2. Why You Might Care About What I Say …
• Technical Director, North America for Panagenda
• Over 14 years experience with Domino environments
    Managing, architecting, and supporting
• Various site/version/size deployments
    10 to 100,000 users
    Versions 4-8
• Experienced Lotus instructor and speaker
    Pretty good administrator and end user, too
• Several certifications
3. What We’ll Cover …
• Introduction
• The Client Management Challenge
• Managing the mail file
• Working with ACLs and ECLs
• ID Files, Certifiers and Security
• Connectivity and failover
• Wrap-up
4. The Client Management Challenge
• Your company started using Notes on version 4.x
    Clients have been upgraded 5 times since then
    You changed install directories and client type
    Some data was migrated
    Perhaps customized templates were deployed
    IBM also changed client types and default directories
• Your users started creating icons/bookmarks to servers on version 4.x
    You added new ones and consolidated others since then
• Your users started creating local replicas on version 4.x
    Anywhere they think is a good idea...
    Mapped drives, outside the data directory, inside the data directory
• Users shared workstations at some point, so various IDs are all over the place
• This leaves you with a HUGE problem when trying to manage your environment …
5. The Client Management Challenge
• Who has bookmarks/icons/replicator entries pointing to which applications on which servers
• Who has which location and connection documents
    And who is already misconfigured and pointing to the wrong server/IP
• Who has which certificates and cross certificates
• Who has which local archives
• Who has an outdated version of a template locally
    Hint: After an upgrade the client auto-performs a convert on the local names.nsf with the local pernames.ntf
• …
6. • How do you know how your Lotus Notes clients are configured?
• How do you manage something you don’t know much about?
7. The Client Inventory Challenge
• Specifically when upgrading, knowing what kinds of clients you have is invaluable
    Basic
    Standard
    Single-user
    Multi-user
    Roaming User
    Citrix/Terminal Server
    iNotes/DWA
    Managed Mail file users
    Admin and Designer clients
• CAUTION: Policies do NOT adapt to the above
8. The Client Inventory Challenge
• Gathering the notes.ini can be very helpful in answering the previous questions; the InstallType setting, for example, tells you which client was installed
    InstallType=0 Designer License
    InstallType=1 Admin License
    InstallType=2 All clients, which is Admin and Designer
    InstallType=6 Notes client license
    InstallType=3 Notes client only
    InstallType=7 Notes lite license
    InstallType=9 Unknown, which is set for multi-user installs
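The following is an added example (not part of the deck and not Panagenda code) of the inventory step slide 8 describes: parsing collected notes.ini files and mapping InstallType to the license names listed above. The notes.ini fragments and workstation names are constructed sample data; the Directory and KitType keys are ordinary notes.ini settings included only to show that unrelated keys are ignored.

```python
"""Inventory Notes client license types by parsing collected notes.ini files.

Added example, not code from the slide deck. The InstallType -> license
mapping is the one listed on slide 8; the notes.ini contents below are
constructed sample data, not captured from real workstations.
"""
import re
from collections import Counter

# InstallType values as listed on slide 8 (the deck does not claim this is exhaustive)
INSTALL_TYPES = {
    0: "Designer License",
    1: "Admin License",
    2: "All clients (Admin and Designer)",
    3: "Notes client only",
    6: "Notes client license",
    7: "Notes lite license",
    9: "Unknown (set for multi-user installs)",
}

_KV = re.compile(r"^\s*([A-Za-z0-9_$.]+)\s*=\s*(.*?)\s*$")


def parse_notes_ini(text):
    """Return a dict of key -> value from notes.ini text.

    notes.ini is a flat key=value file under a [Notes] section header.
    Keys are stored lower-cased so lookups are case-insensitive; blank
    lines, comments and the section header are skipped; for a duplicated
    key the last occurrence wins (the file is read top to bottom).
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#", "[")):
            continue
        m = _KV.match(stripped)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def license_type(settings):
    """Map the InstallType setting to a human-readable license name."""
    raw = settings.get("installtype")
    if raw is None:
        return "InstallType missing (possibly a pre-upgrade or broken install)"
    try:
        return INSTALL_TYPES.get(int(raw), f"Unrecognised InstallType={raw}")
    except ValueError:
        return f"Malformed InstallType={raw!r}"


def inventory(ini_files):
    """Summarise license types across many workstations.

    ini_files: mapping of workstation name -> notes.ini text.
    Returns (per_host, counts): host -> license name, and a Counter of names.
    """
    per_host = {host: license_type(parse_notes_ini(text)) for host, text in ini_files.items()}
    return per_host, Counter(per_host.values())


# Constructed sample notes.ini fragments for four workstations
SAMPLE_INIS = {
    "WS-ALICE": "[Notes]\nDirectory=C:\\Notes\\Data\nInstallType=6\nKitType=1\n",
    "WS-BOB": "[Notes]\nDirectory=C:\\Program Files\\Lotus\\Notes\\Data\ninstalltype = 2\n",
    "WS-CAROL": "[Notes]\nDirectory=D:\\Lotus\\Notes\\Data\nInstallType=9\n",
    "WS-DAVE": "[Notes]\nDirectory=C:\\Notes\\Data\n",  # no InstallType at all
}

if __name__ == "__main__":
    hosts, counts = inventory(SAMPLE_INIS)
    for host, lic in sorted(hosts.items()):
        print(f"{host:10} {lic}")
    print(dict(counts))
```

The hosts with a missing or malformed InstallType are reported as a separate bucket rather than silently dropped, since those are exactly the clients an upgrade plan tends to miss.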
9. The Client Inventory Challenge
• When users authenticate, AdminP records the version of Notes and client platform running, as well as the machine name
    There is a view in the Directory but it’s not very reliable
• Who has which calendars delegated
    “Access & delegation” doesn’t tell you who is actually using delegation
10. The Client Inventory Challenge
• Is there any other Lotus-interfacing software installed on the user’s machine?
    Sametime stand-alone client
    Anti-virus products
    Login scripts
    Handheld device software
• What operating system are workstations utilizing?
• What kind of hardware are your clients using?
    Memory and disk space are most important here
• What templates are mail files, archives and directories based on?
11. The Client Inventory Challenge
• The problem with any policy-based client management is that
    Policies depend on an already functioning/set-up client
        In my experience fewer than 75% of users actually receive policies
    They don’t provide you with an inventory before making changes
        Client management “in the dark”
    They don’t adapt to your users’ unique situation
        LAN vs VPN, Citrix user, functioning outside the data directory
    They aren’t predictable
        Can happen anytime.... or not...
    Most settings cannot be UNset once set
        Think about it...
    They cannot repeat actions
        So if the user breaks something it’s broken until they call for help
12. The Client Management Challenge
• And if you don’t know how your Lotus Notes clients are configured today, how can you possibly
    perform a standardized upgrade
    fix existing client issues preventatively
    provide your users with a predictable Notes experience
    PREDICT the impact of server-based changes on your user population
        think about a server consolidation including icon/bookmark/replicator page changes, location/connection document updates
• How do YOU deal with this situation?
13. What We’ll Cover … (agenda slide repeated; next section: Managing the mail file)
14. Quotas
• Should be implemented in conjunction with archiving if mail files are larger than 1GB
    Those take up a disproportionate amount of server resources
    Typically users will ignore quota warnings, so be prepared to adjust these limits frequently
    Mail files get corrupted easily if they are too large
        The more writes to a database/views, the greater the chance of corruption
    Be sure to set quotas on all clustered servers as these settings don’t replicate
    Can be done via a Desktop Settings document
15. Inbox Management
• Too many items in your Inbox can corrupt it or stop new mail from being delivered to the Inbox
    Refresh the view indexes on the server-based mail file via an updall
    Or have the user press Ctrl+Shift+F9
• A large Inbox can also make Notes appear slow, especially in iNotes
    Use a Mail Settings document to deal with this
16. Unread Marks
• Users often complain of not having unread marks synchronized after failing over to another cluster server
    Enable the Replicate unread marks feature
        Located on the Advanced tab of the database properties
        Select Replicate unread marks, either over clustered servers or over all servers
17. Archives
• If you don’t allow users to grow their mail files very large, you have to provide them with another way to store their data
    Don’t force your users to spend time on cleaning up their mail, that’s not what they were hired to do
• Local archiving is almost never the way to go
    Prevent this via a policy and use server-to-server archiving instead
    Then lock down the archive settings altogether
18. DAOS to Help with Mail File Size
• It won’t help users with their quota but it will save up to 40% disk space
    Domino Attachment and Object Service (DAOS)
    Use the DAOS estimator tool to find out how much space this could save you
• DAOS collects all shared copies of the same attachment and saves them in a central repository
    This is transparent to users
    Requires far less backup time
    Fewer writes to your disks means fewer chances for corruption
        In addition to faster servers
19. Notes Mail Security
• Sign Sent Mail and Encrypt Sent Mail
    Works natively between Notes users; requires an X.509 certificate when used with other mail users
• Encrypt saved mail and Encrypt incoming mail
    Uses the active user ID to encrypt, which means nobody else can read the mail
        Including admins!
20. Notes Mail Security (cont.)
• Private folders
    Show in the mail file but are encrypted with the user’s ID
    This information is lost if the user ID is lost
• Database encryption
    Uses the user’s ID to secure local data so it cannot be read even if the laptop gets stolen
    Can be set manually on the application properties tab or forced with a Desktop Settings policy
21. Automated Local Application ODS Upgrade
• New to 8.5.2 is the ability to automatically upgrade local client databases to ODS 51
    Create a desktop policy settings document
    Set the preference on the Mail tab
• Requires Create_R85_Databases=1 to be deployed to clients
22. Managed Replicas — New to 8.5.2
• Local replicas are created in the background and users are switched over automatically
    Requires an existing replication schedule and bandwidth!
23. Managed Replicas — New to 8.5.2 (cont.)
• If the managed replica requires a fixup to be run, users will be switched over to the server mail file
    Still requires network connectivity but forces users to work off local when possible
• If managed replicas get corrupted, they will be deleted and re-created
    I’m told; have not actually seen this happen
• Be careful though!
    The managed replica feature isn’t aware of Citrix or low-bandwidth environments
24. What We’ll Cover … (agenda slide repeated; next section: Working with ACLs and ECLs)
25. Mail File ACLs
• Get set originally when the mail file is created
    Based on the Access Control List (ACL) of your mail template
    Add entries in brackets to your template ACL so new databases inherit them. Example: [LocalDomainAdmins]
• In previous versions users required Manager access to cope with Out Of Office agents
    Now Editor is sufficient and HIGHLY desirable
    Editors can’t lock you out of the ACL nor delete their own mail file
• Admin rights are not required if you use Full Access Administration
    Users may not understand why all admins can “read” their mail
26. Mail File ACLs (cont.)
• An administration server must be listed for renames to work properly
    Advanced tab of the ACL; should be set to the home server
27. Mail File ACLs (cont.)
• Mass modifying mail file ACLs is easy: File – Select All – Manage ACL
    This will help with server, admin, and admin server access
    Don’t forget to change your template ACLs if you want to change global mail file rights for future users
• Changing individual ACL entries is a bit more tricky
    Requires manual one-by-one intervention
    There’s a great tool on Paul Mooney’s site
        www.pmooney.net/resources
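As an added example (not from the deck, and not a Notes API), the rules slides 25 to 27 describe can be modelled in a few lines: bracketed template entries are inherited by a new mail file with the brackets dropped, the owner gets Editor rather than Manager so they can neither change the ACL nor delete the database, the administration server is set to the home server, and the same entry change can be pushed to many ACLs at once. The access-level ordering is the standard Notes one; the template ACL and names are constructed, and giving the home server Manager is an assumption not stated on the slides. Group membership is not modelled, so a name is looked up literally.

```python
"""Model of mail file ACL creation from a template and mass ACL updates.

Added example, not code from the slide deck and not the Notes API.
Template entries, user names and server names are constructed.
"""

# Notes ACL access levels in ascending order
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def at_least(level, minimum):
    return LEVELS.index(level) >= LEVELS.index(minimum)


def create_mail_file_acl(template_acl, owner, home_server):
    """Build a new mail file's ACL from its template ACL.

    Only template entries written in square brackets are inherited, and the
    brackets are dropped on the new database; the template's own developer
    entries are not carried over.
    """
    entries = {}
    for name, level in template_acl.items():
        if name.startswith("[") and name.endswith("]"):
            entries[name[1:-1]] = level
    entries.setdefault("-Default-", "No Access")
    entries[owner] = "Editor"          # Editor, not Manager, as slide 25 recommends
    entries[home_server] = "Manager"   # assumption: the home server holds Manager
    return {"entries": entries, "admin_server": home_server}  # slide 26: admin server = home server


def effective_level(acl, name):
    """Literal lookup (group membership is not modelled here)."""
    return acl["entries"].get(name, acl["entries"]["-Default-"])


def can_modify_acl(acl, name):
    return at_least(effective_level(acl, name), "Manager")


def can_delete_database(acl, name):
    return at_least(effective_level(acl, name), "Manager")


def mass_update(acls, name, level):
    """Slide 27: apply one entry change to every selected mail file ACL.
    Returns the number of ACLs actually changed."""
    changed = 0
    for acl in acls:
        if acl["entries"].get(name) != level:
            acl["entries"][name] = level
            changed += 1
    return changed


# Constructed mail template ACL: bracketed entries are meant for new databases,
# the template developer's own entry is not.
TEMPLATE_ACL = {
    "-Default-": "No Access",
    "[LocalDomainAdmins]": "Manager",
    "[LocalDomainServers]": "Manager",
    "CN=Template Dev/O=Acme": "Manager",
}

if __name__ == "__main__":
    acl = create_mail_file_acl(TEMPLATE_ACL, "CN=Alice/O=Acme", "CN=Mail1/O=Acme")
    print(acl)
    print("owner can edit ACL:", can_modify_acl(acl, "CN=Alice/O=Acme"))
```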
28. ECLs
• Grants other entities rights to execute code on your workstation
• Resides on each Lotus Notes client
    Like preferences, they are machine-specific
• Gets populated upon first launch of the Notes client based on the Admin Execution Control List (ECL) in the Domino Directory
    User Actions – Edit Admin ECL to modify this
29. ECLs (cont.)
• Especially if you are coming from an “unmanaged” environment, you need to use policies to manage current and future users
    Use a Security Policy to update the default ECL
• Make sure your servers are listed in the ECL
    Groups cannot be added
        Technically speaking they can, but only Certifier IDs and User IDs will get honored
30. ECLs (cont.)
• Create an internal signing ID you use to sign and deploy all code
    That way you’re not dependent upon any one person
    Then only untrustworthy people will set off the alarms!
• What you want to avoid is anyone ever getting ECL warnings
    It’s scary and not very user friendly
    Please tell your support staff not to instruct users to click the last option here
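To make slides 28 to 30 concrete, here is an added example (not from the deck, and not how the Notes client is implemented) that models how a workstation ECL decides whether code signed by a given ID may perform an action: the client ECL starts as a copy of the Admin ECL, an exact user-ID entry wins over a certifier wildcard such as */O=Acme, anything else falls back to -Default-, unsigned code is governed by -No Signature-, and entries that are group names are ignored. The capability names, identities, signing ID and group name are constructed for illustration.

```python
"""Model of how a workstation ECL answers "may this signer do X?".

Added example, not code from the slide deck. -Default- and -No Signature-
are the standard ECL entries; the capability names and every identity
below are constructed.
"""
from copy import deepcopy

# Constructed capability names; a real ECL lists more and splits them by
# workstation / Java applet / JavaScript security
CAP_CURRENT_DB = "access to current database"
CAP_OTHER_DBS = "read/modify other databases"
CAP_FILE_SYSTEM = "access to file system"
CAP_NETWORK = "access to network"
ALL_CAPS = frozenset({CAP_CURRENT_DB, CAP_OTHER_DBS, CAP_FILE_SYSTEM, CAP_NETWORK})

NO_SIGNATURE = "-No Signature-"   # governs unsigned code
DEFAULT = "-Default-"             # governs any signer with no other match


def lookup_entry(ecl, signer, group_names=frozenset()):
    """Return the name of the ECL entry that governs `signer`.

    signer is a hierarchical Notes name, or None for unsigned code.
    Resolution order modelled here: exact user-ID entry, then a certifier
    wildcard such as "*/O=Acme", then -Default-. Entries that are group
    names are skipped because the client does not honour them (slide 29).
    """
    if signer is None:
        return NO_SIGNATURE if NO_SIGNATURE in ecl else DEFAULT
    candidates = [e for e in ecl if e not in group_names and e not in (NO_SIGNATURE, DEFAULT)]
    if signer in candidates:
        return signer
    for entry in candidates:
        if entry.startswith("*/") and signer.endswith(entry[1:]):
            return entry
    return DEFAULT


def is_allowed(ecl, signer, capability, group_names=frozenset()):
    """Return (allowed, governing_entry). A False result is exactly the case
    where the user sees the ECL alert that slide 30 wants you to avoid."""
    entry = lookup_entry(ecl, signer, group_names)
    return capability in ecl.get(entry, set()), entry


def initial_workstation_ecl(admin_ecl):
    """First launch: the client ECL starts as a copy of the Admin ECL (slide 28)."""
    return deepcopy(admin_ecl)


def apply_security_policy(workstation_ecl, policy_entries):
    """A Security Policy pushes entries into an existing workstation ECL;
    the policy's definition of an entry replaces the local one (slide 29)."""
    merged = deepcopy(workstation_ecl)
    for name, caps in policy_entries.items():
        merged[name] = set(caps)
    return merged


# Constructed Admin ECL: a dedicated signing ID gets everything, any
# Acme-certified ID may only touch the current database, and a group entry
# is present to show that it changes nothing.
SIGNING_ID = "CN=Acme Code Signer/O=Acme"
ADMIN_ECL = {
    DEFAULT: set(),
    NO_SIGNATURE: set(),
    SIGNING_ID: set(ALL_CAPS),
    "*/O=Acme": {CAP_CURRENT_DB},
    "Developers": set(ALL_CAPS),
}
GROUPS = frozenset({"Developers"})

if __name__ == "__main__":
    ecl = initial_workstation_ecl(ADMIN_ECL)
    for signer, cap in [(SIGNING_ID, CAP_FILE_SYSTEM),
                        ("CN=Dev Dan/O=Acme", CAP_FILE_SYSTEM),
                        (None, CAP_CURRENT_DB)]:
        print(signer, "->", cap, is_allowed(ecl, signer, cap, GROUPS))
```

Code signed with the shared signing ID never triggers an alert, code signed with a developer's personal ID (a member of Developers, which the ECL ignores) is stopped as soon as it leaves the current database, and an old workstation ECL that predates the signing ID is repaired by the policy merge rather than by the user clicking through the dialog.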
31. What We’ll Cover … (agenda slide repeated; next section: ID Files, Certifiers and Security)
32. Certifiers
• Physical certifiers should:
    Be kept in a safe and NOT on a shared drive on the network
        Too many people have access otherwise
    Require multiple passwords to use
• Use the CA process to upload your certifiers to your server instead
    Grants rights to use the uploaded certifier
    Doesn’t require access to the physical cert.id
    Look at help topic “CA Process” for more information
• Keep in mind that once you hand out an ID/certifier, you can never take it back
    Use certificate/key rollover and certificate checking to ensure former admins can no longer use certifiers
33. ID Management
• The following native Notes tools can help manage IDs and certifiers:
    AdminP
        Does renames and re-certifications
    Certification Log
        Keeps track of all that
    ID Vault
        Is a self-service repository for user IDs
    ID Repository
        The pre-Lotus Notes and Domino 8 way to reset passwords
    Domino Directory
        Can hold IDs but it may be a security risk to have them here
34. User IDs
• Should NOT be kept on a shared drive
    All of IT doesn’t need to be able to impersonate users
• Should NOT have standard passwords
    See above: this is a huge security risk, and it adds all users to the list of people able to impersonate others
• If on Lotus Notes and Domino 7 or below, use an ID Recovery database to store user IDs
• If on Domino 8, keep these in a vault and set up ID Vault instead
    Will make your password and ID management duties MUCH easier
35. ID Vault
• Collects and stores current copies of existing IDs with the current password in an encrypted database
    Lost/missing IDs are downloaded from the vault automatically
    The user’s current password still works = seamless
• Allows password resets if forgotten
    Use ID Vault – Reset Password to immediately change the password of the user’s ID in the vault
    Use random passwords for added security
36. ID Vault (cont.)
• After 10 tries at the user ID password from the vault, the user gets locked out, requiring an admin password reset
    Look at log.nsf – Vault Security Log for this activity
• Requires a Security Settings document to apply to all users
    See help topic ID Vault for more information
37. Password Management
• Use a Security Settings document to control:
    Password Quality Settings
    Expire passwords
    Password checking
        When users enter their password to open the User ID file, the password must match the current password stored in the Person document or they will not be authenticated
        Has to be enabled on both the client and the server
    Update Internet password when the Notes ID password changes
        This is especially helpful to keep Sametime/iNotes passwords in sync
39. Password Checking
• Enabled on the Server – Security tab
• Won’t allow users to authenticate if they don’t provide the last valid password
    Especially effective when implemented in conjunction with password expiration and public key checking
• Also allows you to lock out users with the click of a button
    Although as soon as you delete the person document, this goes away
40. Public Key Checking
• Enabling public key checking prevents users not listed in the Domino Directory from authenticating
    Compares the public key in the person document to that of the ID file and doesn’t grant access to the server if they don’t match
    Make sure you LOG mismatches before enabling this
    Prevents stolen IDs from authenticating if the legitimate person’s User ID has been recertified
    Prevents cross-certification from working
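The server-side checks on slides 39 and 40 are easier to reason about as one decision function, so the following is an added example (not from the deck, and not how Domino is implemented) that models password checking, public key checking in a log-only mode versus an enforcing mode, the lock-out switch, and the two caveats the slides call out: a deleted person document silently removes a lockout, and enforced key checking denies a cross-certified user who has no person document. The person documents, ID files, key strings and passwords are constructed; SHA-256 stands in for Domino's password digest, and the opaque key strings stand in for real RSA public keys.

```python
"""Server-side ID checks modelled on slides 39-40.

Added example, not Domino code: person documents, ID files, keys and
passwords are constructed, and the comparisons are simplified.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PersonDoc:
    """Fields of a Directory person document used here (constructed)."""
    name: str
    public_key: str        # public key recorded in the Directory
    password_digest: str   # digest of the last valid Notes ID password
    locked_out: bool = False


@dataclass
class NotesID:
    """Fields of a user ID file used here (constructed; real IDs hold RSA keys)."""
    name: str
    public_key: str


@dataclass
class ServerSecurity:
    """Server document security settings plus that server's Directory."""
    directory: dict
    password_checking: bool = True
    public_key_checking: str = "off"    # "off" | "log" (audit only) | "enforce"
    log: list = field(default_factory=list)


def digest(password):
    # SHA-256 stands in for Domino's own password digest
    return hashlib.sha256(password.encode()).hexdigest()


def authenticate(server, notes_id, password):
    """Return (granted, reason) for one authentication attempt."""
    person = server.directory.get(notes_id.name)
    if person is None:
        # Nothing to compare against; only enforced key checking denies this case
        if server.public_key_checking == "enforce":
            server.log.append(f"DENY {notes_id.name}: no person document")
            return False, "not listed in the Directory"
        return True, "no person document; certificate trust only"
    if server.public_key_checking != "off" and notes_id.public_key != person.public_key:
        server.log.append(f"KEY MISMATCH {notes_id.name}")   # review this log before enforcing
        if server.public_key_checking == "enforce":
            return False, "public key does not match the person document"
    if server.password_checking:
        if person.locked_out:
            return False, "user is locked out"
        if digest(password) != person.password_digest:
            return False, "password is not the last valid password"
    return True, "ok"


ALICE_KEY_V1 = "alice-public-key-v1"   # constructed; key before recertification
ALICE_KEY_V2 = "alice-public-key-v2"   # constructed; key after recertification


def build_server(mode="off"):
    directory = {
        "CN=Alice/O=Acme": PersonDoc("CN=Alice/O=Acme", ALICE_KEY_V2, digest("Sunny-Day-42")),
        "CN=Bob/O=Acme": PersonDoc("CN=Bob/O=Acme", "bob-public-key", digest("winter"), locked_out=True),
    }
    return ServerSecurity(directory=directory, public_key_checking=mode)


def run_scenarios(mode="off"):
    """Return ({scenario: (granted, reason)}, log) for one key-checking mode."""
    srv = build_server(mode)
    current = NotesID("CN=Alice/O=Acme", ALICE_KEY_V2)
    stolen_old = NotesID("CN=Alice/O=Acme", ALICE_KEY_V1)      # copy of the pre-recert ID
    partner = NotesID("CN=Eve/O=Partner", "eve-public-key")    # cross-certified, not in Directory
    bob = NotesID("CN=Bob/O=Acme", "bob-public-key")
    results = {
        "alice_current": authenticate(srv, current, "Sunny-Day-42"),
        "alice_wrong_pw": authenticate(srv, current, "guess"),
        "alice_stolen_old_id": authenticate(srv, stolen_old, "Sunny-Day-42"),
        "partner_not_listed": authenticate(srv, partner, "anything"),
        "bob_locked_out": authenticate(srv, bob, "winter"),
    }
    del srv.directory["CN=Bob/O=Acme"]   # slide 39 caveat: deleting the person doc drops the lockout
    results["bob_after_doc_deleted"] = authenticate(srv, bob, "winter")
    return results, srv.log


if __name__ == "__main__":
    for mode in ("off", "log", "enforce"):
        results, log = run_scenarios(mode)
        print(mode, results, log)
```

Running the same scenarios in "log" mode first shows every ID that would be rejected (here the pre-recertification copy of Alice's ID) without rejecting anyone, which is the point of logging mismatches before enabling the check.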
41. What We’ll Cover … (agenda slide repeated; next section: Connectivity and failover)
42. Compress Port Traffic
• Compressing TCP/IP traffic on both the client and the server side will allow your environment to communicate faster
    Done on the client via a Desktop Settings document
    Done on the server via the Server – Ports – Manage Ports tab
43. Notes Takes “Forever” to Open
• Several causes for this issue
    The user starts the workstation from a cold boot
    Login scripts are still running or taking inventory
    Windows and anti-virus apps are still loading
    Notes is launched and takes fooooorreeeeeveeerrr…
• The solution? Buy more RAM and faster hard disks
    - OR -
• Use the 8.5.2 Notes pre-loader when installing clients
44. Cluster Failover
• Transparent in version 8.5.2 and above; can be set via policy
    Desktop Settings – Mail – Client Settings
• In earlier versions, implement HidePromptFailoverInc=1 to hide the error message below
    Tip: pmooney.net Error customization tool
45. Roaming
• Allows users to roam their bookmarks.nsf, Notes ID, names.nsf, journal.nsf, localfeedscontent.nsf, workspace (in 8.5.2) and Eclipse plug-ins and settings (roamingdata.nsf)
    Feeds and plug-in information require 8.5 clients
46. Roaming (cont.)
• Upgrade/downgrade users to roaming users via the Admin client
• New 8.5.2 roaming policy allows for greater customization
47. What We’ll Cover … (agenda slide repeated; next section: Wrap-up)
48. Resources
• Upgrading multiple local databases to a new ODS
    www-01.ibm.com/support/docview.wss?rs=899&uid=swg21429889
• Customizing mail quota warning text using an INI setting
    http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin85.doc/H_CUSTOMIZING_MAIL_QUOTA_WARNING_TEXT_USING_A_NOTES_INI_FILE_SETTING_STEPS.html
• Disabling and re-enabling Notes roaming users on the fly
    www-01.ibm.com/support/docview.wss?rs=0&q1=Disabling+and+re-enabling+Notes+roaming+user+status+on+the+fly&uid=swg21424754&loc=en_US&cs=utf-8&cc=us&lang=en
• Paul Mooney’s Blog
    www.pmooney.net/resources
49. Resources (cont.)
• Using a Desktop Policy to set Notes.ini and Location parameters
    www-01.ibm.com/support/docview.wss?uid=swg21196837
• Lotus Notes pre-installation checklist
    www.ipi.org/help/help8_admin.nsf/f4b82fbb75e942a6852566ac0037f284/71db25fc74354ee8852572fa004e28e0?OpenDocument
• Automating client installation using a silent install
    www.ipi.org/help/help8_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/3ccb28c079e9da3a852572fa004e2a3d?OpenDocument
• Tips and tricks for troubleshooting Notes Smart Upgrade issues
    www-10.lotus.com/ldd/dominowiki.nsf/dx/tips-and-tricks-for-troubleshooting-notes-smart-upgrade-issues
• Training and Education
    www.waresource.com
50. In Summary...
• Understand your client landscape before making changes/upgrades so the effect of server-side changes can be predicted
• Use policies and other native tools to help control clients, but be aware of their shortcomings
• Stay on top of new features, such as ID Vault, DAOS and managed replicas, to see if they are a fit in your environment
• Train your users as much as you can to help them cope with all their IT tools, including Lotus Notes
• The more Notes client issues you can proactively fix and standardize, the happier and more predictable your users’ experience will be. Plus, fewer support calls is nice
51. How to Contact Me
Francie.Tanner@panagenda.com
Caribbean Headquarters