of the server, the settings arereset the next time the user logs into the server.




Types of Domino policies to consider include

➤ Explicit policies—Use this type of policy when specific groups or users inthe organization need specific access; explicit policies define their access.Use this policy when making changes to users already defined in thedomain, such as when making changes to groups.

➤ Organizational policies—Use this type of policy when specific settings arerequired for users in a specific Organizational Unit (OU), such as whenmaking changes to a department.

Policies can be assigned to existing users by editing the Person document. Tochange policies, a user’s ACL level needs to be set to at least Editor, orAuthor level with the UserModifier role assigned. Navigate to theAdministration tab and complete the Policy Management section to assignpolicies to the user. Click Save & Close to update the Person document.

17 0789729180 CH14 10/21/03 2:41 PM Page 341

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14342

Policies can also be added to users and groups by using the Administratorclient. Select the People & Groups tab and under the Tools pane, selecteither People or Groups and click Assign Policy. Make the desired changesand then click OK to make the change.

Automating Server TasksServer tasks can be automated in one of two ways, either by assigning themin the Notes.ini file to run when the server starts or by creating a programdocument. Compacting databases or running system utilities are examples ofprograms used in Program documents. To create a Program document, openthe Domino Administrator and navigate to the Configuration tab. SelectServers, Programs, and select Add Program. Complete these fields on theBasics section of the Basics tab:

➤ Program Name

➤ Command Line

➤ Server to Run On

➤ Comments (used to assist the administrator to define the purpose of theProgram document)

The Basics tab also has a section where the Schedule is defined. The validfields in this section are

➤ Enabled/Disabled

➤ Run at Times

➤ Repeat Interval of

➤ Days of Week

Select the criteria needed for this document and click Save & Close.Entering Show Schedule at the server prompt shows all tasks, including pro-grams that are enabled on the server.

Lotus has broken the Domino Administrator out from a single user to multiple usersthat have varying access to perform different tasks. To prepare for the exam, studythe different types of administrators and test them in your development environment.

17 0789729180 CH14 10/21/03 2:41 PM Page 342


Changing Administrator AccessDomino allows for multiple levels of administrators. They include

➤ Full access administrator—All levels of access to the system, includingoperating system and Domino system configuration access. This is thehighest level of access available on the Domino system.

➤ Administrator—Access at this level is the same as a database administra-tor and full-console administrator access.

➤ Full console administrator—View-only access to the Domino Console.This level of administrator is not able to make changes to the systemconfiguration.

➤ System administrator—Limited to the restrictions of operating systemadministrator only

Administrator access, or defining how an administrator can change server con-figurations, is set using the Domino Administrator client. Select theConfiguration tab, and then open the Server document. Navigate to thesecurity page and add or change users to groups as needed.

Full access administrators, administrators, and database administrators have fullaccess to delete databases even if they are not explicitly listed as managers in the ACLof the database. Take care when defining these users to ensure that only properlyauthorized users are able to delete databases.

Full access administrators can be prevented from accessing the server byadding the line SECURE_DISABLE_FULLADMIN=1 in the Notes.inifile. This does not act the same as a deny user list, however, and if a user isexplicitly defined in the Domino Directory or a database with specific access,that setting will override the setting in the .ini file.

Options for setting up full access administrators include

➤ Generate a full admin ID file that can only be used by full access admin-istrators.

➤ Generate a certifier ID with OU-level full administrator access and cer-tify users.

➤ Don’t assign anyone and only add users to the Full Access Administratorfield as needed.

17 0789729180 CH14 10/21/03 2:41 PM Page 343

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14344

Changing Server AccessServer access is enabled by completing the information in the Server Accesssection on the Security tab of the Server document. Modification of the fieldson the Security tab allow an administrator to change access to the server.

Available server access control types include

➤ Access Server—This field is used to define users and groups who canaccess the server.

➤ Not Access Server—This field defines users and groups who are prohibit-ed from accessing the server. This field is typically used for users whohave left the company or may have been moved to a different Dominodomain.

➤ Create Database & Templates—This field defines users who can createnew database and template files and can also execute copy commands.

➤ Create New Replicas—This field defines users who can create new replicasof databases or template files.

➤ Create Master Templates—This field defines users who can create mastertemplates. Master templates have a template name defined in the data-base properties. If this field is left undefined, no users will have the abili-ty to create master templates.

➤ Allowed to Use Monitors—This field defines users and groups who arepermitted to use monitors on the server.

➤ Not Allowed to Use Monitors—This field defines users who cannot usemonitors on the server.

➤ Trusted Servers—This field defines which servers can access the server.

Configuring Domino NetworkNamesA Notes named network is a group of servers that have the same networkname and use the same port type to communicate. The network name is used

Understanding how users and servers access the Domino domain is key for anyonestudying to be a certified administrator. As you prepare for the exam, be sure thatyou understand how to change server access and the access control types that areavailable.

17 0789729180 CH14 10/21/03 2:41 PM Page 344


to identify these servers as a group. Domino network names are defined onthe Ports tab of the Server document. To create a Notes named network,complete the information on the Notes Network Ports tab under the NotesNetwork section. The default name for networks is Network1, but this canbe changed during registration or by editing this field. The maximum allow-able networks are 31. Servers in the same Notes network can route mailwithout requiring Connection documents.

Creating Security PoliciesPolicy documents are used to maintain consistent standards in the domain.Security policy documents are used to maintain execution control lists andpassword data on Notes and Internet passwords. Editor access to theDomino directory and PolicyCreator and PolicyModifier roles are requiredto create security policies. To create a security policy, follow these steps:

1. Using the Administrator client, navigate to the People & Groups taband select the Settings view.

2. Select the Add Settings button in the main view and choose theSecurity option from the drop-down list. The Basics tab will now bedisplayed.

3. Complete the Name and Description fields on the Basics tab.

4. Navigate to the Password Management tab. Change these settings asneeded based on the configuration for the server:

➤ Allow users to change Internet password over HTTP

➤ Update Internet password when Notes client password changes

➤ Check Notes password

➤ Enforce password expiration

➤ Required change interval

➤ Allowed grace period

➤ Password history

➤ Required password quality

5. Navigate to the Execution Control List tab and complete these steps asrequired for the specific server configuration:

➤ Admin ECL—Select Edit to used a predefined Admin ECL settingor select New to create a new set of criteria to be used.

17 0789729180 CH14 10/21/03 2:41 PM Page 345

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14346

➤ Update Mode—Choose Refresh or Replace.

➤ Update Frequency—Choose When Admin ECL changes, Once Daily,or Never.

6. Complete the desired changes, and then click Save & Close to save thedocument.

Decommissioning a ServerA server is decommissioned when it is no longer needed in the domain orwhen the users and databases are being consolidated to another server andthe server is being permanently retired. Domino uses a tool called theDecommission Server Analysis tool to assist administrators in determiningthe impact on removing a server from the domain. When the tool is run, adatabase is generated that compares the existing server with the new server,so that the administrator has an idea what needs to be changed on the newserver to guarantee a smooth transition. However, the database is meant tobe a starting point and should not be considered an all-inclusive guide for allpoints that should be considered when using the tool.

For the Decommission Server Analysis tool to operate, both servers must bein the same domain and their hierarchical names must be consistent.

You must properly prepare for the server decommissioning process. Beforedecommissioning a server, be certain you have taken care of the followingitems:

➤ Make sure that system backups are complete and verified.

➤ Verify that database formulas do not have explicit server reference infor-mation.

➤ Update configuration information in the directory that may have theexisting server name defined in it, such as Connection and Program doc-uments.

➤ Document all cross certificates and make sure that all certifier IDs areavailable to cross certify the new server.

➤ If the existing domain has Connection documents to external domains,be certain to notify the other domain administrators of the plannedchange.

➤ Notify users of the change.

➤ Verify that all protocols and named networks are set up correctly.

17 0789729180 CH14 10/21/03 2:41 PM Page 346


➤ Be certain that both servers contain matching databases with the samereplica ID.

➤ Verify that all mail routing configuration information is correct and inplace.

When you have verified that all of the preceding tasks have been performed,you can run the Decommission Server Analysis tool.

Be sure that administrator access is properly defined on both the source and targetservers. If the access is not defined properly, the decommission process may fail orthe report may not contain the correct information.

Complete the following steps to run the Decommission Server Analysis tool:

1. Using the Administrator, select the Server tab and then choose theAnalysis tab.

2. Navigate to the Tools pane and Analyze tab. Select DecommissionServer.

3. A dialog box appears. Verify that the source server to be commissionedis correct.

4. Select the target server that will replace the existing server.

5. The default name for the Results database is DECOMSRV.NSF. If thename of the database needs to be changed, select the Results Databasebutton and select a new database.

6. The default setting for writing to the database is Append. Using thissetting, if an existing database is in place, the tool will write the infor-mation to the end of the database. If Overwrite is selected, new resultswill be created and the previous information will be deleted.

7. Select OK to use these settings and continue with the analysis.

When the tool has completed the analysis, the database should open to theReports view. Examine the reports and correct any discrepancies beforecompleting the decommissioning of the server.

Defining a Backup ProcessDomino is versatile in that it provides two ways to back up your data. Thetypical method of backups can be used, such as tape or digital media, or

17 0789729180 CH14 10/21/03 2:41 PM Page 347

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14348

transaction logging can be used. When using a traditional version of backingup the server, you should consider the following:

➤ Verify that the backup utility can back up open files. Domino keeps theLOG.NSF,NAMES.NSF,MAIL.BOX, and the server ID file open at alltimes. If the backup software being used will not backup open files, cre-ate a Program document that will stop the server, run the backup rou-tine, and then restart the server to make sure these files are archived.

➤ Keep an archived version of the server ID file, administrator ID files,and all certifier IDs stored in a secure location.

➤ Maintain an up-to-date copy of the Domino Directory on a local work-station.

Defining Domino DomainsDomains are defined by creating Domain documents. Multiple documenttypes are available based on the requirements needed to route mail. The fol-lowing types of documents are available:

➤ Adjacent domain document—This document is used to route mail betweenservers that are not in the same Notes named network.

➤ Nonadjacent domain document—This document serves three functions:

➤ Supplies next-hop routing information to route mail

➤ Prohibits mail from routing to the domain

➤ Provides Calendar server synchronization between two domains

➤ Foreign domain document—This document is used for connectionsbetween external applications. A typical application used is a fax or pagergateway.

➤ Foreign SMTP domain document—This document is used to routeInternet mail when the server does not have explicit DNS access.

➤ Global domain document—This document is used to route mail toInternet domains. Configuration information regarding message conver-sion rules are defined in the document.

17 0789729180 CH14 10/21/03 2:41 PM Page 348


Enabling ProtocolsDomino supports various protocols that are enabled on the Ports tab of theserver document. The following protocols can be enabled:

➤HTTP—Used for Web access

➤ IIOP—Used to allow Java code to run on the server

➤ LDAP—Used for addressing services

➤ POP3—Used to access Internet mail, typically used by clients such asNetscape Navigator

➤ IMAP—Used to access Internet mail, typically used by clients such asMicrosoft Outlook

➤SSL—Used to provide data encryption and security

Select a protocol based on the intended use when changing the Server doc-ument settings.

Enabling Transaction LoggingTransaction logging is available for Domino servers running release 5 or laterand databases using release version 5 or later On Disk Structure (ODS).Database changes are sent to a transaction log database and then written laterto the target database. Transaction logging offers benefits for the followingsystem activities:

➤ Backup throughput is increased because transaction logs back up quickerthan normal databases.

➤ Disaster recovery is more complete in that data that was stored in thetransaction log can be supplemented to the full system recovery so datais not lost. Data that is stored in the transaction log file is written to thedatabase when the log file is recovered from tape.

➤ Database views are stored in the log file so database views may not needto be rebuilt.

Although transactional logging is a form of backup, it does not replace a true archiv-ing system, such as tape or optical media. In the event of a server crash, full systembackups will be needed to recover. In addition, special backup software is requiredthat specifically backs up the transactional log, so make sure that it is supported bythe software vendor.

17 0789729180 CH14 10/21/03 2:41 PM Page 349

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14350

Transactional logging also creates a unique database instance ID (DBIID) foreach database. When transactions are added to the log, the DBIID is assignedso that the source database can be recorded. DBIID tags are assigned at thefollowing times:

➤ The first time transaction logging occurs

➤ In some instances when the Compact task is executed, such as reducingfile size

➤ When fixup is used to correct a corrupted database

➤ When a database is moved to a server using transaction logging

Transaction Logging VersionsYou can choose from three different versions of transaction logging, includ-ing Circular, Linear, and Archived. Here are descriptions of each of thesetransaction logging versions:

➤ Circular—This version of logging uses up to 4GB of disk space and thenbegins writing over the oldest log information in the database. Thetransaction log database should be backed up daily using this deploymentversion.

➤ Linear—This version of logging is similar to circular logging, but can usemore than 4GB of disk space.

➤ Archived—This version of logging creates transaction logs as needed.Log files are not overwritten; they are archived. Ensure that the logs arebeing backed up regularly or the server might run out of disk space

Implementing Transaction LoggingTransaction logging needs to be properly planned before it can be imple-mented. Steps to complete before implementing transaction logging include

➤ Make sure the server hardware is properly configured. Use a disk arraywith at least RAID 1 support and a dedicated disk controller.

➤ Define a backup plan and use software that supports Domino serversrunning transaction logging.

➤ Plan to use logging on all available databases, but remember that only data-bases using the R5 ODS or later will be able to use transaction logging.

➤ Decide which version of logging to use (Circular, Linear, or Archived).

17 0789729180 CH14 10/21/03 2:41 PM Page 350


To set up transaction logging on the server, follow these steps:

1. Using the Domino Administrator, select the Configuration tab, selectthe Server document, and then click Edit Server Document.

2. Select the Transactional Logging tab.

3. In the Transactional Logging field, select either Enabled or Disabled.

4. In the Log Path field, enter the explicit path to the transaction logdatabase.

5. In the Logging Style field, select either Circular, Linear, or Archived.

6. The default selection for the Use All Available Space On Log Device isNo. If you use the default selection, in the Maximum Log Space field,enter the amount of space in megabytes to be used for the transactionlog database.

If you select Yes in the Use All Available Space On Log Device field,the next option, Maximum Log Space, is removed as a valid selection.

7. Choose Enabled or Disabled in the Automatic Fixup Of CorruptDatabases field. If Automatic Fixup is not enabled, administrators willneed to manually perform database maintenance when errors occur.

8. In the Runtime/Restart Performance field, choose from the validoptions in the drop down menu: Favor Runtime, Standard, and FavorRestart Recovery Time.

9. In the Quota Enforcement field, choose from these valid options:

➤ Check Space Used in File when Adding a Note

➤ Check Filesize when Extending the File

➤ Check Filesize when Adding a Note

10. Select Save & Close to start transaction logging.

Identifying a Registration ServerDomino uses a Registration server to define changes made to the Directoryand then replicates the changes to all servers in the domain. By using a sin-gle instance of the Directory for all changes, consistency is maintainedthroughout the domain.

17 0789729180 CH14 10/21/03 2:41 PM Page 351

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14352

A registration server is defined using the Administrator client. To do so, fol-low these steps:

1. Click the File menu and select Preferences.

2. Select Administration Preferences from the submenu.

3. From the available selections, click Registration. This tab allows anadministrator to select a registration server.

4. Select the Registration Server button.

5. Select the server to be used as the registration server and click OK.Click OK again to close the Administration Preferences dialog box.The registration server is now set.

Implementing Distributed andCentralized DirectoriesDomino provides multiple options when presenting directories in thedomain. The key point to remember is that the Domino Directory isaccessed by all users as well as servers, so care should be taken to ensure thatuser and server access is optimized for the best throughput. Three ways toprovide directory access are

➤ Distributed—This method assumes that each server has a replica copy ofthe directory on each server in the domain. This method is optimalwhen many users are on the network or the communications infrastruc-ture may have many points of congestion.

➤ Centralized—This method uses the administration server as the centralpoint for the directory and configuration directories. Configurationdirectories host Server, Connection, and Configuration Setting docu-ments. Typically, a second server also has these directories for disasterrecovery purposes in the event that the registration server fails.

➤ Hybrid—This method uses a combination of distributed and centralized.Local users may use the centralized directory, whereas remote userswould have a local copy of the directory on their server so that band-width would not be an issue.

17 0789729180 CH14 10/21/03 2:41 PM Page 352


Recertifying a Server IDPeriodically, certificates associated with a server ID expire. When thisoccurs, the ID needs to be recertified. To recertify a server ID, the adminis-trator must have either Author access to the Domino directory and theServerModifier role assigned or Editor access to the directory. In addition,the administrator must have Author access or greater to the certification log.The following steps allow a server ID to be recertified:


2. Open the Certification tab under the Tools pane and select Certify; theChoose a Certifier dialog box appears.

3. Click the Server button to select the Registration server and click OK.

4. In the Registration Server dialog box, choose an option to determinehow you will register the server. The options include

➤ Supply Certifier ID and Password—If you choose this option, a filenavigation box appears. This option is used if a certifier ID is usedto authorize access to the domain. Navigate to the required certifierid and select OK.

➤ Use the CA Process—This option allows the administrator to recertifythe ID without having access to the certifier ID or the certifier pass-word, by using a Certificate Authority (CA), instead. If you choosethis option, use the drop-down box it provides to select a CA-configured certifier from the ones available on the server.

5. After you’ve selected one of the two options, click OK. If SupplyCertifier ID and Password is chosen, a dialog box appears requiring thecertifier password. Enter the password and click OK to continue.

6. A file navigation box appears prompting for the ID to be certified.Select the server’s ID file and click OK; the Certify ID dialog boxappears.

7. In the Expiration Date field, choose a setting to determine when theserver will need to be recertified. The default time is two years, but canbe changed as needed.

8. In the Subject Name List field, type a common name for the ID ifdesired (this field is optional). This is used to identify the user in theDirectory.

17 0789729180 CH14 10/21/03 2:41 PM Page 353

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14354

9. In the Password Quality field, use the slide bar to determine the quali-ty of password security to assign to the ID file. The default location ofthe slider is to the extreme left, which is No Password and a value of 0.Sliding the bar to the extreme right forces a very strong password anda value of 16. Although it is true that this is optimal for servers, eachtime the server is loaded, a password will be required at the consolebefore the server will start.

10. Select Certify to continue and recertify the ID; a dialog box appearsasking if the administrator wants to certify another ID.

11. Select Yes to certify more IDs or No to exit the certification process.

Searching for Server References ina DomainDomino provides the ability to search for files across multiple servers usinga tool called Domain Search. Database information that is searchableincludes documents, files, and file attachments.

Setting up Domain Search requires a server to be designated as the indexingserver. This server creates a master index that contains all of the results fromsearch queries run in the domain. The database that is used by DomainSearch is Domain Catalog. The databases in the domain are then searchedby the indexing server using a search spider. Based on the size of the domain,this task could take a few hours, a few days, or a few weeks.

Indexing is an intensive task and proper consideration should be taken tomake sure that the indexing server is adequately configured to handle thework. Multiple processors, disk arrays with high-speed access, and largeamounts of RAM are recommended for the indexing server. Lotus recom-mends a dedicated indexing server if more than six servers in the domain willbe participating in the Domain Search, but use this as a “rule of thumb” onlybased on the configuration of the domain. When a user’s search is per-formed, the indexing server accesses the Domain Catalog and returns searchresults that are valid based on the user’s access restrictions.

Proper planning is the most important consideration when setting up the DomainSearch. Indexing unnecessary files, such as Administration Requests databases, cat-alogs, and libraries, adds no value to the search and wastes space.

17 0789729180 CH14 10/21/03 2:41 PM Page 354


When setting up the Domain Search program, set the search spider to runat a time when server use is low, typically at night.

Follow these steps to set up the Domain Search:

1. Create the Domain Catalog on the indexing server. Create a new data-base using the CATALOG.NTF as the database template.

2. Using the Domino Administrator, open the Configuration tab andselect the server to be used as the indexing server. Click Edit Server toopen the Server document.

3. Navigate to the Server Tasks tab, choose the Domain Indexer tab, andselect enabled for the Domain Catalog field. In the Limit DomainWide Indexing to the Following Servers field, select the servers to addto the search.

4. Click Save & Close to save the document.

5. This task requires a server restart before it starts. Restart the serverwhen possible and then verify that the Directory Indexer task has start-ed by issuing a show tasks command at the server prompt.

Setting Up Authentication withOther Domino OrganizationsFor Domino organizations to be capable of exchanging data, they must sharea common certificate. This is accomplished by using an organization certifi-er ID file. Cross certifying a user or server ID with an organizational certifi-er guarantees that both IDs have a common certificate. Domino uses twotypes of certifier IDs related to organizations:

➤ Organization certifier ID—The default name for this ID file is CERT.ID.This ID file is created when the server is deployed. This ID typicallyincludes the company name and is the highest point on the hierarchytree.

➤ Organization unit certifier IDs—This level of organizational certifier istypically used to delineate the next level on the hierarchy tree, usuallyidentifying county or department names.

17 0789729180 CH14 10/21/03 2:41 PM Page 355

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14356

Creating a New Organization Certifier IDTo create a new organization certifier ID, follow these steps:

1. Using the Administrator client, select the Configuration tab and openthe Tools pane. Select Registration, and then click Organization fromthe menu; the Register Organization Certifier dialog box appears.

2. Enter the organization name and choose a country code (the latter isoptional).

3. In the Certifier Password field, enter a new password that will berequired when certifying IDs for the new organization.

4. Use the Password Quality slider to determine the quality of passwordsecurity to assign to the ID file. The default location of the slider is tothe extreme left, which is no password and a value of 0. Sliding the barto the extreme right forces a very strong password and a value of 16.Although it is true that this is optimal for servers, each time the serveris loaded, a password will be required at the console before the serverwill start.

5. In the Security Type field, choose North American or International.

6. In the Mail Certification Requests To field, choose Administrator.

7. Optionally, add a location and comments.

8. Click Register to create the new certifier ID.

Creating a New Organizational Unit IDTo create a new Organizational Unit ID, complete these steps:


2. Open the Certification menu selection under the Tools pane and selectOrganization Unit; the Register Organization Certifier dialog boxappears.

3. Click the Server button to select the Registration server and click OK.You are then presented with two options:

➤ Supply Certifier ID and Password—A file navigation box appears whenthis option is selected. Navigate to the required certifier ID andselect OK. If you choose this option, go to step 4.

17 0789729180 CH14 10/21/03 2:41 PM Page 356


➤ Use the CA Process—This option allows the administrator to recertifythe ID without having access to the certifier ID or the certifier pass-word. A drop-down box is provided to allow the administrator toselect a CA-configured certifier from the ones available on the server.

4. If you chose Supply Certifier ID And Password in step 3, a dialog boxappears requiring the certifier password. Enter the password and selectOK; the Register Organizational Unit Certifier dialog box appears.

5. Select the registration server, and then select the certifier ID.

6. Select Set ID file to define the location for the new certifier ID beingcreated.

7. Complete the Organizational field by entering a name for the newOrganizational Unit.

8. Complete the Certifier password field by entering a new password.

9. Use the Password Quality slider to determine the quality of passwordsecurity to assign to the ID file. The default location of the slider is tothe extreme left, which is No Password and a value of 0. Sliding thebar to the extreme right forces a very strong password and a value of16. Although it is true that this is optimal for servers, each time theserver is loaded a password will be required at the console before theserver will start.

10. In the Security Type field, choose North American or International.

11. In the Mail Certification Requests To field, choose Administrator.

12. Optionally, enter a location and/or comments.

13. Click Register to create the new ID file.

17 0789729180 CH14 10/21/03 2:41 PM Page 357

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14358

Exam Prep Questions

Question 1

What role is required for an administrator to be able to recertify a server ID?

❍ A. ID Modifier

❍ B. ServerModifier

❍ C. Server ID Moderator

❍ D. Mod_Ser_Complete

Answer B is correct. To recertify a server ID, the administrator must haveeither Author access to the Domino directory and the ServerModifier roleassigned or Editor access to the directory.

Question 2

Which of the following are valid options available when setting up activity log-ging? Choose all that apply.

❑ A. Domino.Agent

❑ B. Domino.IMAP

❑ C. Domino.POP3

❑ D. Domino.SMTP.POP4

Answers A, B, and C are correct. Valid selections available when setting upactivity logging include Domino.AGENT, Domino.IMAP, andDomino.POP3.

Question 3

Which of these configuration types of providing access to the Domino Directoryis valid? Choose all that apply.

❑ A. Circular

❑ B. Distributed

❑ C. Decentralized

❑ D. Hybrid

17 0789729180 CH14 10/21/03 2:41 PM Page 358


Answers B and D are correct. The three valid configuration types to accessthe Domino Directory are Distributed, Centralized, and Hybrid.

Question 4

Which of the following statements is true regarding transactional logging?

❍ A. While transactional logging is enabled, normal system backups are notrequired.

❍ B. Transactional logging is available for all versions of Domino runningversion 4.6.3 or later.

❍ C. Transaction logging requires database ODS version 5 or later.

❍ D. Any user can run transaction logging on their personal mailbox to con-serve disk space.

Answer C is correct. Transaction logging is available for Domino serversrunning release 5 or later and databases using release version 5 or later ODS.

Question 5

What steps can be taken in the Notes.INI file to prohibit Full access administra-tors from accessing the server?

❍ A. Add the line SECURE_ADMINSTRATOR_LOGIN=1.

❍ B. Encrypt the NOTES.INI file with private key encryption.

❍ C. Delete the Catalog task from the Server@Run list.

❍ D. Add the line SECURE_DISABLE_FULLADMIN=1.

Answer D is correct. Adding the line SECURE_DISABLE_FULLADMIN=1 in the Notes.ini file tells the server to ignore the FullAdministrators field in the Domino Directory and explicit access for fulladministrators will need to be defined in database and applications.

Question 6

What versions of transaction logging allows for databases greater than 4GB in size?

❍ A. Spiral

❍ B. Circular

❍ C. Linear

❍ D. Metrical

17 0789729180 CH14 10/21/03 2:41 PM Page 359

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14360

Answer C is correct. Linear transaction logging is similar to circular logging,but can use more than 4GB of disk space.

Question 7

What is the default name of the database used for activity logging?

❍ A. ACTIVITY.NSF

❍ B. COLLECTION.NSF

❍ C. ACTIVITYSTAT.NSF

❍ D. ACTIVITY.LOG

Answer A is correct. The default database name used for activity logging isACTIVITY.NSF.

Question 8

Regarding password quality, which of the following statements are true?Choose all that apply.

❑ A. Password quality is selected by choosing radio buttons with preset lev-els defined.

❑ B. The strongest password selection has a value of 15.

❑ C. Values are set using a slide bar.

❑ D. A value of 0 signifies no password is defined.

Answers C and D are correct. Password quality is set using a slide bar todetermine the quality of password security to assign to the ID file. Thedefault location of the slider is to the extreme left, which is no password anda value of 0. Sliding the bar to the extreme right forces a very strong pass-word and a value of 16.

Question 9

What is the purpose of a Program document?

❍ A. Automation of server tasks

❍ B. Mail routing

❍ C. Database replication

❍ D. File purging

17 0789729180 CH14 10/21/03 2:41 PM Page 360


Answer A is correct. Server tasks can be automated in one of two ways, eitherby assigning them in the Notes.ini file to run when the server starts or bycreating a Program document.

Question 10

What is the purpose of the IIOP protocol?

❍ A. Provide communications channels to IIS servers.

❍ B. Allow java code to run on the system.

❍ C. Generate SMTP mail.

❍ D. Regulate Web server authentication.

Answer B is correct. The IIOP protocol allows java code to run on theDomino server.

17 0789729180 CH14 10/21/03 2:41 PM Page 361

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 14362



17 0789729180 CH14 10/21/03 2:41 PM Page 362

Managing Users andGroups

Terms you’ll need to understand:✓ Group management✓ User management✓ Administrative process✓ Notes ID expiration✓ Roaming users

Techniques you’ll need to master:✓ Changing a user’s group membership✓ Changing a user’s location in the hierarchy✓ Changing a user’s name✓ Deleting groups✓ Deleting users✓ Extending a Notes ID’s expiration date✓ Managing groups✓ Modifying Person documents✓ Moving a user’s mail file✓ Renaming groups✓ Setting up roaming users

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15

18 0789729180 CH15 10/21/03 2:34 PM Page 363

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15364

This chapter covers the tasks required to manage users and groups in theDomino domain. Creating new users and setting up roaming users are keytopics that are covered here and that should be studied for the exam.

Changing a User’s GroupMembershipWhen users change departments or leave the company, administrators arerequired to perform maintenance on the user profile to change how the useris defined in a group. Editing a group requires ACL access to the DominoDirectory with one of the following defined security assignments:

At least Editor with Create Documents privilege

Or

The UserModifier role

Follow these steps to change group membership assignments:


2. Expand the Domino Directories item and select Groups. A list of thevalid groups on the server displays in the main navigation window.Select the group that needs to be edited and then click Edit Group andopen the Basics tab.

3. Do not edit the group name (the assigned name of the group) unlessabsolutely necessary; changing the group name also requires changingthe ACLs in databases associated with this name. The maximum lengthfor group names is 62 characters.

4. Edit the group type by selecting from the available types, described asfollows:

➤ Multipurpose—Used for multiple types of users. Multipurpose is thedefault selection.

➤ Access Control List Only—Exclusively used to maintain database andserver authentication.

➤ Mail Only—Exclusively used for mail users.

➤ Server Only—Exclusively used for Connection documents andAdministrator clients to group domain bookmarks.

➤ Deny List Only—Exclusively used for denying access to the server.

18 0789729180 CH15 10/21/03 2:34 PM Page 364

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing Users and Groups 365

5. If you choose to do so, you can add a description of the group to theDescription free form field.

6. In the Mail Domain field, enter the name of the mail domain used bythis group.

7. Identify the group with an Internet address by adding the address tothe Internet address field; after you have done so, the group canreceive Internet mail.

8. In the Members field, add, delete, or change the names in the list ofusers to define the members of the group.

9. Click Save & Close to save the group changes.

Changing a User’s Location in theHierarchyUsers may change departments or move to other company subsidiaries,requiring an administrator to change their location in the hierarchy. Movinga user changes the Organizational Unit (OU) assigned to the user, so the userID requires recertification. Domino enables administrators to move users toother locations by using the Administration Process (AdminP). Administratorscan use AdminP to change a user’s name, assign a new Organizational Unit,or add the user’s information to a completely new organization. Moving auser requires the original certifier as well as the certifier for the new location.

The administrator must have the certifier and Editor access to theAdministration Requests database in order to move a user. Follow these stepsto move a user in the domain:


2. Using the Tools pane, select People and Rename. A dialog box appearswith the following three choices:

You cannot change the group’s Category setting; Administration is the only selection.

18 0789729180 CH15 10/21/03 2:34 PM Page 365

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15366




3. To change the number of days that the old user name and informationwill be honored, edit the entry option at the bottom of the Honor OldNames for Up to XX Days dialog box. The default option for thisselection is 21 days, but the value can be changed to reflect a numberfrom 14 to 60 days.

4. To move the user, click the Request Move to New Certifier button; theChoose a Certifier dialog box appears. Choose from among the follow-ing options:

➤ Choose the Server option to select the registration server.

➤ Choose the Supply Certifier ID and Password option to use a certi-fier ID file. A dialog box is available under this option that enablesyou to navigate to the ID on the server.

➤ Use the CA Process option to make the changes without havingaccess to a certifier ID file.

5. After you have selected one of the preceding options, click OK to con-tinue. If you selected the option to use a certifier ID, a dialog box titled“Lotus Notes” appears requesting the password. Enter the passwordand click OK to continue.

6. A dialog box now allows the administrator to assign a new certifier ID.Select the ID and click OK to continue.

7. The Rename Person dialog box appears. The Primary NameInformation displays and a check box is presented with the followingtext:

Allow the primary name to be changed when the name is moved.

This is optional, and all systems must be running Domino versions5.04 or greater to support this option. Select OK to continue; thechange is processed and a Processing Statistics dialog box appears dis-playing the results of the change process.

8. Click OK to close the dialog box and return to the Administratorclient.

18 0789729180 CH15 10/21/03 2:34 PM Page 366


Changing a User’s NameUsers may also require a name change to their account information in theDomino Directory. To change a user’s name, follow these steps:


2. Using the Tools pane, select People and Rename. In the People andRename dialog box, select the Change Common Name option; theChoose a Certifier dialog box appears.

At the bottom of the People and Rename dialog box is the Honor Old Names for Upto XX Days option. The default option for this selection is 21 days, but the value canbe changed to reflect a number from 14 to 60 days.

3. As in step 4 of the preceding list of steps (see “Changing a User’sLocation in the Hierarchy”), select an option for choosing a certifier,and then click OK to continue. If you choose the option to use a certi-fier ID, a dialog box appears requesting the password. Enter the pass-word and click OK to continue.

4. The Certificate Expiration Date dialog box appears. The default set inthis box is two years from the current date. Change the date ifrequired or leave it at the two year default and click OK to continue.

5. The Rename Person dialog box appears with fields to be completed.Complete these fields:

➤ First Name

➤ Middle Name

➤ Last Name

➤ Qualifying Org Unit (optional)

➤ Short Name (optional)

➤ Internet Address (optional)

➤ Rename Windows NT User Account (optional)

6. After you have completed the fields required for this user, click OK.The name change is processed and the Processing Statistics dialog boxappears displaying the results of the change process.

7. Click OK to close the dialog box and continue.

18 0789729180 CH15 10/21/03 2:34 PM Page 367

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15368

Deleting GroupsGroups can be deleted from the Domino Directory, but only after theadministrator has taken the proper steps to prepare for the deletion. Deletinga group can have extremely detrimental effects on the domain, as server anduser access will change based on the group deletion. Make sure that alldomain administrators and users are prepared for the deletion of the groupby sending an email to the affected users before the group is deleted.

Deleting a group requires an administrator to have the following access:

Author access with the ability to delete documents and the GroupModifierrole

Or

Editor access to the Directory

To delete a group, follow these steps:

1. Launch the Domino Administrator and select the People & Groupstab. Click Groups and select the group to be deleted; a Delete Groupdialog box appears.

2. Choose from these options in the Delete Group dialog box:

➤ Delete Group’s Windows NT/2000 Accounts, if Existing.

➤ Delete Groups from This Domino Directory Immediately.

3. After selecting either of these options, click OK to delete the group.

Deleting UsersDeleting a user requires an administrator to have the following access:

Author access with the Create Documents access to the certification log

And

Author access with the ability to delete documents and the UserModifierrole assigned

Or

Editor access to the Domino Directory

The following steps should be taken to delete a user from the DominoDirectory:

18 0789729180 CH15 10/21/03 2:34 PM Page 368


1. Launch the Domino Administrator and select the People & Groupstab. Click People and select the user to be deleted.

2. Select People from the Tools pane and choose Delete. The DeletePerson dialog box appears, prompting you to choose an option todetermine what should happen to the user’s mail database. The avail-able options are

➤ Do Not Delete the Database

➤ Delete the Mail Database on the User’s Home Server

➤ Add Deleted Users to Deny Access Group (optional)

➤ Delete User’s Windows NT/2000 Accounts, if Existing

➤ Delete Users from This Domino Directory Immediately

3. Complete the required selections and click OK to delete the user.

Extending a Notes ID’s ExpirationDateA Notes ID’s Expiration Date is used to manage when an ID will no longer beable to access a server. Typically user ID expiration dates are set for anextended amount of time, such as ten years, so that administrators are notrequired to constantly recertify IDs.

Extending the date on a Notes user ID requires the ID to be recertified.Complete these steps to change the expiration date of an ID:

1. Launch the Domino Administrator and select the People & Groupstab. Click People and using the Tools pane, select People, and thenselect Recertify.

2. In the Choose a Certifier dialog box, choose an option (see step 4 instepped procedure outlined in “Changing a User’s Location in theHierarchy,” earlier in the chapter), and then click OK to continue. Ifthe option to use a certifier ID was selected, a dialog box appearsrequesting the password. Enter the password and click OK to continue.

3. The Renew Certificates in Selected Entries dialog box appears. In theNew Certificate Expiration Date field, change the date to reflect thedesired expiration date and then click OK to continue.

4. The Recertify User dialog box appears showing the common name andthe qualifying org unit. Click OK to continue.

18 0789729180 CH15 10/21/03 2:34 PM Page 369

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15370

5. The user ID recertification is processed and the Processing Statisticsdialog box appears displaying the results of the change process. ClickOK to close the dialog box and continue.

Managing GroupsGroup management is used by administrators to add or delete users andservers from groups and to create new groups as needed. Group manage-ment tasks are performed using the Administrator client. To manage groups,follow these steps:

1. Launch the Domino Administrator and select the People & Groupstab.

2. Click Groups and select the required group. Using the Tools pane,select Groups, and then select Manage. The Manage Groups dialogbox appears (see Figure 15.1).

Figure 15.1 Domino users, groups, or servers data types can be added or removed from groupsusing the Manage Groups tool.

3. To add a data type to a group, select the data type from the People andGroups section on the left. Expand the destination group under theGroup Hierarchies section on the right. Click Add to add the data typeto the target group.

4. To remove a data type from a group, expand the group under the GroupHierarchies section, select the data type to be deleted, and click Remove.

5. Click Done when finished.

18 0789729180 CH15 10/21/03 2:34 PM Page 370


Modifying Person DocumentsUser management includes adding and deleting users, recertifying user IDsand moving users in the domain. The Administrator client is used for usermanagement.

The Person document contains all of the information related to the user thatdetermines access and rights related to how the user interacts with thedomain. When changes such as the name or title are made to the user’s infor-mation, the changes are recorded in the Person document. To edit thePerson document, follow these steps:


2. Click People and choose the user to be modified, and then select EditPerson.

3. Make the changes desired to the Person document and select Save &Close to save the changes.

Moving a User’s Mail FileUser mail files may need to be moved when a user changes departments ormoves to another location in the country that supports his new Dominoneeds. Domino provides a tool that moves the user’s mail file and changes theDirectory to reflect the new mail file location. To move a user’s mail file, fol-low these steps:

1. Launch the Domino Administrator and select the People & Groupstab. Click People and using the Tools pane, select People, and thenselect Move To Another Server to produce the Move Users(s) ToAnother Server dialog box. The selected user is displayed in the dialogbox along with a drop-down box used to select the destination server.

2. Choose from these available options:

➤ Move Roaming Files into This Folder on “Server Name”

➤ Move Mail Files into This Folder on “Server Name”

➤ Link to Object Store

➤ Delete Old Replicas in Current Cluster

3. Click OK to complete the process of moving the mail file.

18 0789729180 CH15 10/21/03 2:34 PM Page 371

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15372

Renaming GroupsGroups can be renamed using the Administrator client. Editing a grouprequires ACL access to the Domino Directory with one of the followingdefined security assignments:


Or


Care should be taken when renaming a group, because renaming a group affectsusers and their access within the domain. In the event that a group needs to berenamed, notify the users and system administrators who communicate with theserver.

Follow these steps to rename a group:


2. Expand the Domino Directories item and select Groups. A list of thevalid groups on the server displays in the main navigation window.Select the group that needs to be edited and then click Edit Group.

3. On the Basics tab, change the name of the group and click Save &Close to save the group using the new name.

Setting Up Roaming UsersRoaming users are able to access Notes from multiple clients in the domainand retain their personal information. A roaming server is used to store theuser’s files. When a user logs on to the server as a roaming user, the user’sinformation is retrieved from the server and presented to the user. When aroaming user makes changes, the user is replicated to the server so that theserver is available when the user logs in at a later time.

