SlideShare ist ein Scribd-Unternehmen logo
1 von 46
Downloaden Sie, um offline zu lesen
ADMINP DEEP DIVE

Olaf Boerner, BCC
UKLUG 2012
Cardiff 4.9.2012
Speaker introduction
CEO and founder of BCC in 1996
Working with Lotus Notes since Version 3 in 1993
• focused on Domino infrastructure
• CLP certification since Release 3
I am working
• with large enterprise customers as Senior Architect and
Project Manager
• to optimize Lotus Domino Infrastructure Managements
• with customers to enhance BCC products 

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP History
AdminP was a major breakthrough in Release 4
Inspired by enterprise customers like Deutsche Bank who
had developed similar Server AddIn tasks for their
administration
• Domino Directory Management
• Central PKI Management with User IDs on Lotus Notes
• Tasks to change fields in databases
• Support Distributed Systems
• Better performance than agents
Continuous improvement in each Domino version

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Architecture – Admin4
Admin4 Database
• Replica on each server (automatic deployment)
• Storage for Task documents and logs
• Users need access right to create documents in admin4.nsf (Notes Client
creates documents with users rights) - Archivar
How does a server know that he has to execute a task
• Check AdminP settings in server document
• Check for new task document in admin4.nsf
• Checks for its name or Wildcard
How does a server know that he has executed this task
• Keep in Memory
• Each server can write a log document
• Write a log document as response document to task document
Own Task for housekeeping (Delete Obsolete Change Requests)

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Architecture AdminP Server task
AdminP Server Entry in ACL defines AdminP Server for this
Database
• Only one AdminP Server for each Database Replica
• Every Server can be AdminP Server 
• Define “Administration Server for Databases” (next slide)
AdminP Options
• Do not modify names
• Modify all readers and authors fields
• Modify all names fields -> DO NOT USE for Mailfiles

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Architecture AdminP Server task
Domino Directory ACL (SPECIAL)
• AdminP Server Entry defines your Directory Server in
your Domain
• Every adminp tasks changing documents in Domino
Directory is executed on that server
• Changes must be replicated !
• Do not change this if you have “open” adminp
request documents in admin4 !
DR procedure needs define how to handle AdminP
Server of DD
• Using cluster member is not a good idea
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Task execution & replication
Server which performs AdminP tasks :
• AdminServer for Domino Directory
• Users Homeserver
• AdminP Server of each Database -> Wildcard
Requests
Task documents are distributed with admin4 replication
or direct deposit „replication“ in R8.x

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Task execution & replication
AdminP will do changes just once !
Example
• Change ACL
• Executed at Database AdminP Server
• AdminP Server replicates ACL change to all
replicas
• Change of field entries
• Executed only at Database AdminP Server
• Replicate modified documents to all replicas
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
How to define “Administration Server for
Databases”
Dedicated Server vs. Multi purpose server
• Group Applications to same AdminP Server (AdminP
Hub)
• Define a dedicated AdminP Server for all
Applications
Extended Administration servers ?
• Idea: Split up workload to multiple servers
• Requires extended ACL
• Do not do this !!!
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminRequest Document
One Standard form for all requests
All Fields start with Proxy...
• ProxyAction: contains current actioncode
• ProxyServer: server to perform the action
• ProxyAuthor: who has requested
• ...
Field ProxyAction
• Contains a list of all AdminP Request
• Field contains request numbers
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
All AdminP Requests – Field ProxyAction
Accelerated Create Replica|84
Add Information to Monitoring Report|130
Add Internet Certificate to Person Record|44
Add New Mailfile Fields|50
Add or Modify Group in Domino Directory|144
Add Resource|29
Add Server to Cluster|11
Approve Certificate Request|115
Approve Delete Person in Domino Directory|58
Approve Delete Server in Domino Directory|59
Approve Deletion of Hosted Organization Storage|139
Approve Deletion of Moved Replica|75
Approve Deletion of Private Design Elements|72
Approve Mail File Deletion|22
Approve New Public Key Request|117
Approve Person's Name Change Request|116
Approve Refused Name Change|106
Approve Rename Person in Domino Directory|60
Approve Rename Server in Domino Directory|61
Approve Replica Deletion|82
Approve Resource Deletion|31
Approve Revert Name Change|114
Certificate Authority Configuration To Be Signed|105
Certify New Certifier Key Request|171
Certify New Person Key Request|170
Certify New Server Key Request|169
Change HTTP Password in Domino Directory|127
Change the Server on which the Agent Runs|158
Change User Password in Domino Directory|35
Check Access for Move Replica Creation (time based execution)|151
Check Access for Move Replica Creation|33
Check Access for New Replica Creation (time based execution)|150
Check Access for New Replica Creation|32
Check Access for Non-cluster Move Replica (time based execution)|153
Check Access for Non-cluster Move Replica|65
Check Mail Server's Access (time based execution)|152
Check Mail Server's Access|45
Check Roaming Server's Access|93
Collect Monitoring Report Information|129
Configure Certificate Authority Publication|102
Copy Server's Certified Public Key|2
Create Hosted Organization Storage|135
Create IMAP Delegation Requests|131
Create Mail-In Database|64
Create Mailfile|24
Create Monitoring Report|128
Create New Mailfile Replica|49
Create Object Store|137
Create Replica|13
Create Roaming User's Replica Stubs|91
Create Roaming User's Replicas|94
Create Roaming User's Roaming Files|87
Create SSL Certificate and Keyring File|156
Delegate Mail File on Administration Server|149
Delegate Mail File on Home Server|167
Delegate Mail File|57
Delegate Web Mail File|78
Delete Group in Domino Directory|56
Delete Hosted Organization Storage|140
Delete Hosted Organization|132
Delete in Access Control List|17
Delete in Agent's Readers Field|165
Delete in Design Elements|177
Delete in Domino Directory|0

Delete in Person Documents|16
Delete in Reader/Author fields|18
Delete Mailfile|21
Delete Obsolete Change Requests|26
Delete Original Replica after Move|15
Delete Person in Domino Directory|54
Delete Person In Unread List|147
Delete Policy Record in Domino Directory|113
Delete Private Design Elements|74
Delete Replica After Move|69
Delete Replica|81
Delete Resource|30
Delete Server in Domain Catalog|111
Delete Server in Domino Directory|55
Delete Statistic Monitors in Domino Directory|7
Delete Unlinked Mailfile|23
Delete Vaulted User|181
Delete Web User in Domino Directory|126
Domain Catalog Configuration|77
Enable Server's SSL Ports in Domino Directory|157
Find Name in Domain|142
Get Hosted Organization Storage Information for Deletion|138
Get Mail File Information for Deletion|27
Get Replica Information for Deletion|79
Initiate Rename in Domino Directory|8
Initiate Web User Rename in Domino Directory|118
Maintain Server's Fault Recovery Settings|168
Maintain Trends Database Record|112
Modify CA Configuration in Domino Directory|99
Modify DB2 Access Connection|178
Modify ID Recovery Information in Domino Directory|146
Modify Room/Resource in Domino Directory|62
Modify User Information Stored in Domino Directory|97
Monitor New Mailfile Fields|51
Monitor Replica Stub|25
Monitor Roaming Server's Field in Person Record|90
Monitor Roaming User's Replica Stubs|148
Monitor Server's SSL Status in Domino Directory|166
Monitor Server Record for DB2 Fields|173
Move DB2 Tablespace to New Container|175
Move Person's Name in Hierarchy|6
Move Replica|14
Non Cluster Move Replica|66
Place Server's Notes Build Number into Server Record|3
Promote New Mail Server's Access|48
Promote New Roaming Server's Access|88
Push Changes to New Mail Server|53
Push Changes to New Roaming Server|100
Re-Initiate Rename in Domino Directory|110
Recertify Certificate Authority in Domino Directory|141
Recertify Cross Certificate in Domino Directory|136
Recertify Person in Domino Directory|10
Recertify Server in Domino Directory|9
Remove Certificate from Domino or LDAP Directory|98
Remove Certificate Revocation List from Domino or LDAP Directory|103
Remove Roaming User's Roaming Files|92
Remove Server from Cluster|12
Rename Group in Access Control List|42
Rename Group in Design Elements|180
Rename Group in Domino Directory|40
Rename Group in Person Documents|41
Rename Group in Reader/Author fields|43
Rename in Access Control List|1
Rename in Agent's Readers Field|164

