Solved

Adding domain

Posted on 2000-04-12
10
Medium Priority
270 Views
Last Modified: 2013-12-18
I need to add a domain to our Lotus Notes mixed R5 and 4.6 environment. This domain needs to be able to access a replica of our NAB and replicate with other NABs on our other Notes named servers. We need to allow this domain to use the replica of the NAB to send/address email, but we want to limit or not allow them to look at or edit any other aspect of the NAB, e.g. servers, ACLs, etc. We also want to make sure our network is secure. Any ideas?
0
Question by:Jdillon
10 Comments
 

Author Comment

by:Jdillon
ID: 2716751
Adjusted points from 100 to 200
0
 

Expert Comment

by:Sandeep_Kohli_
ID: 2722141
First of all, you need to create the domain you have been talking about. I will call that Domain2. Now if I recall correctly, you need the email address of people from Domain1.

1) What you need to do is to create a minimal PAB from Domain1 and keep it onto Domain2's server. This will hide all your connection docs, server docs etc. and give Domain2 the bare minimum.

2) You will need to create a Master Address book in Domain2 so you can resolve the names in Domain1.

3) Additionally, you need to specify to NOT accept any ACL changes. This will be done in Domain1 so no changes that are broadcast from Domain2 are accepted.

4) Keep in mind that R4.6 and R5 use different ODS (On Disk Structure). So once the 4.6 server and R5 server replicate, the 4.6 server will not be able to understand the database. For this, you can refresh the design of the database. Or you can specify not to accept any design changes.

For all this, you can use the Admin help or alternatively go to www.notes.net and get yourself the R5 documentation in PDF format. Read it thoroughly and you should have all the answers.

Hope this helps

Sandeep
0
 

Author Comment

by:Jdillon
ID: 2723950
Adjusted points from 200 to 300
0

 

Author Comment

by:Jdillon
ID: 2723952
This answer is somewhat helpful, but I need more information. How does authentication take place? Can mail be routed between Domain 1 and Domain 2 using this method? Does an exchange of server IDs need to take place? Can information be selectively replicated? In other words, if I replicate from the "complete copy" of the PAB on Domain 1 to a pared down version on Domain 2, will it not then be populated with server information, etc.?
Also, if Domain 1 is Notes version 5.0 and Domain 2 is Notes version 4.6, when the PAB is replicated does the design need to be refreshed on Domain 2 each time replication takes place?
0
 
LVL 3

Accepted Solution

by:
Simon_Hendry earned 1200 total points
ID: 2724669
I think the best thing to do is give that domain a read-only copy of your NAB...

Firstly you will need to cross-certify with that domain if you have not already; this will mean that both domains trust each other's certificates. If you need to know how to do this then look in the Domino admin help, all the information you need is there... (cross-certification is how authentication takes place)

Once you have set up a cross certificate, then you will need to do two things: set up a mail routing connection between the two domains, and give the other domain a replica of your NAB and set up their MAB....

The best thing to do for the NAB to make it secure is to create a new replica of domain1's address book on domain2's primary server and change the ACL so that domain2's server has only Reader access and domain1's server is a Manager. (You will also need to specify in each server's server document that the other server has access to use it.)

The issue of domain1's address book being R5 doesn't really matter that much unless someone on domain2's side needs to look at it via an R4 Notes client.. If this isn't the case then don't worry about it; if it is the case then only give domain1's server Editor access to the replica on domain2's server and change the design of the replica back to an R4 address book... This way when replication occurs domain1's server will not have access to update the design elements, only the data...

If you wanted to you could also set a replication rule on the new replica so that it only replicates a subset of data (i.e. only the servers that are needed for mail routing, and users).. You would need to test that this works, because I am unsure whether removing certain servers will affect mail routing to them from other domains.. Technically all you should need is the server that the mail routes through, but you never know!!!...

Now set up domain2's Master Address Book, specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance.. Again check out the admin help on how to do this....

Now create a connection document in domain2's address book between the domain1 and the domain2 server for mail routing... And all should be well!!

0
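The accepted answer's security argument rests on one Domino rule: what a replicating server may push into a replica is decided by the access level that server holds in the target replica's ACL. The following Python model is an added illustration for this thread, not Lotus/Domino code; it encodes that rule in simplified form (Editor to push documents, Designer to push design, Manager to push ACL changes, Reader pushes nothing) and replays the two layouts the answer describes. Server and database names such as Dom1Server/Domain1 and dom1names.nsf are constructed for the example.

```python
"""Simplified model of what a Domino replica accepts from a replicating server.

Added illustration for this thread, not Domino code. The rules are a
simplification of Domino replication: the access level granted to the
*source* server in the *target* replica's ACL bounds what it can push.
"""
from dataclasses import dataclass, field

# Domino ACL access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Minimum access a source server needs in the target's ACL to push each
# class of change. A Reader can pull but pushes nothing.
REQUIRED = {"documents": "Editor", "design": "Designer", "acl": "Manager"}

ALL_CHANGES = ["documents", "design", "acl"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Replica:
    name: str
    acl: dict = field(default_factory=dict)   # entry name -> access level
    enforce_consistent_acl: bool = False      # the "consistent ACL" option

    def level_of(self, entity: str) -> str:
        return self.acl.get(entity, self.acl.get("-Default-", "No Access"))


def accepted_changes(target: Replica, source_server: str, proposed: list) -> list:
    """Subset of the proposed change kinds the target takes from source_server."""
    level = target.level_of(source_server)
    return [kind for kind in proposed if rank(level) >= rank(REQUIRED[kind])]


def local_acl_editable(replica: Replica, user: str) -> bool:
    """Can someone with local access on the hosting server edit the ACL?
    Without the consistent-ACL option the ACL is not enforced for local
    access, so anyone with local file access can change it; with the option
    on, only a Manager can."""
    if not replica.enforce_consistent_acl:
        return True
    return rank(replica.level_of(user)) >= rank("Manager")


def nab_replication_scenario() -> dict:
    """The layout from the accepted answer (constructed names): Domain1's NAB
    replicated to Domain2's server, Domain1 server Manager, Domain2 server Reader."""
    on_dom2 = Replica("dom1names.nsf on Dom2Server/Domain2",
                      {"Dom1Server/Domain1": "Manager",
                       "Dom2Server/Domain2": "Reader",
                       "-Default-": "Reader"},
                      enforce_consistent_acl=True)
    master = Replica("names.nsf on Dom1Server/Domain1",
                     {"Dom1Server/Domain1": "Manager",
                      "Dom2Server/Domain2": "Reader"})
    # R4-client variant: Domain1's server is only Editor on Domain2's replica,
    # so the data replicates but the R5 design cannot overwrite the R4 design.
    on_dom2_r4 = Replica("dom1names.nsf (R4 design) on Dom2Server/Domain2",
                         {"Dom1Server/Domain1": "Editor",
                          "Dom2Server/Domain2": "Reader"},
                         enforce_consistent_acl=True)
    return {
        "dom1_to_dom2": accepted_changes(on_dom2, "Dom1Server/Domain1", ALL_CHANGES),
        "dom2_to_dom1": accepted_changes(master, "Dom2Server/Domain2", ALL_CHANGES),
        "dom1_to_dom2_r4": accepted_changes(on_dom2_r4, "Dom1Server/Domain1", ALL_CHANGES),
        "dom2_admin_edits_acl_locally": local_acl_editable(on_dom2, "Dom2Admin/Domain2"),
    }


if __name__ == "__main__":
    for key, value in nab_replication_scenario().items():
        print(f"{key}: {value}")
```

The two directions are what matter: Domain1's server pushes everything into the copy on Domain2, while Domain2's server, being a Reader in Domain1's master, pushes nothing back, so a local ACL edit on Domain2's copy can never reach Domain1. The consistent-ACL option closes the remaining gap, local editing of the copy on Domain2's own disk.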
 

Author Comment

by:Jdillon
ID: 2724744
We are getting close. I still need to know if it is necessary for Domain 1 and 2 to exchange server IDs. Also, if server IDs are exchanged, will that allow Domain 2 to change the ACL on their replica of Domain 1's NAB, which might change the ACL on Domain 1 once replication takes place? An explanation of cross-certification would also be helpful.
0
 
LVL 3

Expert Comment

by:Simon_Hendry
ID: 2724854
As I said, authentication is via cross-certification, so you need to exchange safe IDs (a safe, cross-certifiable ID); this is done only once. Therefore no, the server IDs are not exchanged; what is exchanged is a safe copy of the domain certificates, only once. After that the servers trust each other so there is no need to exchange IDs...

And no, this does not allow a domain2 server to change the ACL. As I explained above, if you only give domain2's server Reader access to the database replica, then that server is only a READER, therefore they cannot change the ACL..
To be completely safe about this you should make sure that "Maintain consistent ACL across replicas" is on..

Cross-certification is the process by which an external source gives you their certificates and you certify those certificates using your certifier to create a cross-certificate.. This means that any other certificates created using your certifier now trust the certificates of the external source...

As I said you don't have to cross-certify at the top-most certifier, but if the two domains are going to send mail backwards and forwards it is much easier than creating server-by-server or OU-by-OU cross-certificates...

To cross-certify, here is what you have to do..

Get the Domain1 certifier ID and switch to it in your client... Then choose File -> Tools -> User ID -> More Options, and press the Create Safe Copy button. This creates a safe copy of your certifier, which is a copy that contains certificate information that is only usable for cross-certification, not for creating any sibling certificates. Now take this ID that you just created and, from a Domain2 administrator's client (R4), go to File -> Tools -> Server Administration -> Certificates -> Cross Certify ID and follow the prompts...

This will cross-certify Domain1 for Domain2... which means Domain2 now trusts Domain1 certificates... Now repeat the process but in the opposite direction....

For further reading check out the Lotus KB at the Lotus web site or look at Domino Admin Help....

If you need any more help just say.. I administer 5 domains, all cross-certified and using MAB; it works great and it is secure
0
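The comment above explains cross-certification in words: each side hands over a safe copy of its certifier (public certificate only, no signing capability), the other side issues a cross-certificate for it, and the process is repeated in the opposite direction. The Python model below is an added illustration for this thread, not Lotus code; it encodes hierarchical Notes names, safe copies and cross-certificates in simplified form and shows why mutual trust needs both directions, and why an OU-level cross-certificate (the answer's "OU by OU" case) covers only that branch. Names such as /Domain1, /Sales/Domain2 and Dom2Server/Domain2 are constructed for the example.

```python
"""Simplified model of Notes cross-certification trust between domains.

Added illustration for this thread, not Lotus code: hierarchical names,
safe-copy IDs and cross-certificates are modelled just far enough to show
what is exchanged and what each cross-certificate makes trusted.
"""
from dataclasses import dataclass, field


def certifier_chain(name: str) -> list:
    """Certifiers above a hierarchical name, nearest first.
    'Dom2Server/Sales/Domain2' -> ['/Sales/Domain2', '/Domain2']"""
    parts = name.strip("/").split("/")
    return ["/" + "/".join(parts[i:]) for i in range(1, len(parts))]


@dataclass(frozen=True)
class SafeCopy:
    """Safe copy of a certifier ID: carries the certificate (public part)
    only, so the receiving side can cross-certify it but never certify with it."""
    certifier: str
    has_private_key: bool = False


@dataclass
class Domain:
    certifier: str                              # this domain's top certifier, e.g. "/Domain1"
    cross_certs: set = field(default_factory=set)

    def export_safe_copy(self) -> SafeCopy:
        return SafeCopy(self.certifier)

    def cross_certify(self, safe_copy: SafeCopy) -> None:
        """Issue a cross-certificate for a foreign certifier. Only trust is
        recorded; the foreign certifier's private key never changes hands."""
        if safe_copy.has_private_key:
            raise ValueError("never import a full certifier ID; use a safe copy")
        self.cross_certs.add(safe_copy.certifier)

    def trusts(self, entity: str) -> bool:
        """An entity is trusted if it sits under this domain's own certifier
        or under any certifier this domain has cross-certified."""
        return any(cert == self.certifier or cert in self.cross_certs
                   for cert in certifier_chain(entity))


def authenticates(a: Domain, b: Domain, server_a: str, server_b: str) -> bool:
    """Notes authentication is mutual: each side must trust the other's ID."""
    return a.trusts(server_b) and b.trusts(server_a)


def cross_certification_scenario() -> dict:
    dom1, dom2 = Domain("/Domain1"), Domain("/Domain2")
    s1, s2 = "Dom1Server/Domain1", "Dom2Server/Domain2"
    before = authenticates(dom1, dom2, s1, s2)
    # Step 1 from the comment: Domain2 cross-certifies Domain1's safe copy.
    dom2.cross_certify(dom1.export_safe_copy())
    one_way = authenticates(dom1, dom2, s1, s2)
    # Step 2: repeat in the opposite direction.
    dom1.cross_certify(dom2.export_safe_copy())
    mutual = authenticates(dom1, dom2, s1, s2)
    # A full certifier ID must never be accepted in place of a safe copy.
    try:
        dom1.cross_certify(SafeCopy("/Domain2", has_private_key=True))
        full_id_rejected = False
    except ValueError:
        full_id_rejected = True
    # OU-level variant: a third domain cross-certifies only /Sales/Domain2.
    dom3 = Domain("/Domain3")
    dom3.cross_certify(SafeCopy("/Sales/Domain2"))
    return {
        "before": before,
        "one_way": one_way,
        "mutual": mutual,
        "full_id_rejected": full_id_rejected,
        "ou_sales_trusted": dom3.trusts("Mail1/Sales/Domain2"),
        "ou_marketing_trusted": dom3.trusts("Mail2/Marketing/Domain2"),
    }


if __name__ == "__main__":
    for key, value in cross_certification_scenario().items():
        print(f"{key}: {value}")
```

After one direction only, authentication still fails because the check is mutual; after both, the two servers trust each other without either server ID ever leaving its domain, which is the point of the comment's "safe copy" step.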
 

Author Comment

by:Jdillon
ID: 2728219
Thank you for your quick, thorough response. I have a question about this part: "Now setup domain2's Master Address Book specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance". We are using cascading address books; is the use of a MAB necessary for this process to work? If not necessary, why is this method preferred? Your assistance is much appreciated.
0
 
LVL 3

Expert Comment

by:Simon_Hendry
ID: 2728626
The reason I say MAB is because since 4.6.2 (I think!) Domino no longer supports cascading address books (i.e. they still work, but they are not the recommended solution).. Also web authentication does not work using cascading address books; you must use an MAB for this, if required...

Cascading address books work for mail just fine.. So if you are only going to be using the secondary address book for MAIL ONLY and not as an authentication source for web clients then you would be fine to use cascading instead of MAB... Everything else I have explained would be exactly the same, but instead of setting up the MAB, edit the notes.ini and add the new replica to the NAMES line on domain2's server...

0
 

Author Comment

by:Jdillon
ID: 2732406
Thank you, your answers were very helpful.
0

Question has a verified solution.