Roaming users are unique to Domino. In preparing for the exam, you should studythe concepts surrounding how to define them. Set up roaming user configurationsin a development domain to ensure that you understand all of the processes.

18 0789729180 CH15 10/21/03 2:34 PM Page 372


Roaming users are created during user registration. To define the settings forroaming users, follow these steps:

1. Launch the Domino Administrator and select the People & Groupstab.

2. Using the Tools pane, select People, then select Register. A LotusNotes dialog box appears requiring the certifier password. Enter thepassword and click OK to continue.

3. The Register Person—New Entry dialog box appears. Enter the rele-vant user information related to name and password, and then selectEnable Roaming For This Person.

4. Click the Advanced button and a new menu displays on the left. Selectthe Roaming tab to configure the Roaming settings; the Roaming tabis shown in Figure 15.2.

Figure 15.2 When roaming users are created, the files Personal Address, Bookmark, and Journalare also created and stored based on the settings here in the Roaming tab.

5. Complete these fields to set up Roaming:

➤ Put Roaming User Files on Mail Server, or click the RoamingServer button to select the location to store the files.

➤ Enter the personal roaming folder in the Personal Roaming Foldertext box.

➤ Choose a subfolder format from the Sub-Folder Format drop-downlist.

18 0789729180 CH15 10/21/03 2:34 PM Page 373

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15374

➤ Create Roaming Files Now or Create Roaming Files inBackground.

➤ Roaming replicas are available if a Domino cluster is available.

➤ Select a Clean-up option from the Clean-Up Option drop-downlist.

6. Select the required options and click Done to create the roaming user.

Typically, the exam may contain questions related to moving users to new servers orchanging where a user may exist in the hierarchy. Be sure while studying that youunderstand examples of creating users and groups and that you test your under-standing of the process in a development environment.

18 0789729180 CH15 10/21/03 2:34 PM Page 374


Exam Prep Questions

Question 1

Which ACL access is required to the Domino Directory to allow an administra-tor to edit a group?

❑ A. Editor with the Create Documents privilege

❑ B. Editor with Document Copy privilege

❑ C. UserModifier role

❑ D. ModifyUser role

Answers A and C are correct. Editing a group requires ACL access to theDomino Directory with one of the following defined security assignments:


Or


Question 2

Which Domino task is used to move users to other servers or domains?

❍ A. Catalogger

❍ B. AdminP

❍ C. Userlocater

❍ D. Filer

Answer B is correct. Domino users are moved to other servers or domains byusing the Administration Process (AdminP).

Question 3

When moving a user, which two things are required to complete the move to anew server?

❑ A. The original certifier

❑ B. The user’s public key

❑ C. A replica copy of the NAMES.NSF database

❑ D. The certifier for the new server location.

18 0789729180 CH15 10/21/03 2:34 PM Page 375

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15376

Answers A and D are correct. Moving a user requires the original certifier aswell as the certifier for the new server location.

Question 4

When changing a user’s name, which of the following statements is true aboutdate expiration on the user ID?

❍ A. The default time for certificate expiration is 10 years.

❍ B. The certificate expiration time cannot be changed.

❍ C. The default time for certificate expiration is two years.

❍ D. The certificate expiration time is based on the server certificate expira-tion parameter.

Answer C is correct. The default time for the certificate expiration time istwo years from the current date, but can be changed to any number.

Question 5

When are roaming users created?

❍ A. During nightly batch system processing

❍ B. During registration

❍ C. During NAMES.NSF domainwide replication

❍ D. During server launch

Answer B is correct. Roaming users are created during user registration.

Question 6

What does an administrator select to set up roaming for a user?

❍ A. Set Roaming=1 in the NOTES.INI file.

❍ B. Select Enable Roaming for This Person on the registration page for anew user.

❍ C. Define the group RoamingUsers in the Domino Directory.

❍ D. Set the RoamingUsers task to launch at server startup in the server’sconfiguration document.

Answer B is correct. Select Enable Roaming for This Person in the RegisterPerson—New Entry dialog box.

18 0789729180 CH15 10/21/03 2:34 PM Page 376


Question 7

Which files are created for roaming users to retain their roaming information?

❍ A. Roamer, Filer, and Journal

❍ B. Personal Address, Bookkeeper, and Replicator

❍ C. Personal Address, Bookmark, and Journal

❍ D. Addresser, Personal Bookmarks, and Journal

Answer C is correct. When roaming users are created, the files PersonalAddress, Bookmark, and Journal are also created and stored based on the set-tings on the Roaming tab.

Question 8

Which tab in the group document is used to change the name of a group?

❍ A. The Groups Definition tab

❍ B. The Basics tab

❍ C. The IIOP tab

❍ D. The Security tab

Answer B is correct. Change the name of the group on the Basics tab of thegroup document and click Save & Close to save the group using the newname.

18 0789729180 CH15 10/21/03 2:34 PM Page 377

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 15378



18 0789729180 CH15 10/21/03 2:34 PM Page 378

Monitoring ServerPerformance

Terms you’ll need to understand:✓ Domino console✓ jconsole✓ Domino Web Administrator✓ WEBADMIN.NSF✓ Real-time statistics✓ Individual statistics✓ Bundled statistics✓ Statistics profile

Techniques you’ll need to master:✓ Using the Domino console✓ Using the Domino Web Administrator✓ Viewing real-time statistics✓ Viewing statistics with Server Monitor

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16

19 0789729180 ch16 10/21/03 2:49 PM Page 379

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16380

Using the Domino ConsoleOne of the tools available to maintain a server is the Domino console. TheDomino console is an application that enables administrators to send com-mands to the server as if they were using the console on the server itself. TheDomino console is installed when the Domino server is installed or when theAdministrator client is installed. The console is a Java application and canalso be loaded as a Windows Service when running Windows 2000 orWindows XP.

The application provided by Lotus to run the Domino console is called jconsole. To start the Domino console manually, change to either the client orserver directory and run the jconsole executable. The Domino server mustbe running. If you are running a server controller, the Domino console startsautomatically.

You can launch the console in four ways:

➤ Launch the jconsole application by selecting the program icon in the serveror admin client directory when the server is already running.

➤ Create a shortcut or execute nserver --jc at the command prompt to run theserver controller, the Domino server, and the console.

➤ Create a shortcut or execute nserver --jc --c at the command prompt to runthe server controller and the Domino server.

➤ Create a shortcut or execute nserver --jc --s at the command prompt to runthe server controller and the console.

As mentioned earlier, the Domino console enables administrators to sendcommands to the server as if they were using the console on the server itself.Typical commands such as show server and show tasks can be sent to the serv-er and then are displayed in the console window. The console window alsodisplays server events, such as Adminp processes, as they are launched. Asample console window is shown in Figure 16.1.

Options available using the console’s File menu are as follows:

➤ Open Server

➤ Disconnect

➤ Show Users

➤ Show Processes

➤ Broadcast (send a message to all server users)

➤ Local Logging

➤ Start Server

19 0789729180 ch16 10/21/03 2:49 PM Page 380


➤ Stop Server

➤ Kill Server

➤ Quit Controller

➤ Refresh Server List

➤ Exit the Console Program

Figure 16.1 The console has predefined commands available via the file menu or the Commandsbutton at the bottom of the Console.

The Commands button has the typical commands that an administratorwould use to manage the server, as well as an option to create and save cus-tom commands.

You can configure the console to show a number of views, including the fol-lowing:

➤ Header—Specifies the user, platform type, server name, and release number

➤ Bookmarks—Includes the available icons Connect Local Server,Connected Servers, and Domain

➤ Event Filter—Displays one of the following at the bottom of the consoleof the events monitored: Fatal, Failure, Warning (High), Warning(Low), Normal, and Unknown

19 0789729180 ch16 10/21/03 2:49 PM Page 381

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16382

➤ Secure Password—Is an empty field used by the administrator to securethe console

➤ Connected Servers—Lists the servers available to the console

➤ Domain—Provides a hierarchical graphic view of the domain structureavailable to the console

➤ Debug Output Window—Launches an active debug window used for trou-bleshooting

➤ Look and Feel—Changes the theme used to display the console window

An example of the console window displaying some of the server commandsis shown in Figure 16.2.

Figure 16.2 You can use server commands to control the console view.

To stop the console, select Exit from the file menu Alt+Q. After you haveselected to shut down the console, you are presented with a dialog box toeither shut down the console itself or shut down the console and the servercontroller simultaneously. Three additional buttons are available on the WebAdministrator: Logout, Preferences, and Help.

Although the Domino console is a powerful tool, it is still limited in its uses. You stillneed either the Domino Administrator client or the Web Administrator client to main-tain the server.

Using the Domino WebAdministratorThe Domino Web Administrator allows remote administration using only abrowser client. Although the Web Administrator is essentially the same as

19 0789729180 ch16 10/21/03 2:49 PM Page 382


the administrator client, the navigation is slightly different, so make sure youare familiar with it. To use the Web Administrator, the following browserconfigurations are required:

➤ Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP and NT4

➤ Netscape 4.7 or greater on Windows 98, 2000, XP, and NT4

➤ Netscape 4.7 on Linux OS version 7 or later

Support for NT4Even though Release 6 does support the Web Administrator client on NT4, you must also installthe Microsoft Windows Management Instrumentation Software Development Kit (WMI SDK)before the task will work properly. We recommend migrating to Windows 2000 or XP beforeinstalling the Domino application because Microsoft support for NT4 is scheduled to expire overthe next 18 months.

Access using the Domino Web Administrator is maintained by the databaseWEBADMIN.NSF. Make sure you are familiar with this database and the requirementsneeded to configure the database to facilitate proper admin access. Also note thatMacintosh browsers are not supported.

Here are some keys things to remember about the differences between theWeb Administrator and the Web clients:

➤ The Messaging tab on the Web client now has a task tool that enablesyou to issue Tell, Start, Stop, and Restart commands on the mail servertasks.

➤ The Replication tab on the Web client also has a task tool that enablesyou to issue Tell, Start, Stop, and Restart commands on the replicationserver tasks.

➤ The Mail tab on the Web client displays mail statistics differently thanin the administrator client. Mail routing, retrieval, DNSBL (DNS black-list filter), and destination routing statistics are available on this tab.

➤ Server Monitor and performance charts are not available in the Webclient.

AdminP, CA (Certificate Authority), and the HTTP task must all be runningon the Domino server for the Web administration client functionality tooperate. Additionally, the WEBADMIN.NSF database ACLs need to beconfigured to allow administrators to access the server.

19 0789729180 ch16 10/21/03 2:49 PM Page 383

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16384

When the WEBADMIN.NSF database is created, these default ACLs arecreated:

➤ Administrators and Full Access Administrators, the Named server, andLocalDomainServers are set as Manager.

➤ Default, OtherDomainServers, and Anonymous are all set to No Access.

The HTTP task updates the WEBADMIN.NSF database with ACLchanges generated from the modification of the Domino Directory’s Serverdocument about every 20 minutes. You can also force an immediate updatefor administrator access by editing the Security tab on the Server document.Editing the ACLs in the WEBADMIN.NSF database also permits immedi-ate access. Select a user, define the user as a manager, and then add the rolesrequired for the mangers to have access.

After the ACL access has been defined, you need to define the authentica-tion method that will be used to access the server. The two options are todefine an Internet password in the Person document or to define an SSL cer-tificate.

When you have finished the configuration, make sure that the HTTP task isrunning on the server and then enter the URL of your server followed by/webadmin.nsf—for example, http://r6test.test.com/webadmin.nsf, or https://r6test.test.com/webadmin.nsf if SSL authentication is enabled.

The first screen that is presented is a server status screen. This is helpful fora quick glimpse of server health, but you must access the other tabs to actu-ally perform maintenance activities.

Viewing Real-Time StatisticsTo maintain a server running at peak performance, you need to monitor howtasks are being performed and issues that need attention. Domino allows fortracking of real-time statistics, which enable administrators to analyze serverinformation as it is occurring.

Real-time monitoring is set up with the Domino Administration client. Astatistics profile is used to gather information about how the server is per-forming and possible problems that are occurring. Select the Server tab andthen the Performance tab. Under Statistics Charts, select Real-TimeStatistics and then click the Add button. A dialog box appears that enablesyou to select the domain and server, as well as the type of statistics to gather.

19 0789729180 ch16 10/21/03 2:49 PM Page 384


This dialog box enables you to gather one of two types of statistics: individ-ual or bundled. Individual statistics enable you to select what to monitor. Asyou add these statistics, they appear immediately in the Performance tab.This capability is important if you are troubleshooting a problem and needto watch the performance on a specific statistic. Bundled statistics enable youto group sets of statistics and then label them for easy access and use.Bundled statistics show only after you have given the bundle a name andclicked the OK button on the dialog box. At the Performance tab, you nowcan save the statistics as a statistics profile. Select the paper icon next to theStatistics Profile box and choose Save As. Enter a name and click OK to saveyour profile.

The Add Statistics tab is shown in Figure 16.3.

Figure 16.3 Use the Add Statistics feature to create a statistics profile of your system.

Viewing Statistics with ServerMonitorViewing statistics with Server Monitor can be accomplished only using theDomino Administrator client. The Web Administrator does not supportServer Monitor or performance charting.

19 0789729180 ch16 10/21/03 2:49 PM Page 385

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16386

Server Monitor can be configured with the following parameters:

➤ View Statistics Either By Timeline or By State

➤ Show Past Error States Only

➤ Task Status

➤ Task Errors

➤ View a Single Server or a Group of Servers

Select the paper icon next to the Statistics Profile box and choose Save As.Enter a name and click OK to save your profile.

19 0789729180 ch16 10/21/03 2:49 PM Page 386


Exam Prep Questions

Question 1

Which task automatically starts when the server console loads?

❍ A. Updall

❍ B. Domino Console

❍ C. Fixup

❍ D. HTTP

Answer B is correct. If you are running a server controller, the Domino con-sole starts automatically. Answers A, C, and D are incorrect because thesefeatures do not start automatically when the server console loads.

Question 2

What are the correct default ACLs when the WEBADMIN.NSF database is creat-ed? Choose all that apply.

❑ A. Administrator: Reader

❑ B. LocalDomainServers: Manager

❑ C. OtherDomainServers: Editor

❑ D. Administrators: Manager

Answers B and D are correct. Administrators and Full Access Administrators,the Named server, and LocalDomainServers are set as Manager. Default,OtherDomainServers, and Anonymous are all set to No Access.

Question 3

Which parameter is valid when configuring Server Monitor?

❍ A. View Statistics by TimeSlice

❍ B. Task Priority

❍ C. Task Errors

❍ D. Show Past Error States and Future Possible errors

Answer C is correct. The only valid parameter from this list is Task Errors.

19 0789729180 ch16 10/21/03 2:49 PM Page 387

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16388

Question 4

Which of these procedures are correct when launching the console?

❑ A. Launching the jconsole application by selecting the program icon inthe server or admin client directory when the server is already running

❑ B. Creating a shortcut or executing nserver --jq at the command promptto run the server controller, the Domino server, and the console

❑ C. Creating a shortcut or executing nserver --jc --c at the commandprompt to run the server controller and the Domino server

❑ D. Creating a shortcut or executing nserver --jc --t at the commandprompt to run the server controller and the console

Answers A and C are correct. You can launch the console in one of four ways:

1. Launch the jconsole application by selecting the program icon in theserver or admin client directory when the server is already running.

2. Create a shortcut or execute nserver --jc at the command prompt torun the server controller, the Domino server, and the console.

3. Create a shortcut or execute nserver --jc --c at the command promptto run the server controller and the Domino server

4. Create a shortcut or execute nserver --jc --s at the command promptto run the server controller and the console.

Question 5

Which of the following statements is correct?

❍ A. The Names.nsf database maintains control of who can use the WebAdministrator.

❍ B. All versions of computing platforms can use the Web Administrator.

❍ C. The Webadmin.NSF database controls who can access the server withthe Web Administrator.

❍ D. The Webadmin database is automatically configured when the server islaunched.

Answer C is correct. Access using the Domino Web Administrator is main-tained by the database WEBADMIN.NSF. Make sure you are familiar withthis database and the requirements needed to configure the database to facil-itate proper admin access. Also note that Macintosh browsers are not sup-ported.

19 0789729180 ch16 10/21/03 2:49 PM Page 388


Question 6

Which statement is true about setting up real-time statistics?

❍ A. The administrator and the Web Administrator have the capability todefine real-time statistics.

❍ B. Real-time statistics are predefined and cannot be changed.

❍ C. Real-time monitoring is set up with the Domino Administration client.

❍ D. Macintosh computers are the most efficient at setting up real-time sta-tistics using the upgraded client for OSX.

Answer C is correct. Real-time monitoring is set up with the DominoAdministration client.

Question 7

Which of the following browser configurations enable the Web Administrator toaccess the server? Choose all that apply.

❑ A. Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP, and NT4

❑ B. Netscape 4.7 or greater on Windows 95, 98, 2000, XP, and NT4, orLinux version 7 or greater

❑ C. Microsoft Explorer 5.5 or greater on Windows 98, 2000, XP, and NT4,and Macintosh Netscape 5.6 or greater

❑ D. Netscape 4.7 or greater on Windows 98, 2000, XP, and NT4, or Linuxversion 7 or greater

Answers A and D are correct. Microsoft Explorer 5.5 or greater is requiredon Windows 98, 2000, XP, and NT4, and when using Netscape 4.7 orgreater on Windows 98, 2000, XP, and NT4 or Linux version 7 or greater.

Question 8

What types of statistics are available to configure?

❑ A. Bundled

❑ B. Embedded

❑ C. Distinct

❑ D. Individual

❑ E. Discretionary

Answers A and D are correct. The two types of statistics that are configurableare individual and bundled.

19 0789729180 ch16 10/21/03 2:49 PM Page 389

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 16390


19 0789729180 ch16 10/21/03 2:49 PM Page 390

Resolving ServerProblems

Terms you’ll need to understand:✓ Administration Process✓ AdminP✓ Agent Manager✓ Event triggers

Techniques you’ll need to master:✓ Monitoring application size✓ Monitoring server tasks✓ Recovering from a server crash✓ Solving Agent Manager issues✓ Solving authentication and authorization issues✓ Troubleshooting Administration Process problems✓ Troubleshooting replication problems✓ Troubleshooting mail routing issues✓ Using event triggers to troubleshoot problems

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17

20 0789729180 CH17 10/21/03 2:34 PM Page 391

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17392

In this chapter, we cover issues that administrators may have to contend withwhen troubleshooting server problems. We look at how to resolve replica-tion issues, mail routing issues, and authentication issues as part of the trou-bleshooting process, along with other possible problems that may occur.This information is an important part of your preparation for Exam 622.

Monitoring Application SizeApplication, or database, size can directly affect the manner in which a sys-tem performs. A database that has grown in size and isn’t maintained regu-larly causes the server to have performance issues. The maximum databasesize on Windows and Unix servers is 64 gigabytes.

To check the size of a database, select the database on the DominoWorkspace. Navigate to the File menu, select Database, and then selectProperties to open the database properties. Database size is listed on the Infotab (the second tab, labeled with an “i”). This tab displays

➤ The database size.

➤ The number of documents in the database.

➤ The database creation date.

➤ The last day the database was modified.

➤ The replica ID of the database.

➤ The ODS version of the database.

➤ % used—This button displays the amount of the database in use calcu-lated in percent.

➤ Compact—This button initiates a compact on the database.

➤ User Detail—This button shows information related to the owner of thedatabase.

Here are some additional ways to check database size:

➤ View the database size on the Files tab of the Domino Administrator

➤ Check the database size in the Domino log file

➤ View the statistics reports in the Statistics database

20 0789729180 CH17 10/21/03 2:34 PM Page 392

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving Server Problems 393

Monitoring Server TasksAs previously discussed in this book, Domino offers multiple ways to moni-tor server tasks. These include

➤ Using the Domino console

➤ Using the Domino Administrator

➤ Using the Domino Web Administrator

➤ Examining the server log, miscellaneous view

➤ Setting up statistics monitoring

Recovering from a Server CrashEven the best maintained server will crash occasionally. The one thing thatalways allows an administrator to recover from a catastrophic system failureis the use of a reliable, tested backup system. Always make sure to use reli-able media, test the backup system, and regularly verify backups to be surethey are accurate and complete. Common causes of server crashes include

➤ Inadequate hardware—A slow CPU and minimal amounts of memorymay allow a server to be deployed and Domino to be installed, but afterusers access the server and system tasks launch, the server will experi-ence slowdowns and possibly crash the server.

➤ Defective hardware—Bad network cards, failing disk drives or drivearrays, or defective memory can cause server crashes.

➤ Software patches or upgrades—Security patches and operating systemupgrades are notorious for overwriting DLL files and system files thatDomino uses for running the server. Loading a patch or an upgrade maycause a software conflict and cause the server to crash.

➤ Domino applications—Databases that have become corrupted are a com-mon reason for server problems that may lead to a system crash.

Typically, after a server crashes, a system reboot allows the server to restartand fires system utilities such as “fixup” to correct any database issues thatoccurred when the server went down. In the event that the server will notrestart, you may need to place a call to Lotus tech support to determine whatcaused the crash. Before placing the call, gather the following information ifpossible:

20 0789729180 CH17 10/21/03 2:34 PM Page 393

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17394

➤ Domino software version

➤ Operating system version and a list of all installed patches and upgrades

➤ List of installed programs on the server and their versions

➤ Network configuration

➤ A record of any errors on the server screen

➤ An NSD (Notes System Diagnostics) file if available

An NSD file might be generated when the server crashes and can be valuable forrecovering from the crash. Lotus tech support can analyze the NSD file to determinethe cause of the crash and provide possible solutions. This file is not created atevery server crash.

Before contacting Lotus tech support, you also should gather any availablesystem files that can assist Lotus in troubleshooting the problem. Theseinclude, but are not limited to

➤ System files such as any autoexec or config file

➤ Notes.ini file

➤ Server log files if available

Solving Agent Manager IssuesThe Agent Manager is a Domino task that manages agent execution on theserver. Agents can be resource intensive, depending on what task they arerunning, so it’s important that they are managed efficiently. The AgentManager serves this function but may not always run properly. In order tofine-tune how Agent Manager operates, you can edit the Notes.ini file withthe following settings:

➤ AMgr_DocUpdateAgentMinInterval—This setting is used to determinethe delay time before a document updates and runs an agent in responseto the document update. The default time is 30 minutes.

➤ AMgr_DocUpdateEventDelay—This setting is used to determine theamount of time that the Agent Manager will delay the execution of thesame agent that will run and update documents. This is effective inkeeping document updates from running during the times when theserver is most active, such as in the morning or just after lunch. Thedefault time is 5 minutes.

20 0789729180 CH17 10/21/03 2:34 PM Page 394


➤ AMgr_NewMailAgentMinInterval—This setting is used to determine theminimum amount of time that needs to pass before the same agent willrun and process mail events. The default is 0 minutes.

➤ AMgr_NewMailEventDelay—This setting is used to determine theamount of time that the Agent Manager will delay the arrival of a newdocument and the running of an agent as a response to the update. Thedefault time is 1 minute.

➤ DominoAsynchronizeAgents—This setting is used to manage Web agentsthat are executed by browser clients so that they can run simultaneously.Setting this parameter to 1 allows multiple agents to run concurrently.

➤ AMgr_SchedulingInterval—This setting is used to dictate the amount oftime that the Agent Manager scheduler task will pause before running.The default is 1 minute and the valid values are 1 minute to 60 minutes.

➤ AMgr_UntriggeredMailInterval—This setting dictates how much timeshould pass before the Agent Manager checks for untriggered mail. Thedefault time is 60 minutes.

In addition, these commands can be entered at the server prompt to trou-bleshoot Agent Manager issues:

➤ tell amgr schedule—This command displays the agent manager schedule.

➤ tell amgr status—This command asks the server to generate a statusreport about the Agent Manager.

➤ tell amgr debug—This command displays the current state of the AgentManager debugger.

Solving Authentication andAuthorization IssuesThere are multiple reasons why users or servers may be experiencing prob-lems authenticating to the server. Troubleshooting authentication andauthorization issues involves the following processes:

➤ Verifying that the Domino Directory is set up correctly

➤ Verifying that the server’s ID file is not the problem

➤ Determining potential causes of user problems

The following sections describe these processes in detail.

20 0789729180 CH17 10/21/03 2:34 PM Page 395

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17396

Knowing how to verify that a Domino Directory is set up correctly is a key skill for aDomino administrator. Make sure that you understand the information on this topicpresented here as you prepare for the exam. Spend some time in your developmentenvironment to fully understand how the Directory is set up and configured.

Verifying Correct Domino Directory SetupFollow these steps when troubleshooting authentication issues to verify thatthe Domino Directory is set up correctly:

1. Be certain all information related to the server configuration is proper-ly defined. Verify that the server name, Notes named networks, anddomain names are correct with no typos. Also, be certain that all groupinformation and usernames are correct.

2. Verify that the network information is configured correctly. Be surethat all ports are enabled properly as required.

3. The Server document may be damaged or corrupted. Back up theDomino Directory if possible, or make sure that a valid archived copyexists and restore it to a safe location. Create a new Server documentin the Directory, copy the original Server document’s public key intothe new Server document, and delete the original document to see ifthe problem is corrected.

If the new Server document does not correct the problem, use the Directory that wasrestored from tape. Remember that any changes that were made to the Directorysince it was archived will need to be re-created.

4. Validate that the public key in the server ID matches the public key.

5. Check the Domino Directory for save or replication conflicts and cor-rect them if they exist.

6. Corrupted database views may be preventing access. Rebuild the viewsusing the Updall task first and then use the fixup task if necessary toresolve the corrupted views.

7. Replace the design of the Domino Directory with the PUBNAMES.NTF template if appropriate. If the Directory was modified with a cus-tom template, replace the design with the custom template instead ofthe default template.

20 0789729180 CH17 10/21/03 2:34 PM Page 396


Verifying Server IDYou can verify that the server’s ID file is not the problem by checking theseitems:

➤ The server ID itself may be damaged. Stop the server, rename the oldserver ID file with a .old extension, replace the server ID from a knowngood backup, and restart the server.

➤ Missing or corrupted certificates could hinder access. Verify that theserver ID file has all expected certificates and if any are missing, recerti-fy as needed with the appropriate certifier.

➤ Verify that the server’s public key matches the public key stored in theDomino Directory’s Server document.

Troubleshooting User Problems If a user is having problems accessing the server, check these items to searchout the source of the problem:

➤ Check for typos or errors in the user’s Person document in theDirectory.

➤ Determine that the user has all of the proper certifications needed toaccess the server.

➤ Verify that the user’s client is configured properly, including networkconfigurations and connections.

Troubleshooting AdministrationProcess Problems

Lotus has provided the Administration Process to assist administrators in automat-ing system tasks and scheduling them to run at times when the system is not expe-riencing heavy use. Make sure that you understand how the Administration Processworks and how to troubleshoot it when studying for the exams.

The Administration Process (AdminP) is a Domino task that runs on the serverto execute housekeeping, maintenance, and administrative tasks. For exam-ple, AdminP processes requests for a user’s name to be changed, a newOrganizational Unit to be assigned, or a user’s information to be added to a

20 0789729180 CH17 10/21/03 2:34 PM Page 397

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17398

completely new organization in the hierarchy. As we have discussed previous-ly in this book, a server that does not have the proper hardware configurationcan cause a myriad of problems. The Administration Process is a memory-intensive process and care should be taken to ensure that the server has anadequate amount of memory to execute the task. To troubleshoot possibleproblems with the Administration Process, follow these steps:

➤ Make sure that no system changes have been made at the operating sys-tem level or to the network infrastructure that could cause communica-tion failures within the domain.

➤ Configuration errors on the server may be causing problems. Try run-ning the Administration Process on a different server in the domain tosee if the problem persists.

➤ Type show tasks at the server prompt and check to make sure that theAdminP task is running.

➤ Verify that an Administration Server is defined in the Directory and inall databases in the domain. If the Administration Server is not definedin the databases, the AdminP process cannot run against them.

➤ Check the replication events in the Domino log file to make sure thatthe Directory and the Administration Requests database is replicatingproperly in the domain.

Troubleshooting ReplicationProblemsDatabase replication errors can be common, but can also be very frustratingto correct. Suggestions for troubleshooting replication problems include:

➤ Make sure that the replica IDs are the same between the two databasesthat are replicating. Remember that replication is dependent on thereplica IDs and not on the database names.

➤ Check the Connection documents for the servers and make sure that thereplication task is enabled. Verify that the replication scheduled is prop-erly defined.

➤ Verify that replication is not disabled in the database properties.

➤ Check the ACLs for the database and verify that the access is properlyset to allow replication to occur between the databases.

20 0789729180 CH17 10/21/03 2:34 PM Page 398


➤ Make sure that the server has sufficient disk space to allow the databasesto add the documents.

➤ Check the Domino Log database for possible errors that are occurring.

➤ Examine the database’s replication history to determine the last time thedatabase successfully replicated to determine when the problems startedoccurring.

Troubleshooting Mail RoutingIssuesA typical sign that mail routing is not working correctly is a report from auser that they are not receiving mail or cannot send mail. Suggestions fortroubleshooting mail routing issues include




➤ Verify that the settings in the Connection documents are configuredproperly for mail routing between servers.

➤ Make sure that the mail.box file on the server is not corrupted.

➤ Check the server and make sure that there is sufficient disk space toallow the server to process the mail.

➤ Examine the Domino log to see if errors are occurring in the MailRouting Events section.

➤ Check the mail.box file for undeliverable mail and examine the errorsthat are occurring to determine how to correct the problem. In addition,an administrator can issue the command tell router show to determinewhether mail is backed up on the server and the last error messagelogged.

20 0789729180 CH17 10/21/03 2:34 PM Page 399

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17400

Using Event Triggers toTroubleshoot ProblemsEvent handlers are used to determine which tasks launch when a predeter-mined event occurs on the server. Such an event is known as an event trig-ger. The events database EVENTS4.NSF includes predefined events thatcan be used to monitor the server, but the most efficient use of the handlertask is when an administrator defines events specific to the domain they aremonitoring. An administrator may decide to just log events and then main-tain them weekly. Alternatively, administrators may decide to be alertedimmediately when an event occurs so that they can resolve the issue.

The EVENTS4.NSF database includes a wizard that assists administratorsin creating the following event handlers:





Event handlers can also be created by using the Domino Administrator andnavigating to the Configuration tab and selecting the MonitoringConfiguration, Event Handler view. Each event has a Basics, Event, andAction tab that must be completed.

The following events provide assistance in troubleshooting problems:

➤ Agent—This event monitors tasks related to the execution of agents onthe server.

➤ Mail—This event monitors tasks related to mail processing.

➤ Replica—This event monitors database activities associated with replica-tion.

➤ POP3—This event monitors Internet mail activities.

➤ SMTP—This event monitors activities related to SMTP communications.

20 0789729180 CH17 10/21/03 2:34 PM Page 400


Exam Prep Questions

Question 1

Which of the following options are available to administrators to monitor theDomino server?

❑ A. Using the Domino console

❑ B. Using HP OpenView

❑ C. Examining the server log, miscellaneous view

❑ D. Using the Web Administrator

Answers A, C, and D are correct. Domino offers multiple ways to monitorserver tasks. These include:

➤ Using the Domino console

➤ Using the Domino Administrator

➤ Using the Domino Web Administrator

➤ Examining the server log, miscellaneous view

➤ Setting up statistics monitoring

Question 2

What is the maximum size possible for a database on Windows and Unixservers?

❍ A. 100 gigabytes

❍ B. 64 gigabytes

❍ C. 1 terabytes

❍ D. None of the above

Answer B is correct. The maximum database size on Windows and Unixservers is 64 gigabytes.

20 0789729180 CH17 10/21/03 2:34 PM Page 401

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17402

Question 3

Which command is issued at the server prompt to generate a status report con-cerning the Agent Manager?

❍ A. show agent report

❍ B. tell agent manager show status

❍ C. tell amgr status

❍ D. show agent manager status report

❍ E. None of the above

Answer C is correct. The command tell amgr status asks the server to gen-erate a status report about the Agent Manager.

Question 4

Which of the following items could cause database replication problems?

❍ A. The databases might have different names.

❍ B. The server task “Replica Check” might not be running.

❍ C. The replica IDs do not match.

❍ D. The database might need to be compacted.

Answer C is correct. Make sure that the replica IDs are the same between thetwo databases that are replicating. Remember that replication is dependenton the replica IDs and not on the database names.

Question 5

What is the purpose of event handlers?

❍ A. They are used to determine holidays in calendaring and scheduling.

❍ B. They are used to generate system records in the EVENTS.NSF data-base.

❍ C. They are used to determine which tasks launch when an event is trig-gered.

❍ D. They are used to perform an orderly shutdown of the server if a criticalsystem failure occurs.

Answer C is correct. Event handlers are used to determine which taskslaunch when an event is triggered.

20 0789729180 CH17 10/21/03 2:34 PM Page 402


Question 6

Which of the following statements are true about the Administration Process?

❑ A. It is very memory intensive.

❑ B. It can be launched by a user.

❑ C. An Administration Server must be defined in the Directory for theprocess to be able to launch.

❑ D. Running the process quarterly is adequate for maintaining the adminis-trative tasks.

Answers A and C are correct. The Administration Process is a memory-intensive process and care should be taken to ensure that the server has anadequate amount of memory to execute the task. An Administration Servermust be defined in the Directory and in all databases in the domain. If theAdministration domains are not defined in the databases, the AdminPprocess cannot run against them.

Question 7

What is the purpose of an NSD file?

❍ A. To assist in troubleshooting the reason for a system crash

❍ B. To generate a listing of all Non Standard Domains accessing the net-work

❍ C. To compile a report of all available Notes users accessing the server

❍ D. To generate a report showing a list of Internet users accessing theserver using a Web client

Answer A is correct. An NSD file can be generated when the server crashesand can be valuable for Lotus tech support to analyze the crash and providepossible solutions. This file is not created at every server crash.

20 0789729180 CH17 10/21/03 2:34 PM Page 403

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 17404

Question 8

Which of the following selections are possible solutions for troubleshootingmail routing issues on the server?

❑ A. Set up the Failed_Mail statistics generator in the EVENTS.NSF data-base.

❑ B. Examine a delivery failure report.

❑ C. Execute a mail trace.

❑ D. Check the Domino Directory and make sure mail routing is enabled.

Answers B, C, and D are correct. The following items can assist in trou-bleshooting mail routing issues:




20 0789729180 CH17 10/21/03 2:34 PM Page 404



Upgrading to Domino 6: Performance Benefits: www.ibm.com/

redbooks.

20 0789729180 CH17 10/21/03 2:34 PM Page 405

20 0789729180 CH17 10/21/03 2:34 PM Page 406

Resolving User ProblemsTerms you’ll need to understand:✓ FIXUP✓ UPDATE✓ UPDALL✓ COMPACT✓ MTC✓ MSTORE.NSF✓ CATALOG.NSF

Techniques you’ll need to master:✓ Tracking user mail messages✓ Troubleshooting routing problems✓ Troubleshooting server access problems✓ Troubleshooting connection problems✓ Troubleshooting data access control problems✓ Troubleshooting database issues✓ Troubleshooting workstation problems

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

18

21 0789729180 CH18 10/21/03 2:48 PM Page 407

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18408

Tracking User Mail MessagesDomino provides the capability for administrators as well as users to tracktheir messages. The tool that enables this is the Mail Tracker Collector. Fromtime to time, users might state that mail is not being delivered in a timelyfashion or that it might not be reaching the intended recipient at all. Whenthis occurs, a mail-tracking tool can be used to determine the problem.

The database used for this task is the MailTracker Store database, orMSTORE.NSF. The database is populated by data that is fed from the MailTracker Collector task, or MTC. The MTC processes log files generated bythe Router task and then copies specific data to the MSTORE.NSF data-base. When a message-tracking request is generated, Domino uses theMSTORE.NSF database to perform the trace. When a trace is initiated, itstarts at the user or administrator client and continues through the entiredomain until the route expires. When the trace is completed, the user is pre-sented with one of the following delivery status messages:

➤ Delivered—Delivery was successful.

➤ Delivery failed—Delivery was unsuccessful.

➤ In queue—Domino has queued the message in the Router task.

➤ Transferred—The message was sent to the next defined mail hop.

➤ Transfer failed—The message could not be transferred.

➤ Group expanded—A group message sent to the server was expanded to allrecipients.

➤ Unknown—The status of the delivery is not known.

Although it is true that users and administrators can track mail, users can track onlytheir own mail.

Troubleshooting Routing ProblemsMail routing errors can occur for various reasons. Server configurationerrors, client configuration errors, and network issues can all be possibleproblems. The key to resolving the issue is to use the tools provided byDomino to correct the problem. If the MAIL.BOX database has dead orpending mail, the most common things to check first are these:

21 0789729180 CH18 10/21/03 2:48 PM Page 408

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Resolving User Problems 409

➤ System logs detailing delivery failures and mail traces.

➤ Errors in the Directory itself, possibly related to connection configura-tions. Also make sure that the Mail Routing field is enabled on theBasics tab of the Server document.

➤ Errors in the recipient’s address.

➤ Network configuration errors prohibiting correct routing paths

➤ System errors, such as full disks or memory errors

➤ Shared mail configuration errors

Tools available to administrators to troubleshoot routing problems includethese:

➤ Delivery Failure Reports, which contain a description of why the mes-sage failed

➤ Mail Trace from the Domino Administrator

➤ Mail routing topology maps that display routes by connections andnamed networks

➤ Mail Routing status in the Domino Administrator

➤ Mail routing events in the Domino server log

Troubleshooting Server AccessProblemsServer access problems can occur when a user tries to access the server orwhen the server attempts a connection with another server and is denied.

The following section will aid you in troubleshooting Directory problems. Some ofthese are extreme measures, and you should always make sure that you have arecent, verified backup of the Directory file before attempting this procedure.

The following sections discuss some typical errors related to server accessthat can occur and their possible solutions.

21 0789729180 CH18 10/21/03 2:48 PM Page 409

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18410

Directory Errors Directory errors are the most common types of errors that cause serveraccess problems. If users are not authorized to access the server, you shouldverify that the Domino Directory does not have errors or corrupted Serverdocuments. Typical Directory errors to look for are listed here:

➤ Incorrect server and domain names or misspelled names would prohibitaccess.

➤ Verify that the information regarding the server and domain informationis correct and that there are no spelling errors.

➤ Configuration errors related to Notes Networks. At least one NotesNetwork must be enabled.

➤ Verify that all fields in the server access section of the Security tab in theServer document are set correctly. Pay special attention to the DenyAccess and Not Access Server fields to make sure they are configuredcorrectly.

➤ Ensure that the public keys in the server ID file and the public keymatch. Copy both keys to a separate text file and verify that they match.

➤ Check groups to verify that no spelling errors exist and that the usersare assigned to the correct groups. Verify that the group types are setcorrectly in the Group Type field on the Basics tab.

➤ Make sure there are no save and replication conflicts in the Directory.Open the Directory and check the main view pane to see if conflictshave occurred. If they have, validate which document is correct anddelete the incorrect document.

➤ You also should verify that the Server document is not corrupted by cre-ating a new version and using it instead of the original one. Make surethat you copy the server’s public key from the old document to the newone. Views in the Domino Directory also might need attention. Poorperformance or errors displaying the database are examples of corrupteddatabase views. Views can be rebuilt by issuing the following commandsat the Domino console or at the server prompt:Load updall names.nsf -r

➤ Fixup should be used if the database is in R4 or R5 format or greaterand if transaction logging is not enabled. The command to execute atthe server is Load fixup names.nsf.