Rename in Design Elements|176
Rename in Person Documents|19
Rename in Reader/Author fields|20
Rename in Shared Agents|162
Rename Person in Calendar Entries and Profiles in Mail File|39
Rename Person in Domino Directory|5
Rename Person in Free Time Database|38
Rename Person in Unread List|68
Rename Server in Domino Directory|4
Rename Web User in Access Control List|119
Rename Web User in Calendar Entries and Profiles in Mail File|124
Rename Web User in Design Elements|179
Rename Web User in Domino Directory|120
Rename Web User in Free Time Database|123
Rename Web User in Person Documents|121
Rename Web User in Reader/Author fields|122
Rename Web User in Unread List|125
Replace Mailfile Fields|52
Replace Roaming Server's Field in Person Record|89
Request Mail File Deletion|28
Request Replica Deletion|80
Request to Delete Moved Replica|76
Request to Delete Private Design Elements|73
Retract Person's Name Change|107
Set DB2 Password in Server's ID File|174
Set Directory Assistance Field|37
Set Directory Filename|86
Set Password Fields|34
Set User Name and Enable Scheduled Agent|108
Set Web Admin Fields|83
Set Web User Name and Enable Scheduled Agent|160
Sign Database with Server's ID File|101
Store Certificate in Domino or LDAP Directory|95
Store Certificate Revocation List in Domino or LDAP Directory|96
Store Cross Certificate in Domino or LDAP Directory|159
Store DB2 Information in Server Record|172
Store Directory Type in Server Record|85
Store Server's CPU count|67
Store Server's DNS Hostname in Server Record|70
Store Server's Platform in Server Record|71
Unrecognized Request|145
Unrecognized Request|154
Unrecognized Request|155
Unrecognized Request|36
Unrecognized Request|999
Update Client Information in Person Record|46
Update Delegated User's Mailfile List|104
Update External Domain Information|47
Update License Tracking Information in Domino Directory|109
Update Replica Settings|161
Update Roaming User Information in Person Record|134
Update Roaming User State in Person Record|133
Update Server's Protocol Information|63
Verify Hosted Organization Storage|143
Web Set Soft Deletion Expire Time|163

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
All AdminP Requests – Field ProxyAction
Accelerated Create Replica|84
Delete in Domino Directory|0
Rename Group in Person Documents|41
Add Information to Monitoring Report|130
Delete in Person Documents|16
Rename Group in Reader/Author fields|43
Add Internet Certificate to Person Record|44
Delete in Reader/Author fields|18
Rename in Access Control List|1
Add New Mailfile Fields|50
Delete Mailfile|21
Rename in Agent's Readers Field|164
Add or Modify Group in Domino Directory|144
Delete Obsolete Change Requests|26
Rename in Design Elements|176
Add Resource|29
Delete Original Replica after Move|15
Rename in Person Documents|19
Add Server to Cluster|11
Delete Person in Domino Directory|54
Rename in Reader/Author fields|20
Approve Certificate Request|115
Delete Person In Unread List|147
Rename in Shared Agents|162
Approve Delete Person in Domino Directory|58
Delete Policy Record in Domino Directory|113
Rename Person in Calendar Entries and Profiles in
Approve Delete Server in Domino Directory|59
Delete Private Design Elements|74
Mail File|39
Approve Deletion of Hosted Organization
Delete Replica After Move|69
Rename Person in Domino Directory|5
Storage|139
Delete Replica|81
Rename Person in Free Time Database|38
Approve Deletion of Moved Replica|75
Delete Resource|30
Rename Person in Unread List|68
Approve Deletion of Private Design Elements|72
Delete Server in Domain Catalog|111
Rename Server in Domino Directory|4
Approve Mail File Deletion|22
Delete Server in Domino Directory|55
Rename Web User in Access Control List|119
Approve New Public Key Request|117
Delete Statistic Monitors in Domino Directory|7
Rename Web User in Calendar Entries and Profiles
Approve Person's Name Change Request|116
Delete Unlinked Mailfile|23
in Mail File|124
Approve Refused Name Change|106
Delete Vaulted User|181
Rename Web User in Design Elements|179
Approve Rename Person in Domino Directory|60
Delete Web User in Domino Directory|126
Rename Web User in Domino Directory|120
Approve Rename Server in Domino Directory|61
Domain Catalog Configuration|77
Rename Web User in Free Time Database|123
Approve Replica Deletion|82
Enable Server's SSL Ports in Domino Directory|157 Rename Web User in Person Documents|121
Approve Resource Deletion|31
Find Name in Domain|142
Rename Web User in Reader/Author fields|122
Approve Revert Name Change|114
Get Hosted Organization Storage Information for Rename Web User in Unread List|125
Certificate Authority Configuration To Be
Deletion|138
Replace Mailfile Fields|52
Signed|105
Get Mail File Information for Deletion|27
Replace Roaming Server's Field in Person Record|89
Certify New Certifier Key Request|171
Get Replica Information for Deletion|79
Request Mail File Deletion|28
Certify New Person Key Request|170
Initiate Rename in Domino Directory|8
Request Replica Deletion|80
Certify New Server Key Request|169
Initiate Web User Rename in Domino Directory|118 Request to Delete Moved Replica|76
Change HTTP Password in Domino Directory|127
Maintain Server's Fault Recovery Settings|168
Request to Delete Private Design Elements|73
Change the Server on which the Agent Runs|158 Maintain Trends Database Record|112
Retract Person's Name Change|107
Change User Password in Domino Directory|35
Modify CA Configuration in Domino Directory|99
Set DB2 Password in Server's ID File|174
Check Access for Move Replica Creation (time based Modify DB2 Access Connection|178
Set Directory Assistance Field|37
execution)|151
Modify ID Recovery Information in Domino
Set Directory Filename|86
Check Access for Move Replica Creation|33
Directory|146
Set Password Fields|34
Check Access for New Replica Creation (time based Modify Room/Resource in Domino Directory|62
Set User Name and Enable Scheduled Agent|108
execution)|150
Modify User Information Stored in Domino
Set Web Deep Dive, Olaf Boerner, BCC
UKLUG 2012: AdminPAdmin Fields|83Enable Scheduled
Check Access for New Replica Creation|32
Directory|97
Set Web User Name and
AdminP and Security
AdminP is fully integrated within Domino Security
• ACL – even if AdminP is using local access
• Reader
• Encrypted and signed documents
How does adminp server task know that he has a "real"
task document ?
• You might copy and modify a task document
• "misused" server tasks might be dangerous

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Security
Well we have a great PKI built in
AdminP Security relies on Signatures (Private Key)
• AdminP Documents are signed
• Signature will ensure "correct" task documents
• Modification will break signature
• Documents with broken signature will not be
executed !

