Domino & Lotus Install 852


7/31/2019 Domino & Lotus Install 852

1/289

Lotus Notes and Domino

Version 8.5.2

Installing Domino Servers and Notes Clients

GC27-2404-

Third Edition - Revised (July 13, 2010). This edition applies to IBM Lotus Notes 8.5.2 and IBM Lotus Domino 8.5.2, and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 1994, 2010. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. Deploying Domino . . . 1
  Domino server installation . . . 1
  Guidepost for deploying Domino . . . 1
  Building the Domino environment . . . 11

Chapter 2. Setting up the Domino Network . . . 13
  Network Configuration . . . 13
  Lotus Domino and networks . . . 13
  Network security . . . 17
  Planning the TCP/IP network . . . 20
  Planning the NetBIOS network . . . 38
  Setting up Domino servers on the network . . . 40
  Setting up Notes named networks . . . 41
  Fine-tuning network port setup on a server . . . 41
  Server setup tasks specific to TCP/IP . . . 48
  Server setup tasks specific to NetBIOS . . . 57

Chapter 3. Installing and Setting Up Domino Servers . . . 59
  Installing and setting up Domino servers . . . 59
  Domino server evaluation software license . . . 59
  To install and set up a server . . . 59
  Entering system commands . . . 60
  Using the Domino server with a trial evaluation license . . . 60
  Domino server installation . . . 61
  Disabling concurrent I/O and direct I/O on Domino servers on AIX . . . 72
  Domino server setup program . . . 72
  Domino's On-Disk Structure . . . 74
  Setting up DOLS on a server . . . 75
  Setting up Lotus iNotes on a server . . . 77
  Using the Domino server setup program . . . 81
  Certification log . . . 93
  Domino server registration . . . 94
  Optional tasks to perform after server setup . . . 97
  Starting and shutting down the Domino server . . . 107
  Starting Domino as an application or a Windows service . . . 108
  Using instant messaging in the Domino Directory . . . 109
  Running the Domino-Portal integration wizard . . . 109

Chapter 4. Setting Up and Using Domino Administration Tools . . . 111
  The Domino Administrator . . . 111
  Installing the Domino Administrator . . . 111
  Setting up the Domino Administrator . . . 111
  Starting the Domino Administrator . . . 111
  Navigating Domino Administrator . . . 112
  Selecting a server to administer in the Domino Administrator . . . 112
  Setting Domino Administration preferences . . . 113
  Tools and preferences for debugging in the Domino Administrator . . . 119
  Domino Administrator tabs . . . 120
  Domino Administrator tools . . . 123
  Web Administrator . . . 123
  Setting up the Web Administrator . . . 124
  Starting the Web Administrator . . . 127
  Using the Web Administrator . . . 127
  Configuring Domino and Portal Server federated administration . . . 130
  Setting up and using Web Administration Server Bookmarks . . . 133
  The Server Controller and the Domino Console . . . 134
  Starting and stopping the Server Controller . . . 134
  Starting and stopping the Domino Console . . . 135
  Modifying server properties for a server in the Web Administration Server Properties Bookmarks . . . 136

Chapter 5. Installing and Setting Up Notes Clients . . . 137
  Planning for Notes client installation and upgrade . . . 137
  Products to install and order of installation . . . 137
  Considerations for installing and deploying Notes on Windows . . . 140
  Considerations for installing and deploying Notes on Linux . . . 146
  Considerations for installing and deploying Notes on Mac OS X . . . 147
  Considerations for installing and deploying Notes on Citrix . . . 148
  Enabling Notes Client Single Login during install or upgrade . . . 148
  Setting up Notes with a scriptable setup . . . 148
  Setting up and customizing Notes installation . . . 152
  Customizing the Notes install kit . . . 153
  Customizing Notes install for Linux RPM or DEB . . . 168
  Installing and subscribing to preset feeds . . . 171
  Customizing Notes install using the tuner . . . 171
  Customizing Notes using a plugin_customization.ini file . . . 177
  Using the Multilingual User Interface (MUI) pack on Windows . . . 177
  Using the Native Language (NL) packs . . . 181
  Instant messaging and client installation and setup . . . 182
  Installing Notes in a single user environment . . . 183
  Installing and upgrading Notes on Windows for single user . . . 184
  Installing and upgrading Notes on Citrix for single user . . . 185
  Installing Notes in a multi-user environment . . . 186
  Installing and upgrading Notes on Windows for multi-user . . . 186
  Installing and upgrading Notes on Linux . . . 188
  Installing and upgrading Notes on Mac OS X . . . 194
  Installing and upgrading Notes on Citrix for multi-user . . . 195
  Configuring custom data directories for multi-user install or upgrade on Windows or Citrix . . . 195
  Upgrading to a new release or moving data directory content within a release . . . 196
  Adding or removing installed Notes features within a release . . . 197
  Upgrading a Notes single user install to multi-user . . . 197
  Automating Notes installation using a silent install . . . 198
  Running a Notes silent install . . . 198
  Running a silent install or upgrade using optional arguments . . . 199
  Using the install manifest default setting for silent feature specification . . . 201
  Performing a Notes silent install on Windows . . . 201
  Performing a Notes multi-user silent install . . . 203
  Performing a Notes silent install on Mac OS X . . . 204
  Calling a transform file during Notes silent install . . . 204
  Providing a batch file for Notes client silent install . . . 204
  Providing command line utilities for Notes install . . . 205
  Installing and running Notes on a USB drive . . . 205
  Installing Notes basic configuration on a USB drive . . . 206
  Enabling the autorun process to start at Notes login . . . 208
  Running Notes basic configuration from a USB drive . . . 208
  Installing Notes in a shared network directory . . . 209
  To set up the shared network installation . . . 209
  Managing client plug-in deployment . . . 210
  Client feature deployment . . . 210
  Installing a new feature using the Notes install kit . . . 212
  Deploying client plug-ins with widgets and the widget catalog . . . 212
  Updating a widget-deployed client feature or plug-in . . . 219
  Creating a customized add-on installer . . . 219
  Creating a new feature . . . 221
  Signing custom or third-party features and plug-ins for install and update . . . 221
  Creating and using an NSF-based update site . . . 227
  Limiting feature install and update with update sites . . . 231
  Configuring component update for composite applications . . . 237
  Enabling user-initiated update with EUM . . . 241
  Creating and using a traditional third-party installer . . . 242

Chapter 6. Upgrading Notes Clients . . . 247
  Upgrading Notes clients . . . 247
  Before you upgrade the Notes client . . . 248
  Using Upgrade-by-mail . . . 249
  Before you use Upgrade-by-mail . . . 249
  Backing up Notes client files . . . 250
  Creating the upgrade notification for Upgrade-by-mail . . . 250
  Installing Lotus Notes with Upgrade-by-mail . . . 251
  Upgrading the mail file template with Upgrade-by-mail . . . 251
  Using Notes Smart Upgrade . . . 252
  Prerequisites . . . 252
  To use Lotus Notes Smart Upgrade, follow this procedure: . . . 252
  How Smart Upgrade performs an upgrade . . . 253
  Smart Upgrade server failover to another clustered server . . . 253
  Creating a Smart Upgrade application . . . 254
  Smart Upgrade Tracking Reports application . . . 254
  Controlling the number of concurrent Smart Upgrade downloads . . . 255
  Creating a link to the Smart Upgrade database . . . 256
  Adding update kits to the Smart Upgrade application . . . 257
  Creating a Lotus Notes Smart Upgrade desktop policy settings document . . . 261
  Using Smart Upgrade to run a series of client upgrades . . . 262
  Notes users and Lotus Notes Smart Upgrade . . . 262
  Maintaining Lotus Notes Smart Upgrade . . . 263
  Using the Smart Upgrade Run-As wizard . . . 263

Chapter 7. Uninstalling the Notes Client . . . 267
  Uninstalling Notes . . . 267
  Uninstalling Notes from a Windows client . . . 267
  Uninstalling Notes from a Linux client . . . 267
  Uninstalling Notes from a Mac OS X client . . . 269
  Uninstalling Notes from a Citrix client . . . 269
  Uninstalling Notes silently . . . 270
  Cleaning a previous or partial Notes installation from your client . . . 270

Chapter 8. Additional documentation resources . . . 273
  Additional documentation resources . . . 273
  Product wikis . . . 273
  Lotus Notes and Domino Wiki . . . 273
  Lotus Expeditor Wiki . . . 273
  Information Centers . . . 273
  Lotus Notes Help in the Domino and Notes Information Center . . . 273
  Domino Designer Help in the Domino and Notes Information Center . . . 274
  WebSphere Portal Information Center . . . 274
  Sametime Information Center . . . 274
  Domino 8.0 Help in the Domino and Notes Information Center . . . 274
  IBM Lotus Expeditor Information Center . . . 275
  IBM Tivoli Enterprise Console Information Center . . . 275
  Lotus C API Toolkit . . . 275
  Lotus Protector for Mail Security documentation . . . 275
  DB2 Information Center . . . 275
  IBM i resources . . . 275
  Installing and Managing Domino 8 for System i . . . 275
  IBM i technotes and other sources . . . 275
  Support and other resources . . . 276
  Lotus Notes and Domino Support . . . 276
  WebSphere Portal Support . . . 276
  Lotus Domino DeveloperWorks . . . 276
  Smart Upgrade Kits . . . 276
  IBM Passport Advantage Web site . . . 276
  Search the Web to obtain more help . . . 276

Index . . . 279


Chapter 1. Deploying Domino

This chapter outlines the steps required to deploy IBM Lotus Domino(TM) successfully and introduces important concepts that you need to know before you install Domino servers.

Domino server installation

The first step in deploying an IBM(R) Lotus(R) Domino(R) server is installation, or copying the program files to the system's hard drive.

To install Domino, see the following procedures:

• Installing Domino on Microsoft(R) Windows(R) systems

• Installing Domino on UNIX(R) systems

• Installing Domino on IBM i

• Using silent server installation to install Domino on Windows or UNIX systems

• Installing Domino on Linux on IBM(R) System z systems

• Using silent server install on Linux on System z systems

Guidepost for deploying Domino

Whether you're setting up IBM(R) Lotus(R) Domino(R) and IBM(R) Lotus(R) Notes(R) for the first time or adding to an established Domino environment, planning is vital. Along with determining your company's needs, you need to plan how to integrate Domino into your existing network. After planning is complete, you can begin to install and set up Domino servers and the Domino Administrator and build the Domino environment. The following list describes, in order, the process to use to deploy Domino.

1. Determine your company's server needs. Decide where to locate each server physically, taking into consideration local and wide-area networks and the function of each server.

2. Develop a hierarchical name scheme that includes organization and organizational unit names.

3. Decide whether you need more than one Domino domain.

4. Understand how server name format affects network name-to-address resolution for servers. Ensure that the DNS records for your company are the correct type for the server names.

5. Determine which server services to enable.

6. Determine which certificate authority to use.

7. Install and set up the first Domino server.

8. Install and set up the Domino Administrator client on the administrator's machine.

9. Complete network-related server setup.

10. If the Domino server is offering Internet services, set up Internet Site documents. There are some instances where Internet Site documents are required.

11. Specify administration preferences.

12. Create additional certifier IDs to support the hierarchical name scheme.


13. Set up recovery information for the certifier IDs.

14. Add the administrator's ID to the recovery information for the certifier IDs and then distribute the certifier IDs, as necessary, to other administrators.

15. Register additional servers.

16. If you did not choose to do so during first server setup, create a group in the Domino Directory for all administrators, and give this group Manager access to all databases on the first server.

17. Install and set up additional servers.

18. Complete network-related server setup for each additional server.

19. Build the Domino environment.

Getting started with Domino for IBM i

For information about getting started with IBM(R) Lotus(R) Domino(R) for IBM(R) i and other sources of information, see Techdoc number 7013148 - Domino 8.5 for i: Getting started.

Functions of Domino servers

Before you install and set up the first IBM(R) Lotus(R) Domino(R) server, consider the function and physical location of the servers that your company needs and determine how to connect the servers to each other. The current configuration of local and wide-area networks affects many of these decisions.

Consider your company's need for:

• Servers that provide IBM(R) Lotus(R) Notes(R) or browser users with access to applications

• Hub servers that handle communication between servers that are geographically distant

• Web servers that provide browser users with access to Web applications

• Servers that manage messaging services

• Directory servers that provide users and servers with information about how to communicate with other users and servers

• Passthru servers that provide users and servers with access to a single server that provides access to other servers

• Domain Search servers that provide users with the ability to perform searches across all servers in a Domino domain

• Clustered servers that provide users with constant access to data and provide load-balancing and failover

• Partitioned servers that run multiple instances of the Domino server on a single computer

• Firewall servers that provide Notes users with access to internal Domino services and protect internal servers from outside users

• xSP servers that provide users with Internet access to a specific set of Domino applications

Your decisions help determine which types of Domino servers you require. When you install each server, you must select one of the following installation options:

• Domino Utility Server -- Installs a Domino server that provides application services only, with support for Domino clusters. The Domino Utility Server is an installation type for Lotus Domino that removes client access license requirements. Note that it does NOT include support for messaging services. See full licensing text for details.


• Domino Messaging Server -- Installs a Domino server that provides messaging services. Note that it does NOT include support for application services or Domino clusters.

• Domino Enterprise Server -- Installs a Domino server that provides both messaging and application services, with support for Domino clusters.

Note: All three types of installations support Domino partitioned servers. Only the Domino Enterprise Server supports a service provider (xSP) environment.

Hierarchical naming for servers and users

Hierarchical naming is the cornerstone of IBM(R) Lotus(R) Domino(R) security; therefore planning it is a critical task. Hierarchical names provide unique identifiers for servers and users in a company. When you register new servers and users, the hierarchical names drive their certification, or their level of access to the system, and control whether users and servers in different organizations and organizational units can communicate with one another.

Before you install Domino servers, create a diagram of your company and use the diagram to plan a meaningful name scheme. Then create certifier IDs to implement the name scheme and ensure a secure system.

A hierarchical name scheme uses a tree structure that reflects the actual structure of a company. At the top of the tree is the organization name, which is usually the company name. Below the organization name are organizational units, which you create to suit the structure of the company; you can organize the structure geographically, departmentally, or both.

For example, the Acme company created this diagram for their servers and users:

Looking at Acme's diagram, you can see where they located their servers in the tree. Acme decided to split the company geographically at the first level and create certifier IDs for the East and West organizational units. At the next level down, Acme made its division according to department.

Components of a hierarchical name: A hierarchical name reflects a user's or server's place in the hierarchy and controls whether users and servers in different organizations and organizational units can communicate with one another. A hierarchical name may include these components:

• Common name (CN) -- Corresponds to a user's name or a server's name. All names must include a common name component.

• Organizational unit (OU) -- Identifies the location of the user or server in the organization. Domino allows for a maximum of four organizational units in a hierarchical name. Organizational units are optional.


• Organization (O) -- Identifies the organization to which a user or server belongs. Every name must include an organization component.

• Country (C) -- Identifies the country in which the organization exists. The country is optional.

An example of a hierarchical name that uses all of the components is:

Julia Herlihy/Sales/East/Acme/US

Typically a name is entered and displayed in this abbreviated format, but it is stored internally in canonical format, which contains the name and its associated components, as shown below:

CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US

Note: You can use hierarchical naming with wildcards as a way to isolate a group of servers that need to connect to a given Domino server in order to route mail.

Domino domains

A Domino domain is a group of IBM(R) Lotus(R) Domino(R) servers that share the same Domino Directory. As the control and administration center for Domino servers in a domain, the Domino Directory contains, among other documents, a Server document for each server and a Person document for each Notes user.

Planning for Domino domains: There are four basic scenarios for setting up Domino domains. The first scenario, which many small- and medium-size companies use, involves creating only one Domino domain and registering all servers and users in one Domino Directory. This scenario is the most common and the easiest to manage.

The second scenario is common when a large company has multiple independent business units. In this case, one organization spread across multiple domains may be the best scenario. Then all servers and users are members of the same organization, and each business unit administers its own Domino Directory.

For more information on administering multiple Domino directories, see the chapter Planning Directory Services.

A third scenario is common when multiple companies work closely together yet want to retain individual corporate identities. Then one domain and multiple organizations may work best.

Finally, the fourth scenario involves maintaining multiple domains and multiple organizations. This scenario often occurs when one company acquires another.

Sometimes the decision to create multiple Domino domains is not based on organizational structure at all. For example, you may want to create multiple Domino domains if you have slow or unreliable network connections that prohibit frequent replication of a single, large directory. Keep in mind that working with multiple domains requires additional administrative work and requires you to set up a system for managing them.

Domains can be used as a broad security measure. For example, you can grant or deny a user access to servers and databases, based on the domain in which the user is registered. Using an extended ACL is an alternative to creating multiple domains, because you can use the extended ACL to specify different levels of access to a single Domino Directory, based on organization name hierarchy.

For more information on extended ACLs, see the chapter Setting Up Extended ACLs.

Partitioned servers

Using IBM(R) Lotus(R) Domino(R) server partitioning, you can run multiple instances of the Domino server on a single computer. By doing so, you reduce hardware expenses and minimize the number of computers to administer because, instead of purchasing multiple small computers to run Domino servers that might not take advantage of the resources available to them, you can purchase a single, more powerful computer and run multiple instances of the Domino server on that single machine.

On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases.

If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault recovery feature restarts only that partition, not the entire computer.

Partitioned servers can provide the scalability you need while also providing security. As your system grows, you can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if you require high availability of databases. Security for a partitioned server is the same as for a single server.

When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the server runs on UNIX(R), there is an alternative means to run multiple instances of Domino on the server: on UNIX, you can run different versions of Domino on a single computer, each version with its own program directory. You can even run multiple instances of each version by installing it as a Domino partitioned server.

If the server runs on IBM i, you can use multi-versioning support to install and run multiple Domino servers at different release levels. For more information about setting up partitioned or multi-version servers on IBM i, see the Installing and Managing Domino 8 for System i documentation.

Deciding whether to use partitioned servers: Whether or not to use partitioned servers depends, in part, on how you set up Domino domains. A partitioned server is most useful when the partitions are in different Domino domains. For example, using a partitioned server, you can dedicate different Domino domains to different customers or set up multiple Web sites. A partitioned server with partitions all in the same Domino domain often uses more computer resources and disk space than a single server that runs multiple services.

When making the decision to use partitioned servers, remember that it is easier to administer a single server than it is to administer multiple partitions. However, if your goal is to isolate certain server functions on the network -- for example, to isolate the messaging hub from the replication hub or isolate work groups for resource and activity logging -- you might be willing to take on the additional administrative work. In addition, running a partitioned server on a multiprocessor computer may improve performance, even when the partitions are in the same domain, because the computer simultaneously runs certain processes.

To give Notes users access to a Domino server where they can create and run Domino applications, use a partitioned server. However, to provide customers with Internet access to a specific set of Domino applications, set up an xSP server environment.

Note: xSP is not supported on IBM i.

Deciding how many partitions to have: How many partitions you can install without noticeably diminishing performance depends on the power of the computer and the operating system the computer uses. For optimal performance, partition multiprocessor computers that have at least one, and preferably two, processors for each partition that you install on the computer.

Certifier IDs and certificates

Certifier IDs and certificates form the basis of IBM(R) Lotus(R) Domino(R) security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to stamp each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.

Note: You can register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino server-based certification authority (CA).

For more information about server-based CAs, see the chapter Setting Up a Domino server-based certification authority.

Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier document. The ID file contains the ID that you use to register servers and users. The Certifier document serves as a record of the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that issued it, and the names of certificates associated with it.

Note: During server setup, you can use an existing certifier ID instead of creating a new one. The certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to use a certifier ID with multiple passwords generates an error message and causes server setup to halt.

There are two types of certifier IDs: organization and organizational unit.

Organization certifier ID: The organization certifier appears at the top of the name tree and is usually the name of the company -- for example, Acme. During first server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino data directory, giving it the name CERT.ID. During first server setup, this organization certifier ID automatically certifies the first Domino server ID and the administrator's user ID.


If your company is large and decentralized, you might want to use the Domino Administrator after server setup to create a second organization certifier ID to allow for further name differentiation -- for example, to differentiate between company subsidiaries.

For more information on working with multiple organizations, see the topic Domino domains earlier in this chapter.

Organizational unit certifier IDs: The organizational unit certifiers are at all the branches of the tree and usually represent geographical or departmental names -- for example, East/Acme or Sales/East/Acme. If you choose to, you can create a first-level organizational unit certifier ID during server setup, with the result that the server ID and administrator's user ID are stamped with the organizational unit certifier rather than with the organization certifier. If you choose not to create this organizational unit certifier during server setup, you can always use the Domino Administrator to do it later -- just remember to recertify the server ID and administrator's user ID.

For information on recertifying user IDs, see the chapter Setting Up and Managing Notes Users. For information on recertifying server IDs, see the chapter Maintaining Domino Servers.

You can create up to four levels of organizational unit certifiers. To create first-level organizational unit certifier IDs, you use the organization certifier ID. To create second-level organizational unit certifier IDs, you use the first-level organizational unit certifier IDs, and so on.

Using organizational unit certifier IDs, you can decentralize certification by distributing individual certifier IDs to administrators who manage users and servers in specific branches of the company. For example, the Acme company has two administrators. One administers servers and users in West/Acme and has access to only the West/Acme certifier ID, and the other administers servers and users in East/Acme and has access to only the East/Acme certifier ID.

Certifier security: By default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. When you use the Domino Administrator to create an additional organization certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area.

User ID recovery: To provide ID and password recovery for Notes users, you need to set up recovery information for each certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the recovery information, and the user ID files themselves must be made recoverable. There are three ways to do this:

• At user registration, create the ID file with a certifier ID that contains recovery information.

• Export recovery information from the certifier ID file and have the user accept it.

• (Only for servers using the server-based certification authority) Add recovery information to the certifier. Then, when existing users authenticate to their home server, their IDs are automatically updated.

For more information, see the chapter Protecting and Managing Notes IDs.


    Example of how certifier IDs mirror the hierarchical name scheme: To implement their hierarchical name scheme, the Acme company created a certifier ID at each branch of the hierarchical name tree.

    To register each server and user, Acme does the following:

    v Creates /Acme as the organization certifier ID during first server setup.

    v Uses the /Acme certifier ID to create the /East/Acme and /West/Acme certifier IDs.

    v Uses the /East/Acme certifier ID to register servers and users in the East coast offices and uses the /West/Acme certifier ID to register servers and users in the West coast offices.

    v Uses the /East/Acme certifier ID to create the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme certifier IDs.

    v Uses the /West/Acme certifier ID to create the /HR/West/Acme, /Accounting/West/Acme, and IS/West/Acme certifier IDs.

    v Uses the /Sales/East/Acme, /Sales/Marketing/Acme, and Development/East/Acme certifier IDs to register users and servers in the East coast division.

    v Uses the /HR/West/Acme, /Accounting/West/Acme, and IS/West/Acme certifier IDs to register users and servers in the West coast division.

    Domino server services

    Before you start the Server Setup program, decide which services and tasks to set up on the server. If you don't select the services during the setup program, you can later enable them by editing the ServerTasks setting in the NOTES.INI file or by starting the server task from the server console.

    Internet services: The IBM(R) Lotus(R) Domino(R) Server Setup program presents these selections for Internet services:

    v Web Browsers (HTTP Web services)

    v Internet Mail Clients (SMTP, POP3, and IMAP mail services)


    v Directory services (LDAP)

    Advanced Domino services: These Domino services, which are necessary for the proper operation of the Domino infrastructure, are enabled by default when you set up a Domino server:

    v Database Replicator

    v Mail Router

    v Agent Manager

    v Administration Process

    v Calendar Connector

    v Schedule Manager

    v DOLS (Domino Off-Line Services)

    These are optional advanced Domino server services that you can enable:

    v DIIOP CORBA Services

    v DECS (Domino Enterprise Connection Services)

    v Billing

    v HTTP Server

    v IMAP Server

    v ISpy

    v LDAP Server

    v POP3 Server

    v Remote Debug Server

    v SMTP Server

    v Stats

    v Statistic Collector

    v Web Retriever

    Note: It is best to use activity logging instead of the billing service.
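The audit script below is an added example, not IBM's code or anything shipped with Domino. It reads the ServerTasks setting from NOTES.INI text, reports which of the optional services listed above are enabled, compares the Internet listeners (HTTP, IMAP, LDAP, POP3, SMTP, DIIOP) with the ones you decided on before running the Server Setup program, and flags Billing in line with the note above. The NOTES.INI task-name spellings are assumptions, and the sample NOTES.INI content is constructed for the example.

```python
"""Audit which optional Domino services a NOTES.INI enables.

Added example, not IBM's code.  Task-name spellings are assumptions.
"""

# Assumed ServerTasks names for the optional services listed in this section.
OPTIONAL_TASKS = {
    "DIIOP": "DIIOP CORBA Services",
    "DECS": "DECS (Domino Enterprise Connection Services)",
    "Billing": "Billing",
    "HTTP": "HTTP Server",
    "IMAP": "IMAP Server",
    "LDAP": "LDAP Server",
    "POP3": "POP3 Server",
    "SMTP": "SMTP Server",
    "Collect": "Statistic Collector",
}
# Tasks that open a listener for clients other than NRPC (the Internet services).
INTERNET_TASKS = {"HTTP", "IMAP", "LDAP", "POP3", "SMTP", "DIIOP"}

# Constructed NOTES.INI fragment for the demonstration (not from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,Billing
ServerTasksAt1=Catalog,Design
"""


def parse_server_tasks(ini_text):
    """Return the task names from the ServerTasks line (key matched case-insensitively).

    Scheduled tasks (ServerTasksAtN) are deliberately left out; they are not
    long-running services.  A task written as 'RunJava Foo' is reported as 'Foo'.
    """
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return [t.strip().split()[-1] for t in value.split(",") if t.strip()]
    return []


def audit_server_tasks(ini_text, intended_internet_services):
    """Compare the enabled tasks with the Internet services chosen at planning time.

    Returns the enabled optional services, Internet listeners that were not
    planned (candidates to remove), planned services that are not enabled, and
    whether Billing is on (activity logging is preferred, per the note above).
    """
    enabled = set(parse_server_tasks(ini_text))
    intended = set(intended_internet_services)
    return {
        "optional_enabled": sorted(t for t in enabled if t in OPTIONAL_TASKS),
        "unplanned_internet": sorted((enabled & INTERNET_TASKS) - intended),
        "missing_internet": sorted(intended - enabled),
        "billing_enabled": "Billing" in enabled,
    }


if __name__ == "__main__":
    # Planning decision for the sample: only Web browsers (HTTP) were selected.
    for key, value in audit_server_tasks(SAMPLE_NOTES_INI, {"HTTP"}).items():
        print(f"{key}: {value}")
```

Run against a real NOTES.INI, the "unplanned_internet" list is the set of listeners to remove from ServerTasks (or to account for in the firewall rules discussed later in this book), and "missing_internet" shows planned services that the setup program did not enable.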

    Table of Domino naming requirements

    Consider these guidelines when naming parts of the IBM(R) Lotus(R) Domino(R) system.

    Domino domain
    Characters: 31 maximum
    Tips:
    v This is usually the same as the organization name.
    v Use a single word, made up of only alpha (A-Z) or numeric (0-9) characters.

    Notes named network
    Characters: 31 maximum
    Tips:
    v By default, the Server Setup program assigns names in the format "port name network" -- for example, TCP/IP network.
    v Edit Notes named network names to use an identifier such as the location of the IBM Lotus Notes named network and the network protocol -- for example, TCPIP-Boston.

    Organization
    Characters: 3-64 maximum*
    Tips:
    v This name is typically the same as the Domino domain name.
    v The organization name is the name of the certifier ID and is appended to all user and server names.

    Organizational unit
    Characters: 32 maximum*
    Tips:
    v There can be up to four levels of organizational units.

    Server
    Characters: 255 maximum
    Tips:
    v Choose a name you want to keep. If you change a server name, you must recertify the server ID.
    v Choose a name that meets your network's requirements for unique naming. On TCP/IP, use only the characters 0 through 9, A through Z, and - (dash). On NetBIOS, the first 15 characters must be unique. On SPX, the first 47 characters must be unique.
    v Keep in mind that Domino performs replication and mail routing on servers named with numbers before it does those tasks on servers named with alphabetic characters.

    User
    Characters: 79 maximum*
    Tips:
    v Use a first and last name. A middle name is allowed, but usually not needed. User names may contain the ' (apostrophe).

    Alternate user
    Characters: No minimum
    Tips:
    v Can have only one alternate name.

    Group
    Characters: 62 maximum
    Tips:
    v Use any of these characters: A - Z, 0 - 9, & - . _ ' / and the space (ampersand, dash, period, space, underscore, apostrophe, forward slash). The only characters that are expressly prohibited are @ and //.
    Note: You can create groups with hierarchical distinguished names (DN). However, you must surround a forward slash (/) that appears in a component value of a DN with double quotes. For example, "24/7 Support".
    Note: Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.
    v For mail routing, you can nest up to five levels of groups. For all other purposes, you can nest up to six levels of groups.

    Port
    Characters: No maximum
    Tips:
    v Do not include spaces.

    Country code
    Characters: 0 or 2
    Tips:
    v Optional.

    * This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-), period (.), space ( ), and underscore (_).
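To connect the Acme certifier hierarchy shown earlier with the naming table, here is an added example (not IBM's code) that parses a Notes hierarchical name, derives the certifier ID that must have registered it, checks the four-level limit on organizational units, and validates individual names against the length and character rules in the table. It accepts both the abbreviated form (Sue Jones/Sales/East/Acme) and the canonical form with CN=, OU=, O= and C= labels. The sample names are constructed; the rule that a trailing two-letter component of an abbreviated name is the country code is an inference from the table's minimum of three characters for an organization name.

```python
"""Check Notes hierarchical names against the naming rules tabulated above.

Added example, not IBM's code.  The rules are transcribed from the table;
sample names are constructed.
"""
import re

# Footnote (*) character set: alpha, numeric, ampersand, dash, period, space, underscore.
STAR_CHARS = re.compile(r"[A-Za-z0-9&\-. _]+")

# Per name type: (maximum length or None, pattern the whole value must match).
RULES = {
    "domain": (31, re.compile(r"[A-Za-z0-9]+")),        # one word, alpha/numeric only
    "organization": (64, STAR_CHARS),                     # 3-64 characters
    "organizational unit": (32, STAR_CHARS),
    "server": (255, re.compile(r"[A-Za-z0-9-]+")),        # TCP/IP-safe subset
    "user": (79, re.compile(r"[A-Za-z0-9&\-. _']+")),     # * set plus apostrophe
    "group": (62, re.compile(r"[A-Za-z0-9&\-. _'/]+")),   # @ and // are prohibited
    "port": (None, re.compile(r"\S+")),                    # no spaces
}
MAX_OU_LEVELS = 4


def validate_name(kind, value):
    """Return a list of findings; an empty list means the name passes the table."""
    max_len, pattern = RULES[kind]
    if not value:
        return ["empty name"]
    findings = []
    if max_len is not None and len(value) > max_len:
        findings.append(f"longer than {max_len} characters")
    if kind == "organization" and len(value) < 3:
        findings.append("shorter than 3 characters")
    if kind == "group" and re.search(r"@|//", value):
        findings.append("contains '@' or '//', which are expressly prohibited")
    elif not pattern.fullmatch(value):
        findings.append("contains characters outside the allowed set")
    elif kind == "group" and "/" in value:
        findings.append("contains '/', which is only appropriate in a hosted environment")
    return findings


def parse_hierarchical_name(name):
    """Split a hierarchical name into (common name, [OUs], organization, country).

    Accepts the canonical form 'CN=Sue Jones/OU=Sales/OU=East/O=Acme/C=US' and
    the abbreviated form 'Sue Jones/Sales/East/Acme/US'.  In the abbreviated form
    a trailing two-letter component is taken as the optional country code; that
    is unambiguous because the table gives organization names a minimum of 3.
    """
    parts = [p for p in name.strip().strip("/").split("/") if p]
    country = None
    if parts and (parts[-1].upper().startswith("C=") or
                  ("=" not in parts[-1] and len(parts[-1]) == 2 and parts[-1].isalpha())):
        country = parts.pop().split("=", 1)[-1]
    if len(parts) < 2:
        raise ValueError("need at least a common name and an organization")
    common, *ous, org = [p.split("=", 1)[-1] for p in parts]
    return common, ous, org, country


def check_hierarchical_name(name):
    """Derive the registering certifier and collect rule violations for one name."""
    common, ous, org, country = parse_hierarchical_name(name)
    findings = []
    if len(ous) > MAX_OU_LEVELS:
        findings.append(f"{len(ous)} organizational unit levels; at most {MAX_OU_LEVELS} are allowed")
    for ou in ous:
        findings += [f"OU '{ou}' {f}" for f in validate_name("organizational unit", ou)]
    findings += [f"organization '{org}' {f}" for f in validate_name("organization", org)]
    if country is not None and len(country) != 2:
        findings.append("country code must be exactly 2 characters")
    # The certifier that stamped this name is the name minus its common name, e.g.
    # Sue Jones/Sales/East/Acme was registered with the /Sales/East/Acme certifier.
    certifier = "/" + "/".join(ous + [org])
    return {"common_name": common, "ou_depth": len(ous), "certifier": certifier,
            "country": country, "findings": findings}


if __name__ == "__main__":
    for sample in ("Sue Jones/Sales/East/Acme", "CN=Mail-01/OU=HR/OU=West/O=Acme/C=US",
                   "Pat Lee/L1/L2/L3/L4/L5/Acme"):
        print(sample, "->", check_hierarchical_name(sample))
    print(validate_name("group", "Sales@Acme"), validate_name("server", "mail_01"))
```

The "certifier" value is what an administrator needs when deciding which certifier ID file (and therefore which administrator, in a decentralized scheme) is responsible for a given user or server; the "findings" list catches names that the table would reject before they are registered and later need recertifying.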


    Building the Domino environment

    After installing the first IBM(R) Lotus(R) Domino(R) server and any additional servers, you configure the servers and build the environment.

    This overview lists the features that you may want to include in your Domino environment.

    1. Create connection documents for server communication.

    2. If you have mobile users, set up mobile support and RAS.

    3. Set up mail routing.

    4. Establish a replication schedule.

    5. Configure incoming and outgoing Internet mail (SMTP).

    6. Customize the administration process for your organization.

    7. Plan and create policies before you register users and groups.

    8. Register users and groups.

    9. Determine backup and maintenance plans and consider transaction logging.

    10. Consider remote server administration from the Domino console or Web Administrator console. Also consider the use of an extended administration server.

    11. Set up a mobile directory catalog on Notes clients to give Notes users local access to a corporate-wide directory.

    12. Consider implementing clustering on servers.


    Chapter 2. Setting up the Domino Network

    This chapter describes planning concepts and presents protocol-specific procedures required to run IBM(R) Lotus(R) Domino(TM) on a network. The chapter describes using network protocols from a Domino perspective and does not provide general network information.

    Network Configuration

    This section presents the planning concepts and setup procedures necessary for a successful IBM(R) Lotus(R) Domino(TM) deployment over a network. It provides information on network protocols from a Domino perspective but does not attempt to provide general network information.

    v Lotus Domino and networks

    v Network security

    v Planning the TCP/IP network

    v Planning the NetBIOS network

    v Setting up Domino servers on the network

    Lotus Domino and networks

    A variety of client systems can use wireless technology or modems to communicate with IBM(R) Lotus(R) Domino(R) servers over local area networks (LANs), wide area networks (WANs), and metropolitan area networks (MANs). Computers use one or more protocols to govern how they share information over a network. For example, IBM(R) Lotus(R) Notes(R) workstations and Domino servers use the Notes remote procedure call (NRPC) protocol running over the LAN's network protocol to communicate with other Domino servers. Other client systems, such as Web browsers, Internet mail clients, wireless application protocol (WAP) devices, and personal information management (PIM) devices, can also communicate with Domino servers.

    Note: Support for dialup modem (X.PC) connections is available only in releases of Domino(R) earlier than release 8.5. You may continue to use Domino Administrator 8.5 to configure and maintain modem support, but only on servers running pre-8.5 releases.

    Isolated LANs can be connected by WANs. A WAN is either a continuous connection -- such as a frame-relay, leased telephone line, or digital subscriber line (DSL) -- or a dialup connection over a modem or Integrated Services Digital Network (ISDN) line. Dialup connections are either to an individual server or to a LAN (through a provider network or your company's own communications server).

    Buildings or sites that are geographically close to each other can use a MAN, which is a continuous, high-speed connection that can connect corporate LANs or connect a LAN to the WAN. Like a WAN, a MAN is usually shared by multiple organizations.

    Wireless technology that works with Domino ranges from localized transmission systems (802.11a or 802.11b) to national or international satellite transmission systems that are geostationary, mid-orbit, or tracked orbit.


    If you are planning a network for geographically dispersed locations, consider how to achieve a cost-effective infrastructure. Placing servers in one location requires that users in other locations access the Domino server across WAN connections, which can be slow and expensive. Placing servers in every location and replicating databases to make the same information available on several LANs requires attention to administration at each location. One effective way to set up a network is to use a hub server at each location to handle communication with hub servers in other locations. Then, only the hub servers, not every server in the network, use WAN connections.

    The functionality of Notes workstations and Domino servers depends on the effectiveness and capacity of networks. To plan a Domino network with sufficient capacity, you must consider not only the traffic to and from Domino servers but also any other traffic on the network.

    Avoiding port conflicts on IBM i

    IBM(R) i and IBM(R) Lotus(R) Domino(R) both provide some of the same Internet protocols; therefore, if your configuration is not correct it is possible to have port conflicts. Services such as SMTP, POP3, HTTP and LDAP need to be configured so that they do not conflict.

    For information about configuring services to avoid port conflicts, see the following chapters of Installing and Managing Domino 8 for System i:

    v Chapter 15 - Using Domino as a mail server

    v Chapter 16 - Domino as a Web server

    v Chapter 17 - About Directory services and Domino, section title Using Lightweight Directory Access Protocol

    NRPC communication

    IBM(R) Lotus(R) Domino(R) servers offer many different services. The foundation for communication between IBM(R) Lotus(R) Notes(R) workstations and Domino servers or between two Domino servers is the Notes remote procedure call (NRPC) service.

    Network protocols for NRPC communication: To communicate, two computers must run the same network protocol and software driver.

    Notes and Domino support PPP using either Microsoft Dialup Networking (DUN) or Remote Access Service (RAS) for network dialup. In addition, you can use any IETF-compliant PPP communications server to dial into the network on which the Domino server resides or through which the server can be accessed.

    On LANs, Lotus Domino is compatible with TCP/IP and with NetBIOS over the lower transport IP. For NetBIOS connections to work, both Notes workstations and Domino servers must use the same lower transport.

    For detailed information on which protocols are compatible with Lotus Domino for each supported operating system, see the Release Notes.

    Notes network ports: During the Server Setup program, Domino provides a list of Notes network ports based on the current operating system configuration. If these ports are not the ones you want to enable for use with the Domino server, you can edit the list during setup.


    Because each network protocol consumes memory and processing resources, you might want to exclude one or more ports and later remove the associated protocol software from the system.

    In TCP/IP and NetBIOS, you can install multiple network interface cards (NICs) and enable additional Notes network ports for each protocol, using the NOTES.INI file to bind each port to a separate IP address or NetBIOS LANA number.

    Notes named networks: Consider Notes named networks in your planning. A Notes named network (NNN) is a group of servers that can connect to each other directly through a common LAN protocol and network pathway -- for example, servers running on TCP/IP in one location. Servers on the same NNN route mail to one another automatically, whereas you need a Connection document to route mail between servers on different NNNs.

    When you set up Server documents, be sure to assign each server to the correct NNN. Lotus Domino expects a continuous connection between servers that are in the same NNN, and serious delays in routing can occur if a server must dial up a remote LAN because the remote server is inadvertently placed within the NNN. Also bear in mind that the Notes Network field for each port can contain only one NNN name, and no two NNN names can be the same.

    NNNs affect Notes users when they use the Open Application dialog box. When a user selects Other to display a list of servers, the servers displayed are those on the NNN of the user's home server for the port on which the Notes workstation communicates with the home server. Also, when users click on a database link or document link, if a server in their home server's NNN has a replica of that database, they can connect to the replica.

    Note: If a server is assigned to two NNNs in the same protocol, as in the case where the server has two Notes network ports for TCP/IP, a Notes workstation or Domino server connecting to that server uses the NNN for the port listed first in the Server document.

    Resolving server names to network addresses in NRPC

    Communications between IBM(R) Lotus(R) Notes(R) and IBM(R) Lotus(R) Domino(R) run over the NRPC protocol on top of each supported LAN protocol. When a Notes workstation or Domino server attempts to connect to a Domino server over a LAN, it uses a combination of the built-in Notes Name Service and the network protocol's name-resolver service to convert the name of the Domino server to a physical address on the network.

    The Notes Name Service resolves Domino common names to their respective protocol-specific names. Because the Notes Name Service resolves common names by making calls to the Domino Directory, the service becomes available to the Notes workstation only after the workstation has successfully connected to its home (messaging) server for the first time. (The protocol name-resolver service normally makes the first connection possible.) When the Notes workstation makes a subsequent attempt to connect to a Domino server, the Notes Name Service supplies it with the Domino server's protocol-specific name -- that is, the name that the server is known by in the protocol's name service -- which is stored in the protocol's Net Address field in the Server document. The protocol's name-resolver service then resolves the protocol-specific name to its protocol-specific address, and the workstation is able to connect to the server.


    Note: When resolving names of Domino servers that offer Internet services, Lotus Notes uses the protocol's name-resolver service directly.

    How name resolution works in NRPC: A Notes workstation or Domino server follows these steps to resolve the name of the Domino server to which it is trying to connect over NRPC.

    Note: If the Net Address field in the Server document contains a physical address -- a practice that is not recommended in a production environment -- the Notes Name Service performs the resolve directly, thus placing the burden of maintaining physical address changes on the Domino administrator.

    1. If the workstation/server has a Connection document for the destination server that contains the protocol-specific name, the workstation/server passes the protocol-specific name to the protocol's name-resolver service. If the Connection document contains a physical address, the Notes Name Service performs the resolve directly. Normal-priority Connection documents are checked first, and then low-priority Connection documents.

    Note: Unlike in Server documents, adding physical addresses in Connection documents is not discouraged, since only the local workstation/server uses the Connection document.

    2. To determine if the destination server's protocol-specific name is cached, the workstation checks the Location document and the server checks its own Server document. If the name is cached, the workstation/server uses the last-used Notes network port to determine the protocol and passes this value to the protocol's name-resolver service.

    3. If the protocol-specific name is not cached, one of the following occurs, based on the list order of enabled Notes network ports:

    v For a Notes workstation connected to the home (messaging) server, Notes gives the common name of the destination Domino server to the home server, which looks in the Domino Directory for the Server document of the destination server. The home server locates the contents of the Net Address field for the Notes named network that the Notes workstation has in common with the destination server and passes this name to the protocol's name-resolver service. If the workstation and the destination server are in the same Domino domain but not in the same Notes named network, the home server locates the names of each protocol that the workstation has in common with the destination server and passes each to the appropriate protocol until a resolve is made. If the Notes workstation can't access its home server, it connects to its secondary Notes name server, which carries out the same actions as the home server.

    v For a Domino server, Domino checks the Server document for the destination server, locates the contents of the Net Address field for the Notes named network that the Domino server has in common with the destination server, and passes this name to the protocol's name-resolver service. If the destination server is in the same Domino domain as the Domino server, but not in the same Notes named network, the Domino server locates the protocol name of each protocol that it has in common with the destination server and passes each to the appropriate protocol until a resolve is made.

    4. If Steps 1 through 3 do not produce the server's network address, the workstation/server offers the Domino common name of the destination server to the name-resolver service of each protocol, based on the order of the enabled network ports in the Server document.
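The four steps above, worked through as an added example (not IBM's code) in Python: a small simulator walks Steps 1 through 4 over constructed Connection documents, a cached protocol-specific name, a tiny Domino Directory, and a dictionary that stands in for the protocol's name-resolver service (DNS in a TCP/IP network), and it reports which step produced the address. It collapses the workstation and server cases into one path, because the Directory lookup in Step 3 is the same whether the home server performs it for a workstation or a server performs it for itself; the fallback to a secondary Notes name server is not modelled. All server names, host names, NNN names and IP addresses are constructed.

```python
"""Simulate the four-step NRPC name-resolution order described above.

Added example, not IBM's code.  Every server, address and Connection
document here is constructed; the name-resolver service is a dictionary
standing in for DNS (or another protocol's name service).
"""
import ipaddress
from dataclasses import dataclass, field


def is_physical_address(value):
    """True when a field holds an IP literal instead of a protocol-specific name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass
class NrpcResolver:
    ports: list          # enabled Notes network ports in Server-document order: [(port, protocol)]
    local_nnn: dict      # this system's Notes named network per port, e.g. {"TCPIP": "TCPIP-Boston"}
    local_domain: str    # this system's Domino domain
    directory: dict      # Server documents: name -> {"domain": ..., "ports": {port: (nnn, net_address)}}
    connections: list = field(default_factory=list)   # Connection documents (dicts)
    cache: dict = field(default_factory=dict)         # cached protocol-specific names: name -> (port, value)
    name_service: dict = field(default_factory=dict)  # simulated resolver: (protocol, name) -> address

    def _lookup(self, protocol, name):
        """Hand a protocol-specific name to that protocol's name-resolver service."""
        return self.name_service.get((protocol, name))

    def resolve(self, dest):
        """Return (address or None, which step produced it)."""
        protocol_for = dict(self.ports)
        # Step 1: Connection documents, normal priority before low priority.
        for priority in ("normal", "low"):
            for doc in self.connections:
                if doc["server"] != dest or doc["priority"] != priority:
                    continue
                if is_physical_address(doc["address"]):
                    # The Notes Name Service resolves a physical address directly.
                    return doc["address"], "step 1: physical address in Connection document"
                protocol = protocol_for.get(doc["port"])
                if protocol and (addr := self._lookup(protocol, doc["address"])):
                    return addr, "step 1: Connection document name via protocol resolver"
        # Step 2: a cached protocol-specific name, tried on the last-used port.
        if dest in self.cache:
            port, cached_name = self.cache[dest]
            protocol = protocol_for.get(port)
            if protocol and (addr := self._lookup(protocol, cached_name)):
                return addr, "step 2: cached protocol-specific name"
        # Step 3: the destination's Server document, in enabled-port order.
        server_doc = self.directory.get(dest)
        if server_doc:
            for port, protocol in self.ports:
                nnn, net_address = server_doc["ports"].get(port, (None, None))
                if nnn and nnn == self.local_nnn.get(port):
                    if addr := self._lookup(protocol, net_address):
                        return addr, f"step 3: common NNN {nnn}"
            if server_doc["domain"] == self.local_domain:
                # Same domain but no common NNN: try each protocol the two have in common.
                for port, protocol in self.ports:
                    _, net_address = server_doc["ports"].get(port, (None, None))
                    if net_address and (addr := self._lookup(protocol, net_address)):
                        return addr, f"step 3: same domain, common protocol {protocol}"
        # Step 4: offer the Domino common name itself to each protocol's resolver.
        common_name = dest.split("/")[0]
        for _, protocol in self.ports:
            if addr := self._lookup(protocol, common_name):
                return addr, f"step 4: common name via {protocol}"
        return None, "unresolved"


def build_sample():
    """A constructed Boston server with one TCP/IP port and a small directory."""
    return NrpcResolver(
        ports=[("TCPIP", "TCP")],
        local_nnn={"TCPIP": "TCPIP-Boston"},
        local_domain="Acme",
        directory={
            "Mail-01/Acme": {"domain": "Acme", "ports": {"TCPIP": ("TCPIP-Boston", "mail-01.acme.example")}},
            "Hub-West/Acme": {"domain": "Acme", "ports": {"TCPIP": ("TCPIP-Denver", "hub-west.acme.example")}},
        },
        connections=[
            {"server": "Partner/Other", "port": "TCPIP", "priority": "normal", "address": "partner.other.example"},
            {"server": "Archive/Acme", "port": "TCPIP", "priority": "low", "address": "192.0.2.30"},
        ],
        cache={"Sales-02/Acme": ("TCPIP", "sales-02.acme.example")},
        name_service={
            ("TCP", "mail-01.acme.example"): "192.0.2.10",
            ("TCP", "hub-west.acme.example"): "192.0.2.20",
            ("TCP", "sales-02.acme.example"): "192.0.2.40",
            ("TCP", "partner.other.example"): "198.51.100.5",
            ("TCP", "Legacy"): "192.0.2.50",   # known to DNS only by its common name (step 4)
        },
    )


if __name__ == "__main__":
    r = build_sample()
    for name in ("Partner/Other", "Archive/Acme", "Sales-02/Acme", "Mail-01/Acme",
                 "Hub-West/Acme", "Legacy/Acme", "Nowhere/Acme"):
        print(name, "->", r.resolve(name))
```

The step label returned alongside each address is the useful part for troubleshooting: a connection that succeeds only at Step 4 means the Server document's Net Address field or the NNN assignment is wrong for that server, and a Step 1 result from a physical address shows where a stale Connection document would keep pointing a client at an old address.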


    Network security

    Physical network security is beyond the scope of this book, but you must set it up before you set up connection security. Physical network security prevents unauthorized users from breaking through the network and using one of the operating system's native services -- for example, file sharing -- to access the server. Physical network security also comes into play when any data is exposed, as the potential exists for malicious or unauthorized users to eavesdrop both on the network where the IBM(R) Lotus(R) Domino(R) system resides and on the system you are using to set up the server.

    Network access is typically controlled using network hardware -- such as filtering routers, firewalls, and proxy servers. Be sure to enable rules and connection pathways for the services that you and others will access.

    Newer firewall systems offer virtual-private-network (VPN) services, which encapsulate the TCP/IP packet into another IP wrapper where the inner TCP/IP packet and its data are encrypted. This is a popular way to create virtual tunnels through the Internet between remote sites. If you want to have the Domino server access both a private VPN and the Internet for SMTP mail, make sure your solution is able to handle full TCP data packets and that it allows dual connections. If not, the Domino server system may require a second NIC to work around limitations of the VPN solution.

    NRPC and Internet connection security

    To control connection access, you typically use a network hardware configuration, such as a firewall, reverse proxy, or IBM(R) Lotus(R) Domino(R) passthru server, to which you can authorize connections and define access to network resources.

    In addition, you can encrypt all connections by service type. Encrypting connections protects data from access by malicious or unauthorized users. To prevent data from being compromised, encrypt all Domino and IBM(R) Lotus(R) Notes(R) services that connect to public networks or to networks over which you have no direct control. Encrypting the connection channel prevents unauthorized users from using a network protocol analyzer to read data.

    To encrypt NRPC network traffic, use the Notes port encryption feature. For traffic over Internet protocols, use SSL. For both NRPC and Internet protocols, you can enforce encryption at the server for all inbound and outbound connections. In the case of the Notes client, you can also enforce encryption on all outbound connections, even if the server to which you are connecting allows unencrypted connections.

    Because encryption adds additional load to the server, you may want to limit the services for which the server uses encryption. Other ways to minimize the load that encryption puts on the system include:

    v Using an additional Domino server acting as a passthru server for NRPC connections

    v Using a reverse proxy to manage authentication and encryption outside of Domino servers when using SSL

    v Removing unnecessary or unused protocols or services on the server system as well as Domino server services

    Using a Domino passthru server as a proxy

    A proxy is a system that understands the type of information transmitted -- for example, NRPC or HTTP-format information -- and controls the information flow between trusted and untrusted clients and servers. A proxy communicates on behalf of the requester and also communicates information back to the requester. A proxy can provide detailed logging information about the client requesting the information and the information that was transmitted. It can also cache information so requesters can quickly retrieve information again.

    A proxy stops direct access from an untrusted network to services on a trusted network. If an application proxy is in use, then application-specific heuristics can be applied to look at the connections from the untrusted networks and determine if what is being requested is legal or safe.

    An application proxy resides in the actual server application and acts as an intermediary that communicates on behalf of the requester. An application proxy works the same as a packet filter, except the application proxy delivers the packet to the destination. An application proxy can be used with any protocol, but it is designed to work with one application. For example, an SMTP proxy understands only SMTP.

    A circuit-level proxy is similar to an application proxy, except that it does not need to understand the type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You can use a circuit-level proxy to communicate using Internet protocols with TCP/IP -- that is, IMAP, LDAP, POP3, SMTP, IIOP, and HTTP, as well as Internet protocols secured with SSL.

    HTTP is a special case. In IBM(R) Lotus(R) Domino(R), when the HTTP Connect method is used by an HTTP proxy, applications using other protocols can also use the HTTP proxy, but they use it as a circuit-level proxy, not as an application proxy. SSL uses the HTTP Connect method to get through an application proxy because the data is encrypted and the application proxy cannot read the data. HTTPS (HTTP and SSL) uses both the HTTP proxy and the Connect method, which implies that the HTTP proxy is a circuit-level proxy for HTTPS. The same method is used to get NRPC, IMAP, and other protocols through the HTTP proxy.

    You can set up a Domino passthru server as an application proxy for NRPC. A passthru server provides all levels of IBM(R) Lotus(R) Notes(R) and Domino security while allowing clients who use dissimilar protocols to communicate through a single Domino server. The application proxy does not allow Internet protocols -- for example, HTTP, IMAP, and LDAP -- to use a Domino passthru server to communicate, however. For Internet protocols, you can use an HTTP proxy with the HTTP Connect method to act as a circuit-level proxy.

    A Notes client or Domino server can also act as a proxy client, either through a passthru server (NRPC protocol only) or as a SOCKS or HTTP tunnel client (for the NRPC, POP3, LDAP, IMAP, and SMTP protocols). You set this up in the Proxy setting in the client Location document.

    To set up a Domino passthru server as an application proxy: When you set up an application proxy, make sure the following Domain Name System (DNS) services are correctly configured:

    v The databases db.DOMAIN and db.ADDR, which DNS uses to map host names to IP addresses, must contain the correct host names and addresses.

    v Hosts files must contain the fully qualified domain name of the servers.

    If you are using the Network Information Service (NIS), you must use the fully qualified domain name and make sure NIS can coexist with DNS.


    For information on configuring these settings, see the documentation for your network operating system.

    You must first connect the server to the untrusted network -- for example, the Internet -- and then set up Notes workstations and Domino servers to use the passthru server as a proxy when accessing services outside the trusted network.

    To set up a workstation or server to use the passthru server, you must specify the passthru server in the Location document for a workstation and in the Server document for a server.

    TCP/IP security considerations

    In a TCP/IP network, configure all IBM(R) Lotus(R) Domino(R) servers to reject Telnet and FTP connections. Furthermore, do not allow file system access to the Domino server or the operating system on which it runs, unless you are sure you can properly maintain user access lists and passwords and you can guarantee a secure environment.

    If you use the Network File System (NFS) without maintaining the password file, users can breach security by accessing files through NFS instead of through the Domino server. If this back door access method is needed, isolate the network pathway on a LAN NIC and segment, and make sure that the ability to access files through NFS is exclusive to this isolated secure network.

    Mapped directory links and Domino data security

    To ensure data security, do not create a mapped directory link to a file server or shared Network Attached Storage (NAS) server for an IBM(R) Lotus(R) Domino(R) server. These links can cause both database corruption and security problems.

    Database corruption: If the network connection fails while the Domino server is writing to a database on the file server or shared NAS server, the database can become corrupted. In addition, the interdependence of the file sharing protocols -- Server Message Block (SMB), Common Internet File System (CIFS), and Network File System (NFS) -- and the remote file system can affect the Domino server's performance. Domino sometimes needs to open large numbers of remote files, and low latency for read/write operations to these files is desirable.

    To avoid these problems on Domino servers, consider doing one or more of the following:

    v Create an isolated network and use cut-through (non-buffering) layer-2 switches to interconnect the Domino server to the NAS system.

    v Limit access to the NAS system to the Domino server.

    v Reduce the number of hops and the distance between hops in the connection pathways between the Domino server and the storage system.

    v Use a block protocol instead of a file protocol.

    v Use a private storage area network (SAN) instead of a shared NAS system.

    v Avoid creating any file-access contention between Domino and other applications.

    To avoid problems with IBM(R) Lotus(R) Notes(R) workstations, consider doing the following:

    v Locate Notes workstations so that they are not accessing a remote file server or NAS system over a WAN.


    v To minimize the risk of database corruption because of server failure when a Notes client's Domino data directory is on a file server or NAS server, evaluate the reliability of the entire network pathway as well as the remote system's ability to maintain uninterrupted sessions to the Notes client over the file sharing protocols it is using (SMB, CIFS, NFS, NetWare Core Protocol, or AppleShare).

    v If a Notes client's Domino data directory is on a file server or NAS server, remember that only one user (user session) can have the user data directory files open at a time. Lotus Notes does not support concurrent access to the same local database by two clients.

    Security problems: When Encrypt network data is enabled, all Domino server and Notes workstation traffic is encrypted. However, the file I/O between the Domino server and the file server or shared NAS server is not encrypted, leaving it vulnerable to access by unauthorized users.

    Planning the TCP/IP network

    The default TCP/IP configuration for an IBM(R) Lotus(R) Domino(R) server is one IP address that is globally bound, meaning that the server listens for connections at the IP addresses of all NICs on the computer. Global binding works as long as the computer does not have more than one IP address offering a service over the same assigned TCP port.

    For operating system requirements, see the Release Notes.

    The default configuration

    Use these topics to plan how to integrate Lotus Domino with the TCP/IP network when the Domino server has one IP address and is not partitioned:

    v NRPC name-to-address resolution over TCP/IP

    v Ensuring DNS resolves in TCP protocols

    Advanced configurations

    Use these topics to plan how to integrate Lotus Domino with the TCP/IP network when the Domino server has more than one IP address or is partitioned:

    v Advanced Domino TCP/IP configurations

    v Partitioned servers and IP addresses

    v Ensuring DNS resolves in advanced TCP/IP configurations

    Changing a server's IP address

    Use this topic to change a server's IP address:

    v Changing a server's IP address

    Moving to IPv6

    This topic provides the information you need if your company is migrating to the IPv6 standard:

    v IPv6 and Lotus Domino

    Using Domino i with TCP/IP

    The IBM(R) Lotus(R) Domino(R) server on IBM(R) i uses TCP/IP to communicate with Notes workstations and other external resources such as the Internet. For the Domino server to work properly, TCP/IP must be set up and active on your system.


    For more information about setting up a TCP/IP environment, see the document System i, Networking TCP/IP Setup at the IBM i Information Center.

    NRPC name-to-address resolution over TCP/IP

    In the TCP/IP protocol, the method most commonly used to resolve server names to network addresses is the Domain Name System (DNS), an Internet directory service developed both to allow local administrators to create and manage the records that resolve server names to IP addresses and to make those records available globally. While the POP3, IMAP, LDAP, and HTTP services use DNS directly, the NRPC service uses a combination of the Notes Name Service and DNS to resolve server names to network addresses.

    For background information on how the Notes Name Service works with name-resolver services such as DNS, see the topic Resolving server names to network addresses in NRPC earlier in this chapter.

    When you set up an IBM(R) Lotus(R) Notes(R) workstation on the TCP/IP network, you normally rely on DNS to resolve the name of the workstation's IBM(R) Lotus(R) Domino(R) home server the first time the workstation tries to connect to it. As long as the Notes workstation and Domino home server are in the same DNS domain level, DNS can accomplish the resolve.

    When to edit the Net Address field in the Server document: The default format for a server's TCP/IP network address in Lotus Domino is its fully qualified domain name (FQDN) -- for example, app01.acme.com -- based on the DNS record and the IP address references in the system's TCP/IP stack. When a Notes workstation or Domino server requests this name, the TCP/IP resolver passes it to DNS, and DNS resolves the name directly to the IP address of the destination server, regardless of the DNS domain level of the requesting system.

    If you do not want to enter the FQDN in the Net Address field, you can change it to the simple IP host name -- for example, app01 -- either during server setup or later by editing the Server document. For example, you might use the simple IP host name if you are setting up multiple TCP ports for NRPC, a configuration in which using the FQDN for each network address can cause connection failures if the Notes Name Service returns the FQDN for the wrong TCP port. In this case, using the simple IP host name ensures that DNS does a lookup in all domain levels within the scope of the domains defined in the requesting system's TCP/IP stack settings.

    CAUTION: In a production environment, do not use IP addresses in Net Address fields. Doing so can result in serious administrative complications if IP addresses change or if Network Address Translation (NAT) connections are used, as the values returned by the Notes Name Service will not be correct.

    Secondary name servers: To ensure that the Notes Name Service is always available over TCP/IP, when you set up a Notes user, you can designate a Domino secondary name server that stands in for the home server in these situations:

    v The user's home server is down.

    v The user's home server is not running TCP/IP.

    v The user's home server cannot be resolved over TCP/IP.

    Note: In companies using multiple DNS domains, a Domino secondary name server ensures that a Notes workstation can connect with its home server even when the home server is in a different DNS domain. You can use policies to automate the setup of secondary name servers.

    For more information, see the following topics:

    v Ensuring DNS resolves in NRPC -- Best practices

    v Policies

    Special case: The passthru server: By connecting to a passthru server, Notes users can access servers that do not share a network protocol with their systems. If both the Notes workstation and destination server are in a different Domino domain from the passthru server, it may not be possible for the passthru server to resolve the name of the destination server. In this case, do one of the following:

    v On the Notes workstation, create a Connection document that includes the IP address of the destination server.

    v On the passthru server, create a Connection document to the destination server.

    Internal alternatives to DNS: If you don't use DNS at your site or if a Domino server is not registered with DNS (as is sometimes the case if the server offers Internet services), use one of these methods to enable each Notes workstation and Domino server to perform name resolution locally. Keep in mind that the upkeep required for both of these approaches is considerable.

    v Place a hosts file, which is a table that pairs each system name with its IP address, on every system that needs private access. Set up each system so that it accesses the hosts file before accessing DNS.

    v Create a Connection document that contains the destination server's IP address on every Notes workstation and Domino server that needs to access that server.

    Alternative IP name services: Microsoft networking services offers four additional methods of IP address resolution. These methods are not as reliable as traditional DNS and hosts files and can cause name and address confusion. For best results, do not use these methods when also using the Notes network port for TCP/IP.

    v Direct NetBIOS broadcast -- The system sends out a name broadcast message so that all of the systems on the local network segment can register the name and IP address in their name cache. If you must use NetBIOS over IP and use Domino with both the NetBIOS and TCP/IP port drivers, avoid name-resolution problems by giving the Domino server and the system different names.

    v Master Browser cache (for NT domains or SAMBA servers) -- Collects broadcasted names and IP addresses and publishes them across the NT domain to other Master Browser systems for Microsoft(R) Windows(R) systems to access in their name lookups.

    v Windows Internet Name Service (WINS) -- Uses NetBIOS broadcasts. Unlike DNS, which is static in nature, WINS is dynamic. Note that the TCP/IP stacks of Macintosh and UNIX(R) client systems may not be able to access the WINS server.

    v LAN Manager Hosts (LMHosts) -- A static hosts file method.

    CAUTION: On a Windows system, the combination of the system's native NetBIOS over IP name-resolver service and DNS can cause name resolution failure for the Domino server name.


    Ensuring DNS resolves in TCP protocols

    When you register a new IBM(R) Lotus(R) Domino(R) server, you specify a common name for it. Within a Domino hierarchical name, the common name is the portion before the leftmost slash. For example, in the name App01/East/Acme, the common name is App01. The common name, not the hierarchical name, is the name that the Domino server is known by in DNS.

    Note: When you choose a common name for a Domino server that uses DNS, use only the characters 0 through 9, A through Z, and the dash (-). Do not use spaces or underscores.

    Note: The DNS names held in IBM(R) Lotus(R) Notes(R) and IBM Lotus Domino are not case sensitive; Notes workstations and Domino servers always pass DNS names to DNS in lowercase.

    You can avoid problems and extra work if you consider the DNS configuration, as well as the effect of other protocol name-resolver services, when you choose the format for the common name of the Domino server.

    For procedures to help you avoid DNS problems in NRPC, see the referenced Ensuring DNS... topics.

    Note that these procedures apply only to servers handling communications between Lotus Notes and Lotus Domino (NRPC services). If you administer servers that provide Internet services such as HTTP, SMTP, POP3, or LDAP, you can skip these topics, as these services use DNS directly.

    Ensuring DNS resolves on Windows systems -- All TCP protocols: If an IBM(R) Lotus(R) Domino(R) server is a Microsoft(R) Windows(R) system, often two name services exist on the system -- NetBIOS over IP and DNS. If you assign the same name to both the Domino server and the system, client applications that use either the Notes Name Service or DNS can encounter name-space ghosting between the two names. In other words, because the NetBIOS record for a system's host name has already been found, the name resolving process ends and the DNS record for the Domino server on that system is never found.

    Note: For a Domino server on Windows 2000, problems occur only if you enable name services for NetBIOS over IP in order to join an NT domain using Server Message Blocks (SMB).

    To prevent this problem:

    1. Add a preface such as W2K- to the system name, using the Network Identification tab on the System Properties dialog box.

    2. Create an A record (or, for IPv6, AAAA record) in DNS for the system name. The IP address is the same as the one for the Domino server.

    3. Create a CNAME record in DNS for the Domino server's name, linking it to the system name.

    For example, for the Domino server BosMail02/Acme, the common name is BosMail02. You name the system NT-BosMail02. You create an A record in DNS for NT-BosMail02.acme.com and a CNAME record for BosMail02.acme.com, linking it with NT-BosMail02.acme.com.

    Ensuring DNS resolves in NRPC -- Best practices: The following procedures provide the best name-resolution practices for an IBM(R) Lotus(R) Domino(R) server using the default NRPC configuration on a TCP/IP network (one IBM(R) Lotus(R) Notes(R) network port for TCP/IP). These procedures address the following DNS configurations:

    v One DNS domain

    v Multiple DNS domain levels

    When you have one DNS domain: If your company uses only one DNS domain, doing the following eliminates the need for CNAME records in DNS:

    1. Assign the same name as both the Domino server common name and the simple IP host name registered with DNS.

    2. Make sure the Net Address field on the Server document contains the server's FQDN.

    3. Create an A record (or, for IPv6, AAAA record) in DNS.

    For example, you set up the Domino server App01/Engr/Acme. Thus, you register the server with DNS as app01, the server's common name. The Net Address field in the Server document contains app01.acme.com (the server's FQDN), and the A record is: app01.acme.com IN A 192.168.10.17.

    When you have multiple DNS domain levels: If your company uses multiple DNS domain levels -- for example, when each country in which a multinational company has offices is a subdomain in DNS -- doing the following eliminates the need for multiple CNAME records in DNS and ensures that DNS lookups always work, regardless of the DNS domain level of the user's system:

    1. Assign the same name as both the Domino server common name and the simple IP host name.

    2. Make sure the Net Address field on the Server document contains the server's FQDN.

    3. Create an A record (or, for IPv6, AAAA record) in DNS.

    4. If users' systems are in a different DNS domain than that of their home server or in a DNS subdomain of their home server's domain, set up a secondary name server. Place this secondary name server on the same physical network as the users' systems or on a network that the users can access.

    Note: Register the secondary name server in the root of the company's DNS domain.

    5. Set up all Notes users or a subset of users affected by Step 4, or set up an individual Notes user.

    For example, you register the Domino server ParisMail01/Sales/Acme with DNS as parismail01.france.acme.com. Parismail01 is the home server for some users in the DNS subdomain spain.acme.com. You set up a secondary name server, Nameserver/Acme, register it with DNS as nameserver.acme.com, and ensure that the Location documents of users who need a secondary name server point to this server.

    When a user in spain.acme.com attempts a first connection with the home server (parismail01.france.acme.com), the connection fails because the DNS subdomain for spain.acme.com has no records for the subdomain france.acme.com. Notes then connects successfully with the secondary name server (nameserver.acme.com), since the DNS subdomain for spain.acme.com does include the records for acme.com. When the secondary name server supplies the Notes workstation with the FQDN from the Net Address field in the Server document for ParisMail01, DNS resolves the FQDN to an IP address, and the user can access mail.


    As long as all Server documents in the Domino domain have the TCP/IP network address in FQDN format, this approach allows any Notes workstation or Domino server to locate any Domino server, regardless of its DNS domain level.

    Ensuring DNS resolves in NRPC -- Alternative practices: The following procedures provide alternative name-resolution practices for an IBM(R) Lotus(R) Domino(R) server using the default NRPC configuration on a TCP/IP network (one Notes network port for TCP/IP).

    Domino server names that differ from their DNS names: When your name scheme for Domino servers is different than that for DNS, use one of the following methods to translate the Domino server's name to the host name:

    v Create a local Connection document on each IBM(R) Lotus(R) Notes(R) client and Domino server that needs to connect to the Domino server, and enter the FQDN for the system that hosts the Domino server in the Net Address field. For example, for the Domino server named App01/Sales/Acme on the system registered with DNS as redflier, enter redflier.acme.com in the Net Address fields of the Connection documents.

    v Use an alias (CNAME) record in DNS to link the Domino server common name to the simple IP host name. For example, for the Domino server App01/Sales/Acme on the system registered with DNS as redflier, use a CNAME record to link the name App01 to the name redflier. When a Notes workstation first accesses this server, it obtains the host name from the Net Address field of the Server document and caches it, thereby making future connections faster.

    IP addresses in Connection documents: In situations in which you don't want to use any name-resolver service -- such as bringing up a new server system that you don't want known yet, or having a server on the Internet that you want accessible but for which you can't use DNS -- create Connection documents that directly tell Notes workstations or Domino servers how to access this Domino server by using the server's IP address in the documents' Net Address fields.

    Network Address Translation (NAT): NAT is a method of translating an IP address between two address spaces: a public space and a private space.

    Public addresses are assigned to companies by the Internet Corporation for Assigned Names and Numbers (ICANN) or leased from the company's ISP/NSP. Public addresses are accessible through the Internet (routable) unless firewalls and isolated networks make them inaccessible.

    Private addresses are IP address spaces that have been reserved for internal use. These addresses are not accessible over the Internet (non-routable) because network routers within the Internet will not allow access to them.

    The following address spaces have been reserved for internal use. It is best to use these IP addresses and not make up your own.

    v Class A: 10.0.0.0 to 10.255.255.255

    v Class B: 172.16.0.0 to 172.31.255.255

    v Class C: 192.168.0.0 to 192.168.255.255

    For example, users inside a company access the Domino server based on its assigned IP address, which is a private address (192.168.1.1). Internet users must access the Domino server through a NAT router, which converts the private address to one of its static public addresses (130.20.2.2). Therefore, a Notes client accessing the server from the Internet uses the public address.

    Ensuring DNS resolves in NRPC -- A practice to use with caution: The following practice, if followed precisely, should ensure good DNS resolves in NRPC for companies with multiple DNS domain levels, but might result in extra work if the infrastructure changes. Using this practice has the following disadvantages:

    v You can never assign more than one IP address in DNS to the IBM(R) Lotus(R) Domino(R) server.

    v If the FQDN changes, the Domino server name will not match the FQDN, thus invalidating the DNS resolve. You will then need to create a new server and migrate users to it.

    v If you use network address translation (NAT), the server's FQDN must be identical in both instances of DNS (internal and external shadow DNS).

    v You cannot use other network protocols, as many of them use flat network name services, and those that use hierarchical name systems will not function unless the name hierarchy is exactly the same.

    v Diagnosing connectivity issues can be much harder.

    When you have multiple DNS domain levels: If your company uses multiple DNS domain levels -- for example, when each country in which a multinational company has offices is a subdomain in DNS -- do the following:

    1. Use the server's FQDN as the Domino server common name.

    2. Create an A record (or, for IPv6, AAAA record) in DNS.

    For example, if you register a server with DNS as app01.germany.acme.com, you can also assign the Domino server's common name as app01.germany.acme.com. In this case, the server's Domino hierarchical name might be app01.germany.acme.com/Sales/Acme.
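    The naming rules from the best practices, alternative practices and the cautioned practice above can be checked mechanically before a Server document goes into production. The following Python script is an added example, not IBM code; it takes the common name as the portion before the leftmost slash, compares DNS names in lowercase, flags an IP address in the Net Address field, and flags a Net Address whose host label differs from the common name as needing a CNAME or Connection document. The Server document values and the function names are constructed for this example.

```python
"""Audit Domino Server document names against the DNS naming rules above.
Added example (not IBM code); sample Server document values are constructed."""
import ipaddress
import re
from typing import Dict, List

# Characters the manual permits in a common name that DNS must resolve:
# 0-9, A-Z and the dash. No spaces, no underscores.
_COMMON_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def common_name(hierarchical_name: str) -> str:
    """The portion before the leftmost slash: App01 for App01/East/Acme."""
    return hierarchical_name.split("/", 1)[0]


def is_ip_literal(net_address: str) -> bool:
    """True when the Net Address is a bare IPv4 or IPv6 address, not a host name."""
    try:
        ipaddress.ip_address(net_address)
    except ValueError:
        return False
    return True


def check_server_document(hierarchical_name: str, net_address: str) -> List[str]:
    """Findings for one Server document; an empty list means it follows the best practice."""
    findings: List[str] = []
    cn = common_name(hierarchical_name)
    # Notes passes DNS names in lowercase, so every comparison is case-insensitive.
    cn_l, addr_l = cn.lower(), net_address.strip().lower()

    if "." in cn_l and cn_l == addr_l:
        # The "practice to use with caution": the common name is the FQDN itself.
        findings.append(f"common name is the FQDN {cn!r}: resolvable, but the server is tied to that FQDN")
    elif not _COMMON_NAME_RE.fullmatch(cn):
        findings.append(f"common name {cn!r}: use only 0-9, A-Z and dash (no spaces or underscores)")

    if is_ip_literal(addr_l):
        findings.append(f"Net Address {net_address!r} is an IP address: use the FQDN in production")
        return findings

    host_label = addr_l.split(".", 1)[0]
    if "." not in addr_l:
        findings.append(f"Net Address {net_address!r} is a simple host name: lookups depend on the client's DNS search list")
    if host_label != cn_l and "." not in cn_l:
        findings.append(f"Net Address host {host_label!r} differs from common name {cn_l!r}: a CNAME or Connection document is required")
    return findings


def audit(server_documents: Dict[str, str]) -> Dict[str, List[str]]:
    """Check a mapping of hierarchical name -> Net Address; only servers with findings are returned."""
    report: Dict[str, List[str]] = {}
    for name, addr in server_documents.items():
        findings = check_server_document(name, addr)
        if findings:
            report[name] = findings
    return report


# Constructed sample Server documents (not taken from any real Domino Directory).
SAMPLE_SERVER_DOCUMENTS = {
    "App01/Engr/Acme": "app01.acme.com",                       # one DNS domain, best practice
    "ParisMail01/Sales/Acme": "parismail01.france.acme.com",   # multiple domain levels, best practice
    "BosMail02/Acme": "192.168.1.1",                           # IP literal in Net Address
    "App01/Sales/Acme": "redflier.acme.com",                   # Domino name differs from DNS name
    "Mail_03/Acme": "mail_03.acme.com",                        # underscore in common name
    "app01.germany.acme.com/Sales/Acme": "app01.germany.acme.com",  # FQDN as common name
}

if __name__ == "__main__":
    for server, findings in audit(SAMPLE_SERVER_DOCUMENTS).items():
        for finding in findings:
            print(f"{server}: {finding}")
```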

    Changing a server's IP address

    Before changing a server's IP address, consider the following potential problems:

    v Problem 1: If the server's previous IP address is stored in any Server Connection documents or Server documents, when that server's IP address is changed in DNS and on the server itself, these old Server Connection documents or Server documents will cause connection failures.

    Solution: Use the DNS fully-qualified domain name, not the IP address, as the network address stored in the Server Connection documents and Server documents. You can then change the server's IP address in DNS without having to change the Server Connection documents or Server documents. Changing the network address from the IP address to the DNS name can be done at any time.

    To modify the Server Connection document, open the Server Connection document. On the Basics tab, if Local Area Network is chosen in the Connection Type field, click the Advanced tab and check the entry in the Destination server address field. If the field contains the server's IP address, delete the IP address and enter the fully-qualified domain name. Remember, both the server-based Domino Directory and the client-based Address Book can have this problem.

    To modify the Server document, click the Ports tab for the Net Address for TCP ports. If the field contains the IP address, change the entry to the proper fully-qualified domain name.

    v Problem 2: The algorithm that all IBM(R) Lotus(R) Notes(R) clients and IBM(R) Lotus(R) Domino(R) servers use to connect to a Domino server can cache the IP address that was used to successfully connect to a server. If this cache entry exists, when the server's IP address is changed, the old cached address may be used, causing the connection to fail.

    It is important to understand why this caching is performed. Notes supports a wide range of networking technologies implemented as Notes ports. If Notes attempts to connect to a server that is down, and tries every possible technology (Notes port) using every possible name-to-address resolution tool until each one fails, the connection attempt takes a long time. To prevent the long delay that would occur in reporting the error when the server goes down, Notes has implemented two server connection algorithms. One algorithm is fast, using cached addresses, and the other is slower, using the complete algorithm which bypasses the cache when it fails.

    The following solutions can resolve this problem. Solutions are listed in the order in which they should be used.

    Solution 1: The fast connection algorithm is only used if the client or server had successfully connected to the same server earlier in the day. If a successful connection has not yet occurred today, the slower algorithm is used and the cache is bypassed. To avoid this problem, change a server's IP address late in the evening, but before midnight. This is the easiest solution because it is transparent to the user and involves no help desk calls or any action on the user's part.

    Solution 2: The cache is rewritten following successful connection to the server. The cached address is the address entered by the user, not the resolved IP address. Therefore, if users have the habit of connecting to servera/acme by entering servera.acme.com, the cached address will be servera.acme.com, not 1.2.3.4, and the problem will not occur.

    Solution 3: The cache is rewritten following any successful connection to the server. If a user tries to connect to the server by its Notes name, for example, servera/acme, the stale cache entry is used. If the user tries to connect using the server's fully-qualified domain name, for example, servera.acme.com, then the cache will not be used, the new address will be fetched from DNS and the correct new address entered in the cache. To make this successful connection using the fully-qualified domain name of the server, use the File - Application - Open menu command or the File - Preferences - User Preferences - Ports - Trace menu selections.

    Solution 4: The cache is stored in the following Notes fields in the Location documents for the client and in the Server document for the server:

    $SavedAddresses

    $SavedDate

    $SavedPorts

    $SavedServers

    $SavedTriedDate

    If these fields are deleted from the Location or Server document, for example, using a formula agent, the old IP addresses in the cache cannot be used. This method can be confusing because the Notes items are rewritten when the client or server exits from an in-memory copy. Therefore, to use this method to clear the cache for the client, create the agent in the Local Address Book, and then switch to the Island Location