21 0789729180 CH18 10/21/03 2:48 PM Page 410


➤ Entering Fixup -j using the -j switch is appropriate when transactionlogging is running on the server. The command to enter at the serverconsole is Load fixup names.nsf.

Finally, here are other techniques for troubleshooting Directory errors:

➤ Restore the Directory from a backup tape, or create a new replica copyand use it.

➤ Replace the design of the database with the PUBNAMES.NTF tem-plate file.

➤ If a passthru server is defined on the basics and the Security tab in theServer document, make sure there are no configuration errors.

Other Techniques for TroubleshootingServer Access ProblemsNot all server access problems are related specifically to Directory errors.Here are some other techniques for troubleshooting server access problems:

➤ Make sure that the server is using the correct server ID and that it isn’tcorrupted. Activity such as ID recertification, in which the ID isaccessed, can cause corruption. If you suspect that the ID is corrupt,take down the server, rename the server.id file, and restore it from avalid backup.

➤ Verify that the user’s certificates are valid and not expired and that theserver has all of the expected certificates installed.

➤ Verify that the server’s network connections are operational. Launch abrowser, perform a ping from the server, and so on.

Troubleshooting ConnectionProblemsConnection problems in the Domino environment can cause replication,routing, and access issues. These errors can manifest themselves as errorsindicating the system’s incapability to find routes to servers, mail deliveryerrors, or the failure of data to be updated in databases across the domain.System messages such as “TCP/IP host unknown” or “Remote system not

21 0789729180 CH18 10/21/03 2:48 PM Page 411

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18412

responding” might also be displayed in the Domino log. To troubleshootconnection issues, take the following steps:

➤ Verify that there are no save and replication errors on any Server docu-ment.

➤ Make sure that all Connection documents are in place. If a Connectiondocument is missing, create it and then retest to see if the problem hasbeen corrected.

Although it is true that using IP addresses in Connection documents allows theDomino infrastructure to operate properly, the most effective method is to use DNSentries. Using DNS entries allows for more consistent maintenance, in that a servercan be moved to a new network segment and the Domino server documents will notneed to be changed to reflect the new IP address.

➤ Verify that all settings for Connection documents are valid and thatthere are no spelling errors or incorrect network settings. Check theinformation on the Basics tab of the Server document, and make surethat all of the server and domain information is accurate.

➤ Test connections at the Domino console using the trace command.Using the trace command, you can execute a trace to a specific serverand optionally choose the port to use.

➤ If DNS names are being used instead of IP addresses, verify that theHost file on the server contains the correct IP addresses and that thereare no conflicts with the DNS table entries. Using OS tools such as pingmight also determine whether the communications paths are resolvingcorrectly.

Troubleshooting Data AccessControl ProblemsData access control problems can cause users as well as servers to be deniedaccess to a specific database, a server, or an entire domain. Administratorscan ensure that database access will be constant by making sure thatEnforce a Consistent Access Control List is selected on the database ACLAdvanced tab.

21 0789729180 CH18 10/21/03 2:48 PM Page 412


Administrators can get a complete view of all database ACLs by accessing theAccess Control List in the database catalog file, typically called CATALOG.NSF. The CATALOG.NSG database is populated by the CATALOG task.These three views are available:

➤ By Database—This is an alphabetical list of all databases in the domain,sorted by the actual filename on the server.

➤ By Level—This is a list of all databases, sorted by access level.

➤ By Name—This is a list of all valid ACLs on the system, sorted by eachspecific type.

Troubleshooting Database IssuesDatabase issues can occur if the database is not maintained properly.Database performance and data loss can be attributed to not performingregular database housekeeping tasks. Database usage and replication can betracked in the Domino log file, typically named LOG.NSF.

Domino has system tasks that can be scheduled at predefined times to ensurethat all databases are performing at an optimum level. Key system tasksinclude these:

➤ Update—The purpose of Update is to update a database’s view indexes.Update runs automatically when the server is started and continues torun while the server is up. Update waits about 15 minutes before pro-cessing the database so that all changes in the database are finishedprocessing. When the views are updated, it then searches the domain fordatabases set for immediate or scheduled hourly index updates. WhenUpdate finds a corrupted view or full-text index, it rebuilds the full-textindex and tries to solve the issue.

➤ Updall—Updall is useful for rebuilding corrupted views and full-textindex searches, as is Update. Updall has various options that can bedefined when launched by using a software switch. Updall is executed bydefault at 2:00 a.m. and, unlike Update, can be run manually. Deletion

Although enforcement of a consistent ACL does assist in maintaining ACL integrity,it’s not a complete solution. If a user replicates a copy of a database to his localmachine, group membership does not replicate along with the database. If the userthen wanted to share that replica with another user, the new user would not to be ableto access the database because group information would not be inherited. One otherthing to keep in mind is local replica security. Because a uniform ACL is not imposedon the database, a local replica should be encrypted to maintain security.

21 0789729180 CH18 10/21/03 2:48 PM Page 413

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18414

stubs are removed, and views that haven’t been used for 45 days aredeleted unless they are protected by the database designer. Setting theparameter Default_Index_Lifetime_Days in the Notes.ini file enables anadministrator to determine when Updall removes unused views.

➤ Fixup—Fixup is used to repair databases that were open when a serverfailure occurred. Fixup runs automatically when the server starts, but itcan also be run from the Domino Console, when necessary. Databasesare checked for data errors generated when a write command to thedatabase was issued and a failure occurred causing a corruption in thedatabase. When Fixup is running on a database, user access is denieduntil the job completes. Fixup should be run if Updall does not fix thedatabase errors.

➤ Compact—Compact can be used to recover space in a database after docu-ments are deleted. Deleting documents from a Domino database doesnot actually decrease the size of the database. A deletion stub is createdand the document is removed permanently when Compact is run, andthe size of the database is then reduced. Three types of compacting areavailable:

➤ In-place compacting with space recovery—Unused space is recovered,but the physical size of the database remains the same. Unlike withUpdate and Updall, access to the database is not denied while theCompact task is running. When Compact is launched withoutswitches or with a -b switch, in-place compacting with space recov-ery is the type of compacting used. The DBIID, or database instanceID (used to identify the database), remains the same. In-place com-pacting is used for databases that have the system configured to runtransaction logging.

Use In-place compacting when possible because it is the quickest and generates thesmallest amount of system activity.

➤ In-place compacting with space recovery and reduction in file size—Thisversion reduces the physical database size and recovers unusedspace, but it takes longer to complete. The DBIID is changed withthis Compact version. Running Compact without a software switchoption compacts databases not associated with transaction logging.

➤ Copy-style compacting—A copy is created, and when the compact iscomplete, the original database is deleted. Because of this, there

21 0789729180 CH18 10/21/03 2:48 PM Page 414


needs to be sufficient disk space available to make the copy of thedatabase, or an error will occur and the compact will not work.During this type of compacting, a new database is created and a newDBIID is assigned. Because a new database is actually being created,this option locks out all users and servers from editing the database.Access using this version of Compact for read only can be enabled ifthe -L switch is used at the time it is run.

Compact should be run on all databases at least weekly, if possible, but it should berun at a minimum of once a month using the format compact -B to minimize theamount of disk space. If Fixup does not correct a database problem, running Compactwith the switch of -c can attempt to correct the problem.

Databases should be monitored on a regular basis to make sure that they areperforming efficiently. Other possible solutions besides running these data-base utilities include the following:

➤ Move the database to another server in the domain, if necessary. Makesure that the server itself is tuned occasionally and running at peak effi-ciency. Defragment disk drives and run preventive maintenance tasks onthe server to foresee possible hardware problems. Also make sure thatbackups are scheduled to complete before nightly Domino server taskslaunch.

➤ Domino 6 database design provides a significant speed improvement. Ifpossible, upgrade the database to version 6 if it’s running as an earlierversion.

➤ Implement transaction-based logging, if the hardware configurationmakes it a possible solution, because this is very processor, memory, anddisk access intensive.

➤ Schedule nightly system tasks to complete before users access the systemat the start of a work day.

➤ Verify that a task such as Compact or Updall isn’t stuck on a database,expending system resources.

➤ Monitor database usage. A database used constantly by many usersmight need separate replicas on other servers in the domain, to makesure that access is not creating an unneeded system load.

➤ Examine the database design to see if any improvements can be madethat would allow it to perform better.

21 0789729180 CH18 10/21/03 2:48 PM Page 415

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18416

➤ Check the Database, Enhanced tab to see if any options can be enabledto improve performance.

➤ Create a replica of a database if Fixup, Update, and Updall don’t correctthe problem. If all else fails, restore the database from backup.

Troubleshooting WorkstationProblemsUsers might be experiencing problems even though the server and networksare working properly. Items to check when a workstation can’t access theDomino network include these:

➤ Verify that the workstation can access other network devices. Submit aping or trace route from the OS level to make sure that no networkissues need to be addressed.

➤ The user at the workstation might not have the privileges to access theserver. Verify that the user is using the correct ID file and that the serverthe user is attempting to access from the workstation is correct.

➤ Check Connection documents at the workstation to ensure that they areset up correctly. Verify that there are no spelling errors and that theserver information is correct.

➤ Make sure that the location selected at the workstation is correct.

➤ Verify that all certificates are in place and up-to-date.

➤ Check the account information in the workstation, and ensure that allaccount and port information is correct.

21 0789729180 CH18 10/21/03 2:48 PM Page 416


Exam Prep Questions

Question 1

What type of mail can users track?

❍ A. Mail for the entire domain

❍ B. Mail for only the users on their server

❍ C. Their own mail

❍ D. Mail for groups that they belong to

Answer C is correct. Although it is true that users and administrators cantrack mail, users can track only their own mail.

Question 2

What database does the Mail Tracker Collector use? Choose all that apply.

❍ A. TRACK.NSF

❍ B. POSTAL.NSF

❍ C. MSTORE.NSF

❍ D. DOMLOG.NSF

Answer C is correct. The tool that enables this to occur is the Mail TrackerCollector. The database used for this task is the MailTracker Store database,or MTSTORE.NSF.

Question 3

Which of the following is used to troubleshoot routing problems?

❍ A. Delivery Failure Reports

❍ B. Mail Store tracking views

❍ C. Server Address Book Dynamic Tracking reports

❍ D. Mail Routing tracking templates

Answer A is correct. Delivery Failure Reports are one of the tools availableto administrators to troubleshoot routing problems.

21 0789729180 CH18 10/21/03 2:48 PM Page 417

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18418

Question 4

Which of the following is true about Copy-style compacting? Choose all thatapply.

❑ A. A copy of the database is created.

❑ B. All replicas in the domain are backed up to the database store.

❑ C. The original database is deleted.

❑ D. NAMES.NSF updates the DBIID in the database store tracking view.

Answers A and C are correct. When Copy-style compacting is used, a copyis created. When the compact is complete, the original database is deleted.

Question 5

Which of the following is true about Updall? Choose all that apply.

❑ A. The Default run time is 2:00 a.m.

❑ B. It can be run at any time.

❑ C. It rebuilds corrupted views.

❑ D. It rebuilds full-text search indexes.

Answers A, B, C, and D are correct. Updall is executed by default at 2:00 a.m.and, unlike Update, can be run manually at any time. Its purpose is to rebuildcorrupted views and full-text search indexes.

Question 6

How often should Compact be run, at a minimum?

❍ A. Yearly

❍ B. Quarterly

❍ C. Weekly

❍ D. Monthly

Answer D is correct. Compact should be run on all databases weekly, if pos-sible, but it should be run, at a minimum, once a month.

21 0789729180 CH18 10/21/03 2:48 PM Page 418


Question 7

Which of the following is true about in-place compacting with space recovery?

❍ A. Access to the database is denied.

❍ B. The database ACL is changed to add anonymous access.

❍ C. Access to the database is not denied.

❍ D. Anonymous access is deleted during the copy process.

Answer C is correct. While in-place compacting with space recovery is run-ning, access to the database is not denied to the user.

Question 8

How can an administrator improve database performance on the server?

❍ A. Ensure that the cache is running only on the MSTORE.NSF database.

❍ B. Adjust the database cache.

❍ C. Delete the Names.nsf database.

❍ D. Increase the physical size of the server log.

Answer B is correct. Monitor the database cache and adjust it as necessary toimprove database performance.

Question 9

Which of the following is true about the Update task?

❍ A. It can be run at any time by any user.

❍ B. It runs only monthly.

❍ C. It runs automatically when the server starts.

❍ D. It checks disk space information and sends notifications when thespace is low.

Answer C is correct. Update runs automatically when the server is startedand continues to run while the server is up.

21 0789729180 CH18 10/21/03 2:48 PM Page 419

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 18420

Question 10

What database is useful when a complete view of all database ACLs in thedomain is needed?

❍ A. DOMLOG.NSF

❍ B. ACLVIEW.NSF

❍ C. CATALOG.NSF

❍ D. DATABASE ACLVIEW.NSF

Answer C is correct. Administrators can get a complete view of all databaseACLs by accessing the Access Control List in the database catalog file, typi-cally called CATALOG.NSF.

21 0789729180 CH18 10/21/03 2:48 PM Page 420




21 0789729180 CH18 10/21/03 2:48 PM Page 421

21 0789729180 CH18 10/21/03 2:48 PM Page 422

PART IVSample Exams

19 Practice Exam 620

20 Answer Key for 620





22 0789729180 Pt 4 10/21/03 2:43 PM Page 423

22 0789729180 Pt 4 10/21/03 2:43 PM Page 424

Practice Exam 620All Lotus Notes exams are difficult and require a broad working knowledgeof the subject, as indicated by the competencies for that exam. The examquestions are very rarely precise, and students should take note of the fol-lowing considerations when choosing an answer from the four choices:

➤ All choices can be correct. Choose the most precise.

➤ All choices can be incorrect. Choose the least incorrect.

➤ After choosing an answer, apply the answer back to the question. Theanswer must answer the question. This might sound redundant, butquite often, when applying what at first glance appears to be the correctanswer back to the question, you realize that the answer is not correctfor the question the way it is written.

➤ Questions and answers usually apply to the default behavior of Notes,not to workarounds or very advanced development, unless specified inthe question and answer.

➤ Look for similar questions or questions that relate to the same topic.Sometimes one question may provide hints for answering another ques-tion.

➤ Read all questions carefully because a word such as must or not can makea huge difference in the correct answer.

The following questions and answers are for Exam 620, “Notes Domino 6System Administration Operating Fundamentals.” The questions cover thefive core competencies required for this exam and are similar to the questionsyou will encounter when taking Domino exams. Each question has four pos-sible answers. Read each of the choices and choose the one that best answersthe question.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

19

23 0789729180 CH19 10/21/03 2:40 PM Page 425

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19426

Question 1

Eric has set a database quota of 50MB on the mail files for the users in his organ-ization. What could Eric do so that his users are informed when the size of theirmail file approaches the database quota?

❍ A. Set the Database Quota Warning to 45MB and enable Quota WarningNotifications.

❍ B. Set the Warning Threshold to 45MB and enable Over QuotaNotifications.

❍ C. Set the Warning Threshold to 45MB and enable Over WarningThreshold Notifications.

❍ D. This cannot be done because database quotas do not apply to mail files.

Question 2

Kevin has created a new welcome page for the users in his organization. He hasjust changed the default welcome page in the Desktop Policy Settings document.Patty is one of the users in this organization. When will the new welcome pagebecome effective for Patty?

❍ A. The next time she authenticates with her home server

❍ B. After the Policy task runs on her home server

❍ C. After her Notes ID has been recertified

❍ D. Immediately

Question 3

Marcia recently made a change to a scheduled Java agent. The agent is scheduled torun daily at 2:00 a.m. However, the agent will not run. What might be the problem?

❍ A. The Updall task is scheduled to run at 2:00 a.m., by default. Scheduledagents cannot run while this server task is running.

❍ B. Marcia’s name is included in the Run Unrestricted Methods andOperations field of the Server document. However, her name is notincluded in the Run Restricted LotusScript/Java Agents field.

❍ C. Marcia’s name is included in the Run Unrestricted Methods andOperations field of the Server document. However, the groupRunRestrictedAgents, of which she is a member, is included in the RunRestricted LotusScript/Java Agents field.

❍ D. Neither Marcia nor any group that she is a member of is included in theRun Restricted LotusScript/Java Agents field of the Server document.

23 0789729180 CH19 10/21/03 2:40 PM Page 426

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 427

Question 4

Design changes were recently made to a database on server East/Acme. Forthese design changes to replicate properly to the database replica on serverWest/Acme, what minimum access levels are required?

❍ A. The database replica on server East/Acme must give server West/Acmeat least Reader access, and the database replica on server West/Acmemust give server East/Acme at least Designer access.

❍ B. The database replica on server East/Acme must give server West/Acmeat least Designer access, and the database replica on serverWest/Acme must give server East/Acme at least Reader access.

❍ C. The database replica on server East/Acme must give server West/AcmeManager access, and the database replica on server West/Acme mustgive server East/Acme at least Designer access.

❍ D. The database replicas on both servers must have a minimum ofDesigner access.

Question 5

Network compression is possible for which of the following Notes/Domino con-nections?

❍ A. A connection between a Domino Release 5 server and a Notes Release6 client workstation

❍ B. A connection between a Domino Release 6 server and a Notes Release5 client workstation

❍ C. A connection between a Domino Release 6 server and another DominoRelease 6 server


23 0789729180 CH19 10/21/03 2:40 PM Page 427

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19428

Question 6

Which of the following is a true statement related to the Extended AccessControl List?

❍ A. The Extended ACL can be used to increase the level of access of theuser listed in the database ACL.

❍ B. The Extended ACL can be used to apply restrictions to the access thatthe database ACL allows a user.

❍ C. The Extended ACL is used to provide full-access administrators withaccess to all databases residing on a server.


Question 7

Kathy recently made some design changes to fix a problem with the Invoice.nsfdatabase on server East/Acme. She contacted Curtis, the Domino administrator,to request that these design changes be replicated to the database replica locat-ed on server West/Acme. These two servers are scheduled to replicate eachmorning at 5:00 a.m. What can Curtis do to replicate these changes as quicklyas possible?

❍ A. Design changes can be replicated only via scheduled replication. Thesechanges will be replicated at 5:00 a.m., during the next scheduledreplication.

❍ B. Update the Connection document for servers East/Acme to West/Acmeby changing the Replication Type to Immediate and enteringInvoice.nsf in the field Files/Directories to Replicate.

❍ C. From the East/Acme server console, force replication between serversEast/Acme and West/Acme by entering the command Pull West/AcmeInvoice.nsf.

❍ D. From the East/Acme server console, force replication between serversEast/Acme and West/Acme by entering the command Push West/AcmeInvoice.nsf.

23 0789729180 CH19 10/21/03 2:40 PM Page 428

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 429

Question 8

Tara is an administrator for the Acme Corporation. She can use the remote con-sole to execute the show tasks command for server East/Acme. However, shecannot execute the replicate command to initiate replication between serversEast/Acme and West/Acme. What might be Tara’s problem?

❍ A. She is listed as a view-only administrator in the Server document forEast/Acme.

❍ B. The Replicate task cannot be performed from the remote console.

❍ C. The replicate command is not a valid server command. The com-mands pull or push should have been used instead.

❍ D. She is listed in the Not Access Server field in the Server Access sec-tion of the Server document for East/Acme.

Question 9

Helena is listed as a full-access administrator for server East/Acme. What rightsdoes Helena have on this server?

❍ A. Manager access, with all roles and access privileges enabled, to alldatabases on the server, regardless of the database ACL settings

❍ B. The capability to create agents that run in unrestricted mode with fulladministration rights

❍ C. Access to all documents in all databases, regardless of Reader Namesfields


Question 10

Which of the following is the abbreviated format of the hierarchical name RandySmith/Purchasing/East/Acme?

❍ A. Randy Smith/Purchasing/East/Acme

❍ B. CN=Randy Smith/OU=Purchasing/OU=East/O=Acme

❍ C. */Purchasing/East/Acme

❍ D. Randy Smith

23 0789729180 CH19 10/21/03 2:40 PM Page 429

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19430

Question 11

In Notes/Domino, what do users and servers use to authenticate with one another?

❍ A. A passthru server

❍ B. Their public and private keys

❍ C. The Access Control List (ACL)

❍ D. The Extended Access Control List (xACL)

Question 12

Which method can be used to assign an explicit policy to a user?

❍ A. You can assign an explicit policy to a user by updating the Person doc-ument.

❍ B. You can assign an explicit policy to a user with the Assign Policy tool.

❍ C. You can assign an explicit policy to a user during user registration.

❍ D. All of the above.

Question 13

Carmen is listed in the Run Restricted LotusScript/Java Agents field of theServer document. However, she is not listed in the Run Unrestricted Methodsand Operations field. Which LotusScript features will Carmen be able to use inher agents that she runs on the server?

❍ A. She will not be able to run any LotusScript agents on the server.

❍ B. She will be able to run any LotusScript agents on the server, eventhose using restricted features.

❍ C. She will be able to run only LotusScript agents that do not use restrict-ed features.

❍ D. She will be able to run only LotusScript agents that access the file system.

23 0789729180 CH19 10/21/03 2:40 PM Page 430

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 431

Question 14

In a central directory architecture, where is the primary Domino Directorystored?

❍ A. On the Directory servers

❍ B. In the Configuration directory

❍ C. On every server in the domain

❍ D. In the Notes.ini of the administration server

Question 15

Which of the following is not a valid administrator type for a server?

❍ A. Full-access administrator

❍ B. Domain administrator

❍ C. System administrator

❍ D. Full remote console administrator

Question 16

A replica of the Payroll.nsf database on server East/Acme was recently createdon server West/Acme. Users have created new documents in both replicas.During scheduled replication, all of the new documents created on serverEast/Acme are successfully replicating to server West/Acme. However, only cer-tain document types from the replica on server West/Acme are replicating toserver East/Acme. What could be preventing the other documents from repli-cating?

❍ A. The documents that are not replicating have a Readers field. ServerWest/Acme is not included in the Readers field.

❍ B. The ACL for the database replica on server East/Acme has the entry forWest/Acme set to Reader access.

❍ C. The documents that are not replicating have a Readers field. ServerEast/Acme is not included in the Readers field.

❍ D. The ACL for the database replica on server West/Acme has the entryfor East/Acme set to Reader access.

23 0789729180 CH19 10/21/03 2:40 PM Page 431

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19432

Question 17

Lois has been asked to create a new group in the Domino Directory (names.nsf).What minimum ACL settings must she have in names.nsf to create this group?

❍ A. Manager access

❍ B. Editor access with the GroupCreator Role assigned

❍ C. Author access, the Create Documents privilege enabled, and theGroupCreator Role assigned

❍ D. Reader access, the Create Documents privilege enabled, and theGroupCreator Role assigned

Question 18

Kim is able to create new documents in the HelpDesk.nsf database. She canopen these documents from a view, but she cannot edit them. Why can she notedit the documents that she has created?

❍ A. She has Editor access in the ACL, but her name is in a Readers field inthe documents, preventing her from editing them.

❍ B. She has Author access in the ACL. Users with Author access in a data-base can never edit documents; they can only create new documents.

❍ C. She has Author access in the ACL with the Create Documents privilegeenabled. She also needs to have the Edit Documents privilege enabledfor her ACL entry.

❍ D. She has Author access in the ACL with the Create Documents privilegeenabled, but her name is not included in an Authors field in the docu-ments.

Question 19

Fran is in the ACL of the JobPosting.nsf database with an access level of NoAccess. However, she is a member of two groups that are also in the ACL. TheReviewer group has an access level of Reader, and the Approver group has anaccess level of Author. The default access to this database is Editor. What accesslevel will Fran have to this database?

❍ A. No Access

❍ B. Author

❍ C. Reader

❍ D. Editor

23 0789729180 CH19 10/21/03 2:40 PM Page 432

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 433

Question 20

Tom has set up name-and-password access and created Person documents forhis users who will be accessing Notes databases over the Internet. Under whatcircumstances will Domino authenticate these users?

❍ A. When they attempt to do something for which access is restricted

❍ B. When session-based authentication is enabled

❍ C. When anonymous access is not allowed on the server


Question 21

How are the policy settings that are related to a user resolved to determine theeffective policy for the user?

❍ A. If a user has any explicit policies assigned, they represent the effectivepolicy for the user and the organizational policy settings documentsare ignored.

❍ B. If organizational policies exist, they represent the effective policy for allusers and any explicit policy settings documents are ignored.

❍ C. Explicit policy settings are resolved first, followed by organizationalpolicy settings.

❍ D. Organizational policy settings are resolved first, followed by explicitpolicy settings.

Question 22

Which of the following is not a valid Policy Settings document?

❍ A. Registration Policy Settings document

❍ B. Administration Policy Settings document

❍ C. Desktop Policy Settings document

❍ D. Archive Policy Settings document

23 0789729180 CH19 10/21/03 2:40 PM Page 433

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19434

Question 23

In the hierarchical name CN=Randy Smith/O=Acme/C=US, what do each of thecomponents represent?

❍ A. Randy Smith is the common name component, Acme is the organiza-tion component, and US is the country component.

❍ B. Randy Smith is the corporate name component, Acme is the organiza-tion component, and US is the company component.

❍ C. Randy Smith is the common name component, Acme is the organiza-tion component, and US is the company component.

❍ D. Randy Smith is the corporate name component, Acme is theOrganizational Unit component, and US is the country component.

Question 24

Using a design template on her local machine, Nancy performed a RefreshDesign to the HelpDesk.nsf database located on server East/Acme. When willthe design changes take effect?

❍ A. Immediately.

❍ B. Never. A Refresh Design cannot be performed from a local designcopy.

❍ C. After the Designer task runs on server East/Acme.

❍ D. After the Replicator task runs on server East/Acme.

Question 25

When Jim registered the users in his organization, he set the password qualityscale to 4. For security reasons, he has decided to begin registering new userswith a password quality scale of 8 and wants to increase the password qualityscale to 8 for existing users. In addition, he wants to allow users to use the samepassword to log into both Notes and the Internet. How could Jim accomplishthis?

❍ A. Recertify the IDs of his existing users with a password quality scale of8, and enable the Synchronize Internet Password with Notes Passwordoption in the Person documents.

❍ B. Create a security policy settings document with the password qualityscale set to 8 and the Synchronize Internet Password with NotesPassword field set to Yes.

23 0789729180 CH19 10/21/03 2:40 PM Page 434

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 435

❍ C. Create a registration policy settings document with the password quali-ty scale set to 8 and the Synchronize Internet Password with NotesPassword field set to Yes.

❍ D. This cannot be done. After users have been registered, their passwordquality scales cannot be altered. Jim would have to reissue new IDs tothe existing users.

Question 26

Ron is receiving complaints from users accessing the HelpDesk.nsf databasefrom the Internet. They are able to open documents, but they cannot edit them.These same users can edit these documents when using the Notes Client. TheAnonymous ACL entry for this database is set to No Access, and the default ACLentry is set to Reader. Why might these users be unable to edit these documentsfrom the Internet?

❍ A. The Anonymous ACL entry controls access to the database for allInternet users. The access level for this entry should be set to Editor.

❍ B. The default ACL entry controls access to the database for all Internetusers. The access level for this entry should be set to Editor.

❍ C. The Maximum Internet Name and Password field in the ACL is set toReader. This field should be set to Editor.

❍ D. The Maximum Internet Name and Password field in the ACL is set toNo Access. This field should be set to Editor.

Question 27

What does the Certificate Revocation List (CRL) contain?

❍ A. A list of Notes IDs that have expired

❍ B. A list of server IDs that have expired

❍ C. The list of users in the Deny Access group

❍ D. A list of revoked Internet certificates

23 0789729180 CH19 10/21/03 2:40 PM Page 435

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19436

Question 28

Which of the following is not a valid delivery status for a mail-tracking request?

❍ A. Delivered

❍ B. Delivery pending

❍ C. Delivery failed

❍ D. In queue

Question 29

Marcia is setting up mail routing failover for a mail server, which is in a cluster.Which of the following is not an option in the Cluster Failover field?

❍ A. Disabled

❍ B. Enabled for All Transfers in This Domain

❍ C. Enabled for Last Hop Only

❍ D. Enabled for First Hop Only

Question 30

Which of the following is not a tool that Domino provides for monitoring mail?

❍ A. Message Tracking

❍ B. Mail Usage Reports

❍ C. Mail Probes

❍ D. Shared Mail

23 0789729180 CH19 10/21/03 2:40 PM Page 436

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 437

Question 31

Jessica has created an Archive Policy Settings document and assigned this pol-icy to the users in her organization. She has indicated that the archive databas-es should reside on the mail server. Jessica has also created an Archive CriteriaPolicy Settings document. However, users are not able to create their archivedatabases. What is most likely the problem?

❍ A. The users must be given Create access on the mail server to create anarchive database.

❍ B. Archive Policy Settings documents and Archive Criteria Policy Settingsdocuments are mutually exclusive. You cannot create an ArchiveCriteria Policy Settings documents if an Archive Policy Settings docu-ment already exists.

❍ C. A user’s mail archive database cannot reside on the same server asthat user’s mail database.

❍ D. Mail archive databases can be stored only on a user’s local drive.

Question 32

Where does Domino store mail usage reports?

❍ A. Domino Server Log database (log.nsf)

❍ B. Monitoring Results database (statrep.nsf)

❍ C. Reports database (reports.nsf)

❍ D. Mail Tracker Store database (mtstore.nsf)

Question 33

Kevin has assigned a secondary name server in the Location documents of theusers in his organization. Under which of the following circumstances will thesecondary name server be used?

❍ A. The user’s home server is down.

❍ B. The user’s home server is not running TCP/IP.

❍ C. The name of the user’s home server cannot be resolved over TCP/IP.


23 0789729180 CH19 10/21/03 2:40 PM Page 437

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19438

Question 34

Tara is using the Policy Synopsis tool to determine the effective policy for Pat,a user registered in her domain. Which of the following is a valid Report Typeselection in the Policy Synopsis tool?

❍ A. Summary Only

❍ B. Hierarchical

❍ C. Organizational

❍ D. Security

Question 35

During new user registration, which of the following pieces of information is notincluded in the document that is stored in the certification log?

❍ A. Name and license type

❍ B. Certification and expiration dates

❍ C. Name, license type, and ID number of the registration server

❍ D. Name, license type, and ID number of the certifier ID used to createthe user ID

Question 36

Rachel is listed in the ACL of the Appraisal.nsf database with the access level ofReader. She is also a member of the group Reviewers, which has an access levelof Author. The [ADMIN] access role has been assigned to the Reviewers group.An Authors field includes the [ADMIN] access role in each of the documents in thedatabase. What best describes the access that Rachel will have to this database?

❍ A. ACL access roles override individual ACL entries. She will have Authoraccess to the database and will be able to edit any document in thedatabase.

❍ B. ACL access roles override individual ACL entries. She will have Authoraccess to the database and will be able to edit only those documents inthe database that she has created.

❍ C. Individual ACL entries override group ACL entries. She will haveReader access to the database and will not be able to edit any of thedocuments.

❍ D. Group ACL entries override individual ACL entries. However, ACL accessroles cannot be used in Authors fields. She will have Author access tothe database but will not be able to edit any of the documents.

23 0789729180 CH19 10/21/03 2:40 PM Page 438

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 439

Question 37

Ron is considering setting up a cluster for the Domino Release 6 servers thatcontain his organization’s critical Lotus Notes applications. Which DominoRelease 6 server license type supports Domino clustering?

❍ A. Domino Application Server

❍ B. Domino Enterprise Server

❍ C. Domino Messaging Server


Question 38

Jeff is attempting to access the Payroll.nsf database from a Web browser. Theserver that Payroll.nsf resides on has been set up for anonymous access. TheAnonymous entry in the database ACL is set to Reader access level, and the default ACL entry has the access level set to Editor. Jeff is not listed in theACL as an individual entry, but he is a member of a group listed in the ACL withAuthor access. The Maximum Internet Name and Password property in theAdvanced ACL properties has been set to No Access. What level of access willJeff have for this database when using a Web browser?

❍ A. No Access

❍ B. Reader

❍ C. Author

❍ D. Editor

Question 39

Gretchen requires access to the Lotus Notes databases used by everyone in hercompany. She is also a Lotus Notes developer who must make design changesto several databases supported by her department. Whenever she creates a newversion of a database, she needs to sign all of the design elements in the data-base with a server ID. What Notes/Domino client software should be installedon her workstation?

❍ A. Notes client only

❍ B. Notes client and Domino Administrator client only

❍ C. Domino Designer client and Domino Administrator client only

❍ D. Notes client, Domino Designer client, and Domino Administrator client

23 0789729180 CH19 10/21/03 2:40 PM Page 439

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19440

Question 40

Jenny, a Lotus Notes developer for the Acme Company, is able to create newdatabases on server East/Acme. However, she is unable to create databasereplicas on this server. What would prevent her from creating database replicas?

❍ A. She is not listed in the Create Databases and Templates field in theServer Access section of the Server document.

❍ B. She is not listed in the Create New Replicas field in the Server Accesssection of the Server document.

❍ C. She does not have full-access administrator rights on the server. Onlyfull-access administrators can create database replicas on a server.

❍ D. She does not have database administrator rights on the server. Onlydatabase administrators can create database replicas on a server.

Question 41

The database Survey.nsf is no longer needed on server East/Acme. Of the fol-lowing, who would not be able to delete this database from the server?

❍ A. Anyone listed in the database ACL with an access level of Manager

❍ B. Anyone listed in the database ACL with an access level of Designer orabove

❍ C. Anyone with full-access administrator rights on the server, regardlessof access level in the database ACL

❍ D. Anyone with database administrator rights on the server, regardless ofaccess level in the database ACL

23 0789729180 CH19 10/21/03 2:40 PM Page 440

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 441

Question 42

The Products.nsf database on server West/Acme has the Anonymous ACL entryset to Reader access. The default ACL entry is set to Editor access. TheMaximum Internet Name and Password property in the Advanced ACL proper-ties has been set to Author access. Users receive an “Authorization failure” mes-sage when attempting to access this database from a Web browser. What is themost likely problem?

❍ A. The access level assigned to the default ACL entry cannot be greaterthan the Anonymous ACL entry.

❍ B. The access level assigned to the default ACL entry cannot be greaterthan the access level assigned to the Maximum Internet Name andPassword property.

❍ C. The access level assigned to the Maximum Internet Name andPassword property cannot be greater than the Anonymous ACL entry.

❍ D. Server West/Acme has not been set up to allow anonymous access.

Question 43

Dan is listed in the Access Server field in the Server Access section of the Serverdocument for East/Acme. He is also a member of a group that is listed in the NotAccess Server field. Dan’s name is listed as an individual ACL entry in thePayroll.nsf database with an access level of Reader. Will he be able to access thePayroll.nsf database on server East/Acme?

❍ A. Yes, because his individual entry in the Server Access section over-rides the group entry

❍ B. Yes, because the Access Server field overrides the Not Access Serverfield, regardless of whether a user is listed individually or as a memberof a group

❍ C. No, because the Not Access Server field overrides the Access Serverfield, regardless of whether a user is listed individually or as a memberof a group

❍ D. Yes, because a database ACL overrides the security settings on theServer document

23 0789729180 CH19 10/21/03 2:40 PM Page 441

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19442

Question 44

How are Server documents created in the Domino Directory?

❍ A. Server documents are created during the server registration process.

❍ B. After a server has been registered, the Server document must be man-ually created by the system administrator assigned to the server.

❍ C. After a server has been registered, the Server document must be man-ually created by the full-access administrator assigned to the server.

❍ D. A Server document is created when the Register [servername] com-mand is run from the server console.

Question 45

Mary has encrypted a mail message that she is sending to Andy. What bestdescribes how Mary and Andy’s public/private keys are used with Notes mailencryption?

❍ A. The mail message is encrypted with Andy’s private key and decryptedwith Andy’s public key.

❍ B. The mail message is encrypted with Andy’s public key and decryptedwith Andy’s private key.

❍ C. The mail message is encrypted with Mary’s private key and decryptedwith Mary’s public key.

❍ D. The mail message is encrypted with Mary’s public key and decryptedwith Andy’s private key.

Question 46

How many Connection documents are required to route mail between twoservers if the servers reside in different Notes Named Networks within the sameDomino domain?

❍ A. No Connection documents are required because the servers are in thesame Domino domain.

❍ B. One Connection document is required, but each of the servers must belisted in both the Source Server and Destination Server fields of theConnection document.

❍ C. Two Connection documents are required. A Connection document isrequired for each server so that mail routes in both directions.

❍ D. Four Connection documents are required. Two Connection documents arerequired for each server—one to send mail and another to receive mail.

23 0789729180 CH19 10/21/03 2:40 PM Page 442

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 620 443

Question 47

Kathy has set up server PASS1/Acme as a passthru server to enable access todatabases on servers APP1/Acme and APP2/Acme by remote users in herorganization. These users now can access databases on server APP1/Acme byconnecting to server PASS1/Acme. However, they cannot access the databasesresiding on server APP2/Acme. What should Kathy look for in the Server docu-ments for these servers?

❍ A. Ensure that these users are listed in the Access This Server field (byname, group, or wildcard entry) in the Passthru Use section of theServer document for APP2/Acme.

❍ B. Ensure that these users are listed in the Route Through field (by name,group, or wildcard entry) in the Passthru Use section of the Serverdocument for PASS1/Acme.

❍ C. Ensure that server APP2/Acme is listed in the Destinations Allowedfield in the Passthru Use section of the Server document forPASS1/Acme.


Question 48

Which of the following activities is not performed by Domino when you registera new server?

❍ A. A server ID is created for the new server and it is certified with the cer-tifier ID

❍ B. A Server document for the new server is created in the DominoDirectory

❍ C. Connection documents are created for the new server to all otherservers registered in the domain

❍ D. The new server name is added to the LocalDomainServers group in theDomino Directory

23 0789729180 CH19 10/21/03 2:40 PM Page 443

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 19444

Question 49

Sarah, a Domino administrator, wants to manually shut down and restart therouter on server West/Acme to troubleshoot server and messaging problems.Which commands would she enter at the console to do this?

❍ A. To shut down the router, she would enter tell router stop. To restartthe router, she would enter tell router restart.

❍ B. To shut down the router, she would enter tell router quit. To restart therouter, she would enter tell router restart.

❍ C. To shut down the router, she would enter tell router quit. To restart therouter, she would enter load router.

❍ D. To shut down the router, she would enter unload router. To restart therouter, she would enter load router.

Question 50

Matt is upgrading his Domino servers from Release 5 to Release 6. He is con-sidering migrating from a distributed directory architecture to a central directo-ry architecture. Which of the following statements is not true regarding theDomino Directory architecture in Release 6?

❍ A. In a central directory architecture, there can be only one Directoryserver within a domain.

❍ B. In a central directory architecture, the Domino Directory replica thatresides on a Directory server contains the entire contents of theDomino Directory.

❍ C. In a central directory architecture, a configuration directory is a selec-tive replica of the Domino Directory that contains only documentsused for Domino configuration.

❍ D. A central directory architecture and a distributed directory architecturecan be combined in a single domain.

23 0789729180 CH19 10/21/03 2:40 PM Page 444

Answer Key for 620. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

201. C

2. A

3. D

4. A

5. C

6. B

7. D

8. A

9. D

10. A

11. B

12. D

13. C

14. A

15. B

16. C

17. C

18. D

19. A

20. D

21. D

22. B

23. A

24. A

25. B

26. C

27. D

28. B

29. D

30. D

31. A

32. C

33. D

34. A

35. C

36. C

37. B

38. A

39. D

40. B

41. B

42. D

43. C

44. A

45. B

46. C

47. D

48. C

49. C

50. A

24 0789729180 CH20 10/21/03 2:44 PM Page 445

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20446

Question 1

Answer C is correct. The Warning Threshold should be set to a value thatallows users to take action to reduce the size of their mail file before it reach-es the database quota size. The Over Warning Threshold Notifications fieldin the Configurations Settings document must also be set to either PerMessage or Per Time Interval.