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Security Check
AdminP Security will check two fields :
• Name to perform the action on: User, Database or
Server
• Action requested by: User or Servername
• Entry must match signature !
• Entry will be checked with ACL and security
settings
Error Handling
• “You are not authorized to create new replica
databases on this server.”
• Check settings in server documents and ACL
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Sidestep: Why your server ID needs a
password ?
Server ID can
• sign adminp documents
• Agents signed with server id can Create adminp docs
• Server ID can create „fake“ adminp requests
Runing ID Vault you need to secure your Domino Server
ID
• http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vaultserver

• See Paul Mooneys 2012 AdminBlast Tip #42

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP and Security
Do never ever modify documents in adminP database !!!
Public key in person/server document must match with
key pair in idfile

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Request Document
How to create AdminP Request Document
• Lotus AdminClient ->> 90%
• Script Agent – AdminP Class
• Server Tasks – AdminP API
Manually with Script / API
• Create a sample request
• Do some reengineering (field and values)
• Create a document and set all fields manually
• Sign the document !!!
Why do you need this ?
• Automation and batch processing
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Interaction with Notes Client
Some tasks need interaction with Users
Interaction is done due to fields in person documents
and/or creating documents in admin4.nsf
• AdminP changes fields in person document
• Lotus Notes creates „response“ document in
admin4.nsf

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Interaction with Notes Client
Example: Rename User
• Rename User > AdminP changes Field and Public key
in person document
• Lotus Notes Client checks at login for these field and
execute internal procedures inside Lotus Notes Client
• Notes Clients creates
• a „done successfull“ log document in admin4.nsf

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Statistics
AdminP statistics reported to statrep.nsf
Useful to compare servers to see where AdminP activity
is high
Statistics (Sample from Domino Admin Help)
• ACLsModified
• ReaderAuthorModified
• ProfilesModified (mailfile)
• AppointmentsModified
• DirectoryDocumentsDeleted
• DirectoryDocumentsModified
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Monitoring (even more important)
Monitoring
• How do you know when your AdminP task has completely
finished?
• Remember AdminP usually runs per User, Database etc !!!
Possible Solutions
• Create Monitoring Agent (run on server)
• which scans AdminP Request for response documents
• Create a report per Object
• Realtime “Scan” using Notes C API
• Analyzing Extension Manger Events before/after each
adminp execution
• Execute a monitoring action / log etc.
• Use Domino Domain Monitoring
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP – Monitoring „Enhanced Log“
Using DEBUG parameter for more useful information
about what AdminP is currently doing
• “DEBUG_ADMINP_REQUEST_PROCESSING=1”
• “DEBUG_ADMINP_REQUEST_PROCESSING=2”
DEBUG Output can be directed to text file
• “DEBUG_OUTFILE=<output file path>
Can be set using „set config“ at server console

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Cross Domain AdminP
Cross Domain AdminP
Most AdminP processes are only working inside a
domain which is the same admin4.nsf
• Not clear why !
Cross Domin AdminP Tasks are
• Rename User
• Delete User
• Rename Server
• Delete Server
• Create Replica

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Cross Domain AdminP: How it works
Architecture
• AdminP will be sent “mails” from the source domain
to the target domain.
• mail will be created at the administration server of
the source domain
• Mail will be delivered directly to the admin4.nsf in
the target domain
• Mail will be processed as a adminp request document
Security
• Still relies on PKI and „Signature Validation“
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Cross Domain AdminP: How to setup
Domino Directory
• Create cross certificate documents. Identify all required
certifiers !
• Create connection document to allow server to connect
to other domain
• Edit Domino Directory Profile: Who are allowed to create
Cross Domain Configuration in admin4.nsf
Admin4 Database
• Create Cross Domain Configuration document
• For each domain to import and
• For each domain to export request
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Best Practice using AdminP

Or how to deal with Mass Recertification
Project: Mass recertification
Move a number of user to new Org Certifier
• Rename company name
• Recreate Certifier due to security issues
• Integrate a new company
• Split off company
Move in hierarchy adminP for name change
• Two approvals for each user
• Response documents might be an issue or
nightmare
• No view update for admin4.nsf
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP limitations -> „Renames“
AdminP-Process Expiration
• Enlarge the interval for user to accept the name
change request. Default interval is 21 days. (can be
configured from 14 – 60 days)
• it is strictly necessary that User connects to his
server during that period to start the AdminP
• If a name change request expires, the user will be
reverted to it’s old username!
Same behaviour with ID Vault ! Error in Documentation.

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP Rename
What happens after User accept rename request ?
Notes Client is changing User Name in current ID File
ID File get synchronized with ID Vault
What happened with old user name
• It is still there !!!
• User ID contains old and new user name
• User can access Database which still have ist old
names in ACL
• Old User name get removed after expiration date
• You will not receive Help Desk Calls before 
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP limitations -> „Renames“
Manual interaction required
• Admin must confirm execution,
• Move Certifier
• Move Mailfile
• User must "confirm" execution
• Login / Access to server
• No pass thru server or replication access !!!
Same behaviour with ID Vault ! Error in Documentation

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP – Project Troubleshooting
User currently not working in Lotus Notes (21 – 60 days
expiration)
• Avoid absent User: In average 15% - 20% of all users
are not taking part in the daily working process.
• Define a Workaround for absent users with your
Audit Department or write an server tasks (C-API)
User is using a wrong ID (public key does not match to
AdminP request)

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP limitations -> „Renames“
ACL Settings „Modify / Do not modify names“ in each
database must be set properly
Solution
• New request: “Rename Person in Calendar Entries
and Profiles in Mail File Extended
• Overwrites ACL Setting
• Renaming users in ACLs, Calendar profiles, C&S
documents

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP limitations -> „Renames“
AdminP does not handle text fiedls
• Check your application using text field for application logic !
AdminP will not modify profile documents
• Check applications for profile documents using Reader / Author /
Names fields
AdminP does not modify wildcards (*USR/BCC)
• Check applications for use of wildcards in Reader / Author / Name
fields
• adjusted manually or by agent
The Administration Process can not modify encrypted documents.
• Reader / Author / Names fields in encrypted documents must be
adjusted manually by the user, who has encrypted the document.

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
AdminP limitations -> „Renames“
Default: AdminP scans all documents for reader, author or
names fields in a Database
Creating an AdminP View in an application with name
$AdminP
• Only documents which appear in that view will be
considered and processed
• Be careful 
AdminP in R8.x is using namelist for Rename
• namelist contains all users in that database
• Requires ODS 48
• If AdminP does not find the username in the namelist, it
does not search that database
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – admin4 size issues
Domain size consideration belong to AdminP Size
• AdminP Database can grow to enormous sizes
• Number of documents are an issue
• Response documents slow down indexer tasks
Local AdminP Tasks and response documents will be
replicated to all admin4 databases
• User in Tokio will change ACL of Mailfile
• User Creates ACL Change Request in admin4 on his
current mail server
• Tokio Server will execute AdminP task document and
creates log document
• Documents will replicate to whole domain
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – admin4 size issues
Recertification tasks are part of the ordinary user
management in Domino
Issues start with mass data / batch requests
Admin4.nsf database size
• admin4.nsf with 300.000 documents (1,5 – 2 GB size)
will have performance issues
• Replicator tasks requires index update
• Example “Move User in Hierarchy”:
Example „Move User in Hierarchy“
• The request requires 11 requests documents
• 20.000 users
• 50 Servers
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – admin4 size issues
Request

Log Docs for 50
Server

Server

Timing

Move Person's Name in Hierarchy

1

Directory Server

Requires administrator approval in
Administration Requests database

Initiate Rename in Domino Directory

1

AdminP Server

Interval

Rename Person in Domino Directory

1

AdminP Server

Interval

Rename in Person Documents

1

AdminP Server

Execute once a day requests at

Rename Person in Unread List

50

One per Server

Execute once a day requests at

Rename in Access Control List

50

One per Server

Interval

Rename in Design Elements

50

One per Server

Delayed

Rename Person in Free Time Database

1

Mail Server

Immediate

Rename Person in Calendar Entries and
Profiles in Mail File

1

Mail Server

Immediate

Rename in Reader / Author Fields

50

One per Server

Start Executing On
Start Executing At

Rename Person in Address Book

1

AdminP Server

Multi Domain Configuration

Summary per User

207

20.000 User
4.140.000 documents!!!

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – Replication Issues
Replication of names.nsf and admin4.nsf are critical !
• Domino Directory has to replicate before Administration
Database !!!
• Otherwise you may get errors that have to be corrected
manually (i.e. “Rename Person in Domino Directory” fails
because Domino Directory was not updated)
In the replication settings the value to purge documents shall
be set to 7 days on all replicas (not more than 14 days)
Prevent replication to all servers using replication formula:
• select (Form='AdminRequest') |
(ProxyServername=@username)

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – Replication Issues
R8 is using Direct Deposit Feature by default
• Automatically „replicate“ requests
• AdminP requests can be directly deposited to „target
server“ admin4.nsf
• Wildcard requests must be replicated
Also enabled at the client
• Example: Change HTTP Password in Domino Directory
• You need direct access to the target server
Disable with notes.ini parameter
ADMINP_DONT_ATTEMPT_DIRECT_DEPOSIT=1

UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Mass Recertification – Performance
AdminP Tasks carried out on every server
• Rename in Reader/Author fields
• Rename in Access Control List
• Rename in Design Element
Time consuming tasks and will have performance impact
Performance Problems while processing the AdminP
• Indexing admin4
• Searching fields in Databases
Check AdminP Threads settings
• Default 3
• Check if you have idle tasks and CPU time
• Increase to 10 Threads max
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Best Practice performance issues
Servertask configuration
• Change “daily” and “delayed” request execution to “non
working times”.
• Use suspend AdminP at when you see performance
issues on mail servers
• Reduce the amount of (log) documents. A server that
has nothing done during the rename process should not
report. (server task configuration)
Split up threads in Domino 8 (max 10)
• ADMINP_IMMEDIATE_THREAD=X
• ADMINP_INTERVAL_THREAD=X
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Best Practice performance issues
Change AdminP Task execution

•
•
•
•

ADMINP_IMMEDIATE_OVERRIDE= x, x, x
ADMINP_INTERVAL_OVERRIDE=X, X, X
ADMINP_DAILY_OVERRIDE=X
ADMINP_DELAYED_OVERRIDE=X

Example (see Admin Help)
• Rename in Access Control List
• Interval
• Number 1.00
• Rename in Reader/Author Fields
• Delayed
• Number 20.00
Be careful !!!
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Best Practice to avoid performance issues
Kepp Admin4 small
• Plan renaming “waves”
• Do not rename all user at the same day
Clean-up Admin4
• reduce the amount of Admin4 documents.
• User that has been renamed successfully should not
stay in admin4.nsf
Replication
• Check Use of selective replication formula
• Ensure fast and reliable replication
UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
Questions ?

THANK YOU !

Weitere ähnliche Inhalte

Was ist angesagt?

Domino Server Health - Monitoring and Managing
 Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and ManagingGabriella Davis
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview hemantnaik
 
RNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientRNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientChristoph Adler
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Serverpanagenda
 
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...Ales Lichtenberg
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning Vladislav Tatarincev
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesHoward Greenberg
 
Lotus Domino Clusters
Lotus Domino ClustersLotus Domino Clusters
Lotus Domino Clustersjayeshpar2006
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingjayeshpar2006
 
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded Christoph Adler
 
HCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsHCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsAles Lichtenberg
 
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenAlles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenpanagenda
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxDarren Duke
 
IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)Christoph Adler
 
Real life challenges and configurations when implementing HCL Sametime v12.0....
Real life challenges and configurations when implementing HCL Sametime v12.0....Real life challenges and configurations when implementing HCL Sametime v12.0....
Real life challenges and configurations when implementing HCL Sametime v12.0....DNUG e.V.
 
IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)Austin Chang
 
dominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptxdominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptxUlrich Krause
 
JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!NerdGirlJess
 

Was ist angesagt? (20)

Domino Server Health - Monitoring and Managing
 Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
 
RNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientRNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes Client
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
 
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 
Self Healing Capabilities of Domino 10
Self Healing Capabilities of Domino 10Self Healing Capabilities of Domino 10
Self Healing Capabilities of Domino 10
 
Lotus Domino Clusters
Lotus Domino ClustersLotus Domino Clusters
Lotus Domino Clusters
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routing
 
Daos
DaosDaos
Daos
 
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
 
HCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsHCL Sametime V11 installation - tips
HCL Sametime V11 installation - tips
 
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenAlles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
 
IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)
 
Real life challenges and configurations when implementing HCL Sametime v12.0....
Real life challenges and configurations when implementing HCL Sametime v12.0....Real life challenges and configurations when implementing HCL Sametime v12.0....
Real life challenges and configurations when implementing HCL Sametime v12.0....
 
IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)
 
dominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptxdominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptx
 
JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!
 

Ähnlich wie Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012

Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Zoho Corporation
 
Microsoft Offical Course 20410C_06
Microsoft Offical Course 20410C_06Microsoft Offical Course 20410C_06
Microsoft Offical Course 20410C_06gameaxt
 
CREATING AND MANAGING USER ACCOUNTS.pdf
CREATING AND MANAGING USER ACCOUNTS.pdfCREATING AND MANAGING USER ACCOUNTS.pdf
CREATING AND MANAGING USER ACCOUNTS.pdfSolomonAnab1
 
Session 3 - Windows Server 2012 with Jared Thibodeau
Session 3 - Windows Server 2012 with Jared ThibodeauSession 3 - Windows Server 2012 with Jared Thibodeau
Session 3 - Windows Server 2012 with Jared ThibodeauCTE Solutions Inc.
 
Year in Review: Perforce 2014 Product Updates
Year in Review: Perforce 2014 Product UpdatesYear in Review: Perforce 2014 Product Updates
Year in Review: Perforce 2014 Product UpdatesPerforce
 
Implementing Dynamic Host
Implementing Dynamic HostImplementing Dynamic Host
Implementing Dynamic HostNapoleon NV
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02gameaxt
 
Best MCSA - SQL SERVER 2012 Training Institute in Delhi
Best MCSA - SQL SERVER 2012 Training Institute in DelhiBest MCSA - SQL SERVER 2012 Training Institute in Delhi
Best MCSA - SQL SERVER 2012 Training Institute in DelhiInformation Technology
 
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2SCU 2015 - My top 10 favorite items you need to look at in WK2012R2
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2Mike Resseler
 
Why Upgrade To Windows Server 2012
Why Upgrade To Windows Server 2012Why Upgrade To Windows Server 2012
Why Upgrade To Windows Server 2012Aidan Finn
 
Getting Started with Orchestrator and Service Manager
Getting Started with Orchestrator and Service ManagerGetting Started with Orchestrator and Service Manager
Getting Started with Orchestrator and Service ManagerAlexandre Verkinderen
 
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5Marek Zawadzki
 
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07gameaxt
 
Microsoft Offical Course 20410C_01
Microsoft Offical Course 20410C_01Microsoft Offical Course 20410C_01
Microsoft Offical Course 20410C_01gameaxt
 
Office 365 UK User Group London 4th September 2012
Office 365 UK User Group London 4th September 2012Office 365 UK User Group London 4th September 2012
Office 365 UK User Group London 4th September 2012Office 365 UK User Group
 
Directory Synchronization Single Sign-On in Office 365
Directory Synchronization Single Sign-On in Office 365Directory Synchronization Single Sign-On in Office 365
Directory Synchronization Single Sign-On in Office 365InnoTech
 

Ähnlich wie Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012 (20)

MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 
MCSA 70-412 Chapter 05
MCSA 70-412 Chapter 05MCSA 70-412 Chapter 05
MCSA 70-412 Chapter 05
 
Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...
 
6421 b Module-02
6421 b Module-026421 b Module-02
6421 b Module-02
 
Microsoft Offical Course 20410C_06
Microsoft Offical Course 20410C_06Microsoft Offical Course 20410C_06
Microsoft Offical Course 20410C_06
 
CREATING AND MANAGING USER ACCOUNTS.pdf
CREATING AND MANAGING USER ACCOUNTS.pdfCREATING AND MANAGING USER ACCOUNTS.pdf
CREATING AND MANAGING USER ACCOUNTS.pdf
 
Session 3 - Windows Server 2012 with Jared Thibodeau
Session 3 - Windows Server 2012 with Jared ThibodeauSession 3 - Windows Server 2012 with Jared Thibodeau
Session 3 - Windows Server 2012 with Jared Thibodeau
 
Year in Review: Perforce 2014 Product Updates
Year in Review: Perforce 2014 Product UpdatesYear in Review: Perforce 2014 Product Updates
Year in Review: Perforce 2014 Product Updates
 
Implementing Dynamic Host
Implementing Dynamic HostImplementing Dynamic Host
Implementing Dynamic Host
 
Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02Microsoft Offical Course 20410C_02
Microsoft Offical Course 20410C_02
 
Best MCSA - SQL SERVER 2012 Training Institute in Delhi
Best MCSA - SQL SERVER 2012 Training Institute in DelhiBest MCSA - SQL SERVER 2012 Training Institute in Delhi
Best MCSA - SQL SERVER 2012 Training Institute in Delhi
 
