Adding domain

I need to add a domain to our Lotus Notes mixed R5 and 4.6 environment. This domain needs to be able to access a replica of our NAB and replicate with other NABs on our other Notes named servers. We need to allow this domain to use the replica of the NAB to send/address email, but we want to limit or not allow them to look at or edit any other aspect of the NAB, e.g. servers, ACLs, etc. We also want to make sure our network is secure. Any ideas?
I think the best thing to do is give that domain a read-only copy of your NAB ..

Firstly you will need to cross-certify with that domain if you have not already; this will mean that both domains trust each other's certificates. If you need to know how to do this then look in the Domino admin help, all the information you need is there... (cross-certification is how authentication takes place)

Once you have set up a cross certificate, then you will need to do two things: set up a mail routing connection between the two domains, and give the other domain a replica of your NAB and set up their MAB....

The best thing to do for the NAB to make it secure is to create a new replica of domain1's address book on domain2's primary server and change the ACL so that domain2's server has only Reader access and domain1's server is a Manager. (You will also need to specify in each of the servers' server documents that the other server has access to use the other server.)

The issue of domain1's address book being R5 doesn't really matter that much unless someone on domain2's side requires to look at it via an R4 Notes client.. If this isn't the case then don't worry about it; if it is the case then only give domain1's server Editor access to the replica on domain2's server and change the design of the replica back to an R4 address book... This way when replication occurs domain1's server will not have access to update the design elements, only the data...

If you wanted to you could also set a replication rule on the new replica so that it only replicated a subset of data (i.e. only the servers that are needed for mail routing, and users).. You would need to test that this works, because I am unsure whether removing certain servers will affect mail routing to them from other domains.. Technically all you should need is the server that the mail routes through, but you never know!!!...

Now set up domain2's Master Address Book specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance.. Again check out the admin help on how to do this....

Now create a connection document in domain2's address book between the domain1 and the domain2 server for mail routing... And all should be well!!

First of all, you need to create the domain you have been talking about. I will call that Domain2. Now if I recall correctly, you need the email address of people from Domain1.

1) What you need to do is to create a minimal PAB from Domain1 and keep it onto Domain2's server. This will hide all your connection docs, server docs etc. and give Domain2 the bare minimum.

2) You will need to create a Master Address book in Domain2 so you can resolve the names in Domain1.

3) Additionally, you need to specify to NOT accept any ACL changes. This will be done in Domain1 so no changes that are broadcast from Domain2 are accepted.

4) Keep in mind that R4.6 and R5 use different ODS (On Disk Structure). So once the 4.6 server and R5 server replicate, the 4.6 server will not be able to understand the database. For this, you can refresh the design of the database. Or you can specify not to accept any design changes.

For all this, you can use the Admin help or alternatively go to and get yourself the R5 documentation in PDF format. Read it thoroughly and you should have all the answers.

Hope this helps

JdillonAuthor Commented:
This answer is somewhat helpful but I need more information: how does authentication take place? Can mail be routed between Domain 1 and Domain 2 using this method? Does an exchange of server IDs need to take place? Can information be selectively replicated? In other words, if I replicate from the "complete copy" of the PAB on Domain 1 to a pared down version on Domain 2, will it not then be populated with server information etc.?
Also, if Domain 1 is Notes version 5.0 and Domain 2 is Notes version 4.6, when the PAB is replicated does the design need to be refreshed on Domain 2 each time replication takes place?
JdillonAuthor Commented:
We are getting close. I still need to know if it is necessary for Domain 1 and 2 to exchange server IDs. Also, if server IDs are exchanged, will that allow Domain 2 to change the ACL on their replica of Domain 1's NAB, which might change the ACL on Domain 1 once replication takes place? An explanation of cross-certification would also be helpful.
As I said, authentication is via cross-certification, so you need to exchange safe IDs (a safe cross-certifiable ID); this is done only once. Therefore no, the server IDs are not exchanged; what is exchanged is a safe copy of the domain certificates, only once. After that the servers trust each other so there is no need to exchange IDs...

And no, this does not allow a domain2 server to change the ACL. As I explained above, if you only give domain2's server Reader access to the database replica, then that server is only a READER, therefore they cannot change the ACL..
To be completely safe about this you should make sure that "Maintain consistent ACL across replicas" is on..

Cross-certification is the process by which an external source gives you their certificates and you certify those certificates using your certifier to create a cross-certificate.. This means that any other certificates created using your certifier now trust the certificates of the external source...

As I said, you don't have to cross-certify at the topmost certifier, but if the two domains are going to send mail backwards and forwards it is much easier than creating server-by-server or OU-by-OU cross-certificates...

To cross-certify, here is what you have to do..

Get the Domain1 certifier ID and switch to it in your client... Then choose File -> Tools -> User ID -> More Options, and press the Create Safe Copy button. This creates a safe copy of your certifier, which is a copy that contains certificate information that is only usable for cross-certification, not for creating any sibling certificates. Now take this ID that you just created and from a Domain2 administrator's client (R4) go to File -> Tools -> Server Administration -> Certificates -> Cross Certify ID and follow the prompts...

This will cross-certify Domain1 for Domain2... which means Domain2 now trusts Domain1 certificates... Now repeat the process but in the opposite direction....

For further reading check out the Lotus KB at the Lotus web site or look at Domino Admin Help....

If you need any more help just say.. I administer 5 domains, all cross-certified and using MAB; it works great and it is secure
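As an added check (not part of the thread, and not the author's own code), a LotusScript agent that audits the replica of Domain1's address book held on a Domain2 server for the ACL the answer above describes: Domain1's server at Manager, Domain2's server at Reader, nobody else above Reader, and "Maintain consistent ACL across all replicas" switched on. The server name Dom2Srv/Domain2, file name dom1names.nsf and the two server entries are assumed placeholders.

```lotusscript
' Audit agent: verifies the ACL of Domain1's address book replica on a
' Domain2 server. Names below are assumed placeholders for this example.
Sub Initialize
    Dim s As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim ok As Integer
    ok = True
    ' Assumed: the replica lives on Dom2Srv/Domain2 as dom1names.nsf
    Set db = s.GetDatabase("Dom2Srv/Domain2", "dom1names.nsf")
    If Not db.IsOpen Then
        Print "Cannot open the replica; check server document access first"
        Exit Sub
    End If
    Set acl = db.ACL
    ' With uniform access on, a locally edited ACL is overwritten by the
    ' replicated one, so Domain2 cannot loosen access on its own copy
    If Not acl.UniformAccess Then
        Print "WARNING: 'Maintain consistent ACL across all replicas' is OFF"
        ok = False
    End If
    Set entry = acl.GetFirstEntry
    Do While Not (entry Is Nothing)
        Select Case entry.Name
        Case "CN=Dom1Srv/O=Domain1"   ' assumed Domain1 server (owner of the data)
            If entry.Level <> ACLLEVEL_MANAGER Then
                Print "WARNING: Domain1 server is not Manager"
                ok = False
            End If
        Case "CN=Dom2Srv/O=Domain2"   ' assumed Domain2 server (consumer only)
            If entry.Level <> ACLLEVEL_READER Then
                Print "WARNING: Domain2 server is not Reader: " & Cstr(entry.Level)
                ok = False
            End If
        Case Else
            ' -Default-, groups or people at Author or above could push
            ' changes back to Domain1 on the next replication
            If entry.Level > ACLLEVEL_READER Then
                Print "WARNING: " & entry.Name & " has more than Reader access"
                ok = False
            End If
        End Select
        Set entry = acl.GetNextEntry(entry)
    Loop
    If ok Then Print "Replica ACL matches the read-only design"
End Sub
```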
JdillonAuthor Commented:
Thank you for your quick, thorough response. I have a question about this part: "Now setup domain2's Master Address Book specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance". We are using cascading address books; is the use of a MAB necessary for this process to work? If not necessary, why is this method preferred? Your assistance is much appreciated.
The reason I say MAB is because since 4.6.2 (I think!) Domino no longer supports cascading address books (i.e. they still work, but they are not the recommended solution).. Also web authentication does not work using cascading address books; you must use an MAB for this, if required...

Cascading address books work for mail just fine.. So if you are only going to be using the secondary address book for MAIL ONLY and not as an authentication source for web clients then you would be fine to use cascading instead of MAB... Everything else I have explained would be exactly the same, but instead of setting up the MAB, edit the notes.ini and add the new replica to the NAMES line on domain2's server...

JdillonAuthor Commented:
Thank you, your answers were very helpful.