Answer A is incorrect because there are no such settings as Database QuotaWarning or Quota Warning Notifications.

Answer B is incorrect because enabling the Over Quota Notifications field inthe Configurations Settings document would only send a message to a userwho has exceeded the database quota (not the warning threshold).

Answer D is incorrect. Database quotas are often used for mail files.

Question 2

Answer A is correct. After the Desktop Policy Settings document has beenchanged, any changes to the settings become effective the next time usersauthenticate with their home server.

Answer B is incorrect because there is no such server task as Policy.

Answer C is incorrect. Desktop Policy Settings do not require recertificationof users.

Answer D is incorrect. When a change is made to the Desktop PolicySettings document, the change becomes effective for a user the next timethat user authenticates with his home server.

Question 3

Answer D is correct. To run agents on a server, the signer of the agent mustbe listed in either the Run Unrestricted Methods and Operations field or theRun Restricted LotusScript/Java Agents field.

Answer A is incorrect. When scheduling an agent to run on a server, there isno restriction for choosing a time outside of the execution of the Updallserver task.

Answer B is incorrect because the Run Unrestricted Methods andOperations field allows the users included in this field to run any agent.

24 0789729180 CH20 10/21/03 2:44 PM Page 446

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 447

Being a member of this field takes precedence over the Run RestrictedLotusScript/Java Agents field.

Answer C is incorrect because the Run Unrestricted Methods andOperations field takes precedence over the Run Restricted LotusScript/JavaAgents field. The Run Unrestricted Methods and Operations field allows theusers included in this field to run any agent, while the Run RestrictedLotusScript/Java Agents field allows the users included in this field to runonly LotusScript or Java agents that do not perform restricted operations(manipulation of system time, file I/O and operating system commands).

Question 4

Answer A is correct. To receive design changes from East/Acme (the sourceserver), the database replica on West/Acme (the destination server) must giveEast/Acme at least Designer access, and the database replica on East/Acmemust give West/Acme at least Reader access.

Answer B is incorrect. Although West/Acme could indeed access the designchanges on East/Acme with Designer access, if East/Acme had only Readeraccess to the database replica on West/Acme, it could not replicate thosedesign changes.

Answers C and D are incorrect. These access levels would be sufficient forreplicating the design changes. However, the question asked for the mini-mum access levels required.

Question 5

Answer C is correct. Network compression can be enabled between twoDomino Release 6 servers or a Domino Release 6 server and a Notes Release6 client workstation. For compression to work, the network ports on bothsides of the connection must be enabled.

Answer A is incorrect because network compression cannot be enabled forthe Domino Release 5 server.

Answer B is incorrect because network compression cannot be enabled forthe Notes Release 5 client workstation.

Answer D is incorrect because answers A and B are incorrect.

24 0789729180 CH20 10/21/03 2:44 PM Page 447

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20448

Question 6

Answer B is correct. An Extended ACL is used to restrict access to databaseobjects (documents, fields, and so on) that a user would otherwise have fromthe access level assigned in the database ACL.

Answer A is incorrect because you cannot use the Extended ACL to give auser a higher level of access to a database than the access level assigned in thedatabase ACL.

Answer C is incorrect. A full-access administrator does have access to all data-bases residing on the server. However, this administrator type is assigned inthe Server document, not via the Extended ACL for a database.

Answer D is incorrect because answers A and C are not correct.

Question 7

Answer D is correct. The most expedient way to replicate these changes is viaone-way (push) forced replication.

Answer A is incorrect because design changes can be replicated using eitherscheduled or forced replication.

Answer B is incorrect because there is no such replication type as Immediate.Also, a forced one-way replication would be the quickest method for repli-cating these changes.

Answer C is incorrect because this would only pull changes from the databasereplica on server West/Acme. The design changes made on the databasereplica on server East/Acme would not be replicated.

Question 8

Answer A is correct. View-only administrators can use the remote console toissue only a subset of server commands (those that provide system statusinformation, such as show tasks and show server).

Answer B is incorrect. The replicate server command can be executed fromthe remote console.

Answer C is incorrect because replicate is a valid server command.

Answer D is incorrect. If she was listed in the Not Access Server field, shewould not have been able to run the show tasks server command.

24 0789729180 CH20 10/21/03 2:44 PM Page 448

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 449

Question 9

Answer D is correct. A full-access administrator for a server has all of therights that are listed.

Question 10

Answer A is correct. The abbreviated format is the full hierarchical name,which includes each of its components, but without the component indica-tor. In this case, Acme is the organization, East is the first-levelOrganizational Unit, Purchasing is the second-level Organizational Unit,and Randy Smith is the common name.

Answer B is incorrect because this is the canonical format of the hierarchicalname. Note that the component indicators (CN=, OU=, and O=) are includ-ed with their respective components.

Answer C is incorrect because the abbreviated format for a specific hierar-chical name would not include the wildcard character (*). The wildcard for-mat is used in ACL entries to grant access to all users or servers of a specificorganization or organizational unit.

Answer D is incorrect because this is only the common name component ofthe hierarchical name.

Question 11

Answer B is correct. Notes/Domino authentication uses the public and pri-vate keys of the client and the server in a challenge/response interaction.

Answer A is incorrect because a passthru server is an intermediary server thatacts as a “stepping stone” to gain access to a destination server. When usinga passthru server, authentication still must take place between the client andthe server.

Answer C is incorrect because the ACL controls access to a database, not theserver.

Answer D is incorrect because the Extended ACL is used to further restrictaccess to users in specific databases.

24 0789729180 CH20 10/21/03 2:44 PM Page 449

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20450

Question 12

Answer D is correct. These are all methods that can be used to manuallyassign an explicit policy to a user.

Question 13

Answer C is correct. If the signer of the agent is not listed in the RunUnrestricted Methods and Operations field, LotusScript features that per-form restricted operations (manipulation of system time, file I/O, and oper-ating system commands) cannot be used when the agent is run on the server.

Answer A is incorrect because a LotusScript agent that does not perform anyrestricted operations can be run on the server if the signer of the agent is list-ed in the Run Restricted LotusScript/Java Agents field.

Answer B is incorrect because the signer of a LotusScript agent running ona server must be listed in the Run Unrestricted Methods and Operationsfield if the agent performs restricted operations.

Answer D is incorrect because a LotusScript agent that accesses the file sys-tem (a restricted operation) cannot be run on a server if the signer of theagent is not listed in the Run Unrestricted Methods and Operations field.

Question 14

Answer A is correct. The primary Domino Directory contains the entirecontents of the Domino Directory and is stored only on the directory serversin the domain.

Answer B is incorrect because the configuration directory is a selective repli-ca of the Domino Directory, containing only a subset of the documents inthe primary Domino Directory.

Answer C is incorrect because in a central directory architecture, only thedirectory servers have a replica of the primary Domino Directory. The otherservers have the configuration directory, which contains only a subset of thedocuments in the primary Domino Directory.

Answer D is incorrect because the primary Domino Directory is not aNotes.ini setting.

24 0789729180 CH20 10/21/03 2:44 PM Page 450

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 451

Question 15

Answer B is correct. The various administrator types for a server are assignedin the Administrators section on the Security tab of the Server document.Domain Administrator is not a valid administrator type.

Answers A, C, and D are incorrect because these are valid administratortypes.

Question 16

Answer C is correct. A Readers field in a document controls access to thatdocument. If a document contains a Readers field, a server must be listed inthe Readers field or that server will not have access to that document, regard-less of the access level assigned to the server in the database ACL. Withoutaccess to the document, the server cannot replicate the document.

Answer A is incorrect. All documents are replicating successfully from serv-er East/Acme to server West/Acme, meaning that server West/Acme must beincluded in any Readers fields on the documents.

Answers B and D are incorrect because at least some of the new documentsare being replicated successfully to both servers. During replication, thesource server could not add new documents to the destination server withonly Reader access in the database ACL.

Question 17

Answer C is correct. To create new groups in the Domino Directory(names.nsf), a user must have at least Editor access or Author access with theGroupCreator role.

Answers A and B are incorrect. Although either of these access levels wouldallow a user to create new groups, the question asked for the minimum accessrequired.

Answer D is incorrect because a user with Reader access in the ACL cannotcreate new documents.

24 0789729180 CH20 10/21/03 2:44 PM Page 451

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20452

Question 18

Answer D is correct. A user with Author access in the database ACL canopen and read any document shown in a view. With the Create Documentsprivilege enabled, the user can also create new documents. However, to edita document in the database, even if the user created it, the document musthave an Authors field and the user must be specified in the Authors field.

Answer A is incorrect because a user with Editor access in the database ACLcan edit any document shown in a view. A Readers field controls access to thedocument, not the capability to edit it.

Answer B is incorrect because if a user with Author access is specified in anAuthors field on the document, that user can edit the document, even if thedocument was not originally created by the user.

Answer C is incorrect because Edit Documents is not an optional ACL priv-ilege.

Question 19

Answer A is correct. An explicit ACL entry for a user always takes prece-dence over the default and group entries, even if these entries have a higheraccess level.

Answer B is incorrect. If a user is not listed explicitly in the ACL and is amember of more than one group listed in an ACL, the highest access level isused. However, the explicit entry takes precedence in this case.

Answer C is incorrect because the access level of the explicit ACL entry forthis user takes precedence.

Answer D is incorrect because the access level of the default ACL entry isused only if there is no explicit entry for the user and the user is not a mem-ber of any group listed in the ACL.

Question 20

Answer D is correct. These are all circumstances in which Domino willauthenticate a user accessing a Notes database over the Internet.

24 0789729180 CH20 10/21/03 2:44 PM Page 452

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 453

Question 21

Answer D is correct. An organizational policy automatically applies to allusers registered in a particular Organizational Unit. These settings areresolved first. An explicit policy assigns default settings to individual users orgroups. These settings are resolved after the organizational policy settings.

Answer A is incorrect. Organizational policy settings apply to all users regis-tered in a particular Organizational Unit. Explicit policy settings overridespecific settings for a user or group, but the organizational policy settings arenot ignored.

Answer B is incorrect. Organizational policy settings are applied first to usersregistered in a particular Organizational Unit. Explicit policy settingsassigned to the users then override specific settings.

Answer C is incorrect because organizational policy settings are resolvedfirst, followed by any explicit policy settings that are assigned.

Question 22

Answer B is correct. This is not a valid Policy Settings document. The validPolicy Settings documents are Registration, Setup, Desktop, Security, andArchive.

Answers A, C, and D are incorrect because these are all valid Policy Settingsdocuments.

Question 23

Answer A is correct. This is the canonical format of the hierarchical name.In the canonical format, each component of the hierarchical name includesthe component identifier, followed by the component name. The componentidentifiers are: CN=, representing the common name; OU=, representing anOrganizational Unit; O=, representing the organization; and C=, represent-ing the country.

Answers B, C, and D are incorrect because corporate name and company arenot valid hierarchical name components.

24 0789729180 CH20 10/21/03 2:44 PM Page 453

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20454

Question 24

Answer A is correct. Refresh Design is a manual process that immediatelyupdates the design of the database with modifications in the design template.

Answer B is incorrect because the Refresh Design process can be performedwith Local selected as the server in the Refresh Database Design dialog box.A design template with the correct template name must be stored on thelocal machine.

Answer C is incorrect because, in this case, the design of a specific databaseis being updated manually from a local design template, via the RefreshDesign process. The Designer server task, which runs at 1:00 a.m. by default,updates the design of all databases that inherit their designs from mastertemplates stored on the server.

Answer D is incorrect. The Replicator task replicates design changes toother replicas of the database, but when the design of a specific replica isrefreshed manually via Refresh Design, those changes take effect immedi-ately.

Question 25

Answer B is correct. The next time these users change their passwords, theywill be required to choose a password with a password quality scale rating of8 or higher, and their Notes passwords will be synchronized with theirInternet passwords.

Answer A is incorrect. Although recertifying these users with the higherpassword quality scale would accomplish part of his goal, there is noSynchronize Internet Password with Notes Password option in the Persondocument.

Answer C is incorrect because registration policy settings impact only userswho are being registered. The existing users would not be impacted.

Answer D is incorrect because the password quality scale rating for existingregistered users can be changed either by recertifying them or via securitypolicy settings.

24 0789729180 CH20 10/21/03 2:44 PM Page 454

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 455

Question 26

Answer C is correct. Because these users can edit documents when using aNotes Client but can only read documents when accessing the database fromthe Internet, the Maximum Internet Name and Password field in theAdvanced ACL properties must be set to Reader. Internet users accessing adatabase using name and password authentication will not receive an accesslevel higher than the access level selected in the Maximum Internet Nameand Password field.

Answers A and B are incorrect because Internet users accessing a databaseusing name and password authentication will receive the same level of accessto the database as they would when using a Notes Client (but no higher thanthe access level selected in the Maximum Internet Name and Password field).

Answer D is incorrect because if the Maximum Internet Name and Passwordfield was set to No Access, the Internet users would not have been able toaccess the database to read documents.

Question 27

Answer D is correct. A Certificate Revocation List is a time-stamped list ofrevoked Internet certificates.

Answers A and B are incorrect because a CRL does not list expired Notesuser/server IDs. It contains a list of Internet certificates that have beenrevoked.

Answer C is incorrect because Deny Access groups are used to control accessto servers by Notes and Internet clients. A CRL lists revoked Internet cer-tificates.

Question 28

Answer B is correct. Delivery Pending is not a valid delivery status that canbe reported on a mail-tracking request.

Answers A, C, and D are incorrect because these are all valid delivery status-es that can be reported on a mail-tracking request.

24 0789729180 CH20 10/21/03 2:44 PM Page 455

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20456

Question 29

Answer D is correct. Enabled for First Hop Only is not a valid option for theCluster Failover field.

Answers A, B, and C are incorrect because these are all valid options for theCluster Failover field.

Question 30

Answer D is correct. Shared mail is a space-saving feature, not a mail-monitoring tool. When shared mail is implemented, mail messages that areaddressed to multiple recipients store only a single copy of the message in ashared mail database.

Answers A, B, and C are incorrect because these are all tools that Dominoprovides for monitoring mail.

Question 31

Answer A is correct. If you allow private archiving, you must give the userCreate access on the destination server to create an archive database.

Answer B is incorrect because you create an Archive Criteria Policy Settingsdocument from within an Archive Policy Settings document. Both Archiveand Archive Criteria Policy Settings documents are used to set up mail filearchiving.

Answers C and D are incorrect. Mail archive databases are often stored onmail servers.

Question 32

Answer C is correct. Domino stores mail usage reports in the Reports data-base (reports.nsf).

Answers A and B are incorrect. Although these are databases used byDomino, they do not store the mail usage reports.

24 0789729180 CH20 10/21/03 2:44 PM Page 456

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 457

Answer D is incorrect. Domino uses the data stored in the Mail TrackingStore database (mtstore.nsf) to create mail usage reports. However, the actu-al mail usage reports are stored in the Reports database (reports.nsf).

Question 33

Answer D is correct. The secondary name server would be used under eachof these circumstances.

Question 34

Answer A is correct. The Report Type options available in the PolicySynopsis tool are Summary Only (the default) and Detailed.

Answers B, C, and D are incorrect because these are not valid report types inthe Policy Synopsis tool.

Question 35

Answer C is correct. When a new user is registered, the certification logstores the name, license type, and ID number of the certifier ID, not the reg-istration server.

Answers A, B, and D are incorrect. All of this information is stored in thecertification log document during new user registration.

Question 36

Answer C is correct. Individual ACL entries always override group ACLentries.

Answers A and B are incorrect because ACL access roles do not overrideACL entries.

Answer D is incorrect because group ACL entries do not override individualACL entries.

24 0789729180 CH20 10/21/03 2:44 PM Page 457

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20458

Question 37

Answer B is correct. The Domino Enterprise Server and Domino UtilityServer are the Domino Release 6 server license types that support Dominoclustering.

Answer A is incorrect because The Domino Application Server is a DominoRelease 5 server license type that does not support Domino clustering.

Answer C is incorrect. Although the Domino messaging server is a valid serv-er license type for Domino Release 6, this server type does not supportDomino clustering.

Answer D is incorrect because answers A and C are incorrect.

Question 38

Answer A is correct. Internet users accessing this database cannot have anaccess level higher than the level assigned in the Maximum Internet Nameand Password property.

Answers B, C, and D are incorrect. For Internet users, the access levelassigned in the Maximum Internet Name and Password property overridesthe access levels for the ACL entries.

Question 39

Answer D is correct. She will need all three clients installed on her worksta-tion to perform all of these tasks.

Answers A, B, and C are incorrect. She could not perform all of the tasks list-ed unless all three clients were installed.

Question 40

Answer B is correct. The user must be listed in the Create New Replicas field(by individual, group, or wildcard) for that user to create database replicas onthe server.

Answer A is incorrect because the Create Databases and Templates field controlswho can create new copies of databases and templates. To create a new replicaof a database, she would need to be listed in the Create New Replicas field.

24 0789729180 CH20 10/21/03 2:44 PM Page 458

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 459

Answers C and D are incorrect. Although these administrator levels haverights to create new database replicas on the server, users listed in the CreateNew Replicas field also can create database replicas.

Question 41

Answer B is correct. Users with Designer access or below in the databaseACL cannot delete the database.

Answers A, C, and D are incorrect. Users with an access level of Manager ina database ACL can delete the database from the server. Full-access admin-istrators and database administrators for a server also have rights to deleteany database on the server.

Question 42

Answer D is correct. If the settings in the Server document do not allowanonymous access to the server, users attempting to access the databaseanonymously via a Web browser will receive an “Authorization failure” mes-sage.

Answers A, B, and C are incorrect because these ACL entries and propertieshave no restrictions for assigning access levels greater than or less than oneanother.

Question 43

Answer C is correct. If a user is listed in the Not Access Server field (by indi-vidual, group, or wildcard), the user will not be able to access the server. TheNot Access Server field takes precedence over the Access Server field in theServer document as well as the database ACL.

Answers A and B are incorrect. The Not Access Server field always takesprecedence over the Access Server field, regardless of whether the name isincluded as an individual, group, or wildcard.

Answer D is incorrect. When attempting to access a database, a user mustfirst authenticate with the server that the database resides on. If the user isdenied access to the server, there is no need to check the database ACL.

24 0789729180 CH20 10/21/03 2:44 PM Page 459

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 20460

Question 44

Answer A is correct. During the server registration process, a Server docu-ment is created for the server and placed in the Domino Directory.

Answers B and C are incorrect because Server documents are automaticallycreated and placed in the Domino Directory during the server registrationprocess.

Answer D is incorrect because Register is not a valid console command.

Question 45

Answer B is correct. The sender of an encrypted mail message uses the pub-lic keys of the recipients to encrypt the message. The recipients then decryptthe message with their own private key, which is stored in their Notes ID.

Answers A and C are incorrect because private keys are used for decryptingmail messages, not for encrypting them.

Answer D is incorrect because the public key of the recipient (Andy) is usedto encrypt the mail message, not the public key of the sender (Mary).

Question 46

Answer C is correct. A Connection document for each server is required forrouting mail in both directions between these two servers.

Answer A is incorrect because these servers reside in different Notes NamedNetworks. If these server were in the same Notes Named Network, noConnection documents would be required.

Answer B is incorrect because the Source Server and Destination Serverfields can contain only one server entry each. They are not multivalue fields.

Answer D is incorrect because only one Connection document for each serv-er is required to route mail in both directions between the two servers.

Question 47

Answer D is correct. These are all settings that could impact access to theseservers.

24 0789729180 CH20 10/21/03 2:44 PM Page 460

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 620 461

Question 48

Answer C is correct. Connection documents to other servers in the domainmust be created after the new server has been registered.

Answers A, B, and D are incorrect because Domino performs all of thesetasks during the server registration process.

Question 49

Answer C is correct. The console command tell router quit disables mailrouting on the server. The console command load router starts the Routertask and begins routing and delivering mail.

Answers A, B, and D are incorrect because the commands tell router stop,tell router restart, and unload router are not valid console commands.

Question 50

Answer A is correct. Although it is entirely possible for a domain using thecentral directory architecture to have only one directory server, this is notthe typical implementation. In fact, for failover reasons, at least one otherserver in the domain should store a primary Domino Directory.

Answers B, C, and D are incorrect. A central directory architecture includesone or more directory servers that contain a full replica of the primaryDomino Directory. Other servers in the domain have a configuration direc-tory. This is a selective replica of the Domino Directory that contains onlydocuments used for Domino configuration. A single domain can use a hybriddirectory architecture, with some servers using the central directory modelwhile other servers use the distributed directory architecture.

24 0789729180 CH20 10/21/03 2:44 PM Page 461

24 0789729180 CH20 10/21/03 2:44 PM Page 462

Practice Exam 621. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

21

25 0789729180 CH21 10/21/03 2:36 PM Page 463

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21464

Question 1

Multiuser installation is available for which of the following clients?

❍ A. Notes Client

❍ B. Domino Designer Client

❍ C. Domino Administrator Client


Question 2

Which of the following is not a true statement about streaming replication?

❍ A. Documents are replicated by their size, in ascending order.

❍ B. During replication, Notes Client users can begin working with docu-ments as soon as they appear, even if the database hasn’t finishedreplicating.

❍ C. Streaming replication works only for Lotus Notes/Domino Release 6clients and servers.

❍ D. Streaming replication works only for server-to-server replication, notfor client-to-server replication.

Question 3

Which of the following is not a true statement about clustering Domino servers?

❍ A. All servers in the cluster must use TCP/IP and be on the same NotesNamed Network.

❍ B. All servers in the cluster must be in the same Domino domain andshare a common Domino Directory.

❍ C. A server can be a member of multiple clusters.

❍ D. Each server in the cluster must have a hierarchical server ID.

25 0789729180 CH21 10/21/03 2:36 PM Page 464

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 465

Question 4

In the event of a server crash or media failure, Lori would like to be able torecover the Payroll.nsf database on server East/Acme as quickly as possible.She would also like to be able to recover updates to the Assignments view ofthis database. What would Lori do to accomplish this?

❍ A. Enable transaction logging in the database properties for Payroll.nsf

❍ B. Enable view logging in the Server document for server East/Acme

❍ C. Enable transaction logging in the Server document for serverEast/Acme and enable the setting Include Updates in Transaction Login the Assignments view properties for Payroll.nsf

❍ D. Enable transaction logging in the Server document for serverEast/Acme and enable the setting Include Updates in Transaction Login the database properties for Payroll.nsf

Question 5

Lynda, a Domino Administrator, would like to issue server and client certificatesusing Domino Certificate Authority (CA) with a CA key ring. What does she needfor issuing certificates in this manner?

❍ A. Access to the CA key ring file and the password for the CA key ring. Inthe ACL for the Domino Certificate Authority database, she needsEditor access with the Delete Documents privilege and the[CAPrivlegedUser] role assigned.

❍ B. Access to the CA key ring file and the password for the server or clientthat the certificate is being issued for. In the ACL for the DominoCertificate Authority database, she needs Editor access with the DeleteDocuments privilege and the [CAPrivlegedUser] role assigned.

❍ C. Access to the CA key ring file and the password for the CA key ring. Inthe ACL for the Domino Certificate Authority database, she needsDepositor access with the Create Documents privilege and the[CAPrivlegedUser] role assigned.

❍ D. Access to the CA key ring file and the password for the CA key ring. Inthe ACL for the Domino Directory database, she needs Editor accesswith the Delete Documents privilege and the [CAPrivlegedUser] roleassigned.

25 0789729180 CH21 10/21/03 2:36 PM Page 465

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21466

Question 6

Gene has been receiving complaints from users about performance for some ofthe larger databases on server West/Acme. He is considering enabling databaseproperties to optimize database performance. Which of the following is not adatabase property that can be used to optimize database performance?

❍ A. Don’t Maintain Unread Marks

❍ B. Show Response Documents in a Hierarchy

❍ C. Maintain LastAccessed Property

❍ D. Don’t Allow Headline Monitoring

Question 7

Which of the following is a potential benefit of creating an additional MAIL.BOXdatabase on a Domino Mail Server?

❍ A. Creating an additional MAIL.BOX database might eliminate many of theaccess conflicts that could otherwise occur when using only oneMAIL.BOX database.

❍ B. Creating an additional MAIL.BOX database might result in a large per-formance improvement compared to using only one MAIL.BOX data-base.

❍ C. In the event of corruption of a MAIL.BOX database, having an addition-al MAIL.BOX database provides for failover.


Question 8

Where does Domino store server mail rules?

❍ A. In the Server document

❍ B. In the Notes.ini file

❍ C. In the Configuration Settings document

❍ D. In the Security Policy Settings document

25 0789729180 CH21 10/21/03 2:36 PM Page 466

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 467

Question 9

Amanda, a Notes application developer, made several design changes in adesign template for the HelpDesk.nsf database. She has submitted the designtemplate to Peter, the Domino Administrator, for implementation on a produc-tion Domino server. After performing a Refresh Design using the design tem-plate, Peter notices that all of the design changes were made to theHelpDesk.nsf database on the production server, except for a new view that wasbeing added. Which of the following circumstances could have prevented thenew view from being added?

❍ A. The replication settings for the database have the view excluded.

❍ B. Amanda created the new view as a private view rather than a sharedview.

❍ C. Manager access is required to perform a Refresh Design. Peter did nothave Manager access to the database.

❍ D. Designer access or above is required to perform a Refresh Design.Peter did not have at least Designer access to the database.

Question 10

Domino stores certain information in a certifier ID file that is set up for IDRecovery. Which of the following would not be stored in the certifier ID file?

❍ A. The names of administrators who are allowed to recover IDs

❍ B. The number of administrators required to unlock an ID file

❍ C. The private keys of users who have mailed in encrypted backup copiesof their ID files

❍ D. The mail-in database address where users send encrypted backupcopies of their ID files

Question 11

Leanne has been assigned the administration level of View-Only Administratorfor server East/Acme. Which of the following server commands could she issuefrom the remote console?

❍ A. Show Server

❍ B. Restart Server

❍ C. Start Port

❍ D. Stop Port

25 0789729180 CH21 10/21/03 2:36 PM Page 467

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21468

Question 12

Which of the following is a benefit of Transaction Logging?

❍ A. Quicker recovery from server crashes and media failures

❍ B. Increased database performance

❍ C. Increased server performance


Question 13

Which of the following is not a true statement related to cluster failover?

❍ A. Cluster failover will work for Notes clients running Release 4.5 or later.

❍ B. Cluster failover will work only for Notes clients and Domino serversrunning Release 6.

❍ C. Cluster failover will work for a Notes Release 5 client accessing a data-base on a Domino Release 6 server.

❍ D. When a server that belongs to a cluster is not responding, the ClusterManager determines the most available server containing a replica ofthe database being accessed.

Question 14

Colleen was recently promoted to a supervisor position in her department andnow needs the capability to update documents in the JobPosting.nsf databaseand gain access to several restricted views. She has submitted a request to haveher access to the database changed to the same access level as that of the othersupervisors in her department, who are members of the DeptSupervisorsgroup. Colleen is currently listed in the database ACL individually with Readeraccess and no access role assignments. The DeptSupervisors group is listed inthe ACL with Editor access and is assigned to the Approver access role that con-trols access to the restricted views in the database. What can be done to giveColleen the same level of access to this database as the other supervisors in herdepartment?

❍ A. Assign the Approver access role to her individual ACL entry

❍ B. Change the access level of her individual ACL entry to Editor

❍ C. Add her name to the DeptSupervisors group

❍ D. Add her name to the DeptSupervisors group and remove her individualACL entry

25 0789729180 CH21 10/21/03 2:36 PM Page 468

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 469

Question 15

Mike has set up cross-domain configuration documents to enable an adminis-tration server in the ACME1 domain to import and export administrationrequests to and from an administration server in the ACME2 domain. Which ofthe following administration tasks cannot be performed via cross-domain pro-cessing?

❍ A. Delete a person in the Domino Directory

❍ B. Rename a person in the Domino Directory

❍ C. Add a server in the Domino Directory

❍ D. Delete a server in the Domino Directory

Question 16

Which of the following is not a true statement about LZ1 (Lempel-Zev class 1)compression?

❍ A. The LZ1 algorithm is used for compressing attachments in NotesDomino 6.

❍ B. The Huffman algorithm is a quicker and more efficient compressionmethod than the LZ1 algorithm.

❍ C. When using a Notes/Domino 6 client with a Domino 5 server, attach-ments are automatically recompressed on the server using theHuffman algorithm.

❍ D. LZ1 compression is enabled and disabled in the Advanced tab ofDatabase Properties.

Question 17

Sandy wants to use License Tracking to monitor the number of active Notesusers in the ACME domain. What information does the administration processupdate in the UserLicenses.nsf database when License Tracking is enabled?

❍ A. For a new user, a User License document is created in the database.

❍ B. For users with existing User License documents, their documents areupdated with the new time and date they accessed a server within thedomain.

❍ C. For a user who has not accessed any server in the domain for one fullyear, the User License document for that user is deleted from the data-base.


25 0789729180 CH21 10/21/03 2:36 PM Page 469

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21470

Question 18

Several of the views for the database JobPosting.nsf appear to be corrupt in thedatabase replica residing on server East/Acme. These same views look fine inthe database replica residing on server West/Acme. Which of the followingwould not be a recommended approach for attempting to fix the corruption inthis database?

❍ A. Delete the database from the server East/Acme and create a new copyof the database from the database replica on the server West/Acme

❍ B. Delete the database from the server East/Acme and create a new repli-ca of the database from the database replica on the server West/Acme

❍ C. Run UPDALL and FIXUP on the database replica on the serverEast/Acme

❍ D. Press Ctrl+Shift+F9 to rebuild all of the views in the database replicaon the server East/Acme

Question 19

What is the ICL database used for in the CA Process?

❍ A. For tracking Internet certificates revoked by a certifier using the CAProcess

❍ B. For tracking Internet and Notes certificates issued by a certifier usingthe CA Process

❍ C. For tracking only Internet certificates issued by a certifier using the CAProcess

❍ D. For tracking only Notes certificates issued by a certifier using the CAProcess

Question 20

Which of the following is not a valid client software installation method/type forLotus Notes/Domino?

❍ A. Single-user client installation

❍ B. Multiuser installation

❍ C. Shared installation

❍ D. Single Copy Template installation

25 0789729180 CH21 10/21/03 2:36 PM Page 470

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 471

Question 21

Ron has learned that Web users are not being required to authenticate whenaccessing documents in the Payroll.nsf database on server East/Acme. Theaccess level for the default ACL entry is set to Editor. What could he do to ensurethat Web users are authenticated before accessing this database?

❍ A. Set the access level of the default ACL entry to Authenticate

❍ B. Add the entry Anonymous to the database ACL with an access level ofAuthenticate

❍ C. Add the entry Anonymous to the database ACL with an access level ofNo Access

❍ D. Add the entry Anonymous to the database ACL with an access level ofEditor

Question 22

Who can set quotas for databases on a server?

❍ A. Those assigned as a Quota Administrator in the Server document

❍ B. Those assigned as a Database Administrator in the Server document

❍ C. Those assigned the access level of Administrator in the database ACLs


Question 23

Helena would like to restrict access to certain documents in the Payroll.nsf data-base so that only members of the DeptManagers group can access those doc-uments. Which of the following is the best solution for accomplishing this?

❍ A. Add a Readers field to the restricted documents and include theDeptManagers group in the Readers field.

❍ B. Add an Authors field to the restricted documents and include theDeptManagers group in the Authors field.

❍ C. Give the DeptManagers group Editor access in the database ACL, andchange the access level of all other entries in the database ACL to NoAccess.

❍ D. In each of the views that display the restricted documents, create aview access list in View Properties and include the DeptManagersgroup in the view access list.

25 0789729180 CH21 10/21/03 2:36 PM Page 471

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21472

Question 24

Charlie, a Domino Administrator, has been asked by management to create anddeploy a new corporate welcome page as the default welcome page for theNotes users in his organization. He also wants to prevent Notes users fromselecting or creating a different welcome page than the default welcome pagethat he is deploying. Charlie has finished creating the new welcome page on alocal welcome page database. What additional steps must he perform?

❍ A. Copy the welcome page database to a server. In the desktop policy set-tings document(s) assigned to the organizational/explicit policies, cre-ate a database link to this welcome page database in the CorporateWelcome Pages database field. In the Home Page Selection field,enable the option Do Not Allow Users to Change Their Home Page.

❍ B. In the desktop policy settings document(s) assigned to the organiza-tional/explicit policies, create a database link to the local welcome pagedatabase in the Corporate Welcome Pages database field. In the HomePage Selection field, enable the option Do Not Allow Users to ChangeTheir Home Page.

❍ C. Copy the welcome page database to a server. In theorganizational/explicit policy document(s), create a database link tothis welcome page database in the Corporate Welcome Pages databasefield. In the Home Page Selection field, enable the option Do Not AllowUsers to Change Their Home Page.

❍ D. In the organizational/explicit policy documents, create a database linkto the local welcome page database in the Corporate Welcome Pagesdatabase field. In the Home Page Selection field, enable the option DoNot Allow Users to Change Their Home Page.

Question 25

Which of the following is a true statement about access roles in a database ACL?

❍ A. Roles can be assigned to ACL entries to increase the level of access tospecific forms, views, documents, and so on.

❍ B. Roles can be assigned to ACL entries to allow access to specificforms, views, documents, and so on.

❍ C. A user must have an access level of Designer or above in the databaseACL to be able to assign an access role to an ACL entry.

❍ D. ACL access roles do not work for users accessing the database from aWeb browser.

25 0789729180 CH21 10/21/03 2:36 PM Page 472

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 473

Question 26

Steve, a supervisor in the Marketing department, would like to set up his Notescalendar to display calendar entry types in different colors. Which of the follow-ing is not a requirement for changing calendar entry types to display in differentcolors?

❍ A. He must be connected to his mail server.

❍ B. His mail server must be a Domino 6 server.

❍ C. He must be using a Notes 6 client.

❍ D. He must be using a Domino Designer 6 client to make this designchange.

Question 27

Which of the following is not a true statement about the Domino Console?

❍ A. The Domino Console is a Java-based console.

❍ B. When you start a Server Controller, the Domino Console starts bydefault.

❍ C. The Domino Console can be used to open and manage Notes databases.

❍ D. Commands can be sent to multiple servers using the Domino Console.

Question 28

Patty created an organizational policy for the users in the Sales/AcmeOrganizational Unit. She would like to assign an explicit policy to Randy, a tem-porary contractor whom she recently registered in Sales/Acme. Which of thefollowing methods can Patty use to assign the explicit policy?

❍ A. Add the explicit policy to Randy’s Person document

❍ B. Use the Policy Synopsis tool to assign the explicit policy to Randy

❍ C. Add the explicit policy to Randy’s Notes.ini file


25 0789729180 CH21 10/21/03 2:36 PM Page 473

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21474

Question 29

Which of the following is a true statement about network compression?

❍ A. Network compression can be enabled only on Domino Release 5 andDomino Release 6 servers.

❍ B. Network compression works only for data transmitted between twoDomino Release 6 servers.

❍ C. Network compression is enabled in Advanced Database Properties fora database.

❍ D. Network compression does not compress encrypted data.

Question 30

The HelpDesk.nsf database was added to the server West/Acme, and a replicaof this database was added to the server East/Acme. The database replica on theserver West/Acme has an ACL entry for East/Acme with an access level ofDesigner. The database replica on the server East/Acme has an ACL entry forWest/Acme with an access level of Editor. During scheduled pull-pull replication,what information will be replicated between these database replicas?

❍ A. Nothing will be replicated. Schedule replication requires that a serverhave an access level of Manager in the ACL of the database it is repli-cating with.

❍ B. During scheduled replication, all changes (documents, design, andACL) are replicated, regardless of the ACL access levels assigned tothe servers.

❍ C. Documents will replicate to and from replicas on both servers. No ACLchanges will be replicated. Design changes will replicate from the serv-er East/Acme to West/Acme, but not from the server West/Acme toEast/Acme.

❍ D. Documents will replicate to and from replicas on both servers. No ACLchanges will be replicated. Design changes will replicate from the serv-er West/Acme to East/Acme, but not from the server East/Acme toWest/Acme.

Question 31

Sharon is trying to determine why a document is not replicating. She has foundthe reference to the document in the log file. Which of the following tools couldSharon use to locate and review the document properties for this document?

25 0789729180 CH21 10/21/03 2:37 PM Page 474

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 475

❍ A. Use the Design Synopsis tool in the Domino Administrator client tosearch for the document by Universal Note ID (UNID)

❍ B. Use the Find Note tool in the Domino Administrator client to search forthe document by Note ID

❍ C. Use the Design Synopsis tool in the Notes client to search for the doc-ument by Note ID

❍ D. Use the Design Synopsis tool in the Notes client to search for the doc-ument by Universal Note ID (UNID)

Question 32

Kevin, a Domino Administrator, has noticed that the mail files on the serverEast/Acme have become quite large. Which of the following might Kevin con-sider for managing the size of his users’ mail files?

❍ A. Set up Shared Mail on server East/Acme

❍ B. Create an Archive policy settings document and assign the policy tomail users

❍ C. Set up a mail file quota for the mail files on the server East/Acme


Question 33

Eric has just created the new Payroll.nsf database on the server East/Acme. Hewould like to ensure that the ACL for this database remains identical on all repli-cas. What can Eric do to accomplish this?

❍ A. Enable the Advanced ACL property Enforce a Consistent AccessControl List Across All Replicas of This Database for the Payroll.nsfdatabase on the server East/Acme

❍ B. In the Security Setting section of the Server document for the serverEast/Acme, add Payroll.nsf to the field Enforce a Consistent AccessControl List Across All Replicas

❍ C. In the Replication section of the Server document for the serverEast/Acme, add Payroll.nsf to the field Enforce a Consistent AccessControl List Across All Replicas

❍ D. In the Replication section of the Configuration Settings document forthe server East/Acme, add Payroll.nsf to the field Enforce a ConsistentAccess Control List Across All Replicas

25 0789729180 CH21 10/21/03 2:37 PM Page 475

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21476

Question 34

Which Domino server type does not support partitioned servers?

❍ A. Domino Utility Server

❍ B. Domino Messaging Server

❍ C. Domino Enterprise Server

❍ D. Domino Application Server

Question 35

Marcia, a Notes Developer, is designing the Request form in the HelpDesk.nsfdatabase on server East/Acme. This form will contain fields that will connect toan external relational database. What steps must she first perform to connectthese fields to the external database?

❍ A. Create a Data Source Resource on server East/Acme. Create a DataConnection Resource in the HelpDesk.nsf database. Enable the proper-ty Allow Connections to External Databases Using DCRs in the data-base properties for HelpDesk.nsf.

❍ B. Create a Data Connection Resource in the HelpDesk.nsf database.Enable the property Allow Connections to External Databases UsingDCRs in the database properties for HelpDesk.nsf.

❍ C. Create a Data Source Resource in the HelpDesk.nsf database. Enablethe property Allow Connections to External Databases Using DCRs inthe database properties for HelpDesk.nsf.

❍ D. Create a Data Source Resource on the server East/Acme. Create a DataConnection Resource in the HelpDesk.nsf database. Enable the proper-ty Allow Connections to External Databases Using DCRs in the formproperties for the Request form.