SCORCH: Tying it All Together
SCORCH: Tying it All TogetherSCORCH: Tying it All Together
SCORCH: Tying it All Together
 
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2SCU 2015 - My top 10 favorite items you need to look at in WK2012R2
SCU 2015 - My top 10 favorite items you need to look at in WK2012R2
 
Why Upgrade To Windows Server 2012
Why Upgrade To Windows Server 2012Why Upgrade To Windows Server 2012
Why Upgrade To Windows Server 2012
 
Getting Started with Orchestrator and Service Manager
Getting Started with Orchestrator and Service ManagerGetting Started with Orchestrator and Service Manager
Getting Started with Orchestrator and Service Manager
 
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5
LOT-925 Installing and Configuring IBM Lotus Notes and Domino 8.5
 
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07
 
Microsoft Offical Course 20410C_01
Microsoft Offical Course 20410C_01Microsoft Offical Course 20410C_01
Microsoft Offical Course 20410C_01
 
Office 365 UK User Group London 4th September 2012
Office 365 UK User Group London 4th September 2012Office 365 UK User Group London 4th September 2012
Office 365 UK User Group London 4th September 2012
 
Directory Synchronization Single Sign-On in Office 365
Directory Synchronization Single Sign-On in Office 365Directory Synchronization Single Sign-On in Office 365
Directory Synchronization Single Sign-On in Office 365
 

Mehr von BCC - Solutions for IBM Collaboration Software

Mehr von BCC - Solutions for IBM Collaboration Software (20)

Connections 5.x to 6.0 migration
Connections 5.x to 6.0 migrationConnections 5.x to 6.0 migration
Connections 5.x to 6.0 migration
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Systematisch: Von der alten in die neue Welt - Migrations-Szenarien
Systematisch: Von der alten in die neue Welt - Migrations-SzenarienSystematisch: Von der alten in die neue Welt - Migrations-Szenarien
Systematisch: Von der alten in die neue Welt - Migrations-Szenarien
 
MaRisk Andorderungen erfüllen - Analyse von Rechten und Rollen in IBM Domino ...
MaRisk Andorderungen erfüllen - Analyse von Rechten und Rollen in IBM Domino ...MaRisk Andorderungen erfüllen - Analyse von Rechten und Rollen in IBM Domino ...
MaRisk Andorderungen erfüllen - Analyse von Rechten und Rollen in IBM Domino ...
 
Protect your IBM Domino data from leaks with BCC DominoProtect
Protect your IBM Domino data from leaks with BCC DominoProtectProtect your IBM Domino data from leaks with BCC DominoProtect
Protect your IBM Domino data from leaks with BCC DominoProtect
 
IBM Connections Cloud Administration
IBM Connections Cloud AdministrationIBM Connections Cloud Administration
IBM Connections Cloud Administration
 
IBM Connect 2016: Speaker Session with Teresa Deane, Senior Developer, BCC
IBM Connect 2016: Speaker Session with Teresa Deane, Senior Developer, BCCIBM Connect 2016: Speaker Session with Teresa Deane, Senior Developer, BCC
IBM Connect 2016: Speaker Session with Teresa Deane, Senior Developer, BCC
 
Dr. Strangelove, or how I learned to love plug-in development - SNoUG 2014
Dr. Strangelove, or how I learned to love plug-in development - SNoUG 2014Dr. Strangelove, or how I learned to love plug-in development - SNoUG 2014
Dr. Strangelove, or how I learned to love plug-in development - SNoUG 2014
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...
 
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
 
Keine Kompromisse! Mehr Sicherheit & Compliance für IBM Domino
Keine Kompromisse! Mehr Sicherheit & Compliance für IBM DominoKeine Kompromisse! Mehr Sicherheit & Compliance für IBM Domino
Keine Kompromisse! Mehr Sicherheit & Compliance für IBM Domino
 
Honey, I shrunk the data - Mehr Platz am IBM Domino Server
Honey, I shrunk the data - Mehr Platz am IBM Domino ServerHoney, I shrunk the data - Mehr Platz am IBM Domino Server
Honey, I shrunk the data - Mehr Platz am IBM Domino Server
 
Wie schützen Sie Ihre Messaging- & Collaboration-Infrastruktur? Lessons learn...
Wie schützen Sie Ihre Messaging- & Collaboration-Infrastruktur? Lessons learn...Wie schützen Sie Ihre Messaging- & Collaboration-Infrastruktur? Lessons learn...
Wie schützen Sie Ihre Messaging- & Collaboration-Infrastruktur? Lessons learn...
 
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
 
Platz schaffen auf dem Domino - Compact, Compress, De-Duplicate - Ulrich Krau...
Platz schaffen auf dem Domino - Compact, Compress, De-Duplicate - Ulrich Krau...Platz schaffen auf dem Domino - Compact, Compress, De-Duplicate - Ulrich Krau...
Platz schaffen auf dem Domino - Compact, Compress, De-Duplicate - Ulrich Krau...
 
XPages: Performance-Optimierung - Ulrich Krause (eknori) SNoUG 2013
XPages: Performance-Optimierung  - Ulrich Krause (eknori) SNoUG 2013XPages: Performance-Optimierung  - Ulrich Krause (eknori) SNoUG 2013
XPages: Performance-Optimierung - Ulrich Krause (eknori) SNoUG 2013
 
Deep Dive Domino Mail Routing - SMTP Cookbook - DNUG Herbstkonferenz 2013
Deep Dive Domino Mail Routing - SMTP Cookbook - DNUG Herbstkonferenz 2013Deep Dive Domino Mail Routing - SMTP Cookbook - DNUG Herbstkonferenz 2013
Deep Dive Domino Mail Routing - SMTP Cookbook - DNUG Herbstkonferenz 2013
 
Platz da! Platz schaffen auf dem Domino Server - Vortrag von Ulrich Krause be...
Platz da! Platz schaffen auf dem Domino Server - Vortrag von Ulrich Krause be...Platz da! Platz schaffen auf dem Domino Server - Vortrag von Ulrich Krause be...
Platz da! Platz schaffen auf dem Domino Server - Vortrag von Ulrich Krause be...
 
Wie gewährleisten Sie die Einhaltung von Sicherheitsanforderungen an Ihre Mes...
Wie gewährleisten Sie die Einhaltung von Sicherheitsanforderungen an Ihre Mes...Wie gewährleisten Sie die Einhaltung von Sicherheitsanforderungen an Ihre Mes...
Wie gewährleisten Sie die Einhaltung von Sicherheitsanforderungen an Ihre Mes...
 
Wie schützen Sie Ihre E-Mail-Kommunikation? Kurzfristige Lösungsansätze bis z...
Wie schützen Sie Ihre E-Mail-Kommunikation? Kurzfristige Lösungsansätze bis z...Wie schützen Sie Ihre E-Mail-Kommunikation? Kurzfristige Lösungsansätze bis z...
Wie schützen Sie Ihre E-Mail-Kommunikation? Kurzfristige Lösungsansätze bis z...
 