Question 36

What are the valid server commands for forced replication?

❍ A. Pull-push, push-only, and pull-only

❍ B. Pull-push, pull-pull, pull-only, and push-only

❍ C. Replicate, pull, and push

❍ D. Replicate, pull-push, push-only, and pull-only

25 0789729180 CH21 10/21/03 2:37 PM Page 476

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 477

Question 37

Tara, a Notes Developer with Designer access in the JobReview.nsf database,has changed the Appraisal form in this database by adding a Readers field withthe computed value [Review]. However, she intended for the value in theReaders field to be [Reviewer] for the [Reviewer] access role. Now whenAppraisal documents are saved in this database, users no longer have access tothe documents. Tara has created an agent to correct the Readers field, but shedoes not have access to these documents, either. The Readers field in thesedocuments must be corrected. How can this be accomplished?

❍ A. Tara could change her access level to Manager. This will allow her toaccess all the documents in the database, regardless of Readers fields.

❍ B. Tara must contact an administrator with Full Access Administration tothe server that this database resides on and have this person run theagent.

❍ C. Tara must correct the Appraisal form design by changing the comput-ed value of the Readers field to [Reviewer]. This will correct the prob-lem without having to run the agent.

❍ D. All of these methods could be used to gain access to the documents toresolve the problem.

Question 38

Which of the following is not included in the ID file for a Notes user?

❍ A. The owner’s name

❍ B. A private key

❍ C. A Notes certificate

❍ D. The location of the user’s mail file

25 0789729180 CH21 10/21/03 2:37 PM Page 477

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21478

Question 39

Kim has been informed by the users of the Orders.nsf database that documentsdeleted from the database replica on the server East/Acme have been reappear-ing. She has noticed that these documents seem to reappear after replicatingwith the database replica on the server West/Acme. What might be causingthese documents to reappear?

❍ A. The purge interval settings for the database replica on the serverEast/Acme are causing the deletion stubs to be removed before repli-cation with the database replica on the server West/Acme.

❍ B. The replication setting Temporarily Disable Replication has beenenabled for the database replica on the server East/Acme.

❍ C. The replication setting Temporarily Disable Replication has beenenabled for the database replica on the server West/Acme.

❍ D. The replication setting Do Not Send Deletions Made in the Replica toOther Replicas has been enabled for the database replica on the serverWest/Acme.

Question 40

Kathy, a Domino Administrator for the AcmeCorp domain, and Carmen, a DominoAdministrator for the AcmeToys domain (a subsidiary company), want to cross-certify their domains so that all users and servers in both organizations canauthenticate with one another. What steps should they take to accomplish this?

❍ A. The AcmeCorp organization certifier must obtain a cross-certificate forthe AcmeToys organization certifier and store it in the AcmeCorpDomino Directory. Also, the AcmeToys organization certifier mustobtain a cross-certificate for the AcmeCorp organization certifier andstore it in the AcmeToys Domino Directory.

❍ B. The AcmeCorp organization certifier must obtain a cross-certificate forthe AcmeToys organization certifier and store it in the AcmeCorpDomino Directory. Then the AcmeToys organization certifier mustrecertify all the users and servers to obtain a copy of the AcmeCorporganization certificate.

❍ C. The AcmeCorp organization certifier must obtain a cross-certificate forthe AcmeToys organization certifier and store it in the AcmeCorpDomino Directory. Then the AcmeCorp organization certifier mustrecertify all the users and servers to obtain a copy of the AcmeToysorganization certificate.

❍ D. In the Security section of the Configuration Settings document in theAcmeCorp Domino Directory, include /AcmeToys in the Cross-Certifywith These Domains field. Also, in the Security section of theConfiguration Settings document in the AcmeToys Domino Directory,include /AcmeCorp in the Cross-Certify with These Domains field.

25 0789729180 CH21 10/21/03 2:37 PM Page 478

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 479

Question 41

Fran is setting up the server East/Acme as a passthru server for members of theSalesReps group to access databases on the server West/Acme. Which of the following settings in the Passthru Use section of the Server document for the server East/Acme would allow users in the SalesReps group to connectto the server West/Acme via passthru?

❍ A. The Access This Server field contains SalesReps. The Route Throughfield is blank. The Destinations Allowed field contains West/Acme.

❍ B. The Access This Server field contains West/Acme. The Route Throughfield contains SalesReps. The Destinations Allowed field is blank.

❍ C. The Access This Server field is blank. The Route Through field is blank.The Destinations Allowed field contains West/Acme.

❍ D. The Access This Server field contains SalesReps. The Route Throughfield is blank. The Destinations Allowed field is blank.

Question 42

Tom, a Domino Administrator for the ACME domain, is considering migratingfrom a distributed directory architecture to a central directory architecture.Which of the following is a benefit of a central directory architecture?

❍ A. Each server in the domain will contain a replica of the primary DominoDirectory, making replication more efficient.

❍ B. Servers that store a Configuration Directory often require more power-ful machines.

❍ C. Administrators will be able to manage the Domino Directory with moreadministrative control.

❍ D. A central directory architecture requires less network bandwidth tosupport remote primary directory lookups.

25 0789729180 CH21 10/21/03 2:37 PM Page 479

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21480

Question 43

What are the requirements for using the Remote Debugger to debug an agentfrom a client workstation?

❍ A. The agent must be a LotusScript agent. Remote debugging must beenabled in the agent. The rdebug task must be running on the serverwhere the database resides. The agent must be running on the server.

❍ B. The agent must be a LotusScript or JavaScript agent. The rdebug taskmust be running on the server where the database resides. The agentmust be running on the server.

❍ C. The agent must be a LotusScript or Formula agent. Remote debuggingmust be enabled in the agent. The agent must be running on the server.

❍ D. The agent must be a LotusScript agent. Remote debugging must beenabled in the agent. The rdebug task must be running on the serverwhere the database resides. The agent must be running on the clientworkstation.

Question 44

The Projects.nsf database on the server West/Acme is currently accessed byemployees using the Notes client. Their access to this database is controlled bythe default ACL entry, which is set to Editor. Management now wants this data-base to be available to employees to access from home using a Web browser.Employees are required to authenticate whether accessing the database fromthe Notes client or a Web browser. Anonymous access should not be permitted.What should the ACL settings be in this database to meet these requirements?

❍ A. Set the access level of the Anonymous ACL entry to Authenticate, andset the Maximum Internet Name and Password property in theAdvanced ACL properties to Editor

❍ B. Set the access level of the Anonymous ACL entry to No Access, andset the Maximum Internet Name and Password property in theAdvanced ACL properties to Editor

❍ C. Set the access level of the Anonymous ACL entry to No Access, set theaccess level of the Default ACL entry to Authenticate, and set theMaximum Internet Name and Password property in the Advanced ACLproperties to No Access

❍ D. Ensure that the Anonymous entry does not exist in the ACL, and setthe Maximum Internet Name and Password property in the AdvancedACL properties to Authenticate

25 0789729180 CH21 10/21/03 2:37 PM Page 480

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 481

Question 45

Which of the following issues should be considered before enabling ExtendedAccess for a Domino Directory?

❍ A. The Advanced ACL setting Enforce a Consistent Access Control ListAcross All Replicas should be enabled to ensure that the databasereplicates properly.

❍ B. After Extended Access is enabled, changes should not be made toreplicas of the Domino Directory on servers running Domino Release 5or earlier because the changes will not replicate to a Domino 6 server.

❍ C. After Extended Access is enabled, the database ACL and the ExtendedACL are enforced for anonymous LDAP searches of the directory.


Question 46

What replication types are available for scheduled replication?

❍ A. Pull-push, pull-pull, and push-pull

❍ B. Pull-pull, push-only, and pull-only

❍ C. Pull-push, pull-pull, push-only, and pull-only

❍ D. Pull-push, push-pull, push-only, and pull-only

Question 47

Which of the following can a Domino Administrator use to communicate with aServer Controller?

❍ A. The Domino Console from a Domino server

❍ B. The remote console in the Domino Administrator client

❍ C. The remote console in the Web Administrator


25 0789729180 CH21 10/21/03 2:37 PM Page 481

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 21482

Question 48

Which of the following is not a true statement about electronic signatures usedin documents of a Lotus Notes database?

❍ A. An electronic signature can be used to sign specific fields in a docu-ment.

❍ B. An electronic signature can be used to sign sections of a document.

❍ C. An electronic signature is used to encrypt documents so that onlyusers with access to the encryption key can view the contents of thedocuments.

❍ D. An electronic signature is used to verify that the person who originatedthe data in a document is the author of that data and that no one hastampered with the data.

Question 49

Gretchen would like to manage the size of mail files of the users in her organi-zation. She has set the quota for mail files to 50MB. Several users have exceed-ed the quota size, but the router continues to deliver mail to them. Why mightthe router be continuing to deliver their mail rather than withholding it?

❍ A. The router is still configured with its default behavior, which is to con-tinue to deliver mail after the quota has been exceeded. The routershould be configured to refuse or hold mail when the quota has beenexceeded.

❍ B. These users have been assigned Manager access in the ACL of theirmail files, which overrides quota enforcement. Their ACL access levelshould be set to Designer or below if mail file quotas are to beenforced.

❍ C. The Quota task is not running on the server where these users’ mailfiles reside.

❍ D. Exceeding a mail file quota triggers a notification message. Mail filequotas are not enforceable.

25 0789729180 CH21 10/21/03 2:37 PM Page 482

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 621 483

Question 50

The default access level in the ACL of the Domino Directory for the ACMEdomain is set to Reader. The Administrator and Server groups have an accesslevel of Manager. Jeff, a Domino Administrator for this domain, would like toallow the users registered in this domain to update only certain personal infor-mation fields in the Work/Home section of their Person documents. What couldJeff do to accomplish this?

❍ A. Change the default access level to Author

❍ B. Change the default access level to Editor

❍ C. Create an extended Access Control List and enable Write access to thespecific fields for the default ACL entry

❍ D. Change the default access level to Author and create an extendedAccess Control List to restrict the default ACL entry to Write access forthe specific fields

25 0789729180 CH21 10/21/03 2:37 PM Page 483

25 0789729180 CH21 10/21/03 2:37 PM Page 484

Answer Key for 621. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

221. A

2. D

3. C

4. C

5. A

6. B

7. D

8. C

9. B

10. C

11. A

12. A

13. B

14. D

15. C

16. B

17. D

18. A

19. B

20. D

21. C

22. B

23. A

24. A

25. B

26. D

27. C

28. A

29. D

30. C

31. B

32. D

33. A

34. D

35. A

36. C

37. B

38. D

39. A

40. A

41. B

42. C

43. A

44. B

45. D

46. C

47. D

48. C

49. A

50. D

26 0789729180 CH22 10/21/03 2:30 PM Page 485

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22486

Question 1

Answer A is correct. The multiuser installation is available only for the Notesclient. Answers B and C are incorrect because multiuser installation is notsupported for either the Domino Administrator or Domino Designer clients.Answer D is incorrect because answers B and C are not correct.

Question 2

Answer D is correct. Streaming replication works for client-to-server repli-cation if both the client and the server are running Notes Domino Release 6.Answers A and B are incorrect because these are features of streaming repli-cation. Answer C is incorrect because streaming replication is a new featureof Notes Domino 6. It does not work for earlier releases or in mixed-releaseclient/server environments.

Question 3

Answer C is correct. A server can be a member of only one cluster at a time.Answers A, B, and D are incorrect because these are all requirements forDomino clustering.

Question 4

Answer C is correct. Transaction logging is enabled in the Server documentfor databases that reside on the server. View logging is enabled in the viewproperties for specific views in a database with transaction logging enabled.Answer A is incorrect because, although you could disable transaction loggingin the database properties for a specific database, transaction logging must beenabled in the Server document. Answer B is incorrect because view loggingis enabled in the view properties of a database, not in the Server document.Answer D is incorrect because the setting Include Updates in TransactionLog is a setting in the view properties, not the database properties.

26 0789729180 CH22 10/21/03 2:30 PM Page 486

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 487

Question 5

Answer A is correct. These are the requirements for using the CA Processwith a CA key ring to issue server and client certificates. Answer B is incor-rect because access to the server or client password is not required. AnswerC is incorrect because Editor access with the Delete Documents privilegeand the [CAPrivlegedUser] role is required. Answer D is incorrect becausethese ACL settings are required for the Domino Certificate Authority data-base, not the Domino Directory database.

Question 6

Answer B is correct. The setting Show Response Documents in a Hierarchyis a view property, not a database property. Answers A, C, and D are incor-rect because these are all valid database properties. Enabling these settingscan optimize database performance.

Question 7

Answer D is correct. These are all potential benefits of creating an addition-al MAIL.BOX database.

Question 8

Answer C is correct. Server mail rules are created and maintained in theConfiguration Settings document. Answers A, B, and D are incorrect.Although these are all valid documents in the Domino Directory, none ofthem store server mail rules.

26 0789729180 CH22 10/21/03 2:30 PM Page 487

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22488

Question 9

Answer B is correct. The administrator would not have access to a privateview in the design template that was created by another user. Therefore,while performing the Refresh Design, this view would not have been avail-able to the administrator. Answer A is incorrect because replication settingsin the database would have no impact on the Refresh Design process.Answers C and D are also incorrect. An access level of Designer or Manageris required to perform a Refresh Design on a database. However, becauseother design elements were updated during the Refresh Design process, theadministrator had sufficient access in the database ACL.

Question 10

Answer C is correct. A user’s private key is stored in the user’s Notes ID file.The certifier ID file does not contain the users’ private keys. Answers A, B,and D are incorrect because all of this information is stored in a certifier IDfile that is set up for ID recovery.

Question 11

Answer A is correct. View-Only administrators can issue commands that dis-play system status information. Answers B, C, and D are incorrect becauseView-Only administrators cannot issue commands that could impact theserver’s operation.

Question 12

Answer A is correct. Database recovery is quicker and more reliable whentransaction logging is enabled. Data that was not written to a database dur-ing a server crash or media failure can be recovered from the transactionlogs. Also, consistency checks are not required for databases using transac-tion logging. Answers B and C are incorrect. Although database recovery andserver restarts are quicker and more reliable when transaction logging isenabled, there is no runtime performance increase for databases with trans-action logging enabled or for the server(s) on which these databases reside.Answer D is incorrect because answers B and C are not correct.

26 0789729180 CH22 10/21/03 2:30 PM Page 488

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 489

Question 13

Answer B is correct. Cluster failover works for Notes Domino Release 4.5 orlater. Answer A is incorrect because cluster failover works for Notes clientsrunning Release 4.5 or later. Answer C is incorrect because cluster failoverworks in a mixed client/server environment. Answer D is incorrect becausethis is the process that Domino uses during a failover event.

Question 14

Answer D is correct. Her individual ACL entry must be removed so thataccess to the database is controlled by the ACL entry of the group that sheis being added to. Answers A and C are incorrect because she would still haveonly the access level of Reader in the ACL. Individual ACL entries takeprecedence over group ACL entries. Answer B is incorrect because shewould still not have the necessary access role assigned to her for accessing therestricted views.

Question 15

Answer C is correct. Servers are added to the Domino Directory during theserver registration process. Answers A, B, and D are incorrect because these areall administration tasks that can be performed via cross-domain processing.

Question 16

Answer B is correct. The LZ1 algorithm is a quicker and more efficient com-pression method than the Huffman algorithm. Answer A is incorrectbecause, when enabled, the LZ1 (Lempel-Zev class 1) compression algo-rithm is used for compressing attachments in Notes Domino 6. Answer C isincorrect because LZ1 compression is not supported on a Domino 5 server.The attachments would be recompressed using the Huffman compressionalgorithm. Answer D is incorrect because the setting Use LZ1 Compressionfor Attachments in the database properties is used to enable or disable LZ1compression for a database.

26 0789729180 CH22 10/21/03 2:30 PM Page 489

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22490

Question 17

Answer D is correct. All this information is updated by the administrationprocess when License Tracking is enabled.

Question 18

Answer A is correct. A new copy of a database is created with a new replicaID. This would not allow the database on server X to replicate with the orig-inal database replica residing on server Y. Answers B, C, and D are incorrectbecause these are all methods that an administrator might pursue to resolvea database corruption problem.

Question 19

Answer B is correct. The Issued Certificate List (ICL) tracks both Notes andInternet certificates issued by the Certificate Authority (CA) Process. AnswerA is incorrect because the ICL tracks the certificates issued by the CAProcess. The Certificate Revocation List (CRL) identifies Internet certifi-cates that have been revoked. Answers C and D are incorrect because theICL tracks both Notes and Internet certificates issued by the CertificateAuthority (CA) Process.

Question 20

Answer D is correct. Single Copy Template is not a client installation type.This is a new space-saving feature in Notes Domino 6 that stores designinformation in a single template rather than in each database that uses thattemplate. Answers A, B, and C are incorrect because these are all valid LotusNotes/Domino client software-installation methods/types.

Question 21

Answer C is correct. With an ACL entry of Anonymous set to No Access,Web users are authenticated when attempting to access this database.Answers A and B are incorrect because Authenticate is not a valid ACL access

26 0789729180 CH22 10/21/03 2:30 PM Page 490

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 491

level. Answer D is incorrect because Web users would be given the accessprivileges of the Anonymous ACL entry. They would have an access level ofEditor without being authenticated.

Question 22

Answer B is correct. Users listed in the Database Administrator field in theServer document can set database size quotas for databases on that server.Answer A is incorrect because Quota Administrator is not a valid adminis-tration level in the Server document. Answer C is incorrect becauseAdministrator is not a valid ACL access level. Answer D is incorrect becauseanswers A and C are not correct.

Question 23

Answer A is correct. A Readers field in a document can be used to restrictaccess to the document. The entries in a Readers field can be individualnames, groups, or access roles. Answer B is incorrect because an Authorsfield cannot be used to restrict access to a document. An Authors field is usedin combination with the ACL access level of Author. A user with Authoraccess must be listed in an Authors field of a document to edit the document.Answer C is incorrect because, although an access level of No Access wouldprevent other users from accessing the restricted documents, these userswould not have access to any documents in the database. Answer D is incor-rect because a view access list restricts access to the view, not the documentsdisplayed in the view. This solution would not prevent a user from creatinga private view to display the restricted documents.

Question 24

Answer A is correct. These are the necessary steps for deploying the defaultwelcome page. Answer B is incorrect because the default welcome page mustreside on a server that the users have access to. The users would not haveaccess to the administrator’s local welcome page database referenced by thedatabase link. Answers C and D are incorrect because a database link to thewelcome page database is created in a desktop policy settings document, notan organizational or explicit policy document.

26 0789729180 CH22 10/21/03 2:30 PM Page 491

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22492

Question 25

Answer B is correct. An ACL access role can be added to form/view accesslists, Reader/Author fields, and so on to allow access to the ACL entriesassigned to that access role. However, access roles cannot be used to increasethe level of access that a user would otherwise have to the database accord-ing to the access level assigned in the database ACL. Answer A is incorrectbecause an access role cannot be used to increase the level of access that auser would otherwise have to the database, according to the access levelassigned in the database ACL. Answer C is incorrect because the access levelof Manager is required in the database ACL to assign an access role to anACL entry. Answer D is incorrect because ACL access roles work for usersaccessing a database from either a Notes client or a Web browser.

Question 26

Answer D is correct. Setting up the Notes calendar to display calendar entrytypes in different colors does not require a design change. The Notes 6 clientis used to make these changes. Answers A, B, and C are incorrect becausethese are all requirements for changing calendar entry types to display in dif-ferent colors.

Question 27

Answer C is correct. The Domino Console cannot be used to open or man-age Notes databases. Answers A, B, and D are incorrect because these are allfeatures/behaviors of the Domino Console.

Question 28

Answer A is correct. An explicit policy can be assigned to a user in the user’sPerson document, during user registration, or by using the Assign Policytool. Answer B is incorrect because the Policy Synopsis tool is used to gen-erate reports that show effective policies for users, not for assigning policies.Answer C is incorrect because the Notes.ini file does not provide a means ofassigning policies. Answer D is incorrect because answers B and C are notcorrect.

26 0789729180 CH22 10/21/03 2:30 PM Page 492

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 493

Question 29

Answer D is correct. Encrypted data is not compressed during network com-pression. Answer A is incorrect because network compression does not workfor Domino Release 5 servers. Network compression requires a pure NotesDomino 6 server-to-server or client-to-server connection. Answer B isincorrect because network compression will also work for a Notes Release 6client to a Domino Release 6 server. Answer C is incorrect because networkcompression is enabled for a server or client network port, not in the prop-erties for a database.

Question 30

Answer C is correct. During replication, the source server needs an accesslevel of Manager to update ACL changes in the database replica on the des-tination server. Also, to receive design changes from West/Acme, the data-base replica on East/Acme needs to give West/Acme at least Designer access.Answer A is incorrect because an access level of Manager is not a require-ment for replicating documents or design changes. Answer B is incorrectbecause, to replicate documents, design changes, and/or ACL changes, boththe source and destination servers must have adequate access levels in theACLs of the database replicas. The source server must have an access levelof at least Designer to replicate design changes and an access level ofManager to replicate ACL changes. Answer D is incorrect because, toreceive design changes from West/Acme, the database replica on East/Acmeneeds to give West/Acme at least Designer access. Because the databasereplica on West/Acme has given an access level of Designer to East/Acme,the design changes will replicate from East/Acme to West/Acme.

Question 31

Answer B is correct. The Find Note tool in the Domino Administrator clientcan be used to search for a document in the database using either the NotesID or the Universal Note ID (UNID) of the document. Answers A, C, andD are incorrect because the Design Synopsis tool is used for generatingreports about the database design.

26 0789729180 CH22 10/21/03 2:30 PM Page 493

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22494

Question 32

Answer D is correct. Each of these solutions could be used to manage the sizeof the users’ mail files.

Question 33

Answer A is correct. When the Advanced ACL property Enforce aConsistent Access Control List Across All Replicas of This Database isenabled, the ACLs of all replicas of this database will remain identical.Answers B, C, and D are incorrect because the setting Enforce a ConsistentAccess Control List Across All Replicas does not exist in either the Serverdocument or the Configuration Settings document.

Question 34

Answer D is correct. Domino Application Server is a server type for DominoRelease 5. This server type does not support partitioned servers. Answers A,B, and C are incorrect because these are all Domino Release 6 server typesthat support partitioned servers.

Question 35

Answer A is correct. These are the steps that must be completed before con-necting the fields to the external database. Answer B is incorrect because aData Source Resource must also be created on the server East/Acme. AnswerC is incorrect because the Data Source Resource must be created on theserver, not in the database. Answer D is incorrect because the property AllowConnections to External Databases Using DCRs is a database property, nota form property.

Question 36

Answer C is correct. These are the valid server commands for performingforced replication. Answers A, B, and D are incorrect because pull-push,pull-pull, pull-only, and push-only are not valid server commands.

26 0789729180 CH22 10/21/03 2:30 PM Page 494

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 495

Question 37

Answer B is correct. An administrator with Full Access Administration rightsfor a server has access to all documents in all databases residing on the serv-er, regardless of Readers fields. Answer A is incorrect because, with an ACLaccess level of Designer, she could not update the ACL for this database.Also, even if her ACL access level was changed to Manager, the Readers fieldwould prevent her from accessing the documents. Answer C is incorrectbecause changing the form design would not change the existing documents.The computed value in the Readers field of an existing document wouldremain unchanged until the document is saved. Answer D is incorrectbecause answers A and C are not correct.

Question 38

Answer D is correct. The location of a user’s mail file is stored in theNotes.ini file and in the user’s Location document, but not in the Notes IDfile. Answers A, B, and C are incorrect because all of these items are storedin a user’s Notes ID file.

Question 39

Answer A is correct. The replication setting Remove Documents NotModified in the Last: x Days (the purge interval) removes deletion stubs aswell as documents from the database. If replication does not occur more fre-quently than the purge interval, documents deleted from a database replicacan be replicated back from other replicas. Answers B and C are incorrectbecause, although this is a valid replication setting, the deleted documentscould not be replicated back to the database replica on the server East/Acmeif replication was disabled. Answer D is incorrect because enabling this repli-cation setting on the database replica on server West/Acme would preventonly deletion stubs in the West/Acme replica from replicating to theEast/Acme replica. The problem is that documents deleted from the replicaon East/Acme are not being deleted from the replica on West/Acme. Thesedocuments are then replicated back to the East/Acme replica.

26 0789729180 CH22 10/21/03 2:30 PM Page 495

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22496

Question 40

Answer A is correct. These are the steps to perform for cross-certifying twodomains. Answers B and C are incorrect because recertification of users andservers is not necessary when cross-certifying domains. Answer D is incor-rect because there is no such field as Cross-Certify with These Domains inthe configuration Settings document.

Question 41

Answer B is correct. The Route Through field must contain the SalesRepsgroup (or a wildcard entry that includes this group). A blank in theDestinations Allowed field allows clients to access any server that is set up asa passthru destination. Because the server East/Acme is not the passthru des-tination, it doesn’t matter what was entered in the Access This Server field inthe Server document for East/Acme. Answers A, C, and D are incorrectbecause a blank in the Route Through field indicates that the server cannotbe used as a passthru server.

Question 42

Answer C is correct. A central directory architecture enables administratorsto manage the Domino Directory with more administrative control, com-pared to a distributed directory architecture. Answer A is incorrect because,in a central directory architecture, some servers contain a full replica of theprimary Domino Directory, while other servers contain a ConfigurationDirectory (a smaller, selective replica of the Primary Domino Directory).Replication of the Domino Directory is typically more efficient because ofthe smaller Configuration Directories. Answer B is incorrect because serversthat store a Configuration Directory typically require less powerfulmachines. Answer D is incorrect because a central directory architecturerequires more network bandwidth to support remote primary directorylookups.

Question 43

Answer A is correct. These are the requirements for using the RemoteDebugger to debug an agent from a client workstation. Answers B and C are

26 0789729180 CH22 10/21/03 2:30 PM Page 496

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 621 497

incorrect because the Remote Debugger cannot be used to debug Formulaor JavaScript agents. Answer D is incorrect because the agent must be run-ning on the server to use the Remote Debugger to debug the agent. Todebug an agent running on the workstation, use the Debug LotusScriptdebugging tool instead.

Question 44

Answer B is correct. If the database ACL includes the Anonymous ACLentry with an access level of No Access, users accessing the database from aWeb browser will be authenticated. Because the employees require an ACLaccess level of Editor, the Advanced ACL property Maximum Internet Nameand Password must be set to at least Editor for them to use the database froma Web browser. Answers A and C are incorrect because Authenticate is not avalid ACL access level. Answer D is incorrect because Authenticate is not avalid setting for the Advanced ACL property Maximum Internet Name andPassword.

Question 45

Answer D is correct. Each of these issues should be considered and/orresolved before enabling Extended Access for a Domino Directory.

Question 46

Answer C is correct. Replication schedules for servers are defined inConnection documents. The valid replication types are pull-push, pull-pull,push-only, and pull-only. Answers A and D are incorrect because push-pullis not a valid replication type. Answer B is incorrect because pull-push is alsoa valid replication type.

Question 47

Answer D is correct. Each of these methods can be used to communicatewith a server controller.

26 0789729180 CH22 10/21/03 2:30 PM Page 497

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 22498

Question 48

Answer C is correct. Encryption keys (not electronic signatures) are used toencrypt documents. Answers A, B, and D are incorrect because these are alltrue statements about electronic signatures.

Question 49

Answer A is correct. The default setting in the Over Quota Enforcementfield in the Quota Controls section for the Router is Deliver Anyway (Don’tObey Quotas). Answer B is incorrect because ACL access levels do not over-ride quota enforcement. Answer C is incorrect because there is no such serv-er task as Quota. Answer D is incorrect because quotas are enforceable if therouter is configured correctly.

Question 50

Answer D is correct. Changing the default access level to Author would giveusers author access to their own Person documents. The Extended ACLcould then restrict users’ access to these documents further by allowing theseusers Write access to only specific fields within the Person document.Answers A and B are incorrect because users would be able to edit everyeditable field within their Person documents, not just the specific fields.Answer C is incorrect because users would still have only an access level ofReader. The Extended ACL cannot give a user more access to the databasethan he would otherwise have in the database ACL.

26 0789729180 CH22 10/21/03 2:30 PM Page 498

Practice Exam 622

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

23

27 0789729180 CH23 10/21/03 2:43 PM Page 499

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23500

Question 1

Adam, a Domino Administrator, has upgraded the Domino servers in his organ-ization from Release 5 to Release 6. He would now like to upgrade the Notesclient workstations for all the users in his organization from Release 5 toRelease 6. Which of the following methods could Adam use to upgrade theseworkstations?

❍ A. Deploy Smart Upgrade to these workstations by using a desktop policysettings document to force an upgrade of the Notes client fromRelease 5 to Release 6.

❍ B. Configure the home server(s) for these users to use Smart Upgrade toautomatically upgrade their Notes clients from Release 5 to Release 6.

❍ C. Manually upgrade the Notes client by installing the Notes Release 6upgrade from a CD or network location on each of the workstations.

❍ D. All these installation methods can be used to upgrade the Notes clientworkstations from Release 5 to Release 6.

Question 2

Pete is creating a Server Statistic Collection document to collect and report sta-tistics on several Domino Release 6 servers within the ACME domain. In whichof the following databases is the Server Statistic Collection document stored?

❍ A. In the LOG.NSF database

❍ B. In the EVENTS4.NSF database

❍ C. In the STATLOG.NSF database

❍ D. In the STATREP.NSF database

Question 3

Which of the following server console commands can be used to start theStatistic Collector task?

❍ A. load collect

❍ B. load stats

❍ C. tell collect start

❍ D. tell stats collect

27 0789729180 CH23 10/21/03 2:43 PM Page 500

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 501

Question 4

Sean is creating a Server Console Configuration document to customize theDomino server console. Which of the following is not a customizable setting forthe Domino server console?

❍ A. Text color for failure events

❍ B. Text color for fatal events

❍ C. Alarm tune for fatal events

❍ D. Background color of the server console

Question 5

Which of the following actions can an event handler perform when a specificevent occurs?

❍ A. Log the event to a specified database

❍ B. Prevent the event from being logged to the server console

❍ C. Forward the event to another program for additional processing


Question 6

When a roaming user logs on, which files are replicated from the roaming userserver to the user’s machine?

❍ A. desktop.dsk, journal.nsf, and bookmark.nsf

❍ B. journal.nsf, bookmark.nsf, and names.nsf

❍ C. notes.ini and names.nsf

❍ D. desktop.dsk and notes.ini

27 0789729180 CH23 10/21/03 2:43 PM Page 501

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23502

Question 7

Natalie is using the Domino Administrator server console to monitor events.What will occur if she sets a stop trigger for a particular event?

❍ A. The event handler for this event will be disabled immediately.

❍ B. The event handler for this event will be disabled the next time the eventoccurs.

❍ C. The console will pause and display only that event plus the 10 follow-ing lines of text when the event occurs.

❍ D. The console will highlight the text for that event only. Other events willcontinue to display in regular text.

Question 8

Conner has determined that agent logging is not enabled for the serverSouth/Acme. How would he enable agent logging for this server?

❍ A. In the Notes.ini file for the server, set the Log_AgentManager value to1 or 2

❍ B. At the server console, enter the command Tell amgr log

❍ C. At the server console, enter the command Load amgr log

❍ D. In the Agent Manager section of the Server document, select Enabledfor the Allow Agent Logging field

Question 9

The server ID for the server South/Acme has a certificate that is about to expire.Carolyn is using the original certifier to recertify this server ID. What is the min-imum access that she must have to the Domino Directory and Certification Logdatabases to recertify this server ID?

❍ A. Author access with the Create Documents privilege and the [Certifier]role in the Domino Directory. Also, at least Author access with theCreate Documents privilege in the Certification Log database.

❍ B. Manager access in the Domino Directory. Also, at least Author accesswith the Create Documents privilege and the [Certifier] role in theCertification Log database.

❍ C. Author access with the Create Documents privilege and the[ServerModifier] access role in the Domino Directory. Also, Manageraccess and the [Certifier] role in the Certification Log database.

27 0789729180 CH23 10/21/03 2:43 PM Page 502

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 503

❍ D. Author access with the Create Documents privilege and the[ServerModifier] role in the Domino Directory. Also, at least Authoraccess with the Create Documents privilege in the Certification Logdatabase.

Question 10

While reviewing the Certificate Expiration view in the Domino Directory, Pattyhas noticed that one of her users has a Notes ID that is due to expire in the nextfew weeks. How can she extend the expiration date for this Notes ID?

❍ A. In the Notes Certificate section of the user’s Person document, changethe Certificate Expiration field to the new date.

❍ B. Recertify the user’s Notes ID and change the Expiration Date field tothe new date.

❍ C. From the user’s Notes client, choose Tools, User ID, Certificates, andchange the Certificate Expiration field to the new date.

❍ D. All of these methods can be used to extend the expiration date for aNotes ID.

Question 11

What feature in Domino displays real-time statistics and provides a visual rep-resentation of the status of servers and server tasks?

❍ A. Domino Server Monitor

❍ B. Domino Server Analyzer

❍ C. Domino Server Controller

❍ D. Domino Statistic Collector

Question 12

Which of the following is not a valid type of event generator document?

❍ A. Database event generator

❍ B. Mail routing event generator

❍ C. Administration event generator

❍ D. Task status event generator

27 0789729180 CH23 10/21/03 2:43 PM Page 503

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23504

Question 13

Antonio would like to begin using Activity Logging for billing users who use thedatabases residing on the server South/Acme. Where is Activity Loggingenabled?

❍ A. In the Activity Logging section of the Server document

❍ B. In the Activity Logging section of the Configuration Settings document

❍ C. On the Advanced tab of the database properties

❍ D. In the Notes.ini setting Log_User_Activity

Question 14

Bill would like to chart a defined set of server statistics on a regular basis. To doso, which of the following steps would he be required to perform?

❍ A. Create a statistics profile

❍ B. Enable Generate Statistic Reports While Monitoring or ChartingStatistics in Administration Preferences

❍ C. Ensure that the Domino server monitor is running


Question 15

Danielle recently made some changes to a design template residing on the serv-er North/Acme. However, the databases on the server North/Acme that inherittheir design from this template still don’t reflect these design changes. Whichcommand could she enter at the server console to assist her in investigating thisproblem?

❍ A. Issue the show tasks command to see if the updall task is running onthe server

❍ B. Issue the show schedule command to see if the design task is sched-uled to run on the server

❍ C. Issue the show design command to see if the design task is scheduledto run on the server

❍ D. Issue the tell design refresh command to display and update the listof design templates used by the design task

27 0789729180 CH23 10/21/03 2:43 PM Page 504

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 505

Question 16

Kelly is using the Domino Administrator client to move a user from the serverSouth/Acme to the server North/Acme. From the People and Groups tab, shehas selected the user who is being moved and clicked on People, Move toAnother Server. From the Move User(s) to Another Server dialog box, what fileswill she now be able to move to the new server?

❍ A. The user’s Notes ID file and roaming files

❍ B. The user’s Notes.ini file and roaming files

❍ C. The user’s mail file and roaming files

❍ D. The user’s mail file and Notes ID file

Question 17

What ACL access levels are required for replicating design changes from a data-base residing on the server South/Acme to a replica on the server North/Acme?

❍ A. The database on the server North/Acme must include South/Acme inits ACL with an access level of Designer or Manager. Also, the replicaon the server South/Acme must include North/Acme in its ACL with anaccess level of Reader or above.

❍ B. The database on the server North/Acme must include South/Acme inits ACL with an access level of Reader or above. Also, the replica onthe server South/Acme must include North/Acme in its ACL with anaccess level of Designer or Manager.

❍ C. The database on the server North/Acme must include South/Acme inits ACL with an access level of Manager, and the replica on the serverSouth/Acme must include North/Acme in its ACL with an access levelof Manager.

❍ D. The database on the server North/Acme must include South/Acme inits ACL with an access level of Editor or above. Also, the replica on theserver South/Acme must include North/Acme in its ACL with an accesslevel of Editor or above.

27 0789729180 CH23 10/21/03 2:43 PM Page 505

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23506

Question 18

Patrick, a Domino Administrator for the ACME domain, has decided to decom-mission server South/ACME. He plans to move the databases on the serverSouth/ACME to the server North/ACME. What access rights should Patrick haveto successfully generate an analysis report using the Decommission ServerAnalysis Tool?

❍ A. The ACL access level of Manager in the Domino Directory database

❍ B. The ACL access role of [ServerModifier] in the Domino Directory data-base

❍ C. Administrator access to the server South/ACME and the serverNorth/ACME


Question 19

Candice has deployed the Staffing.nsf database on the server East/Acme withreplicas on the servers West/Acme, North/Acme, and South/Acme. This data-base has several views that are controlled by read access lists. In addition, oneof the forms contains a Readers field. What must Candice do to ensure thatthese servers properly replicate the data, design, and ACL for this database?

❍ A. Assign at least Editor access to all of these servers in each of the repli-cas, and include the servers in any Readers fields in the documents.

❍ B. Assign Manager access to all of these servers in each of the replicas,and include the servers in any Readers fields in the documents.

❍ C. Assign at least Editor access to all of these servers in each of the repli-cas. Also, include these servers in the read access lists for the restrict-ed views as well as in any Readers fields in the documents.

❍ D. Assign Manager access to all of these servers in each of the replicas.Also, include these servers in the read access lists for the restrictedviews as well as in any Readers fields in the documents.

27 0789729180 CH23 10/21/03 2:43 PM Page 506

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 507

Question 20

Which of the following server tasks can be set up to begin automatically whenthe Domino server is started?

❍ A. billing, authenticate, amgr, stats

❍ B. replica, router, backup, amgr

❍ C. router, billing, quota, stats

❍ D. replica, router, collect, amgr

Question 21

To authenticate an Internet user attempting to access a Domino server, in whatorder will Domino search the directories for the username and credentials?

❍ A. The server’s primary Domino Directory, the Condensed DirectoryCatalog on the server, the directories defined in the server’s directoryassistance database

❍ B. The server’s primary Domino Directory, the server’s ConfigurationDirectory, the directories defined in the server’s directory assistancedatabase

❍ C. The user’s Personal Name and Address Book, the server’s primaryDomino Directory, the server’s Configuration Directory

❍ D. The user’s Personal Name and Address Book, the server’s primaryDomino Directory, the directories defined in the server’s directoryassistance database

Question 22

Which of the following is not available from the Web Administrator?

❍ A. Policy Synopsis tool

❍ B. Policy Assign tool

❍ C. Domino Server Monitor


27 0789729180 CH23 10/21/03 2:43 PM Page 507

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23508

Question 23

The server North/Acme crashed and had to be restarted. Transaction loggingwas enabled on the server. When the server North/Acme was restarted, the data-bases were quickly recovered via the transaction logs, with one exception. TheHelpDesk database was corrupt and had to have the FIXUP task run to recoverthis database. What is the most likely reason that transaction logging did notrecover the HelpDesk database?

❍ A. Transaction logging was disabled for this database in the Server docu-ment.

❍ B. Transaction logging was disabled in the database properties for thisdatabase.

❍ C. Transaction logging was disabled for this database in the ConfigurationSettings document.

❍ D. This database was last saved as a Domino R5 design (ODS version41).

Question 24

A setup policy settings document assigned to the users of the ACME organiza-tion specifies applet security settings. What must be done to ensure that thesesettings are maintained for these users?

❍ A. Nothing. These settings will be reinforced each time these usersauthenticate with their home server.

❍ B. Select Yes for the field Reinforce Settings in the setup policy settingsdocument.

❍ C. Create a desktop policy settings document with the same settings.When these users authenticate with their home server, these settingswill be reinforced.

❍ D. Create a security policy settings document with the same settings.When these users authenticate with their home server, these settingswill be reinforced.

27 0789729180 CH23 10/21/03 2:43 PM Page 508

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 509

Question 25

Which of the following is a true statement about flat ID files in LotusNotes/Domino Release 6?

❍ A. You can create new flat ID files with Lotus Notes/Domino Release 6.

❍ B. Lotus Notes/Domino Release 6 supports flat ID file maintenance.

❍ C. Flat names cannot be used as ACL entries in databases residing onDomino Release 6 servers.

❍ D. Flat names are converted to hierarchical names when the DominoDirectory is replicated to a Domino Release 6 server.

Question 26

Lauren has recently deployed a new Sametime server in her organization. Shewould like to ensure that the users in Sales/Acme connect to this Sametimeserver when they start their Notes client. Which of the following policy settingsdocuments would enable her to define this Sametime server for all theSales/Acme users?

❍ A. Create a registration policy settings document with the Sametime serv-er defined

❍ B. Create a setup policy settings document with the Sametime serverdefined

❍ C. Create a desktop policy settings document with the Sametime serverdefined


Question 27

A Connection document for the server South/Acme to the server North/Acmehas been configured for replication on a daily basis. The replication schedulehas been enabled. The Connect at Times field contains 6:00 AM, 6:00 PM, andthe Repeat Interval Of field contains 0. For any one day, when will the connec-tion attempt(s) occur?

❍ A. The first connection attempt will occur at 6:00 a.m. If the connectionfails, additional attempts will occur continuously for up to an hour(7:00 a.m.). No additional connection attempts will occur until 6:00p.m. If the 6:00 p.m. connection attempt fails, additional attempts willoccur continuously for up to an hour (7:00 p.m.).

❍ B. The first connection attempt will occur at 6:00 a.m. If the connectionfails, additional attempts will occur continuously until 6:00 p.m.

27 0789729180 CH23 10/21/03 2:44 PM Page 509

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23510

❍ C. The first connection attempt will occur at 6:00 a.m. If the connectionfails, no additional connection attempts will occur for the remainder ofthe day.

❍ D. Because the repeat interval is set to 0, only one connection attempt perscheduled time will occur (once at 6:00 a.m. and once at 6:00 p.m.),regardless of any connection failures.

Question 28

Which task must be running on a Domino server to allow HTTP clients to accessLDAP Directory information?

❍ A. ICM

❍ B. NRPC

❍ C. DIRCAT

❍ D. LDAP

Question 29

Randy has been transferred from the Purchasing department to the Accountingdepartment in the Acme organization. His full hierarchical name is RandySmith/Purchasing/Acme. What should be done to change Randy’s full hierarchi-cal name to Randy Smith/Accounting/Acme?

❍ A. Use the /Accounting/Acme Organizational Unit certifier ID to recertifyhis user ID.

❍ B. Change his username to Randy Smith/Accounting/Acme in his Persondocument.

❍ C. Delete the Randy Smith/Purchasing/Acme user ID and register a newuser ID for Randy Smith/Accounting/Acme.

❍ D. Create a cross-certificate in his Person document for the/Accounting/Acme Organizational Unit, and recertify his user ID withthe /Acme organization certifier ID.

27 0789729180 CH23 10/21/03 2:44 PM Page 510

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 511

Question 30

Which of the following methods can be used to start a server task automatically?

❍ A. Include the task in the ServerTasks setting of the Notes.ini file

❍ B. Include the task in the ServerTasksAt setting of the Notes.ini file

❍ C. Create a Program document in the Domino Directory to schedule thetask


Question 31

Rosemary is investigating a problem with a scheduled LotusScript agent that runsevery six hours on the server South/Acme. The agent runs to completion withoutincident during the evening hours. However, the agent often terminates beforecompletion when it runs during the daytime hours. What is the most likely causeof this problem?

❍ A. The agent is exceeding the number of minutes defined in the AgentTimeout setting in the Agent properties.

❍ B. The agent is exceeding the number of minutes defined in the MaxLotusScript/Java Execution Time field in the Daytime parameters of theAgent Manager section of the Server document.

❍ C. There is an infinite loop in the code for the agent.

❍ D. Scheduled agents are not permitted to run while certain server tasks,such as COMPACT, UPDALL, and FIXUP, are running.

Question 32

Which policy settings document is used to define administration ECLs?

❍ A. Security Policy Settings document

❍ B. Administration Policy Settings document

❍ C. Setup Policy Settings document

❍ D. Desktop Policy Settings document

27 0789729180 CH23 10/21/03 2:44 PM Page 511

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23512

Question 33

Directory Assistance can be configured to use a specific directory for which ofthe following?

❍ A. Client authentication

❍ B. Notes mail addressing

❍ C. Lookups of Group entries in database ACLs


Question 34

Sherrie wants to enable password verification for several Notes users. Theseusers should be required to enter a password to authenticate with the serverNorth/Acme. They should also be prompted to change their password every 30days. What settings are required to accomplish this?

❍ A. In the Server document for the server North/Acme, the CheckPasswords on Notes IDs field must be enabled. In the Person docu-ments for these users, the Check Password field should be set to 30.

❍ B. In the Server document for the server North/Acme, the CheckPasswords on Notes IDs field must be enabled. In the Person docu-ments for these users, the Check Password field should be set to CheckPassword, and the Required Change Interval field should be set to 30.

❍ C. In the Person documents for these users, the Password Verificationfield should be set to Enabled, and the Required Change Interval fieldshould be set to 30.

❍ D. In the Person documents for these users, the Password Verificationfield should be set to 30.

Question 35

What is the minimum access required in the ACL of the Domino Directory fordeleting a group?

❍ A. Editor access level, the GroupEditor role, and the Delete Documentsprivilege

❍ B. Editor access level, the GroupDeleter role, and the Delete Documentsprivilege

❍ C. Author access level, the GroupModifier role, and the Delete Documentsprivilege

❍ D. Manager access level, the GroupEditor role, and the Delete Documentsprivilege

27 0789729180 CH23 10/21/03 2:44 PM Page 512

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 513

Question 36

The ACL of the Projects.nsf database has a default access level of Editor. Lisa islisted in the ACL as an individual entry with Reader access. The groupAllProjectTeams is also in the ACL with an access level of Author. Lisa is a mem-ber of the ProjectTeam4 group. ProjectTeam4 is not listed in the ACL, but thisgroup is a member of the AllProjectTeams group. Which of the following is atrue statement about Lisa’s access level for this database?

❍ A. Because group ACL entries take precedence over individual and defaultentries, she has an access level of Author.

❍ B. Because individual ACL entries take precedence over group and defaultentries, she has an access level of Reader.

❍ C. Because the effective access for the user is determined by the highestaccess level assigned to either the default entry, their individual ACLentry, or a group that the user is a member of, she has an access levelof Editor.

❍ D. Because cascading groups do not work in database ACLs, she has thedefault access level of Editor.

Question 37

Which of the following is a true statement about a Configuration Directory in acentral directory architecture?

❍ A. A Configuration Directory is a selective replica of the primary DominoDirectory.

❍ B. The administration server for the Domino Directory must store aConfiguration Directory.

❍ C. Flat names must be converted to hierarchical names before replicatingPerson documents to a Configuration Directory.


27 0789729180 CH23 10/21/03 2:44 PM Page 513

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23514

Question 38

Helena, a user in the Sales/Acme Organizational Unit, finds that certain user pref-erences that she makes on her workstation keep getting reset. What is the mostlikely reason for this?

❍ A. A setup policy settings document assigned to an organizational policyis resetting these preferences.

❍ B. A setup policy settings document assigned to an explicit policy is reset-ting these preferences.

❍ C. A desktop policy settings document assigned to an organizational poli-cy is resetting these preferences.

❍ D. A security policy settings document assigned to an organizational poli-cy is resetting these preferences.

Question 39

When users create new documents with the Project form in the Projects.nsfdatabase on the server South/Acme, their username is supposed to be displayedautomatically in the Created By field. This works when these users are accessingthe database from a Notes client. However, when these same users access thedatabase from a Web browser, the value Anonymous is displayed in the CreatedBy field. What is the most likely reason for Anonymous to be displayed insteadof the username?

❍ A. The Internet Authentication field in the Internet Access section of theServer document for the server South/Acme is set to Allow AnonymousAccess.

❍ B. The Anonymous entry in the database ACL is set to Editor access.

❍ C. The Allow Anonymous Access setting is enabled in the database properties.

❍ D The Maximum Internet Name and Password setting in the databaseACL is set to No Access.

Question 40

What documents are required to route mail with no restrictions between twoadjacent Notes domains?

❍ A. One Connection document and one Adjacent Domain document

❍ B. Two Connection documents (one in each Notes domain) and oneAdjacent Domain document

❍ C. Two Connection documents (one in each Notes domain)

❍ D. Two Adjacent Domain documents (one in each Notes domain)

27 0789729180 CH23 10/21/03 2:44 PM Page 514

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 515

Question 41

Which option in Advanced Database Properties can be enabled to improve theperformance of view updates?

❍ A. Limit Entries in $Revisions Fields

❍ B. Limit Entries in $UpdatedBy Fields

❍ C. Document Table Bitmap Optimization


Question 42

Tara wants to provide server failover and workload balancing to HTTP clientsaccessing several of the Domino servers in the Acme domain. What must shedo to accomplish this?

❍ A. Create a Domino cluster for these servers and configure the InternetCluster Manager on each server in the Domino cluster

❍ B. Create a Domino cluster for these servers and configure the InternetCluster Manager on one or more servers within or outside of theDomino cluster

❍ C. Enable the Internet Cluster option in the Internet Protocols/HTTP sec-tion of the Server document for each of these servers

❍ D. Enable the Internet Cluster option in the Internet Protocols/HTTP sec-tion of the Server document for each of these servers, and create anInternet Cluster Manager document in the Domino Directory

Question 43

Requests for work to be done by the Administration Process are stored in whichdatabase?

❍ A. CERTLOG.NSF

❍ B. ADMINP.NSF

❍ C. ADMIN4.NSF

❍ D. EVENTS4.NSF

27 0789729180 CH23 10/21/03 2:44 PM Page 515

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23516

Question 44

Mary would like to allow the users in Sales/Acme to log in using the same pass-word from both a Notes client and a Web browser. What steps would she needto take to accomplish this?

❍ A. Create a security policy settings document for these users with thefield Synchronize Internet Password with Notes Password set to Yes

❍ B. Create a registration policy settings document for these users with thefield Synchronize Internet Password with Notes Password set to Yes

❍ C. Create a security policy settings document for these users with theadministration ECL setting Synchronize Internet Password with NotesPassword enabled

❍ D. Create an administration policy settings document for these users withthe Workstation ECL setting Synchronize Internet Password with NotesPassword enabled

Question 45

Which server tasks can be run against databases to try to fix corruption prob-lems?

❍ A. FIXUP

❍ B. UPDALL

❍ C. COMPACT


Question 46

Greg must rename several groups in the Domino Directory. He would like thesechanges to be reflected in the ACL of any databases on the server North/Acmethat contain the groups. Also, any documents in these databases that containReaders or Authors fields with these groups should be modified to reflect thechanges. What settings should Greg review or update to ensure that these groupname changes will be made in the databases?

❍ A. In the Advanced ACL settings for each of the databases, the serverNorth/Acme should be selected as the Administration Server, andModify All Reader and Author Fields should be selected.

❍ B. In the Advanced ACL settings for each of the databases, the serverNorth/Acme should be selected as the Administration Server. In thegroup documents for these groups, the field Modify All Reader andAuthor Fields should be enabled.

27 0789729180 CH23 10/21/03 2:44 PM Page 516

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Practice Exam 622 517

❍ C. In the group documents for these groups, the server North/Acmeshould be selected as the Administration Server. In the Advanced ACLsettings for each of the databases, Modify All Reader and Author Fieldsshould be selected.

❍ D. In the group documents for these groups, server North/Acme shouldbe selected as the Administration Server, and the field Modify AllReader and Author Fields should be enabled.

Question 47

Dwight needs to register a new server in the Sales/Acme Organizational Unit.What does he require to register this server from his workstation?

❍ A. Access to the Acme organization certifier ID and password; access tothe registration server; and at least Author access in the ACL of theDomino Directory, with the ServerCreator and GroupModifier rolesassigned

❍ B. Access to the Sales/Acme Organizational Unit certifier ID and pass-word; access to the registration server; and at least Author access inthe ACL of the Domino Directory, with the ServerCreator andGroupModifier roles assigned

❍ C. Access to the registration server ID and password, and Manageraccess in the ACL of the Domino Directory, with the ServerCreator andGroupModifier roles assigned

❍ D. Access to the registration server ID and password, and at least Authoraccess in the ACL of the Domino Directory, with the ServerModifierrole assigned

Question 48

In the Server Access section of the Server document for the server North/Acme,the Access Server field contains the group TechSupport, and the Not AccessServer field contains the group Contractors. In the Passthru Use section of thisServer document, the Access This Server field and the Route Through field eachcontain the group Contractors. If Mike is a member of both groups(TechSupport and Contractors), what access will he have to this server?

❍ A. He will be able to use this server only to pass through to a destinationserver.

❍ B. He will be able to use this server only as a passthru destination.

❍ C. He will have full access to this server, including access as a passthrudestination as well as for passthru use to another server.

❍ D. He will not be able to use this server in any capacity.

27 0789729180 CH23 10/21/03 2:44 PM Page 517

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 23518

Question 49

What command can be entered at the console to check which servers have mailqueued?

❍ A. show router mail

❍ B. show router stats

❍ C tell mail show

❍ D. tell router show

Question 50

Jeff attempted to open the Projects.nsf database on the server South/Acme andreceived the error message “You are not authorized to access that database.”What could be causing this error message?

❍ A. The server South/Acme is not operational.

❍ B. Jeff is listed in the Not Access Server field of the Server document forthe server South/Acme.

❍ C. Jeff is listed in the database ACL with the access level of No Access.

❍ D. All of the above are possible reasons for this error message.

27 0789729180 CH23 10/21/03 2:44 PM Page 518

Answer Key for 622. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

241. C

2. B

3. A

4. C

5. D

6. B

7. C

8. A

9. D

10. B

11. A

12. C

13. B

14. D

15. B

16. C

17. A

18. C

19. D

20. D

21. A

22. D

23. B

24. C

25. B

26. C

27. A

28. D

29. A

30. D

31. B

32. A

33. D

34. B

35. C

36. B

37. A

38. C

39. B

40. C

41. D

42. B

43. C

44. A

45. D

46. A

47. B

48. A

49. D

50. C

28 0789729180 CH24 10/21/03 2:36 PM Page 519

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24520

Question 1

Answer C is correct. The Notes client workstations must first be upgradedto Notes Release 6 before Smart Upgrade can be used. Answers A and B areincorrect because, although Smart Upgrade can be used to upgrade NotesRelease 6 client workstations, Smart Upgrade cannot upgrade a Notes clientto Release 6 from an earlier release of the product. Answer D is incorrectbecause answers A and B are not correct.

Question 2

Answer B is correct. Server Statistic Collection documents are stored in theMonitoring Configuration database (EVENTS4.NSF). Answers A and D areincorrect because the LOG.NSF and STATREP.NSF databases are used byDomino servers, but they do not store Server Statistic Collection documents.Answer C is incorrect because STATLOG is a Domino server task used forrecording database activity in the log file (LOG.NSF); it is not a databaseused for storing Server Statistic Collection documents.

Question 3

Answer A is correct. Entering this command at the server console starts theStatistic Collector task. Answer B is incorrect because the command loadstats starts the Stats task, which is used for generating statistics for a remoteserver on demand. Answers C and D are incorrect because these are not validserver commands.

Question 4

Answer C is correct. Audible alarms cannot be configured in the ServerConsole Configuration document. Answers A, B, and D are incorrectbecause these are all customizable settings for the Domino server console.

Question 5

Answer D is correct. An event handler can perform any of these actions fora specific event.

28 0789729180 CH24 10/21/03 2:36 PM Page 520

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 521

Question 6

Answer B is correct. A roaming user’s Personal Address Book (names.nsf),Bookmarks (bookmark.nsf), and Journal (journal.nsf) files are replicated fromthe roaming user server to the user’s workstation during login. Answers A, C,and D are incorrect because the notes.ini and desktop.dsk files are not repli-cated for roaming users.

Question 7

Answer C is correct. When you set a stop trigger for an event, it causes theconsole to pause and display only the event and the next 10 lines of consoletext when the event occurs. Answers A and B are incorrect because an eventtrigger does not disable an event handler. Answer D is incorrect because astop trigger has no impact on the font attributes used to display the text onthe console.

Question 8

Answer A is correct. A value of 1 for Log_AgentManager logs agent-execution events that are partially or completely successful. A value of 2 logsonly agent-execution events that are completely successful. Answers B and Care incorrect because these are not valid server console commands. AnswerD is incorrect because there is no such field in the Server document as AllowAgent Logging.

Question 9

Answer D is correct. These are the minimum access levels and roles requiredto recertify the server ID. Answers A, B, and C are incorrect because[Certifier] is not a valid access role in either the Domino Directory or theCertification Log databases.

28 0789729180 CH24 10/21/03 2:36 PM Page 521

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24522

Question 10

Answer B is correct. To extend the expiration date for the Notes ID, the usermust be recertified. Answer A is incorrect because there is no such field asCertificate Expiration in the Notes Certificate section of the Person docu-ment. Answer C is incorrect because the expiration date of a user’s Notes IDcannot be changed from the user’s Notes client. Answer D is incorrectbecause answers A and C are not correct.

Question 11

Answer A is correct. These are features of the Domino Server Monitor.Answer B is incorrect because there is no such feature as Domino ServerAnalyzer. Answer C is incorrect because the Domino Server Controller is aJava-based program that runs on a Domino server to control that server.Remote consoles in the Domino Administrator and Web Administratorcommunicate with the Domino Server Controller. Answer D is incorrectbecause the Statistic Collector task gathers server statistics and creates sta-tistic reports in the STATREP.NSF database; it does not provide real-timestatistics.

Question 12

Answer C is correct. This is not a valid event generator document type.Answers A, B, and D are incorrect because these are all valid event genera-tor document types.

Question 13

Answer B is correct. Activity Logging is enabled in the ConfigurationSettings document. Answer A is incorrect because Activity Logging is notenabled in the Server document. Answer C is incorrect because there is nosetting in the database properties for enabling Activity Logging for a data-base. Answer D is incorrect because Log_User_Activity is not a validNotes.ini setting.

28 0789729180 CH24 10/21/03 2:36 PM Page 522

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 523

Question 14

Answer D is correct. These are all steps that must be performed to chart theseserver statistics on a regular basis.

Question 15

Answer B is correct. The design task must run on the server to automatical-ly update database designs from a master design template. The show schedulecommand shows whether the design task is scheduled to run on the server.Answer A is incorrect because the updall task is used for updating views andfull-text indexes for all databases, not for refreshing database designs.Answers C and D are incorrect because these are not valid server consolecommands.

Question 16

Answer C is correct. The user’s mail file and roaming files can be moved toanother server using this method. Answers A, B, and D are incorrect becausethe user’s Notes ID and Notes.ini files are not choices in the Move User(s) toAnother Server dialog box.

Question 17

Answer A is correct. To receive design changes from South/Acme (the sourceserver), the database replica on North/Acme (the destination server) must giveSouth/Acme at least Designer access, and the database replica on South/Acmemust give North/Acme at least Reader access. Answers B and D are incorrectbecause an access level of Reader or Editor would not be sufficient for serverSouth/Acme to push design changes to the database replica on the serverNorth/Acme. Answer C is incorrect because although Manager access forthese servers in both replicas would allow design changes to replicate, thislevel of access is not a requirement for these servers in either replica.

28 0789729180 CH24 10/21/03 2:36 PM Page 523

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24524

Question 18

Answer C is correct. Administrator access to both of the servers would berequired. Answer A is incorrect because it is not necessary to have Manageraccess in the Domino Directory to use this tool. Answer B is incorrectbecause it is not necessary to have the [ServerModifier] role in the DominoDirectory to use this tool. Answer D is incorrect because answers A and B arenot correct.

Question 19

Answer D is correct. Each of the servers would need Manager access to theother replicas to push ACL changes. These servers would need to be includ-ed in the view read access lists to have access to the view design elements.Also, these servers would need to be included in the Readers fields of thedocuments to have access to the documents. Answers A and C are incorrectbecause Editor access would not allow a server to push ACL or designchanges to the database replicas on the other servers. Answer B is incorrectbecause if a server is not listed in the view read access lists, that server doesnot have access to the view design element.

Question 20

Answer D is correct. All of these server tasks can be listed in theServerTasks= setting in the Notes.ini so that they begin automatically whenthe Domino server is started. Answer A is incorrect because authenticate isnot a valid server task. Answer B is incorrect because backup is not a validserver task. Answer C is incorrect because quota is not a valid server task.

Question 21

Answer A is correct. This is the order in which Domino searches the direc-tories for Internet users. Answers B and C are incorrect because aConfiguration Directory is a selective replica of the primary DominoDirectory in a central directory architecture. A Configuration Directorydoes not contain user information. Answer D is incorrect because Dominodoes not search an Internet user’s Personal Name and Address Book.

28 0789729180 CH24 10/21/03 2:36 PM Page 524

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 525

Question 22

Answer D is correct. None of these choices are available from the WebAdministrator.

Question 23

Answer B is correct. Transaction is enabled in the Server document for alldatabases on the server. However, transaction logging can be disabled for aspecific database in the advanced database properties. Answer A is incorrect.Transaction is enabled in the Server document for all databases on the serv-er. Transaction logging cannot be disabled for a specific database in theServer document. Answer C is incorrect because the Configuration Settingsdocument is not used to enable or disable transaction logging. Answer D isincorrect because transaction logging can be used for Domino R5 databases.

Question 24

Answer C is correct. A desktop policy settings document can be used forexisting users to reinforce policy settings that are defined in a setup policysettings document. Answer A is incorrect because the settings in a setup pol-icy settings document are applied only during initial Notes client setup.Answer B is incorrect because there is no such setting as Reinforce Settingsin the setup policy settings document. Answer D is incorrect because a secu-rity policy settings document is not used to specify applet security settings.

Question 25

Answer B is correct. Lotus Notes/Domino Release 6 supports maintenanceof flat ID files. Answer A is incorrect. Although Lotus Notes/Domino 6 sup-ports flat ID files, you cannot use Lotus Notes/Domino 6 to create new flatID files. Answer C is incorrect because the ACL entries in databases resid-ing on Domino Release 6 servers can include flat names as well as hierarchi-cal names. Answer D is incorrect because Lotus Notes/Domino Release 6supports flat names; they are not converted to hierarchical names duringreplication.

28 0789729180 CH24 10/21/03 2:36 PM Page 525

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24526

Question 26

Answer C is correct. A desktop policy settings document would apply theSametime server setting to these users the next time they authenticate withtheir home server. Answer A is incorrect because the Sametime server can-not be specified in a registration policy settings document. Answer B isincorrect because the settings in a setup policy settings document are appliedduring the initial Notes workstation setup. Existing users would not receivethis change. Answer D is incorrect because answers A and B are not correct.

Question 27

Answer A is correct. Connection attempts occur during the scheduled con-nection times. If a connection attempt fails, the connection is tried continu-ously for up to an hour. Answer B is incorrect because if the connection failsduring a scheduled connection time, the connection is tried continuously foronly one hour for that scheduled connection time. Answer C is incorrect.Connection attempts will continue for up to an hour after the scheduled con-nection time. Also, a connection attempt will occur during the next sched-uled connection time, regardless of the success of any previously scheduledconnections. Answer D is incorrect because the repeat interval is used whenthe Connect at Times field uses a time range, not a list of specific times.

Question 28

Answer D is correct. The LDAP task must be running on the server to allowHTTP clients to access an LDAP directory. Answers A and C are incorrectbecause, although these are valid server tasks, they have nothing to do withallowing HTTP clients to access an LDAP directory. Answer B is incorrectbecause NRPC is the Notes Remote Procedure Call service; it is not a serv-er task.

Question 29

Answer A is correct. Recertifying a user with another Organizational Unitcertifier ID changes the user’s hierarchical name. Answer B is incorrect

28 0789729180 CH24 10/21/03 2:36 PM Page 526

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 527

because a user’s hierarchical name cannot be changed by simply editing theuser’s Person document. Answer C is incorrect because deleting the currentuser ID is not required for changing the hierarchical name to a differentOrganizational Unit. Answer D is incorrect because a cross-certificate is notnecessary for changing the hierarchical name of a user.

Question 30

Answer D is correct. All of these methods can be used to start a server taskautomatically.

Question 31

Answer B is correct. Different maximum execution times for agents can beset for daytime and nighttime execution. Answer A is incorrect because thereis no Agent Timeout setting in Agent Properties. Answer C is incorrectbecause the agent is completing during the evening hours without incident.An infinite loop in the agent code would have also impacted the agent run-ning during the evening hours. Answer D is incorrect because there is norestriction for running agents during the execution of server tasks.

Question 32

Answer A is correct. A security policy settings document can be used todefine administration ECLs as well as Notes and Internet passwords. AnswerB is incorrect because there is no such thing as an Administration PolicySettings document in Lotus Notes/Domino Release 6. Answers C and D areincorrect because, although these are valid policy settings document types,they are not used to define administration ECLs.

Question 33

Answer D is correct. Directory Assistance can be configured for all of thesechoices.

28 0789729180 CH24 10/21/03 2:36 PM Page 527

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24528

Question 34

Answer B is correct. These settings in the Server and Person documentsmeet the password verification requirements for these users. Answer A isincorrect because 30 is not a valid selection for the Check Password field inthe Person document. Answers C and D are incorrect because there is nosuch field as Password Verification in the Person document. Also, passwordverification must be enabled in the Server document for the serverNorth/Acme.

Question 35

Answer C is correct. These are the minimum ACL settings required.Answers A, B, and D are incorrect because GroupEditor and GroupDeleterare not valid access roles in the Domino Directory ACL.

Question 36

Answer B is correct. Individual ACL entries always take precedence over thedefault entry or any group entries. Answer A is incorrect because group ACLentries do not take precedence over individual ACL entries. Answer C isincorrect because individual ACL entries always take precedence over thedefault entry or any group entries, regardless of which access level might behigher. Answer D is incorrect because cascading groups (groups that aremembers of other groups) can be used in database ACLs.

Question 37

Answer A is correct. A Configuration Directory contains only those docu-ments that are used to configure servers in a Domino domain. Answer B isincorrect because the administration server for the Domino Directory muststore a replica of the primary Domino Directory. Answer C is incorrectbecause user information is not replicated to a Configuration Directory.Also, Lotus Notes/Domino (including Release 6) supports flat names as wellas hierarchical names. Answer D is incorrect because answers B and C arenot correct.

28 0789729180 CH24 10/21/03 2:36 PM Page 528

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 529

Question 38

Answer C is correct. If a user changes any user preference settings on theworkstation that are controlled by a desktop policy settings document, thosesettings are reset the next time the user authenticates with the home server.Answers A and B are incorrect because the settings in a setup policy settingsdocument are applied only during the initial Notes workstation setup.Existing users would not be impacted by any of these settings. Answer D isincorrect because user preference settings are not defined in a security poli-cy settings document.

Question 39

Answer B is correct. When there is an Anonymous ACL entry in a database,Web users access the database as Anonymous until they attempt to performan operation that exceeds the access level assigned to the Anonymous entry.Answer A is incorrect because there is no such field as InternetAuthentication in the Server document. Answer C is incorrect because thereis no such setting as Allow Anonymous Access in the database properties.Answer D is incorrect because if the Maximum Internet Name and Passwordsetting in the database ACL was set to No Access, users would not be able toaccess the database from a Web browser.

Question 40

Answer C is correct. Two Connection documents, one in each Notesdomain, are required to route mail in both directions. Answers A, B, and Dare incorrect because Adjacent Domain documents would not be required.An Adjacent Domain document is used to define restrictions for the transferof mail between adjacent domains.

Question 41

Answer D is correct. Enabling any of these settings in Advanced DatabaseProperties can improve the performance of view updates.

28 0789729180 CH24 10/21/03 2:36 PM Page 529

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Chapter 24530

Question 42

Answer B is correct. These are the requirements for configuring Dominoclustering and the Internet Cluster Manager (ICM) to provide server failoverand workload balancing for HTTP clients. Answer A is incorrect because theICM does not have to be configured for each server in the Domino cluster.Answers C and D are incorrect because the Server document does notinclude an Internet Cluster option.

Question 43

Answer C is correct. The Administration Requests database (ADMIN4.NSF)stores requests for the Administration Process. Answers A and D are incor-rect. Although these are valid databases used by Domino, they do not storeAdministration Process requests. Answer B is incorrect because there is nosuch database as ADMINP.NSF used by the Administration Process.

Question 44

Answer A is correct. These are the steps for synchronizing Notes andInternet passwords for users. Answer B is incorrect because the registrationpolicy settings document does not include the field Synchronize InternetPassword with Notes Password. Answer C is incorrect because SynchronizeInternet Password with Notes Password is not an administration ECL set-ting. Answer D is incorrect because there is no such policy settings documenttype as an administration policy settings document.

Question 45

Answer D is correct. All of the server tasks can be run to try to fix corruptionproblems with databases.

Question 46

Answer A is correct. These settings are required so that the AdministrationProcess can perform the group name changes on these databases. Answer Bis incorrect because there is no such field as Modify All Reader and Author

28 0789729180 CH24 10/21/03 2:36 PM Page 530

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Answer Key for 622 531

Fields in the Group document. Answers C and D are incorrect becauseadministration servers are not selected in group documents.

Question 47

Answer B is correct. These are the requirements for registering this serverfrom a workstation. Answer A is incorrect because he would need to registerthe server with the Sales/Acme Organizational Unit certifier ID. Answers Cand D are incorrect because the servers are registered with a certifier ID, notthe registration server ID.

Question 48

Answer A is correct. Users listed in the Route Through field in the PassthruUse section of the Server document can use the server as a passthru servereven if they are denied access to the server in the Not Access Server field.Answers B and C are incorrect because the Not Access Server field in theServer Access section of the Server document takes precedence over theAccess This Server field in the Passthru Use section. Answer D is incorrectbecause he will be able to use this server as a passthru server.

Question 49

Answer D is correct. This command can be used to check a server for mailpending for local delivery or to check for messages that are being held formail files that are over quota. Answers A, B, and C are incorrect because theseare not valid console commands.

Question 50

Answer C is correct. If his individual ACL entry had the access level of NoAccess, he would have received this error message when attempting to openthe database. Answers A and B are incorrect because users are first authenti-cated with the Domino server before their access level to the database ischecked. He would not have received the error message “You are not author-ized to access that database” if the server was not operational or if he wasdenied access to the server. Answer D is incorrect because answers A and Bare not correct.

28 0789729180 CH24 10/21/03 2:36 PM Page 531

28 0789729180 CH24 10/21/03 2:36 PM Page 532

PART VAppendixes

A Resources

B What’s on the CD-ROM?

C Using the PrepLogic Practice Tests, Preview EditionSoftware

Glossary

29 0789729180 Pt 5 10/21/03 2:36 PM Page 533

29 0789729180 Pt 5 10/21/03 2:36 PM Page 534

Resources

Print Resources Gunther, Jeff and Randall Tamura. Special Edition Using Lotus Notes andDomino 6. Indianapolis, Indiana: Que Publishing, 2003.

Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks,2002. Also available on the Web at www.redbooks.ibm.com/. For references tomail, consult Chapter 9, “New Messaging Administration Options.”

Tulisalo, Tommi et al. Upgrading to Lotus Notes and Domino 6. IBM Redbooks,2002. Also available on the Web at www.redbooks.ibm.com/. For references tosecurity, consult Chapter 10, “Security.”

Web ResourcesAccessing and protecting the file system: www-10.lotus.com/ldd/today.nsf/

f01245ebfc115aaf8525661a006b86b9/a115026680fd744985256b34000f4c1b?OpenDocument.

Lotus Domino 6 technical overview: www-10.lotus.com/ldd/today.nsf/

3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b00782950?OpenDocument.For references to mail, consult the “Messaging” section.

Lotus Domino 6 technical overview: www-10.lotus.com/ldd/today.nsf/

3c8c02bbcf9e0d2a85256658007ab2f6/089a22f9f8a573af85256a1b00782950?OpenDocument.For references to security, consult the “New Security Features” section.

The Lotus Developers Domain: www-10.lotus.com/ldd.

“Maximizing Domino Performance” whitepaper: ftp://ftp.lotus.com/pub/

lotusweb/product/domino/domperform/MaximizingApplicationPerf.pdf.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A

30 0789729180 App A 10/21/03 2:43 PM Page 535

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix A536

Policy-based system administration with Domino 6: www-10.lotus.com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/d78ede75b351cf8100256be9005b7d35?

OpenDocument.

What’s in Store for the Domino R6 Database: www-10.lotus.com/ldd/

today.nsf/8a6d147cf55a7fd385256658007aacf1/acc8a09b7e3e624f85256af700621c8a?

OpenDocument.


Webcast: Lotus Live! Series: “What’s New in Notes/Domino 6 Admin-istration”: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/1,

289693,sid4_gci857398,00.html.

Webcast: “Preparation and Test-Taking Strategies with Lotus EducationManagers”: http://searchdomino.techtarget.com/webcastsTranscriptSecurity/

1,289693,sid4_gci876208,00.html.

30 0789729180 App A 10/21/03 2:43 PM Page 536

What’s on the CD-ROM?This appendix provides a brief summary of what you’ll find on the CD-ROMthat accompanies this book. For a more detailed description of the PrepLogicPractice Exams, Preview Edition exam-simulation software, see Appendix C,“Using the PrepLogic Practice Exams, Preview Edition Software.” In addition tothe PrepLogic Practice Exams, Preview Edition software, the CD-ROMincludes an electronic version of the book in Portable Document Format(PDF) and the source code used in the book.

The PrepLogic Practice Exams,Preview Edition SoftwarePrepLogic is a leading provider of certification training tools. Trusted by cer-tification students worldwide, PrepLogic is the best practice exam softwareavailable. In addition to providing a means of evaluating your knowledge ofthis book’s material, PrepLogic Practice Exams, Preview Edition features severalinnovations that help you improve your mastery of the subject matter.

For example, the practice exams enable you to check your score by exam areaor domain, to determine which topics you need to study further. Anotherfeature enables you to obtain immediate feedback on your responses, in theform of explanations for the correct and incorrect answers.

PrepLogic Practice Exams, Preview Edition exhibits all the full-test simulationfunctionality of the Premium Edition but offers only a fraction of the totalquestions. To get the complete set of practice questions, visit www.preplogic.

com and order the Premium Edition for this and other challenging examtraining guides.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

B

31 0789729180 App B 10/21/03 2:43 PM Page 537

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix B538

For a more detailed description of the features of the PrepLogic PracticeExams, Preview Edition software, see Appendix C.

An Exclusive Electronic Version ofthe TextAs mentioned previously, the CD-ROM that accompanies this book alsocontains an electronic PDF version of this book. This electronic versioncomes complete with all figures as they appear in the book. You can useAcrobat’s handy search capability for study and review purposes.

31 0789729180 App B 10/21/03 2:43 PM Page 538

Using the PrepLogicPractice Exams, PreviewEdition SoftwareThis book includes a special version of the PrepLogic Practice Exams soft-ware, a revolutionary test engine designed to give you the best in certifica-tion exam preparation. PrepLogic offers sample and practice exams for manyof today’s most in-demand and challenging technical certifications. A specialPreview Edition of the PrepLogic Practice Exams software is included withthis book as a tool to use in assessing your knowledge of the training guidematerial while also providing you with the experience of taking an electron-ic exam.

This appendix describes in detail what PrepLogic Practice Exams, PreviewEdition is, how it works, and what it can do to help you prepare for the exam.Note that although the Preview Edition includes all the test-simulation func-tions of the complete retail version, it contains only a single practice test.The Premium Edition, available at www.preplogic.com, contains a complete setof challenging practice exams designed to optimize your learning experience.

The Exam SimulationOne of the main functions of PrepLogic Practice Exams, Preview Edition isexam simulation. To prepare you to take the actual vendor certification exam,PrepLogic is designed to offer the most effective exam simulation available.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C

32 0789729180 App C 10/21/03 2:43 PM Page 539

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix C540

Question QualityThe questions provided in PrepLogic Practice Exams, Preview Edition are writ-ten to the highest standards of technical accuracy. The questions tap the con-tent of this book’s chapters and help you review and assess your knowledgebefore you take the actual exam.

The Interface DesignThe PrepLogic Practice Exams, Preview Edition exam-simulation interface pro-vides you with the experience of taking an electronic exam. This enables youto effectively prepare to take the actual exam by making the test experiencefamiliar. Using this test simulation can help eliminate the sense of surprise oranxiety you might experience in the testing center because you will alreadybe acquainted with computerized testing.

The Effective Learning EnvironmentThe PrepLogic Practice Exams, Preview Edition interface provides a learningenvironment that not only tests you through the computer, but also teachesthe material you need to know to pass the certification exam. Each questionincludes a detailed explanation of the correct answer, and most of theseexplanations provide reasons why the other answers are incorrect. Thisinformation helps to reinforce the knowledge you already have and also pro-vides practical information you can use on the job.

Software RequirementsPrepLogic Practice Exams requires a computer with the following:

➤ Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows2000, or Windows XP

➤ A 166MHz or faster processor

➤ A minimum of 32MB of RAM

➤ 10MB of hard drive space

32 0789729180 App C 10/21/03 2:43 PM Page 540

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Using the PrepLogic Practice Exams, Preview Edition Software 541

Installing PrepLogic PracticeExams, Preview EditionYou install PrepLogic Practice Exams, Preview Edition by following these steps:

1. Insert the CD-ROM that accompanies this book into your CD-ROMdrive. The Autorun feature of Windows should launch the software. Ifyou have Autorun disabled, select Start, Run. Go to the root directoryof the CD-ROM and select setup.exe. Click Open, and then click OK.

2. The Installation Wizard copies the PrepLogic Practice Exams, PreviewEdition files to your hard drive. It then adds PrepLogic Practice Exams,Preview Edition to your desktop and the Program menu. Finally, itinstalls test engine components to the appropriate system folders.

Removing PrepLogic PracticeExams, Preview Edition from YourComputerIf you elect to remove the PrepLogic Practice Exams, Preview Edition, you canuse the included uninstallation process to ensure that it is removed from yoursystem safely and completely. Follow these instructions to remove PrepLogicPractice Exams, Preview Edition from your computer:

1. Select Start, Settings, Control Panel.

2. Double-click the Add/Remove Programs icon. You are presented witha list of software installed on your computer.

3. Select the PrepLogic Practice Exams, Preview Edition title you want toremove. Click the Add/Remove button. The software is removed fromyour computer.

Performance As with any Windows application, the more memory you have avail-able in your system, the better the performance of the PrepLogic Practice Exams,Preview Edition software will be.

32 0789729180 App C 10/21/03 2:43 PM Page 541

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix C542

How to Use the SoftwarePrepLogic is designed to be user friendly and intuitive. Because the softwarehas a smooth learning curve, your time is maximized because you start prac-ticing with it almost immediately. PrepLogic Practice Exams, Preview Editionhas two major modes of study: Practice Exam and Flash Review.

Using Practice Exam mode, you can develop your test-taking abilities as wellas your knowledge through the use of the Show Answer option. While youare taking the test, you can expose the answers along with detailed explana-tions of why answers are right or wrong. This helps you better understandthe material presented.