Kürzlich hochgeladen

100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Kürzlich hochgeladen (20)

100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012

  • 1. ADMINP DEEP DIVE Olaf Boerner, BCC UKLUG 2012 Cardiff 4.9.2012
  • 2. Speaker introduction CEO and founder of BCC in 1996 Working with Lotus Notes since Version 3 in 1993 • focused on Domino infrastructure • CLP certification since Release 3 I am working • with large enterprise customers as Senior Architect and Project Manager • to optimize Lotus Domino Infrastructure Managements • with customers to enhance BCC products  UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 3. AdminP History AdminP was a major breakthrough in Release 4 Inspired by enterprise customers like Deutsche Bank who had developed similar Server AddIn tasks for their administration • Domino Directory Management • Central PKI Management with User IDs on Lotus Notes • Tasks to change fields in databases • Support Distributed Systems • Better performance than agents Continuous improvement in each Domino version UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 4. Architecture – Admin4 Admin4 Database • Replica on each server (automatic deployment) • Storage for Task documents and logs • Users need access right to create documents in admin4.nsf (Notes Client creates documents with users rights) - Archivar How does a server know that he has to execute a task • Check AdminP settings in server document • Check for new task document in admin4.nsf • Checks for its name or Wildcard How does a server know that he has executed this task • Keep in Memory • Each server can write a log document • Write a log document as response document to task document Own Task for housekeeping (Delete Obsolete Change Requests) UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 5. Architecture AdminP Server task AdminP Server Entry in ACL defines AdminP Server for this Database • Only one AdminP Server for each Database Replica • Every Server can be AdminP Server  • Define “Administration Server for Databases” (next slide) AdminP Options • Do not modify names • Modify all readers and authors fields • Modify all names fields -> DO NOT USE for Mailfiles UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 6. Architecture AdminP Server task Domino Directory ACL (SPECIAL) • AdminP Server Entry defines your Directory Server in your Domain • Every adminp tasks changing documents in Domino Directory is executed on that server • Changes must be replicated ! • Do not change this if you have “open” adminp request documents in admin4 ! DR procedure needs define how to handle AdminP Server of DD • Using cluster member is not a good idea UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 7. AdminP Task execution & replication Server which performs AdminP tasks : • AdminServer for Domino Directory • Users Homeserver • AdminP Server of each Database -> Wildcard Requests Task documents are distributed with admin4 replication or direct deposit „replication“ in R8.x UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 8. AdminP Task execution & replication AdminP will do changes just once ! Example • Change ACL • Executed at Database AdminP Server • AdminP Server replicates ACL change to all replicas • Change of field entries • Executed only at Database AdminP Server • Replicate modified documents to all replicas UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 9. How to define “Administration Server for Databases” Dedicated Server vs. Multi purpose server • Group Applications to same AdminP Server (AdminP Hub) • Define a dedicated AdminP Server for all Applications Extended Administration servers ? • Idea: Split up workload to multiple servers • Requires extended ACL • Do not do this !!! UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 10. AdminRequest Document One Standard form for all requests All Fields start with Proxy... • ProxyAction: contains current actioncode • ProxyServer: server to perform the action • ProxyAuthor: who has requested • ... Field ProxyAction • Contains a list of all AdminP Request • Field contains request numbers UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 11. All AdminP Requests – Field ProxyAction Accelerated Create Replica|84 Add Information to Monitoring Report|130 Add Internet Certificate to Person Record|44 Add New Mailfile Fields|50 Add or Modify Group in Domino Directory|144 Add Resource|29 Add Server to Cluster|11 Approve Certificate Request|115 Approve Delete Person in Domino Directory|58 Approve Delete Server in Domino Directory|59 Approve Deletion of Hosted Organization Storage|139 Approve Deletion of Moved Replica|75 Approve Deletion of Private Design Elements|72 Approve Mail File Deletion|22 Approve New Public Key Request|117 Approve Person's Name Change Request|116 Approve Refused Name Change|106 Approve Rename Person in Domino Directory|60 Approve Rename Server in Domino Directory|61 Approve Replica Deletion|82 Approve Resource Deletion|31 Approve Revert Name Change|114 Certificate Authority Configuration To Be Signed|105 Certify New Certifier Key Request|171 Certify New Person Key Request|170 Certify New Server Key Request|169 Change HTTP Password in Domino Directory|127 Change the Server on which the Agent Runs|158 Change User Password in Domino Directory|35 Check Access for Move Replica Creation (time based execution)|151 Check Access for Move Replica Creation|33 Check Access for New Replica Creation (time based execution)|150 Check Access for New Replica Creation|32 Check Access for Non-cluster Move Replica (time based execution)|153 Check Access for Non-cluster Move Replica|65 Check Mail Server's Access (time based execution)|152 Check Mail Server's Access|45 Check Roaming Server's Access|93 Collect Monitoring Report Information|129 Configure Certificate Authority Publication|102 Copy Server's Certified Public Key|2 Create Hosted Organization Storage|135 Create IMAP Delegation Requests|131 Create Mail-In Database|64 Create Mailfile|24 Create Monitoring Report|128 Create New Mailfile Replica|49 Create Object Store|137 Create Replica|13 Create Roaming User's Replica Stubs|91 Create Roaming User's Replicas|94 Create Roaming User's Roaming Files|87 Create SSL Certificate and Keyring File|156 Delegate Mail File on Administration Server|149 Delegate Mail File on Home Server|167 Delegate Mail File|57 Delegate Web Mail File|78 Delete Group in Domino Directory|56 Delete Hosted Organization Storage|140 Delete Hosted Organization|132 Delete in Access Control List|17 Delete in Agent's Readers Field|165 Delete in Design Elements|177 Delete in Domino Directory|0 Delete in Person Documents|16 Delete in Reader/Author fields|18 Delete Mailfile|21 Delete Obsolete Change Requests|26 Delete Original Replica after Move|15 Delete Person in Domino Directory|54 Delete Person In Unread List|147 Delete Policy Record in Domino Directory|113 Delete Private Design Elements|74 Delete Replica After Move|69 Delete Replica|81 Delete Resource|30 Delete Server in Domain Catalog|111 Delete Server in Domino Directory|55 Delete Statistic Monitors in Domino Directory|7 Delete Unlinked Mailfile|23 Delete Vaulted User|181 Delete Web User in Domino Directory|126 Domain Catalog Configuration|77 Enable Server's SSL Ports in Domino Directory|157 Find Name in Domain|142 Get Hosted Organization Storage Information for Deletion|138 Get Mail File Information for Deletion|27 Get Replica Information for Deletion|79 Initiate Rename in Domino Directory|8 Initiate Web User Rename in Domino Directory|118 Maintain Server's Fault Recovery Settings|168 Maintain Trends Database Record|112 Modify CA Configuration in Domino Directory|99 Modify DB2 Access Connection|178 Modify ID Recovery Information in Domino Directory|146 Modify Room/Resource in Domino Directory|62 Modify User Information Stored in Domino Directory|97 Monitor New Mailfile Fields|51 Monitor Replica Stub|25 Monitor Roaming Server's Field in Person Record|90 Monitor Roaming User's Replica Stubs|148 Monitor Server's SSL Status in Domino Directory|166 Monitor Server Record for DB2 Fields|173 Move DB2 Tablespace to New Container|175 Move Person's Name in Hierarchy|6 Move Replica|14 Non Cluster Move Replica|66 Place Server's Notes Build Number into Server Record|3 Promote New Mail Server's Access|48 Promote New Roaming Server's Access|88 Push Changes to New Mail Server|53 Push Changes to New Roaming Server|100 Re-Initiate Rename in Domino Directory|110 Recertify Certificate Authority in Domino Directory|141 Recertify Cross Certificate in Domino Directory|136 Recertify Person in Domino Directory|10 Recertify Server in Domino Directory|9 Remove Certificate from Domino or LDAP Directory|98 Remove Certificate Revocation List from Domino or LDAP Directory|103 Remove Roaming User's Roaming Files|92 Remove Server from Cluster|12 Rename Group in Access Control List|42 Rename Group in Design Elements|180 Rename Group in Domino Directory|40 Rename Group in Person Documents|41 Rename Group in Reader/Author fields|43 Rename in Access Control List|1 Rename in Agent's Readers Field|164 Rename in Design Elements|176 Rename in Person Documents|19 Rename in Reader/Author fields|20 Rename in Shared Agents|162 Rename Person in Calendar Entries and Profiles in Mail File|39 Rename Person in Domino Directory|5 Rename Person in Free Time Database|38 Rename Person in Unread List|68 Rename Server in Domino Directory|4 Rename Web User in Access Control List|119 Rename Web User in Calendar Entries and Profiles in Mail File|124 Rename Web User in Design Elements|179 Rename Web User in Domino Directory|120 Rename Web User in Free Time Database|123 Rename Web User in Person Documents|121 Rename Web User in Reader/Author fields|122 Rename Web User in Unread List|125 Replace Mailfile Fields|52 Replace Roaming Server's Field in Person Record|89 Request Mail File Deletion|28 Request Replica Deletion|80 Request to Delete Moved Replica|76 Request to Delete Private Design Elements|73 Retract Person's Name Change|107 Set DB2 Password in Server's ID File|174 Set Directory Assistance Field|37 Set Directory Filename|86 Set Password Fields|34 Set User Name and Enable Scheduled Agent|108 Set Web Admin Fields|83 Set Web User Name and Enable Scheduled Agent|160 Sign Database with Server's ID File|101 Store Certificate in Domino or LDAP Directory|95 Store Certificate Revocation List in Domino or LDAP Directory|96 Store Cross Certificate in Domino or LDAP Directory|159 Store DB2 Information in Server Record|172 Store Directory Type in Server Record|85 Store Server's CPU count|67 Store Server's DNS Hostname in Server Record|70 Store Server's Platform in Server Record|71 Unrecognized Request|145 Unrecognized Request|154 Unrecognized Request|155 Unrecognized Request|36 Unrecognized Request|999 Update Client Information in Person Record|46 Update Delegated User's Mailfile List|104 Update External Domain Information|47 Update License Tracking Information in Domino Directory|109 Update Replica Settings|161 Update Roaming User Information in Person Record|134 Update Roaming User State in Person Record|133 Update Server's Protocol Information|63 Verify Hosted Organization Storage|143 Web Set Soft Deletion Expire Time|163 UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 12. All AdminP Requests – Field ProxyAction Accelerated Create Replica|84 Delete in Domino Directory|0 Rename Group in Person Documents|41 Add Information to Monitoring Report|130 Delete in Person Documents|16 Rename Group in Reader/Author fields|43 Add Internet Certificate to Person Record|44 Delete in Reader/Author fields|18 Rename in Access Control List|1 Add New Mailfile Fields|50 Delete Mailfile|21 Rename in Agent's Readers Field|164 Add or Modify Group in Domino Directory|144 Delete Obsolete Change Requests|26 Rename in Design Elements|176 Add Resource|29 Delete Original Replica after Move|15 Rename in Person Documents|19 Add Server to Cluster|11 Delete Person in Domino Directory|54 Rename in Reader/Author fields|20 Approve Certificate Request|115 Delete Person In Unread List|147 Rename in Shared Agents|162 Approve Delete Person in Domino Directory|58 Delete Policy Record in Domino Directory|113 Rename Person in Calendar Entries and Profiles in Approve Delete Server in Domino Directory|59 Delete Private Design Elements|74 Mail File|39 Approve Deletion of Hosted Organization Delete Replica After Move|69 Rename Person in Domino Directory|5 Storage|139 Delete Replica|81 Rename Person in Free Time Database|38 Approve Deletion of Moved Replica|75 Delete Resource|30 Rename Person in Unread List|68 Approve Deletion of Private Design Elements|72 Delete Server in Domain Catalog|111 Rename Server in Domino Directory|4 Approve Mail File Deletion|22 Delete Server in Domino Directory|55 Rename Web User in Access Control List|119 Approve New Public Key Request|117 Delete Statistic Monitors in Domino Directory|7 Rename Web User in Calendar Entries and Profiles Approve Person's Name Change Request|116 Delete Unlinked Mailfile|23 in Mail File|124 Approve Refused Name Change|106 Delete Vaulted User|181 Rename Web User in Design Elements|179 Approve Rename Person in Domino Directory|60 Delete Web User in Domino Directory|126 Rename Web User in Domino Directory|120 Approve Rename Server in Domino Directory|61 Domain Catalog Configuration|77 Rename Web User in Free Time Database|123 Approve Replica Deletion|82 Enable Server's SSL Ports in Domino Directory|157 Rename Web User in Person Documents|121 Approve Resource Deletion|31 Find Name in Domain|142 Rename Web User in Reader/Author fields|122 Approve Revert Name Change|114 Get Hosted Organization Storage Information for Rename Web User in Unread List|125 Certificate Authority Configuration To Be Deletion|138 Replace Mailfile Fields|52 Signed|105 Get Mail File Information for Deletion|27 Replace Roaming Server's Field in Person Record|89 Certify New Certifier Key Request|171 Get Replica Information for Deletion|79 Request Mail File Deletion|28 Certify New Person Key Request|170 Initiate Rename in Domino Directory|8 Request Replica Deletion|80 Certify New Server Key Request|169 Initiate Web User Rename in Domino Directory|118 Request to Delete Moved Replica|76 Change HTTP Password in Domino Directory|127 Maintain Server's Fault Recovery Settings|168 Request to Delete Private Design Elements|73 Change the Server on which the Agent Runs|158 Maintain Trends Database Record|112 Retract Person's Name Change|107 Change User Password in Domino Directory|35 Modify CA Configuration in Domino Directory|99 Set DB2 Password in Server's ID File|174 Check Access for Move Replica Creation (time based Modify DB2 Access Connection|178 Set Directory Assistance Field|37 execution)|151 Modify ID Recovery Information in Domino Set Directory Filename|86 Check Access for Move Replica Creation|33 Directory|146 Set Password Fields|34 Check Access for New Replica Creation (time based Modify Room/Resource in Domino Directory|62 Set User Name and Enable Scheduled Agent|108 execution)|150 Modify User Information Stored in Domino Set Web Deep Dive, Olaf Boerner, BCC UKLUG 2012: AdminPAdmin Fields|83Enable Scheduled Check Access for New Replica Creation|32 Directory|97 Set Web User Name and
  • 13. AdminP and Security AdminP is fully integrated within Domino Security • ACL – even if AdminP is using local access • Reader • Encrypted and signed documents How does adminp server task know that he has a "real" task document ? • You might copy and modify a task document • "misused" server tasks might be dangerous UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 14. AdminP Security Well we have a great PKI built in AdminP Security relies on Signatures (Private Key) • AdminP Documents are signed • Signature will ensure "correct" task documents • Modification will break signature • Documents with broken signature will not be executed ! UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 15. AdminP Security Check AdminP Security will check two fields : • Name to perform the action on: User, Database or Server • Action requested by: User or Servername • Entry must match signature ! • Entry will be checked with ACL and security settings Error Handling • “You are not authorized to create new replica databases on this server.” • Check settings in server documents and ACL UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 16. Sidestep: Why your server ID needs a password ? Server ID can • sign adminp documents • Agents signed with server id can Create adminp docs • Server ID can create „fake“ adminp requests Runing ID Vault you need to secure your Domino Server ID • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vaultserver • See Paul Mooneys 2012 AdminBlast Tip #42 UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 17. AdminP and Security Do never ever modify documents in adminP database !!! Public key in person/server document must match with key pair in idfile UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 18. AdminP Request Document How to create AdminP Request Document • Lotus AdminClient ->> 90% • Script Agent – AdminP Class • Server Tasks – AdminP API Manually with Script / API • Create a sample request • Do some reengineering (field and values) • Create a document and set all fields manually • Sign the document !!! Why do you need this ? • Automation and batch processing UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 19. AdminP Interaction with Notes Client Some tasks need interaction with Users Interaction is done due to fields in person documents and/or creating documents in admin4.nsf • AdminP changes fields in person document • Lotus Notes creates „response“ document in admin4.nsf UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 20. AdminP Interaction with Notes Client Example: Rename User • Rename User > AdminP changes Field and Public key in person document • Lotus Notes Client checks at login for these field and execute internal procedures inside Lotus Notes Client • Notes Clients creates • a „done successfull“ log document in admin4.nsf UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 21. AdminP Statistics AdminP statistics reported to statrep.nsf Useful to compare servers to see where AdminP activity is high Statistics (Sample from Domino Admin Help) • ACLsModified • ReaderAuthorModified • ProfilesModified (mailfile) • AppointmentsModified • DirectoryDocumentsDeleted • DirectoryDocumentsModified UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 22. AdminP Monitoring (even more important) Monitoring • How do you know when your AdminP task has completely finished? • Remember AdminP usually runs per User, Database etc !!! Possible Solutions • Create Monitoring Agent (run on server) • which scans AdminP Request for response documents • Create a report per Object • Realtime “Scan” using Notes C API • Analyzing Extension Manger Events before/after each adminp execution • Execute a monitoring action / log etc. • Use Domino Domain Monitoring UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 23. AdminP – Monitoring „Enhanced Log“ Using DEBUG parameter for more useful information about what AdminP is currently doing • “DEBUG_ADMINP_REQUEST_PROCESSING=1” • “DEBUG_ADMINP_REQUEST_PROCESSING=2” DEBUG Output can be directed to text file • “DEBUG_OUTFILE=<output file path> Can be set using „set config“ at server console UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 25. Cross Domain AdminP Most AdminP processes are only working inside a domain which is the same admin4.nsf • Not clear why ! Cross Domin AdminP Tasks are • Rename User • Delete User • Rename Server • Delete Server • Create Replica UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 26. Cross Domain AdminP: How it works Architecture • AdminP will be sent “mails” from the source domain to the target domain. • mail will be created at the administration server of the source domain • Mail will be delivered directly to the admin4.nsf in the target domain • Mail will be processed as a adminp request document Security • Still relies on PKI and „Signature Validation“ UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 27. Cross Domain AdminP: How to setup Domino Directory • Create cross certificate documents. Identify all required certifiers ! • Create connection document to allow server to connect to other domain • Edit Domino Directory Profile: Who are allowed to create Cross Domain Configuration in admin4.nsf Admin4 Database • Create Cross Domain Configuration document • For each domain to import and • For each domain to export request UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 28. Best Practice using AdminP Or how to deal with Mass Recertification