Flash Review mode is designed to reinforce exam topics rather than quiz you.In this mode, you are shown a series of questions but no answer choices. Youcan click a button that reveals the correct answer to each question and a fullexplanation for that answer.

Starting a Practice Exam Mode SessionPractice Exam mode enables you to control the exam experience in ways thatactual certification exams do not allow. To begin studying in Practice Exammode, you click the Practice Exam radio button from the main exam-customization screen. This enables the following options:

➤ The Enable Show Answer button—Clicking this button activates the ShowAnswer button, which allows you to view the correct answer(s) and fullexplanation for each question during the exam. When this option is notenabled, you must wait until after your exam has been graded to viewthe correct answer(s) and explanation for each question.

➤ The Enable Item Review button—Clicking this button activates the ItemReview button, which allows you to view your answer choices. Thisoption also facilitates navigation among questions.

➤ The Randomize Choices option—You can randomize answer choices fromone exam session to the next. This makes memorizing question choicesmore difficult, thereby keeping questions fresh and challenging longer.

On the left side of the main exam-customization screen, you are presentedwith the option of selecting the preconfigured practice test or creating yourown custom test. The preconfigured test has a fixed time limit and numberof questions. Custom tests enable you to configure the time limit and thenumber of questions in your exam.

32 0789729180 App C 10/21/03 2:43 PM Page 542


The Preview Edition on this book’s CD-ROM includes a single preconfig-ured practice test. You can get the compete set of challenging PrepLogicPractice Exams at www.preplogic.com to make certain you’re ready for the bigexam.

You click the Begin Exam button to begin your exam.

Starting a Flash Review Mode SessionFlash Review mode provides an easy way to reinforce topics covered in thepractice questions. To begin studying in Flash Review mode, you click theFlash Review radio button from the main exam-customization screen. Thenyou either select the preconfigured practice test or create your own customtest.

You click the Best Exam button to begin a Flash Review mode session.

Standard PrepLogic Practice Exams,Preview Edition OptionsThe following list describes the function of each of the buttons you seeacross the bottom of the screen:

Button Status Depending on the options, some of the buttons will be grayed out andinaccessible—or they might be missing completely. Buttons that are appropriate areactive.

➤ Exhibit—This button is visible if an exhibit is provided to support thequestion. An exhibit is an image that provides supplemental informationthat is necessary to answer a question.

➤ Item Review—This button leaves the question window and opens theItem Review screen, from which you can see all questions, your answers,and your marked items. You can also see correct answers listed here,when appropriate.

➤ Show Answer—This option displays the correct answer, with an explana-tion about why it is correct. If you select this option, the current ques-tion is not scored.

➤ Mark Item—You can check this box to flag a question that you need toreview further. You can view and navigate your marked items by clicking

32 0789729180 App C 10/21/03 2:43 PM Page 543

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix C544

the Item Review button (if it is enabled). When your exam is beinggraded, you are notified if you have any marked items remaining.

➤ Previous Item—You can use this option to view the previous question.

➤ Next Item—You can use this option to view the next question.

➤ Grade Exam—When you have completed your exam, you can clickGrade Exam to end your exam and view your detailed score report. Ifyou have unanswered or marked items remaining, you are asked whetheryou want to continue taking your exam or view the exam report.

Seeing Time RemainingIf your practice test is timed, the time remaining is displayed on the upper-right corner of the application screen. It counts down the minutes and sec-onds remaining to complete the test. If you run out of time, you are askedwhether you want to continue taking the test or end your exam.

Getting Your Examination Score ReportThe Examination Score Report screen appears when the Practice Exammode ends—as a result of time expiration, completion of all questions, oryour decision to terminate early.

This screen provides a graphical display of your test score, with a breakdownof scores by topic domain. The graphical display at the top of the screencompares your overall score with the PrepLogic Exam Competency Score.The PrepLogic Exam Competency Score reflects the level of subject competen-cy required to pass the particular vendor’s exam. Although this score does notdirectly translate to a passing score, consistently matching or exceeding thisscore does suggest that you possess the knowledge needed to pass the actualvendor exam.

Reviewing Your ExamFrom the Your Score Report screen, you can review the exam that you justcompleted by clicking the View Items button. You can navigate through theitems, viewing the questions, your answers, the correct answers, and theexplanations for those questions. You can return to your score report byclicking the View Items button.

32 0789729180 App C 10/21/03 2:43 PM Page 544


Contacting PrepLogicIf you would like to contact PrepLogic for any reason, including to get infor-mation about its extensive line of certification practice tests, you can do soonline at www.preplogic.com.

Customer ServiceIf you have a damaged product and need to contact customer service, pleasecall

800-858-7674.

Product Suggestions and CommentsPrepLogic values your input! Please email your suggestions and commentsto [email protected].

License AgreementYOU MUST AGREE TO THE TERMS AND CONDITIONS OUT-LINED IN THE END USER LICENSE AGREEMENT (“EULA”)PRESENTED TO YOU DURING THE INSTALLATION PROCESS.IF YOU DO NOT AGREE TO THESE TERMS, DO NOT INSTALLTHE SOFTWARE.

32 0789729180 App C 10/21/03 2:43 PM Page 545

32 0789729180 App C 10/21/03 2:43 PM Page 546

AAccess Control List (ACL)List used to control the access levelto a database or application. TheACL specifies which users canaccess the database and what tasksthey can perform.

Access Control List Only groupGroup used exclusively for ACLlookups to determine access withina specific database.

activity loggingLogging that generates a record foreach Domino server-based agentthat runs successfully. The recordshows the name of the agent, thename of the database that containsthe agent, the amount of time ittook to run the agent, and thename of the person who last savedthe agent.

adjacent domainA domain that has a constant con-nection to another domain.

adjacent domain documentDocument used to restrict connec-tivity between the adjacentdomains defined by a Connectiondocument.

Administration Process (AdminP)The Administration Process(AdminP) is a Domino task thatruns on the server to executehousekeeping, maintenance, andadministrative tasks. For example,AdminP processes requests for auser’s name to be changed, a newOrganizational Unit to beassigned, or a user’s information tobe added to a completely neworganization in the hierarchy.

administratorA Domino Administrator’s accesslevel to the server is the same asthat of a database administratorand a full-console administrator.This access level cannot performthe functions available to aDomino System Administrator.

Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33 0789729180 Glossary 10/21/03 2:33 PM Page 547

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ADMIN4.NSF548

ADMIN4.NSFThe default name of the databaseused by the Administration Processtask.

Agent logA listing of when an agent last ranand whether it completed running.

Agent ManagerA Domino task that manages agentsand how they run on the server.The Agent Manager should alwaysbe running, and the resource-intensive agents should be sched-uled to run at off-hours, if possible.

agent signerThe last user to save the agent,thereby signing it with his user ID.

AMgr_DocUpdateAgentMinIntervalA Notes.ini setting that is used todetermine the minimum amount oftime that needs to pass before thesame agent will run and updatedocuments. The default time is 30minutes.

AMgr_DocUpdateEventDelayA Notes.ini setting that is used todetermine the amount of time thatthe Agent Manager delays the exe-cution of the same agent that willrun and update documents. Thedefault time is 5 minutes.

AMgr_NewMailAgentMinInterval A Notes.ini setting that is used todetermine the minimum amount oftime that needs to pass before thesame agent will run and process mailevents. The default interval is 0.

AMgr_NewMailEventDelayA Notes.ini setting that is used todetermine the amount of time thatthe Agent Manager delays the exe-cution of the same agent that willprocess new mail events. Thedefault time is 1 minute.

AMgr_SchedulingIntervalA Note.ini setting that is used todictate the amount of time that theAgent Manager scheduler taskpauses before running. The defaultis 1 minute, and the valid values are1 minute to 60 minutes.

AMgr_UntriggeredMailIntervalA Notes.ini setting that is used todictate how much time should passbefore the Agent Manager checksfor untriggered mail. The defaulttime is 60 minutes.

Anonymous accessLets users and servers access a serv-er without authentication, which isuseful for providing the generalpublic access to servers and databas-es for which they are not certified.It is typically used for grantingaccess to the servers and databaseson a Web site.

archived transaction loggingCreates transaction logs as needed.Log files are not overwritten; theyare archived.

archiving policyDefines settings related to a user’sability to archive mail. A documentthat allows administrators to cen-trally control mail file archiving.

33 0789729180 Glossary 10/21/03 2:33 PM Page 548

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .CERTLOG.NSF 549

authenticationThe process by which ID files arechecked to see if they are trusted—that is, that they have a certificatein common.

Authors fieldField that lists the names of peoplewho can edit the document, if theyhave Author access in the AccessControl List (ACL).

Bbasic name-and-passwordauthenticationProvides Web users with access todata on the Web server using thename and password recorded in theuser’s Person document in theDirectory.

CCalconnCalendar Connector, used in con-junction with the Scheduling task toprovide calendaring and scheduling.Calconn is loaded automaticallywhen a Domino server is installedand is added to the Server Tasksline in the Notes.ini file.

CATALOG.NSFThe Domino catalog database,identified by the name CATALOG.NSF by default.Enables administrators to view alldatabase ACLs for databases regis-tered in the domain.

centralized directorySchema that uses the administra-tion server as the central point forthe directory and configurationdirectories.

central directory architectureDirectory architecture in a Dominodomain in which some servers storeconfiguration directories and useprimary Domino Directories onremote servers for lookups.

certificateA unique electronic stamp thatidentifies a user or server. Dominouses two types of certificates: Notescertificates and Internet certificates.

Certificate AuthorityUsed to verify the identity ofservers and clients by issuing a dig-ital signature certificate. The cer-tificate makes sure that all partiesattempting access can be verifiedand trusted to access resources inthe Domain.

Certificate Revocation List (CRL)A time-stamped list identifyingrevoked Internet certificates, suchas certificates belonging to termi-nated employees.

Certifier IDA file that generates an electronic“stamp” that indicates a trust rela-tionship. Used to certify or stampall server and user IDs.

CERTLOG.NSFThe database that tracks all certifi-cation requests within an organiza-tion.

33 0789729180 Glossary 10/21/03 2:33 PM Page 549

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .character set mapping550

character set mappingA “map” or template used by theWeb server to generate charactersets for HTML text.

circular transaction loggingAllows up to 4GB of disk space onthe server, and then begins overwrit-ing the oldest historical informationin the transaction log database. Thetransaction log database should bebacked up daily using this deploy-ment version.

client licenseAn authorization purchased fromLotus that enables the administra-tor to register and set up a clientmachine running the Lotus Notesclient, the Notes Administratorclient, or the Designer client.

Cluster ReplicatorPushes database changes to otherdatabases in the cluster immediate-ly as they occur.

clustered replicationReal-time replication between twoor more servers in a cluster.

CompactA Domino utility that can be usedto recover space in a database afterdocuments are deleted. Deletingdocuments from a Domino data-base does not actually decrease thesize of the database. A deletion stubis created, and the document isremoved permanently whenCompact is run; the size of thedatabase is then reduced. Also, theprocess by which a database is com-pressed, to reclaim space freed by

the deletion of documents andattachments.

Connection documentIn the Domino Directory, a docu-ment that enables communicationbetween two servers and specifieshow and when the informationexchange occurs. In the PersonalAddress Book, it describes how aclient accesses a certain server.

copy-style compactingA copy is created, and when thecompact is complete, the originaldatabase is deleted.

DDatabase and Statistic WizardWizard that creates an event gener-ator that fires when a specifieddatabase or statistic event occurs ona server or database.

dead messages/mailMessages that are permanently“stuck” in the MAIL.BOX. Theycannot find a route to the destina-tion, and they can’t return a failuremessage to the sender.

Decommission Server AnalysistoolTool used to assist administrators indetermining the impact of remov-ing a server from the domain.

DECOMSRV.NSFThe default results database for theDecommission Server Analysis tool.

33 0789729180 Glossary 10/21/03 2:33 PM Page 550

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Domino Console 551

delivery failureA message that is returned to theoriginator to indicate that the mailmessage failed to arrive at its desti-nation.

Deny Access groupGroup typically listed in the NotAccess Server field in the Serverdocument, used to deny access toservers for people who have left thecompany.

Deny List Only groupA Domino group exclusively usedfor denying access to the server.

design templateA database design that lets youshare design elements among data-bases and store design elementswith a template. Administrators canenable the template so that when itchanges, the change automaticallyoccurs in all databases created withthat template.

desktop policyUsed to enforce consistent clientsettings.

directoryAn address book that contains allservers and users in a singledomain.

Distributed DirectoryDirectory architecture in a Dominodomain in which all servers use alocal primary Domino Directory. ADistributed Directory schemaassumes that each server has a repli-ca copy of the directory. This

method is optimal when manyusers are on the network or thecommunications infrastructure hasmany points of congestion.

document-level sequence numberThe unique number assigned toeach document in a database thattracks how many times a documenthas been edited.

domainA collection of Domino servers andusers that share a common DominoDirectory. The primary function ofthe domain is mail routing.

Domain SearchProvides the capability to searchfor files across multiple servers.Database information that issearchable includes documents,files, and file attachments.

DominoAsynchronizeAgentsA Notes.ini setting that is used tomanage Web agents that are exe-cuted by browser clients so thatthey can run simultaneously.Setting this parameter to 1 enablesmultiple agents to run concurrently.

Domino ConsoleAn application that enables admin-istrators to send commands to theserver as if they were using theconsole on the server itself. It is aJava application and can also beloaded as a Windows Service whenrunning Windows 2000 orWindows XP.

33 0789729180 Glossary 10/21/03 2:33 PM Page 551

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Domino Directory552

Domino DirectoryThe primary database on the serv-er, previously known as the Nameand Address book or Public Nameand Address Book in earlier ver-sions of Notes. The Directory con-tains information about users,groups, the server, and networkinformation that provide the con-figuration of the Domino Domain.Information about users and serversthat have the capability to accessthe server is contained in theDomino Directory.

Domino Messaging Server Type used if the only requirementfor the server is messaging services.

Domino Named Network (DNN)A group of Domino servers thatrun on the same LAN protocol andare constantly connected by aLAN/WAN connection. Servers onthe same Notes Named Networkroute mail to each other automati-cally.

DOMLOG.NSFThe database that collects statisticalinformation about the Web server.

EEncryptionSecurity feature that scrambles dataso that only the intended recipientcan read encrypted text.

Enterprise serverA Domino server that providesboth messaging and application

services, with support for Dominoclusters. This server type is used ifapplications and messaging arerequired or if clustering is required.

event generatorsUsed by the server to gather infor-mation on specific tasks or statistics.Event generators are set withthresholds or conditions that areconstantly monitored. When theyare met, a specific action takes placebased on the configuration of eventhandlers defined in the EventMonitor.

event handlersDetermine what action Dominowill take when an event is triggeredby the Event Monitor.

Event Handler WizardWizard used to create event han-dlers.

Event MonitorWatches the system and sends eventinformation to the database as theyoccur. The Event Monitor loadsautomatically when the serverstarts. In previous versions ofDomino, the Event Monitor wasknown as the Event task.

EVENTS4.NSFThe monitoring configuration data-base that stores all documents usedto configure statistics and monitor-ing for a server, used to definewhich system tasks will be moni-tored and at what point a systemalarm is generated.

33 0789729180 Glossary 10/21/03 2:33 PM Page 552

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .full-text index 553

exam proctorSomeone who is certified to admin-ister a certification exam. Theproctor verifies the tester’s ID,downloads and sets up the exam,and supervises the exam for itsduration.

Execution Control List (ECL)A list stored on the workstation thatcontrols which formulas and scriptscreated by another user can run onthat workstation.

explicit policiesPolicies that define specific groupsor users in the organization andtheir access requirements; should beused to make changes to existingusers.

Extended Access Control List(xACL)An optional directory access controlfeature available for a DominoDirectory and Extended DirectoryCatalog, used to apply restrictionsto users’ overall directory access.

Ffield-level sequence numberThe unique number assigned toeach field in a document that trackshow many times a field has beenedited.

file-protection documentDocument that controls access toWeb files (graphics, HTML, and so on).

FixupThe server task that runs on data-bases to attempt to fix any inconsis-tencies that result from partiallywritten operations caused by a fail-ure; used to repair databases thatwere open when a server failureoccurred. Fixup runs automaticallywhen the server starts, but it canalso be run from the DominoConsole, when necessary.

foreign Domain documentDocument used for connectionsbetween external applications.Typical applications using a foreigndomain document are a fax orpager gateway.

foreign SMTP Domain documentDocument used to route Internetmail when the server does not haveexplicit DNS access.

full-access administratorPermitted access to all componentsof the Domino server. This is thehighest level of access permitted.

full-console administratorAdministrator that has all the rightsof the view-only administrators,plus the capability to issue consolecommands.

full-text indexA collection of files that indexes thetext in a database to allow Notes toprocess users’ search queries.

33 0789729180 Glossary 10/21/03 2:33 PM Page 553

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .global Domain document554

Gglobal Domain documentDocument that defines the Internetdomains considered to be internalto the local Domino domain and forwhich the local domain can acceptinbound SMTP mail—for example,acme.com, sales.acme.com, and soon. It also defines rules for convert-ing the sender’s Notes mail addressto an Internet address in outboundSMTP messages in which the Inter-net address is not already specified.

groupA named list of users and/or servers.It can be used in Domino Direc-tories, Personal Address Books,Access Control Lists, and so on.

GroupModifierRole that allows anyone withappropriate access to edit groupdocuments.

Hhierarchical namingA system of naming associated withNotes IDs that reflects the relation-ship of names to the certifiers in anorganization. Hierarchical naminghelps distinguish users with thesame common name for addedsecurity and allows for decentral-ized management of certification.

home URLThe home or default page thatloads when accessing a DominoWeb server via HTTP.

hybrid directoryDirectory schema that uses a com-bination of distributed and central-ized directory configurations. Localusers might use the centralizeddirectory, while remote users have alocal copy of the directory on theirserver so that bandwidth would notbe an issue.

Hypertext Markup Language(HTML)An Internet-standard language thatallows text to be rendered to theWeb browser client.

Hypertext Transfer Protocol(HTTP)Protocol used to exchange informa-tion with Web browser clients.

IID backup and recoveryThe process that allows administra-tors to store backup copies of userID files so that IDs and passwordscan be recovered.

ID fileA file that uniquely identifies eachcertifier, server, and user in anorganization.

in-place compacting with spacerecovery Recovers unused space in a data-base, but the physical size of thedatabase remains the same. Unlikewith Update and Updall, access tothe database is not denied while theCompact task is running.

33 0789729180 Glossary 10/21/03 2:33 PM Page 554

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .MAIL.BOX 555

in-place compacting with spacerecovery and reduction in file size A version of Compact that reducesthe physical database size andrecovers unused space, but takeslonger than other versions to com-plete. The DBIID is changed withthis Compact version. RunningCompact without a software switchoption compacts databases not asso-ciated with transaction logging.

Internet Inter-Orb Protocol (IIOP)Protocol used to permit Java codeto be executed on the server.

Internet Message Access Protocol(IMAP)Access protocol used to processmail. A typical example of a servicethat uses IMAP is MicrosoftExchange.

ISpyA server task that sends server andmail probes, and stores the statisticsgenerated by those probes.

Issued Certificate List (ICL)A database that stores a copy ofeach unexpired certificate that it hasissued, certificate revocation lists,and CA configuration documents.

J–KJconsoleA Java-based application providedby Lotus to launch the DominoConsole.

LLDAP (Lightweight DirectoryAccess Protocol)Industry-standard protocol used formanipulating entries in a directorythat are associated with a distin-guished name.

linear transaction loggingSimilar to circular logging, but canuse more than 4GB of disk space.

live consoleConsole interface to the Dominoserver that allows the administratorto issue console commands fromthe Notes Administrator client.

Location documentA document in the user’s PersonalAddress Book that contains com-munication and other location-specific settings used when workingwith Notes in a specific place.

Log_AgentMangerA Notes.ini setting that enablesagent logging in the Domino logfile, typically identified by thename LOG.NSF.

LOG.NSFThe database on the Domino serv-er that stores information about allactivity on that server.

MMAIL.BOXThe database that acts as the trans-fer point for mail on each routingserver.

33 0789729180 Glossary 10/21/03 2:33 PM Page 555

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Mail-In Database document556

Mail-In Database documentA document in the directory thatcontains the information thatallows the router to deliver mail toa database.

mail-in statisticsUsed to provide statistics informa-tion by sending reports to a speci-fied mail recipient.

Mail Only groupGroup used to define groups thatare used exclusively for mailinglists.

mail quotaA limit that the administrator canset that determines how the mailrouter will restrict messages basedon quota settings.

Mail Routing and ServerResponse WizardWizard that creates an event gener-ator that generates statistics or firesan event based on the availability ofa resource.

Mail Tracker CollectorDomino tool that provides thecapability for administrators as wellas users to track their messages.

mail usage reportsReports that can be generated bythe administrator based on mes-sage-tracking information collectedby the Message Tracking Collectortask.

memory cacheAn area in memory that storesmapping information about

databases and authenticating Webusers for quick access.

Merge Replication ConflictsA form property that can beenabled to allow two documents tomerge fields during replication.

message trackingA process that enables the adminis-trator to check the status of anymessage that has been routed with-in the Domino network.

messaging serverA Domino server that providesmessaging services. There is no sup-port for application services orDomino clusters.

Monitor documentIn statistics and monitoring, a docu-ment that allows the administratorto monitor replication and useractivity.

MSTORE.NSFThe MailTracker Store database,used by the Mail Tracker Collectortask.

multipurpose groupGroup used for mailing lists and byACLs to determine access to a spe-cific database.

multiuser supportA Domino tool that allows manyusers to share a single workstationand retain their own distinct setupinformation. It is available only onWindows workstations.

33 0789729180 Glossary 10/21/03 2:33 PM Page 556

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .physical security 557

Nnetwork compressionA style of compression that speedsup data transmission either betweena Notes client and a Domino serveror between two Domino servers.

nonadjacent domainDomains that aren’t connected overa physical connection.

nonadjacent Domain documentProvides three purposes in thedomain. First, it supplies next-hoprouting information to route mail.Second, it can be used to restrictmail routing from the domain.Third, it provides Calendar serversynchronization between two differ-ent domains.

Notes networkA group of servers that have thesame network name and use thesame port type to communicate.

Notes Remote Procedure Call(NRPC)The architectural layer of Notesused for all Notes-to-Notes com-munication.

OOn Disk Structure (ODS)Used to determine the file formattype used by a Domino database orapplication.

organizationTypically a company name; thehighest point on the hierarchy tree.

organizational policiesPolicies used to establish distinctsettings that are required for usersin a specific OU.

Organizational UnitTypically used to identify a countryor department name; a lower-levelcertifier used to stamp or certifyservers and users that allows for amore decentralized namingscheme.

Ppassing markThe minimum score required topass a certification exam. The pass-ing mark differs for each exam.

password verificationA server option that ensures that aNotes user can authenticate with aserver only after providing the cor-rect password that is associatedwith the user ID.

pending mailMail messages sitting in theMAIL.BOX waiting to be routed.

physical securitySecurity that involves securing theDomino server’s hardware and soft-ware from local, physical access.

33 0789729180 Glossary 10/21/03 2:33 PM Page 557

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Policy documents558

Policy documentsA document used to regulate howusers can access the system andperform specific functions. Allclients and servers participating inPolicy document deployment mustbe running a minimum of version4.67a or greater, to avoid directoryreplication errors.

Policy SynopsisA tool that the administrator canuse to determine the effective poli-cy governing a selected user.

POP3 (Post Office ProtocolVersion 3)Protocol used by mail applicationsto retrieve mail, typically over theInternet.

portThe hardware connection and itsrelated protocol that allows theserver to communicate with otherservers or clients with the sameprotocols.

practice testA sample test included with theExam Cram book that helps thereader practice for the real exam byattempting multiple-choice ques-tions that are similar to the actualexam questions.

private keyA secret encryption key that isstored in a Notes ID file and usedto sign and decrypt messages and toauthenticate the owner of the key.

Program documentA document that is used to auto-matically run a server task at a spe-cific time.

protocolA communication language usedbetween servers and clients.

public keyAn encryption key associated with aNotes ID that is used to verify anelectronic signature, encrypt a mes-sage, or identify an authenticatinguser. A public key is part of eachuser ID, and a copy of the key isstored in the Domino Directory.Certificates on IDs ensure that pub-lic keys are valid.

PUBNAMES.NTFTemplate used to design theDomino Directory.

pullOne-way replication or mail rout-ing in which the replica task pullsdocuments from the target server,or the router pulls mail from thetarget server.

pull-pull replicationBidirectional replication in whichthe source server pulls documentsfrom the target server, and the tar-get server then pulls documentsfrom the source server.

pushOne-way replication or mail rout-ing in which the replica task sendsdocuments to the target server, orthe router sends mail to the targetserver.

33 0789729180 Glossary 10/21/03 2:33 PM Page 558

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .role 559

Rradio buttonType of field in which a singleselection button is used to choosean option from a range of choices.

Readers fieldA document field that contains a listof names to control access to thedocument.

refresh designThe process by which a database’sdesign elements are refreshed tomatch the design elements stored inthe design template.

registration policyPolicies assigned when a new user iscreated.

registration serverThe designated server that storeschanges in the Domino Directory,such as new users, server, or namechanges. When the changes arecompleted the server replicates thechanges to the replica copies of theDirectory throughout the domain.

repeat intervalThe time interval between replica-tion attempts, agent scheduling,mail routing, and other time-basedNotes tasks.

replace designThe process by which a database’sdesign elements are deleted andreplaced with the design elementsin the design template.

replica IDA unique number that is generatedwhen a database is first created.When you make a replica of thedatabase, the replica inherits thereplica ID. For two databases toreplicate, they must share the samereplica ID.

replicationThe process of exchanging modifi-cations between replicas. Throughreplication, Notes makes all of thereplicas essentially identical overtime if the ACLs are defined topermit changes to the databases.

replication conflictA condition that occurs when twoor more users edit the same docu-ment in different replicas of a data-base between replications.

replication historyThe listing of replication times,dates, and server names involved inreplication.

replication topologiesThe configuration that an adminis-trator uses to connect servers forreplication.

review markA check-box interface located inthe top corner of the screen duringan exam that allows the tester tomark a question for later review.

roleAn attribute assigned to an ACLentry (person, server, or group) andcreated to simplify the maintenanceof restricted fields, forms, and views.

33 0789729180 Glossary 10/21/03 2:33 PM Page 559

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Router560

RouterThe server task responsible fortransferring mail between servers.

routing costA cost assigned by the router to eachpossible route for a message. Therouter attempts to deliver a mailmessage using the least-cost route.

routing tablesThe tables’ built-in memory oneach server running the router task.These tables poll informationstored in the Directory regardingmail routes, and the router refers tothese tables when routing mailbetween servers instead of pollingthe Directory directly.

SSchedThe Schedule Manager (Sched),used in conjunction with theCalendar Connector task to providecalendaring and scheduling. Schedis loaded automatically when aDomino server is installed and isadded to the Server Tasks line inthe Notes.ini file.

SECURE_DISABLE_FULLADMINA Notes.ini setting that preventsfull-access administrators fromaccessing the server. The setting forthis parameter isSECURE_DISABLE_FULLADMIN=1.

security policyPolicy that defines password man-agement and ECL setup informa-tion.

Security Settings documentA document that allows the admin-istrator to easily modify and main-tain security standards across anorganization.

self-assessmentA tool included in this book thathelps readers assess their ability toprepare for the exam based on theirown background. The assessmenthelps readers identify parts of theirbackground or experience thatmight need improvement, enhance-ment, or further learning.

server accessThe collection of security settingsthat control access to the server’sresources.

server IDA file that uniquely identifies eachserver within an organization, andallows the server to authenticatewith other servers and with users.

SERVER_MAXSESSIONSA Notes.ini setting that limits themaximum number of sessions thatcan be opened on the server.

server monitorProvides Domino administratorswith real-time statistics reporting.

server registrationA process that allows the adminis-trator to create an identity for thenew server in the domain’s DominoDirectory.

33 0789729180 Glossary 10/21/03 2:33 PM Page 560

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .system administrator access 561

server setupThe process that allows the adminis-trator to set up the Domino softwareon the server machine by runningsetup.exe.

ServerModifierA role that allows anyone withappropriate access to edit serverdocuments.

session-based name-and-password authenticationAuthentication that allows the Webuser to authenticate with the Webserver based on the name and pass-word stored in that user’s Persondocument in the Directory, andlogs the session using a cookie inthe browser.

setup policyA policy used for new registrationsthat defines a group of settingsapplied to a new user when it is cre-ated.

shared mailA feature that stores messagesaddressed to more than one user ona mail server in a central database,called the shared mail database.Message headers are stored in usermail files. When users double-clickthe headers, links to the correspon-ding content in the shared maildatabase are activated.

Smart UpgradeA new Domino R6 feature thatnotifies users to update their Notes6 clients to later releases. Lotus

Notes Smart Upgrade uses policyand settings documents to helpmanage updates. The tool monitorsusers as they log in and then alertsthem when an upgrade is available.Smart Upgrade kits, or incrementalinstallers, are available at the LotusDeveloper Domain Web site.

source serverThe server that initiates replica-tion.

SSL (Secure Socket Layer)Protocol designed to provideencrypted communications on theInternet; SSL applies to Web con-nections only.

STATREP.NSFDefault database used by theCollector task, which can gatherdata for a single server or multipleservers in the domain.

streaming replicationA type of replication that allows thereplicator task to send multiplechanges in one request and toreplicate smaller documents first.This style of replication is usedduring pull or pull-pull replication.

system administrator accessOne of the four types of adminis-trator access, all of which are usedto define how an administrator canchange server configurations.Individuals with system administra-tor access can issue only commandsrelated to the operating system.

33 0789729180 Glossary 10/21/03 2:33 PM Page 561

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .target server562

Ttarget serverThe destination server during repli-cation.

testing centerA place of business authorized toadminister the Lotus Domino certi-fication exams, as well as certifica-tion exams by other vendors.

timeoutThe amount of time that passesbefore Domino drops an inactivethread.

transaction loggingFeature available for Dominoservers running release 5 or laterand databases using release version5 or later On Disk Structure(ODS). Database changes are sentto a transaction log database andthen are written later to the targetdatabase. Transaction logging isuseful for increasing backupthroughput, disaster recovery, anddatabase performance.

Troubleshooting WizardWizard that identifies some com-mon configuration errors in theEVENTS4.NSF database and sug-gests possible resolutions.

UUpdallRebuilds corrupted views and full-text index searches, as Update does,and has various options that can be

defined when launched by using asoftware switch. Updall is executedby default at 2:00 a.m. and, unlikeUpdate, can be run manually.

UpdateUpdates a database’s view indexes.Update runs automatically whenthe server is started and continuesto run while the server is up.

user IDA file that uniquely identifies eachuser within an organization andallows the user to authenticate withservers.

UserModifierRole that allows anyone withappropriate access to edit user doc-uments.

user registrationA process that allows the adminis-trator to create an identity for thenew user in the domain’s DominoDirectory.

user typeIdentifies whether a name in theACL is a person, server, or group.

Utility ServerA Domino server that providesapplication services only, with sup-port for Domino clusters. TheDomino Utility Server is a newinstallation type for Lotus Domino6 that removes client access licenserequirements. There is no supportfor messaging services. The UtilityServer type is used if the require-ment is for application servicesonly, with no messaging services.

33 0789729180 Glossary 10/21/03 2:33 PM Page 562

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .welcome page 563

Wwarning thresholdA limit that the administrator setson a mail file that can be used toprovide users with advance noticewhen their mail files approach thedesignated mail file quota. Usersthen can reduce the size of theirmail files before message flow isinterrupted.

WEBADMIN.NSFDatabase used to provide accesscontrol for the Domino WebAdministrator.

Web AdministratorThe Web-based client that allowsan administrator to administer theserver using a Web browser insteadof a Notes client interface.

The Domino Web Administratorallows remote administration usingonly a browser client. Access usingthe Domino Web Administrator ismaintained by the databaseWEBADMIN.NSF. In addition tousing the Domino Console and theDomino Administrator client,Lotus has now provided the capa-bility to administer the server usingjust a browser. Although the Webadministrator is essentially the sameas the administrator client, the navi-gation is slightly different, so besure you are familiar with it.

Web serverA Domino server that is runningthe HTTP task to allow Web clientaccess to data.

Web site ruleDocuments that allow the adminis-trator to relocate or reorganizesites without breaking existing linksor browser bookmarks.

welcome pagePages used to provide a commonentry point for all users across anorganization, with a standard lookand feel.

33 0789729180 Glossary 10/21/03 2:33 PM Page 563

33 0789729180 Glossary 10/21/03 2:33 PM Page 564

Aaccess

ACL levels, 302administrators, 140, 343agents, 297-299applications, 235-236data access control, 412-413databases, 302-303, 344

Authors/Readers fields, 305consistent ACLs, 303-304roles, 304-305

domains, 247-248Domino application, 148-149Domino servers, 135

administrators, 136-137allowing/denying, 137-138monitoring/maintaining, 139ports, 138server console, 135troubleshooting, 140-141

intermediate servers, 112ports, 138, 293roaming users, 221-222servers, 344

administrator, 292assigning, 266-269configuring, 291-293Manager/Editor, 267Manager/Manager, 266Manager/No Access, 268Manager/Reader, 267Reader/Reader, 268troubleshooting, 293-294, 409-411

users, 306-308

Access Control List Only groups, 21access control list only groups, 364Access Control Lists. See ACLsaccess levels

ACLs, 142-143assigning, 109-112author, 143depositor, 143designer, 143editor, 111, 143manager, 109, 143manager/designer, 110manager/editor, 110manager/reader, 111reader, 143

accessing and protecting the file systemWeb site, 157, 535

ACLs (Access Control Lists), 101, 108access levels, 142-143, 302access, assigning, 109-112application security, 302-304Authors field, 146consistency, 112, 303-304Domino application security, 141-142

access levels, 142-143user types, 144

Domino Directory, 131-133editor access, 111integrity, 413intermediate server access, 112manager access, 109manager/designer access, 110manager/editor access, 110manager/reader access, 111Readers field, 146-147

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

34 0789729180 Index 10/21/03 2:35 PM Page 565

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ACLs566

reading, 112replication, 266-269user types, 144

Activity Analysis dialog box, 340activity logging

agents, 301configuring, 338-340

ACTIVITY.NSF database, 339adjacent domains, 191-192, 229, 348administration

ECL, 68monitoring tools, 84

Domino Administrator client, 84-85Domino server console, 86-87Web Administrator client, 85-86

Administration Preferences dialog box, 352Administration Process (AdminP), 365

configuring, 90group maintenance, 91-92troubleshooting, 237-238, 397-398users

maintenance, 89-91management, 225

administrators, 136access, 136-137, 343

full access, 343full console, 343servers, 292system, 343troubleshooting, 140

AdminP, 365database, 136-137full remote console, 137full-access, 136groups, 22restricted system, 137system, 137view-only, 137

Advanced Domino Services dialog box, 168Advanced tab (Replication Settings dialog

box), 265Agent event, 400Agent Manager, 394-395agents

access, 297-299Agent Manager, 394-395controlling, 66-68creating, 149formula, 67local, 299logging, 300, 329-330monitoring/maintaining, 300-301running, 299server-based, 299signing, 67simple, 67

troubleshooting, 308Web application, 83

Agents command (View menu), 329applications

access control, 235-236Administration Process. See

Administration Processagents, 308Compact, 233-234database maintenance, 232-234deploying, 62

agents, controlling, 66-68attachment based, 214coding based, 212compression, 69-70design elements based, 212-213ECL, 68-69HTML-based applications, 64-65,

216nonshared design elements based,

214NSF based, 215-216replication based, 215shared design elements based, 214server-based applications, 62-64Web applications for international-

ization, 65-66designs

Design task, 70-72refreshing, 71replacing, 72, 216-218replicating, 73

Domino, 141-144, 146-149Fixup, 233jconsole, 241-244, 380multiple replicas, 263-265security, 295-297

ACLs, 302-304agent access, 297-299agents, 300-301Authors/Readers fields, 305encrypted fields, 296Form Access Lists, 297Form Read Access Lists, 295hidden fields, 296Readers fields, 295roles, 304-305section access lists, 296signed fields, 296View Read Access Lists, 296

Server Monitor, 236-237Smart Upgrade, 320Updall, 233Update, 233

Archive Criteria Settings documents, 50

34 0789729180 Index 10/21/03 2:36 PM Page 566

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .clients 567

Archive Policy Settings documents, 50archiving, 210

client-based, 49, 210configuring, 211-212copying, 210databases, 74document selection, 210logging, 180, 350mail

archiving policies, 49-50file clean up, 210

policiescreating, 48-49mail archiving management, 49-50settings documents, creating, 50

server-based, 49, 210Archiving Settings document, 50Assign Policy tool, 28assigning access levels, 109-112

editor, 111manager, 109manager/designer, 110manager/editor, 110manager/reader, 111

authentication, 236, 355configuring, 280-281name-and-password, 134, 281organization certifier IDs, creating, 356organizational unit IDs, creating,

356-357Remote Console, 246session-based, 134, 281troubleshooting, 395

Domino directory configuration, 396server ID verification, 397user problems, 397

Web, 134author access level, 143, 303authorization, troubleshooting, 395

Domino directory configuration, 396server ID verification, 397user problems, 397

Authors fields (application security), 146,305

automatingclient installations, 23server tasks, 342

B-B switch, 415backups, 210, 348basic name-and-password authentication,

134

Basics tab (Replication Connection docu-ments), 106

batch file installations, 24Bookmarks view

Console, 243Domino server, 381

browsersclients, 319Web, 177

bundled statistics, 385

C-c switch, 415CA Configuration documents, 290CA keys, 175-176CA process, 289-291calendaring, 177capacity planning, 162-163CAT Global, 4CATALOG.NSF database, 413central directories

configuring, 20-21distributed directory migrations, 87-88,

183-184Certificate Expiration Date dialog box, 224,

367Certificate Revocation List (CRLs),

290-291certificates, 172

CA keys, 175-176Internet, 25managing, 291Notes, 25organization certifier IDs, 173organizational unit certifier IDs,

173-174troubleshooting, 411

certification exams. See examscertifier IDs, 18-19, 130, 281Certify ID dialog box, 219, 353character set mapping, 65Choose a Certifier dialog box, 220, 224, 366Choose the Domino Domain Name dialog

box, 167circular logging, 180, 350client-based archiving, 49, 210clients

browsers, 319Domino Administrator

monitoring preferences, 84-85replication, forcing, 258-259

How can we make this index more useful? Email us at [email protected]

34 0789729180 Index 10/21/03 2:36 PM Page 567

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .clients568

IMAP, 176iNotes Web Access, 177licenses, 23-24Notes, 176, 257POP3, 177upgrades, 320users

configuring, 24-25IDs, 25-26registering, 22-23

Web Administrator, 85-86workstations, 176-177

Cluster Replica task, 115clustering

failovers, 182load balancing, 181replication, 115-116troubleshooting, 238-239

collectingserver information, 330-331statistics, 331-332

Collector task, 331-332command-line utility installations, 24commands

agents, 301Compact, 74console

mail routing, troubleshooting, 47-48viewing, 258

Domino console, 380File, Preferences, User Preferences,

Mail, 53fixup, 410jconsole, 243Load Router, 48pull, 103, 258push, 104, 258Refresh Design, 72, 271Replace Design, 72Replicate, 102-103, 258Route, 40Set Secure, 135show server, 330