  • 29. Project: Mass recertification Move a number of user to new Org Certifier • Rename company name • Recreate Certifier due to security issues • Integrate a new company • Split off company Move in hierarchy adminP for name change • Two approvals for each user • Response documents might be an issue or nightmare • No view update for admin4.nsf UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 30. AdminP limitations -> „Renames“ AdminP-Process Expiration • Enlarge the interval for user to accept the name change request. Default interval is 21 days. (can be configured from 14 – 60 days) • it is strictly necessary that User connects to his server during that period to start the AdminP • If a name change request expires, the user will be reverted to it’s old username! Same behaviour with ID Vault ! Error in Documentation. UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 31. AdminP Rename What happens after User accept rename request ? Notes Client is changing User Name in current ID File ID File get synchronized with ID Vault What happened with old user name • It is still there !!! • User ID contains old and new user name • User can access Database which still have ist old names in ACL • Old User name get removed after expiration date • You will not receive Help Desk Calls before  UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 32. AdminP limitations -> „Renames“ Manual interaction required • Admin must confirm execution, • Move Certifier • Move Mailfile • User must "confirm" execution • Login / Access to server • No pass thru server or replication access !!! Same behaviour with ID Vault ! Error in Documentation UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 33. AdminP – Project Troubleshooting User currently not working in Lotus Notes (21 – 60 days expiration) • Avoid absent User: In average 15% - 20% of all users are not taking part in the daily working process. • Define a Workaround for absent users with your Audit Department or write an server tasks (C-API) User is using a wrong ID (public key does not match to AdminP request) UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 34. AdminP limitations -> „Renames“ ACL Settings „Modify / Do not modify names“ in each database must be set properly Solution • New request: “Rename Person in Calendar Entries and Profiles in Mail File Extended • Overwrites ACL Setting • Renaming users in ACLs, Calendar profiles, C&S documents UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 35. AdminP limitations -> „Renames“ AdminP does not handle text fiedls • Check your application using text field for application logic ! AdminP will not modify profile documents • Check applications for profile documents using Reader / Author / Names fields AdminP does not modify wildcards (*USR/BCC) • Check applications for use of wildcards in Reader / Author / Name fields • adjusted manually or by agent The Administration Process can not modify encrypted documents. • Reader / Author / Names fields in encrypted documents must be adjusted manually by the user, who has encrypted the document. UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 36. AdminP limitations -> „Renames“ Default: AdminP scans all documents for reader, author or names fields in a Database Creating an AdminP View in an application with name $AdminP • Only documents which appear in that view will be considered and processed • Be careful  AdminP in R8.x is using namelist for Rename • namelist contains all users in that database • Requires ODS 48 • If AdminP does not find the username in the namelist, it does not search that database UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 37. Mass Recertification – admin4 size issues Domain size consideration belong to AdminP Size • AdminP Database can grow to enormous sizes • Number of documents are an issue • Response documents slow down indexer tasks Local AdminP Tasks and response documents will be replicated to all admin4 databases • User in Tokio will change ACL of Mailfile • User Creates ACL Change Request in admin4 on his current mail server • Tokio Server will execute AdminP task document and creates log document • Documents will replicate to whole domain UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 38. Mass Recertification – admin4 size issues Recertification tasks are part of the ordinary user management in Domino Issues start with mass data / batch requests Admin4.nsf database size • admin4.nsf with 300.000 documents (1,5 – 2 GB size) will have performance issues • Replicator tasks requires index update • Example “Move User in Hierarchy”: Example „Move User in Hierarchy“ • The request requires 11 requests documents • 20.000 users • 50 Servers UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 39. Mass Recertification – admin4 size issues Request Log Docs for 50 Server Server Timing Move Person's Name in Hierarchy 1 Directory Server Requires administrator approval in Administration Requests database Initiate Rename in Domino Directory 1 AdminP Server Interval Rename Person in Domino Directory 1 AdminP Server Interval Rename in Person Documents 1 AdminP Server Execute once a day requests at Rename Person in Unread List 50 One per Server Execute once a day requests at Rename in Access Control List 50 One per Server Interval Rename in Design Elements 50 One per Server Delayed Rename Person in Free Time Database 1 Mail Server Immediate Rename Person in Calendar Entries and Profiles in Mail File 1 Mail Server Immediate Rename in Reader / Author Fields 50 One per Server Start Executing On Start Executing At Rename Person in Address Book 1 AdminP Server Multi Domain Configuration Summary per User 207 20.000 User 4.140.000 documents!!! UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 40. Mass Recertification – Replication Issues Replication of names.nsf and admin4.nsf are critical ! • Domino Directory has to replicate before Administration Database !!! • Otherwise you may get errors that have to be corrected manually (i.e. “Rename Person in Domino Directory” fails because Domino Directory was not updated) In the replication settings the value to purge documents shall be set to 7 days on all replicas (not more than 14 days) Prevent replication to all servers using replication formula: • select (Form='AdminRequest') | (ProxyServername=@username) UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 41. Mass Recertification – Replication Issues R8 is using Direct Deposit Feature by default • Automatically „replicate“ requests • AdminP requests can be directly deposited to „target server“ admin4.nsf • Wildcard requests must be replicated Also enabled at the client • Example: Change HTTP Password in Domino Directory • You need direct access to the target server Disable with notes.ini parameter ADMINP_DONT_ATTEMPT_DIRECT_DEPOSIT=1 UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 42. Mass Recertification – Performance AdminP Tasks carried out on every server • Rename in Reader/Author fields • Rename in Access Control List • Rename in Design Element Time consuming tasks and will have performance impact Performance Problems while processing the AdminP • Indexing admin4 • Searching fields in Databases Check AdminP Threads settings • Default 3 • Check if you have idle tasks and CPU time • Increase to 10 Threads max UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 43. Best Practice performance issues Servertask configuration • Change “daily” and “delayed” request execution to “non working times”. • Use suspend AdminP at when you see performance issues on mail servers • Reduce the amount of (log) documents. A server that has nothing done during the rename process should not report. (server task configuration) Split up threads in Domino 8 (max 10) • ADMINP_IMMEDIATE_THREAD=X • ADMINP_INTERVAL_THREAD=X UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 44. Best Practice performance issues Change AdminP Task execution • • • • ADMINP_IMMEDIATE_OVERRIDE= x, x, x ADMINP_INTERVAL_OVERRIDE=X, X, X ADMINP_DAILY_OVERRIDE=X ADMINP_DELAYED_OVERRIDE=X Example (see Admin Help) • Rename in Access Control List • Interval • Number 1.00 • Rename in Reader/Author Fields • Delayed • Number 20.00 Be careful !!! UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC
  • 45. Best Practice to avoid performance issues Kepp Admin4 small • Plan renaming “waves” • Do not rename all user at the same day Clean-up Admin4 • reduce the amount of Admin4 documents. • User that has been renamed successfully should not stay in admin4.nsf Replication • Check Use of selective replication formula • Ensure fast and reliable replication UKLUG 2012: AdminP Deep Dive, Olaf Boerner, BCC