Domino console, 380server tasks, monitoring, 227

show tasks, 380Tell amgr debug, 330Tell amgr schedule, 330Tell amgr status, 330Tell Router Compact, 48Tell Router Delivery Stats, 48Tell Router Exit, 48Tell Router Quit, 48Tell Router show, 40

Tell Router Show Queues, 48Tell Router Update Config, 48trace, 412View, Agents, 329

Compact, 233-234command, 74task, 414

compacting, 74, 414compression

application deployment, 69-70enabling/disabling, 218LZ1, 70network, 69

Configuration documents, 198configuring

activity logging, 338-340Administration Process, 90administrator access, 343agent access, 297-299archiving, 211-212authentication, 236, 280-281calendaring, 177client workstations, 176-177database access, 302-303

Authors/Readers fields, 305consistent ACLs, 303-304roles, 304-305

directories, 19, 169-170administrator groups, 22central, 20-21distributed, 20-21domains, 19groups, 21

Domain Search, 355Internet clients, 319mail quotas, 195mail routing, 36-37, 190-191messaging

Location document, 54-55tracking, 197-199user preferences, 53-54

multiuser support, 176networks

names, 344timeouts, 81-82

Notes R6 users, 24-25replication, 261-262resource sharing, 177-179roaming users, 221-222, 372-374Router responses (mail quotas), 196-197scheduling, 177servers, 165-169

access, 291-293, 344additional, 16-17

34 0789729180 Index 10/21/03 2:36 PM Page 568

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .databases 569

administrators, 167Country codes, 167domain names, 167names/titles, 166organization name, 166passwords, 167ports, 17-18protocols, 17-18security, 169

size quotas (mail), 196transaction logging, 179-181, 351

Confirm Database Delete dialog box, 209conflict documents, 114conflicts (replication), 113-115Connected Servers view


Connection documents, 36, 190, 260changes, 39creating, 260-261mail routing, scheduling, 38-39replication

connection types, 106creating, 106-108destination domains, 106destination server, 106ports, 106priorities, 107pull only, 107pull pull replication, 107pull push replication, 107push only, 107replication tasks, 106replication types, 107source domains, 106source server, 106time limits, 107usage priority, 106

replication, scheduling, 104connections

mail, 198modems, 240Replication Connection documents, 106testing, 411-412troubleshooting, 411-412

consolescommands

mail routing, troubleshooting, 47-48viewing, 258

Domino, 241, 380-382exiting, 382File menu, 380jconsole, 241-244

launching, 242views, 381

Live, 258Remote, 245-247server

replication, forcing, 102-104security, 135, 291

copy-style compacting, 414corrupted views (databases), 413costs (exams), 4Country codes (servers), 167crashes (server). See servers, crashesCRLs (Certificate Revocation Lists),

290-291customizing

group memberships, 364-365installations, 24replication, 263-265user hierarchy locations, 365-366user names, 223-224, 367

Ddata access control, 412-413database administrators, 136-137Database and Statistic Wizard, 329, 400database instance IDs (DBIIDs), 179, 350,

414Database Replication Failure Monitor, 118databases

access, 302-303Authors/Readers fields, 305consistent ACLs, 303-304roles, 304-305

ACTIVITY.NSF, 339adding to servers, 208agents, 149archiving, 74backing up, 210catalog file, 413compacting, 74, 414corrupted views, 413creating, 344DECOMSRV.NSF, 347deleting, 209design changes, 270-271documents

deleting, 414viewing, 149

documents, locking, 148DOMLOG.NSF, 80


34 0789729180 Index 10/21/03 2:36 PM Page 569

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .databases570

EVENTS4.NSF, 85event handlers, 329server tasks, monitoring, 226system tasks, 328

fault recovery, 75-76full-text index searches, 233, 413local, 129LOG.NSF, 75mail-in, 283MAIL.BOX, 36, 42, 190MailTracker Store, 408maintenance

tasks, 234-235utilities, 232-234

moving, 209MTSTORE.NSF, 43, 198quotas, 74recipient mail, 191repairing, 233replication, troubleshooting, 398-399REPORTS.NSF, 44Resource Reservations, 177-179restoring, 210routing mail to, 199-201servers

crashes, causing, 393tasks, monitoring, 228

size, 74-75, 232, 392soft deletions, 74space, recovering, 233-234STATREP.NSF, 46, 331system tasks, 413-414troubleshooting, 413-416upgrading, 209user activity recording, 74view indexes, 413, 233views, 233WEBADMIN.NSF, 86, 246, 383-384

DBIIDs (database instance IDs), 179, 350,414

dead messages, 41Debug Output Window view


Decommission Server Analysis tool,346-347

DECOMSRV.NSF database, 347Delete Group dialog box, 368Delete Person dialog box, 369deleting

databases, 209documents, 148, 414groups, 368

PrepLogic Practice Exams, PreviewEdition, 541

users, 225, 368-369Delivered messages, 230Delivery failed messages, 230delivery (messages)

failure reports, 46-47status, 230, 408

Deny Access groups, 145deny list only groups, 21, 364deploying

applications, 62agents, controlling, 66-68attachment based, 214coding based, 212compression, 69-70design elements based, 212-213ECL, 68-69HTML, 64-65, 216nonshared design element based, 214NSF based, 215-216replication based, 215shared design elements based, 214server-based, 62-64Web for internationalization, 65-66

user IDs, 25Depositor access level, 143, 303Design task, 70-72, 271designer access, 110, 143, 303designs

Design task, 70-72refreshing, 71replacing, 72, 216-218replicating, 73, 270-271

destination domains, 106destination servers, 106, 260dialog boxes

Activity Analysis, 340Administration Preferences, 352Administrator Name and Password, 167Advanced Domino Services, 168Certificate Expiration Date, 224, 367Certificates in Selected Entries, 369Certify ID, 219, 353Choose a Certifier, 220, 224, 366Choose the Domino Domain Name,

167Confirm Database Delete, 209Delete Group, 368Delete Person, 369Edit Master Recovery Authority List,

283Form Properties, 147

34 0789729180 Index 10/21/03 2:36 PM Page 570

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .documents 571

Manage Groups, 370Move Users(s) to Another Server, 221,

371New Tracking Request, 43People and Rename, 224, 367Processing Statistics, 367Recertify User, 220, 369Register Organization Certifier, 356Register Organizational Unit Certifier,

357Register Person—New Entry, 221, 373Registration Server, 353Rename Person, 224, 367Renew Certificates in Selected Entries,

220Replication Settings, 265User Preferences, 53

directoriesadministrator groups, 22central, 20-21, 87-88, 245, 352configuring, 19, 169-170distributed, 245, 352

configuring, 20-21migrating to central directories,

87-88, 183-184domains, 19Domino, 131

ACLs, 131-133authentication, troubleshooting, 396errors, 410-411file protection documents, 133roles, 133

errors, 410-411groups, 21hybrid, 245, 352

disablingcompression, 218user activity recording, 74

distributed directories, 245, 352configuring, 20-21migrating to central directories, 87-88,

183-184DNNs (Domino Named Networks), mail

routing, 36, 190configuring, 36-37forcing to specific servers, 40monitoring/maintaining, 41-46scheduling, 38-39troubleshooting, 46-48

documentsACLs, 101, 108

access, 109-112, 142-143Authors field, 146

consistency, 112Domino application security,

141-144Domino Directory, 131-133editor access, 111integrity, 413intermediate server access, 112manager access, 109manager/designer access, 110manager/editor access, 110manager/reader access, 111Readers field, 146-147reading, 112user types, 144

adjacent domains, 192, 229, 348archive policy settings, 50CA Configuration, 290Configuration, 198conflict, 114Connection, 36, 190, 260

changes, 39creating, 260-261mail routing, scheduling, 38-39replication, 104-108

deleting, 148, 414Domain, 348editing, 149, 307file protection, 133foreign domains, 229, 348global domains, 229, 348Location, 54-55locking in databases, 148Mail-In Database, 199-201main, 114non-adjacent domains, 194, 229, 348Person

explicit policies, assigning, 28policies, 341user management, 371

policies, 149applying, 26-28, 183existing users, 341-342explicit, 27-28new users, 318organizational, 27security, 345-346

Program, 342replication order, 101security settings, 150selecting for archiving, 210Site Profile, 178-179viewing, 149


34 0789729180 Index 10/21/03 2:36 PM Page 571

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Domain documents572

Domain documents, 348Domain Search, 354-355Domain view


domains, 19access, 247-248adjacent, 191capacity planning, 162-163Domain documents, 348external, 191-194maintenance, 228-229monitoring, 228-229names, 167non-adjacent, 192

DominoAdministrator client

monitoring preferences, 84-85replication, forcing, 258-259

application securityACLs, 141-144Authors field, 146groups, 144-146Readers field, 146-147troubleshooting, 148-149

Console, 241, 380-382exiting, 382File menu, 380jconsole, 241-244launching, 242views, 243-244, 381

Directory, 131ACLs, 131-133authentication, troubleshooting, 396file protection documents, 133roles, 133

Web Administrator. See WebAdministrator

Web Server Log database, 80Domino Named Networks. See DNNsDomino servers

access, 135administrators, 136-137allowing/denying, 137-138monitoring/maintaining, 139ports, 138server console, 135troubleshooting, 140-141

console, 86-87IDs, 218-220security, 129

Domino Directory, 131-133IDs, 130-131monitoring/maintaining access con-

trol, 139

server access, 135-138troubleshooting, 140-141Web authentication, 134

DOMLOG.NSF, 80

EECLs (Execution Control List), 68-69, 150Edit Master Recovery Authority List dialog

box, 283editing documents, 149, 307editor access, 110-111, 143, 267, 303effective policies, 88-89enabling

compression, 218protocols, 349

encryption, 52fields, 296keys, 25local databases, 129passwords, 129public/private keys, 52-53

Enterprise servers, 15, 164errors. See also troubleshooting

directory, 410-411mail routing, 231messages

Server Not Responding, 140, 294You Are Not Authorized to Access

the Server, 141Event Filter view (Domino server), 381event generators

creating, 328mail-routing, 46replication, 118, 272server tasks, monitoring, 226

Event Handler Wizard, 329, 400Event Monitor, 328events

Agent, 400handlers, 400

creating, 329server tasks, monitoring, 226

Mail, 400mail routing, 42monitoring, 86-87POP3, 400Replica, 400replication, 117SMTP, 400triggers, 400

EVENTS4.NSF database, 85event handlers, 329server tasks, 226system tasks, 328

34 0789729180 Index 10/21/03 2:36 PM Page 572

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .groups 573

Examination Score Report, 544exams

costs, 4formats, 7layout, 6objectives, 3practice test exams, 425, 463, 499questions, 5readiness assessment, 2reviewing, 8studying for, 9techniques, 7-9test exams, 445, 485, 519testing center, 4time allowed, 4vendors, 4Web site, 9

Execution Control Lists (ECLs), 68-69, 150Exhibit button (practice exams), 543exiting

Domino console, 382jconsole, 244

expirationIDs, 219

extending, 369-370servers, 219users, 26

passwords, 150explicit policies, 27-28, 183, 318Extended Access Control List (xACL),

269-270external domains, 191-194

Ffailovers, 182fault recovery, 75-76fields

Authors, 296, 305encrypted, 296hidden, 296Readers, 295, 305signed, 296

File menuDomino console, 380Preferences, User Preferences, Mail

command, 53file protection documents, 133files

ID, 130-131, 280backups, storing, 283-284CA process, 289-291recovering, 282-287

logmonitoring, 78-80replication, 117, 272

mail, 221, 371NSD, 394text, 80

Fixup, 233, 410, 414forcing

mail routing to specific servers, 40replication, 256-257

Domino Administrator client,258-259

Notes client, 257server console, 102-104

foreign domain documents, 229, 348foreign SMTP domain documents, 229, 348Form Access Lists, 297Form Properties dialog box, 147Form Read Access Lists, 147, 295formula agents, 67full access administrators, 136, 343full console administrators, 343full remote console administrators, 137full-text index searches (databases), 233, 413

Ggenerators (event)

creating, 328mail-routing, 46replication, 118, 272server tasks, monitoring, 226

global domain documents, 229, 348Grade Exam button (practice exams), 544group expanded messages, 230GroupCreator role, 133GroupModifier role, 133groups

Access Control List Only, 21, 364administrator, 22deleting, 368Deny Access, 145deny list only, 21, 364directories, 21Domino application security, 144-146mail only, 21, 364maintenance, 91-92managing, 370memberships, 222-223, 364-365multipurpose, 21, 364renaming, 372server only, 21, 364


34 0789729180 Index 10/21/03 2:36 PM Page 573

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .handling events574

Hhandling events, 226, 329, 400Header view


held messages, 42hidden fields, 296hierarchy

names, 18-19policies, 89user locations, 365-366

HTML-based applications, 64-65HTTP protocol, 349HTTP task, 384hub-and-spoke topology, 105hybrid directories, 245, 352

IIBM Redbooks Web site, 60ICLs (Issued Certificate Lists), 290IDs, 130-131, 280

backups, 283-284CA process, 289-291certifier, 18-19, 130, 281expiration dates, 369-370organization certifier, 173, 355-356organization unit certifier, 355organizational unit, 356-357organizational unit certifier, 173-174OU certifier, 18-19recovering, 282

backup ID files, 283-284from backups, 286-287recovery information, 283-285

replica, 100servers, 14, 130, 281

expiration dates, 219maintenance, 218-220names, 219passwords, 219recertifying, 353-354verification, 397

troubleshooting, 411user, 130, 281

deploying, 25expiring, 26maintenance, 26, 220

IIOP (Internet Inter-ORB Protocol), 349IMAP (Internet Message Access Protocol),

176, 349In queue messages, 230in-place compacting with space recovery,

414

in-place compacting with space recoveryand reduction in file size, 414

incremental installers, 320indexing servers, 354individual statistics, 385iNotes Web Access, 177installing

clients, 23-24Domino servers Web site, 33PrepLogic Practice Exams, Preview

Edition, 541server, 163-165

intermediate servers, 112Internet

certificates, 25clients, 319

Internet Inter-ORB Protocol (IIOP), 349Internet Message Access Protocol (IMAP),

176, 349ISpy task, 198Issued Certificate Lists (ICLs), 290Item Review button (practice exams), 543

J - K-j switch, 411jconsole, 241-242, 380

commands, 243Console views, 243-244exiting, 244

keys, 25kits (Smart Upgrade), 320

L-L switch, 415LDAP protocol, 349licenses, 23-25linear logging, 180, 350Live console, 258load balancing, 181Load Router command, 48local agents, 299local databases, 129Location documents, 54-55locations (hierarchy), 365-366LOG.NSF, 75logging

activityagents, 301configuring, 338-340

agents, 300, 329-330archived, 180circular, 180

34 0789729180 Index 10/21/03 2:36 PM Page 574

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .maintenance 575

database, 75linear, 180monitoring, 78-80replication, 117, 272transactions, 349-350

configuring, 179-181implementation planning, 180implementing, 350-351versions, 350

Look and Feel viewConsole, 243Domino server, 382

LotusDevelopers Domain Web site, 390, 421,

535Domino 6 Technical Overview Web site,

60, 535Live! Series: “What’s New in

Notes/Domino 6 Administration”Web site, 536

LZ1 compression, 70

Mmail

archiving, 210client-based, 210configuring, 211-212copying, 210document selection, 210mail file clean up, 210policies, 49-50server-based, 210

connectivity, 198delivery status messages, 408encryption, 52-53files

clean up, 210management tasks, 89moving, 221, 371

message tracking, 197-199quotas, 51, 195-197

controls, 195exceeding, 195limits, 195Router responses, 196-197setting, 51, 195-196warning thresholds, 51, 195

routingconfiguring, 36-37, 190-191databases, 199-201errors, 231event generators, 46

events, viewing, 42external domains, 191-194forcing to specific servers, 40messages, tracking, 230monitoring/maintaining, 41-46reports, viewing, 43scheduling, 38-39status, viewing, 42topology, 42, 47troubleshooting, 46-48, 399, 408-409

shared, 42tracing, 47tracking, 408usage reports, 44-45

Mail event, 400mail only groups, 21, 364Mail Routing and Server Response Wizard,

329, 400Mail Tracking Collector (MT Collector),

43, 198, 408Mail-In Database documents, 199-201, 283MAIL.BOX database, 36, 42, 190mailboxes, 41MAILER task, 190MailTracker Store database, 43, 198, 408main documents, 114maintenance

agents, 300-301databases, 232-234

adding, 208backing up, 210deleting, 209fault recovery, 75-76moving, 209restoring, 210size, monitoring, 74-75tasks, 234-235upgrading, 209

domains, 228-229Domino Server IDs, 218-220effective policies, 88-89groups, 91-92mail routing

errors, 231event generators, 46message tracking, 43-44, 230Messaging, Mail tab, 41-43usage reports, 44-45

migrating distributed directories to cen-tral directories, 87-88

replication, 272server access control, 139


34 0789729180 Index 10/21/03 2:36 PM Page 575

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .maintenance576

users, 89-91IDs, 26, 220profiles, 222-223

Manage Groups dialog box, 370Manager access, 109, 143, 303

designer access, 110editor access, 110reader access, 111servers, 266

managingcertificates, 291groups, 370users, 371

mappingcharacter set, 65HTML-based applications, 64topologies

mail-routing, 47replication, 118

Mark Item button (practice exams), 543Master Design templates, 70, 344Maximizing Domino Performance Web site,

163, 535memberships (groups), 222-223, 364-365memory cache, 81messages

configuringLocation document, 54-55user preferences, 53-54

dead, 41delivery status, 230, 408error

Server Not Responding, 140, 294You Are Not Authorized to Access

the Server, 141held, 42pending, 41tracking, 44, 197-199, 230

Messaging servers, 15, 164Messaging, Mail tab, 41-43Microsoft Windows Management

Instrumentation Software DevelopmentKit (WMI SDK), 245

modems, 240monitoring

administration monitoring tools, 84Domino Administrator client, 84-85Domino server console, 86-87Web Administrator client, 85-86

agents, 300-301database size, 74-75, 232, 392domains, 228-229events, 86-87log files, 78-80

mail routingerrors, 231event generators, 46message tracking, 43-44, 230Messaging, Mail tab, 41-43usage reports, 44-45

replication, 116-118, 272server access control, 139Server Monitor, 236-237server tasks, 77-78, 226-228, 393

databases, 228event generators, 226event handlers, 226show server command, 227tools, 228

users, 41Web servers, 80

memory cache, 81network timeouts, 81-82threads, 81Web application agents, 83Web Site rules, 83-84

Monitoring Configuration database, 85Monitoring Results database, 46Move Users(s) to Another Server dialog

box, 221, 371moving

databases, 209mail files, 221, 371

MSTORE.NSF, 408MT Collector (Mail Tracking Collector),

43, 198, 408MTSTORE.NSF database, 43, 198multipurpose groups, 21, 364multiusers, 23, 176

N - Oname management tasks, 89name-and-password authentication, 281names

domains, 167groups, 372hierarchical, 18-19Master Design templates, 70networks, 344organization, 166owners, 25server IDs, 219servers, 166users, 223-224, 367

NetCreator role, 133NetModifier role, 133

34 0789729180 Index 10/21/03 2:36 PM Page 576

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .PrepLogic Practice Exams 577

networkscompression, 69names, 344timeouts, 81-82troubleshooting, 239

New Tracking Request dialog box, 43Next Item button (practice exams), 544No Access access, 143, 268, 303non-adjacent domains, 192-194, 229, 348Notes

certificates, 25client, 176, 257

NRPC (Notes Remote Procedure Calls),36, 190

NSD (Notes System Diagnostics) file, 394

organization certifier IDs, 173, 355-356organization names, 166organizational policies, 27, 183, 318OUs (organizational units), 18-19

certifier IDs, 173-174, 355IDs, 356-357

owner names, 25

Ppartitioning, 239Password Management tab, 150passwords, 287, 289

encryption, 129expiration, 150server IDs, 219servers, 167user, 247verification, 287-288

patches (server crashes), 393peer-to-peer topology, 105pending messages, 41People and Rename dialog box, 224, 367performance, 42Person document

explicit policies, 28management tasks, 90policies, 341user management, 371

Personal Address Book, 53-55physical security, 128-129policies

applying, 26-28archiving

creating, 48-49mail archiving management, 49-50settings documents, creating, 50

effective, 88-89explicit, 27-28, 183, 318hierarchy, 89organizational, 27, 183, 318Policy Synopsis report, 89security, 149-151

policy documents, 50, 149applying, 183

existing users, 341-342new users, 318

security, 345-346Policy Synopsis reports, 89Policy Viewer, 89Policy-based system administration with

Domino 6 Web site, 157, 536PolicyCreator role, 133PolicyModifier role, 133PolicyReader role, 133POP3 (Post Office Protocol), 349

clients, 177event, 400

portsaccess, 138, 293configuring, 17-18Replication Connection documents, 106

practice exams, 425, 463, 499, 537deleting, 541Examination Score Report, 544Flash Review mode, 543installing, 541interface, 540learning environment, 540options, 543-544Practice Exam mode, 542-543question quality, 540reviewing, 544simulation, 539software requirements, 540time remaining, 544

Preferences, User Preferences, Mail com-mand (File menu), 53

“Preparation and Test-Taking Strategieswith Lotus Education Managers,” 536

PrepLogic, 537, 545PrepLogic Practice Exams, Preview Edition,

537deleting, 541Examination Score Report, 544Flash Review mode, 543installing, 541interface, 540learning environment, 540options, 543-544


34 0789729180 Index 10/21/03 2:36 PM Page 577

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .PrepLogic Practice Exams578

Practice Exam mode, 542-543question quality, 540reviewing, 544simulation, 539software requirements, 540time remaining, 544

Previous Item button (practice exams), 544print resources, 535private keys, 25, 52-53Processing Statistics dialog box, 367profiles

statistics, 384users, 222-223

Program documents, 342protocols

configuring, 17-18enabling, 349HTTP, 349IIOP, 349IMAP, 349LDAP, 349POP3, 349SSL, 349troubleshooting, 239

public keys, 52-53pull command, 103, 258pull only replication, 107pull pull replication, 107, 258, 263pull push replication, 107push command, 104, 258push only replication, 107

Q - Rquotas

databases, 74mail, 51, 195-197

controls, 195exceeding, 195limits, 195Router responses, 196-197setting, 51, 195size quotas, setting, 196warning thresholds, 51, 195

reader access, 111, 143, 267-268, 303Readers field, 146-147, 295, 305readiness for exams, 2real-time statistics, 384-385Recertify User dialog box, 220, 369recertifying server IDs, 353-354recipient mail database, 191

recoveringdatabase space, 233-234ID files, 282

backups, 283-287recovery information, 283-285

server crashes, 393-394Refresh Design command, 72, 271Register Organizational Unit Certifier dia-

log box, 357Register Organization Certifier dialog box,

356Register Person—New Entry dialog box,

221, 373registering

servers, 14users, 22-23, 27, 175

Registration Server dialog box, 353registration servers, 351-352Remote Console, 245-247Rename Person dialog box, 224, 367Renew Certificates in Selected Entries dia-

log box, 220, 369Replace Design command, 72replacing

application designs, 216-218design changes, 72

Replica event, 400Replica task, 100-101replicas, 181

creating, 344IDs, 100management tasks, 90multiple, 263-265

replicate command, 102-103, 258Replicating/Routing tab (Replication

Connection documents), 106-107replication, 100

ACLs, 108, 266access, assigning, 109-112consistency, 112editor access, 111intermediate server access, 112manager access, 109manager/designer access, 110manager/editor access, 110manager/reader access, 111reading, 112server access, 266-269

changes, 264clustered, 115-116commands, 258-260configuring, 261-262conflicts, 113-115

34 0789729180 Index 10/21/03 2:36 PM Page 578

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .script libraries 579

Connection documentsconnection types, 106creating, 106-108destination domain, 106destination server, 106ports, 106priorities, 107pull only, 107pull pull replication, 107, 258, 263pull push replication, 107push-only, 107replication tasks, 106replication types, 107source domain, 106source server, 106time limits, 107usage priority, 106

defined, 256design changes, 73, 270-271destination servers, 260events, 117forcing, 256-257

Domino Administrator client,258-259

Notes client, 257server console, 102-104

history, 100, 116, 272maintenance, 272monitoring, 118, 272multiple replicas, 263-265pull only, 107pull pull, 107, 258, 263pull push, 107push only, 107Replica task, 100-101scheduling, 118, 260-262, 272

Connection documents, 106-108topologies, 104-105

server-to-server, 100streaming, 263tasks, 106time intervals, 263time limits, 107topologies, 104-105, 118, 272troubleshooting, 398-399workstation-to-server, 100xACL, 269-270

Replication Settings dialog box, 265reports

delivery failure, 46-47mail routing, 43-45Policy Synopsis, 89version reporting, 320

REPORTS.NSF database, 44Resource Reservations database, 177-179resources

print, 535sharing

configuring, 177-178site profiles, 178-179

Web, 535restricting administrator access, 136-137ring topologies, 105roaming users

configuring, 221-222, 372-374management tasks, 89

roles, 133, 304-305Route command, 40routing

configuring, 36-37errors, 231events, 42forcing to specific servers, 40mail

configuring, 190-191databases, 199-201external domains, 191-194quota responses, 196-197

mailboxes, 41messages, tracking, 230monitoring/maintaining

message tracking, 43-46Messaging, Mail tab, 41-43

reports, 43scheduling, 38-39SMTP, 191status, viewing, 42tables, 37, 191topology, 42troubleshooting, 46, 399, 408-409

console commands, 47-48delivery failures, 46-47mail trace, 47mail-routing topology maps, 47

SSchedule tab (Replication Connection docu-

ments), 108scheduling

configuring, 177mail routing, 38-39replication, 118, 260, 262, 272

Connection documents, 106-108topologies, 104-105

script libraries, 68


34 0789729180 Index 10/21/03 2:36 PM Page 579

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .section access lists580

section access lists, 296Secure Password view


Secure Sockets Layer (SSL) protocol, 349security

applications, 295-297ACLs, 302-304agent access, 297-301Authors/Readers fields, 296, 305encrypted fields, 296Form Access Lists, 297Form Read Access Lists, 295hidden fields, 296Readers fields, 295roles, 304-305section access lists, 296signed fields, 296View Read Access Lists, 296

authentication, 236, 280-281, 355organization certifier IDs, creating,

356organizational unit IDs, creating,

356-357troubleshooting, 395-397

authorization, 395-397CA keys, 175-176CA process, 289-291certificates, 172-174Domino application

ACLs, 141-144Authors field, 146groups, 144-146Readers field, 146-147troubleshooting, 148-149

Domino server, 129Domino Directory, 131-133IDs, 130-131monitoring/maintaining access con-

trol, 139server access, 135-138troubleshooting, 140-141Web authentication, 134

encryption, 52-53encryption keys, 25ID files, 282-287passwords, 287-289physical, 128-129policies, 149-151, 345-346servers

configuring, 169console, 135, 291

settings documents, 150user access, 306-308

Security tab (Form Properties dialog box),147

Server Monitor, 236-237, 385-386Server Not Responding error message, 140,

294server only groups, 364server-based agents, 299server-based applications, 62-64server-based archiving, 49, 210server-to-server replication, 100ServerCreator role, 133ServerModifier role, 133servers

access, 344administrator, 292assigning, 266-269configuring, 291-293Manager/Editor, 267Manager/Manager, 266Manager/No Access, 268Manager/Reader, 267Reader/Reader, 268troubleshooting, 293-294, 409-411

configuring, 14-16, 165-169additional, 16-17administrators, 167Country codes, 167domain names, 167names/titles, 166organization name, 166passwords, 167security, 169

consolereplication, 102-104security, 135, 291

crashescauses, 393fault recovery, 75-76NSD files, 394recovering from, 393-394

decommissioning, 346-347destination, 260document-management tasks, 89Domino, 129-141Enterprise, 15, 164IDs, 130, 281

expiration dates, 219maintenance, 218-220names, 219passwords, 219recertifying, 353-354verification, 397

indexing, 354information collecting, 330-331

34 0789729180 Index 10/21/03 2:36 PM Page 580

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Tell Router Update Config command 581

installing, 163-165intermediate, 112Messaging, 15, 164names, 166new, viewing, 294, 307not responding, 140partitions, 239ports, 17-18protocols, 17-18registering, 14, 351-352resource sharing, 177-179tasks

automating, 342monitoring, 77-78, 226-228, 393

titles, 166types, 164Utility, 15, 164viewing, 140Web, 80-84

servers only groups, 21sessions, 134, 281Set Secure command, 135sharing

installation, 23mail, 42resources, 177-179

Show Answer button (practice exams), 543show server command, 330

Domino console, 380server tasks, monitoring, 227

show tasks command, 380signing

agents, 67fields, 296script libraries, 68

simple agents, 67single-user client installation, 23Site Profile documents, 178-179size

databases, 74-75, 232, 392mail quotas, 196

Smart Upgrade, 24, 320SMTP event, 400SMTP routing, 191soft deletions (databases), 74source domains, 106source servers, 106Specify and Administrator Name and

Password dialog box, 167SSL (Secure Sockets Layer) protocol, 349statistics

bundled, 385collecting, 331-332

individual, 385profiles, 384real-time, 384-385viewing, 385-386

STATREP.NSF database, 46, 331storing

backup ID files, 283-284recipient mail database, 191

switches, 411, 415system administrators, 137, 343system tasks, 413-414

Ttables, 37, 191target servers, 106, 260tasks

Agent Manager, 394-395automating, 342Cluster Replica, 115Collector, 331-332Compact, 414database maintenance, 234-235Design, 70-72, 271Fixup, 414HTTP, 384ISpy, 198mail file management, 89MAILER, 190MTC, 43, 198, 408name management, 89Person document management, 90Replica, 100-101replica management, 90replication, 106roaming user management, 89server

document-management, 89monitoring, 77-78, 226-228, 393

system, 413-414Updall, 413Update, 413user mail file management, 89

Tell amgr debug command, 330Tell amgr schedule command, 330Tell amgr status command, 330Tell Router Compact command, 48Tell Router Delivery Stats command, 48Tell Router Exit command, 48Tell Router Quit command, 48Tell Router show command, 40Tell Router Show Queues command, 48Tell Router Update Config command, 48


34 0789729180 Index 10/21/03 2:36 PM Page 581

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .templates582

templates (master), 70, 344testing. See also exams

centers, 4connections, 411-412Mail-In Database documents, 201

text files, 80Thompson Prometric, 4threads, 81thresholds, 195tools

administration monitoring, 84Domino Administrator client, 84-85Domino server console, 86-87Web Administrator client, 85-86

Assign Policy, 28Decommission Server Analysis, 346-347Domain Search, 354-355replication, 272server tasks, monitoring, 228troubleshooting routing, 409

topologieshub-and-spoke, 105mail routing, 42maps, 118, 272peer-to-peer, 105replication, 104-105ring, 105

trace command, 412tracing mail, 47tracking

mail, 408messages, 43-44, 197-199, 230

transaction logging, 349-350configuring, 179-181implementation planning, 180implementing, 350-351versions, 350

Transfer failed messages, 230Transferred messages, 230troubleshooting

Administration Process, 237-238,397-398

Agent Manager, 394-395authentication, 395-397authorization, 395-397certificates, 411clustering, 238-239connections, 411-412data access control, 412-413databases, 413-416Domino application access control,

148-149IDs, 411

mail routing, 399, 408-409console commands, 47-48delivery failures, 46-47errors, 231mail trace, 47mail-routing topology maps, 47

modems, 240networks, 239partitions, 239protocols, 239replication, 398-399server access, 140-141, 293, 409-411

administrators, 140commands, entering, 293directory errors, 410-411new servers, viewing, 294Server not responding message, 140,

294unauthorized access, 141viewing new servers, 140

server crashescauses, 393fault recovery, 75-76NSD files, 394recovering from, 393-394

user access, 306access level conflicts, 308agents, creating, 308can’t access applications, 306document editing, 307new servers, viewing, 307viewing all items, 307

users, 241workstations, 416

Troubleshooting Wizard, 329, 400

Uunauthorized server access, 141Unknown messages, 230unrestricted methods, 67Updall, 233, 413Update, 233, 413updates

design changes, 270-271view indexes, 233, 413WEBADMIN.NSF database, 384

upgradesclients, 320databases, 209server crashes, causing, 393Smart Upgrade, 24

34 0789729180 Index 10/21/03 2:36 PM Page 582

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Web sites 583

Upgrading to Domino 6: PerformanceBenefits Web site, 421, 536

usage priorities, 106User Preferences dialog box, 53UserCreator role, 133UserModifier role, 133users

access, 306-308activity, recording, 74Administration Process, 225configuring, 24-25creating, 175deleting, 225, 368-369existing, 27-28, 341-342groups, 222-223, 364-365hierarchy locations, 365-366IDs, 130, 281

deploying, 25expiration date, extending, 369-370expiring, 26file recovery information, 284-285maintenance, 26, 220

mail files, 89, 221, 371maintenance, 89-91managing, 371monitoring, 41multiuser support, 176names, 223-224, 367new, 318passwords, 247policy documents, applying, 183preferences, 53-54profiles, 222-223registering, 22-23, 27, 175roaming, 221-222, 372-374troubleshooting, 241types, 144viewing, 41

utilities. See applicationsUtility servers, 15, 164

Vversions

reporting, 320transaction logging, 350

view indexes, 233, 413View, Agents command, 329View Read Access Lists, 296view-only administrators, 137viewing

Agent log, 301, 329-330Console, 243-244

console commands, 258databases

corrupted, 413rebuilding, 233

dead messages, 41Deny Access groups, 145documents, 149Domino console, 381held messages, 42mail routing, 42-43new servers, 294, 307pending messages, 41policies, 89real-time statistics, 384-385replication

events, 117mailboxes, 41schedules, 118, 272topology maps, 118

servers, 140shared mail, 42statistics, 385-386users, 41

W – X – Y – Zwarning thresholds, 51, 195Web

applicationsagents, running, 83deploying for internationalization,

65-66authentication, 134browsers, 177client, 246resources, 535servers, monitoring, 80-84

memory cache, 81network timeouts, 81-82threads, 81Web application agents, 83Web Site rules, 83-84

Web Administrator, 382-384client, 85-86database, 86Web client, compared, 246WEBADMIN.NSF database, 383-384

Web sitesaccessing and protecting the file system,

157, 535CAT Global, 4exams, 9


34 0789729180 Index 10/21/03 2:36 PM Page 583

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Web sites584

IBM Redbooks, 60installing Domino servers, 33Lotus

Developers Domain, 390, 421, 535Domino 6 Technical Overview, 60,

535Live! Series: “What’s New in

Notes/Domino 6 Administration,”536

Maximizing Domino Performance, 163,535

Policy-based system administration withDomino 6, 157, 536

“Preparation and Test-Taking Strategieswith Lotus Education Managers,” 536

PrepLogic, 537rules, 83-84Smart Upgrade, 24Thompson Prometric, 4Upgrading to Domino 6: Performance

Benefits, 421, 536Webcast: “Lotus Live! Series: What’s

New in Notes/Domino 6Administration,” 60

Webcast: “Preparation and Test TakingStrategies with Lotus EducationManagers,” 60

What’s in Store for the Domino R6Database, 125, 536

WEBADMIN.NSF database, 86, 246,383-384

Webcast: “Lotus Live! Series: What’s Newin Notes/Domino 6 Administration,” 60

Webcast: “Preparation and Test TakingStrategies with Lotus EducationManagers,” 60

Welcome pages, 170-171What’s in Store for the Domino R6

Database Web site, 125, 536wizards

Database and Statistic, 329, 400Event Handler, 329, 400Mail Routing and Server Response, 329,

400Troubleshooting, 329, 400

WMI SDK (Microsoft WindowsManagement Instrumentation SoftwareDevelopment Kit), 245

workstation-to-server replication, 100

workstationsclient, 176-177ECL, 68messaging configuration

Location document, 54-55user preferences, 53-54

troubleshooting, 416

xACL (Extended Access Control List),269-270

You Are Not Authorized to Access theServer error message, 141

34 0789729180 Index 10/21/03 2:36 PM Page 584

What if Quejoined forces to deliver the besttechnology books in a common

digital reference platform?

We have. Introducing InformIT Online Books

powered by Safari.

■ Specific answers to specific questions.InformIT Online Books’ powerful search engine givesyou relevance-ranked results in a matter of seconds.

■ Immediate results.With InformIt Online Books, you can select the

book you want and view the chapter or sectionyou need immediately.

■ Cut, paste, and annotate.Paste code to save time and eliminate

typographical errors. Make notes on the materialyou find useful and choose whether or not to

share them with your workgroup.

■ Customized for your enterprise.Customize a library for you, your department,

or your entire organization. You pay only for what you need.

info

rmit

.com

/onli

nebooks

Get your first 14 days FREE!InformIT Online Books is offering its members a 10-book subscription risk free for 14 days. Visit http://www.informit.com/onlinebooks for details.

As an InformIT partner,

Que has shared the

knowledge and hands-

on adv ice o f ou r

authors with you online.

Visit InformIT.com to see

what you are missing.

35 QUESafari6x9.QXD 10/21/03 4:11 PM Page 419

www.informit.com

Your Guide to

Information Technology

Training and Reference

Que has partnered with InformIT.com to bring technical

information to your desktop. Drawing on Que authors

and reviewers to provide additional information on

topics you’re interested in, InformIT.com has free,

in-depth information you won’t find anywhere else.

Articles

Keep your edge with thousands of free articles, in-depth

features, interviews, and information technology reference

recommendations – all written by experts you know and trust.

Online Books

Answers in an instant from InformIT Online Books’

600+ fully searchable online books. Sign up now

and get your first 14 days free.

Catalog

Review online sample chapters and author biographies

to choose exactly the right book from a selection of more than

5,000 titles.

As an InformIT partner, Que has shared the knowledge andhands-on advice of our authors with you online. Visit InformIT.com to see what you are missing.

w w w. q u e p u b l i s h i n g . c o m

36 QUEInformIT6x9.qxd 10/21/03 4:33 PM Page 420

37 vue ad 6x9 10/21/03 4:11 PM Page 421

CramSession.com is #1 for IT Certification on the 'Net.

There's no better way to prepare for

success in the IT Industry. Find the best

IT certification study materials and

technical information at CramSession.

Find a community of hundreds of thou-

sands of IT Pros just like you who help

each other pass exams, solve real-

world problems, and discover friends

and peers across the globe.

CramSession – #1 Rated Certification Site!

• #1 by TechRepublic.com

• #1 by TechTarget.com

• #1 by CertMag’s Guide to Web Resources.

CramSession has IT all!

• The #1 study guides on the 'Net. With over250 study guides for IT certification exams, weare the web site every techie visits beforepassing an IT certification exam.

• Practice questions. Get the answers and explanations with our CramChallenge practicequestions delivered to you daily.

• The most popular IT Forums. Cramsessionhas over 400 discussion boards loaded withcertification infomation where our subscribersstudy hard, work hard, and play harder.

• e-Newsletters. Our IT e-Newsletters are written by techs for techs: IT certification, technology, humor, career and more.

• Technical Papers and Product Reviews.Find thousands of technical articles and whitepapers written by industry leaders, trainers, and IT veterans.

• Exam reviews. Get the inside scoop before you take that expensive certification exam.

• And so much more!

www.cramsession.com

"On top of everythingelse, I find the bestdeals on trainingproducts and servicesfor our CramSessionmembers".

Jami Costin, Product Specialist

38 CS_ad_6x9.qxd 10/21/03 4:10 PM Page 422

Lotus 6 Exam2

Documents

Transcript of Lotus 6 Exam2