

Adding domain

Posted on 2000-04-12
Medium Priority
Last Modified: 2013-12-18
I need to add a domain to our Lotus Notes mixed R5 and 4.6 environment. This domain needs to be able to access a replica of our NAB and replicate with other NABs on our other Notes named servers. We need to allow this domain to use the replica of the NAB to send/address email, but we want to limit or not allow them to look at or edit any other aspect of the NAB (e.g. servers, ACLs, etc.). We also want to make sure our network is secure. Any ideas?
Question by:Jdillon

Author Comment

ID: 2716751
Adjusted points from 100 to 200

Expert Comment

ID: 2722141
First of all, you need to create the domain you have been talking about. I will call that Domain2. Now if I recall correctly, you need the email address of people from Domain1.

1) What you need to do is to create a minimal PAB from Domain1 and keep it onto Domain2's server. This will hide all your connection docs, server docs etc. and give Domain2 the bare minimum.

2) You will need to create a Master Address book in Domain2 so you can resolve the names in Domain1.

3) Additionally, you need to specify to NOT accept any ACL changes. This will be done in Domain1 so no changes that are broadcast from Domain2 are accepted.

4) Keep in mind that R4.6 and R5 use different ODS (On-Disk Structure). So once the 4.6 server and R5 server replicate, the 4.6 server will not be able to understand the database. For this, you can refresh the design of the database. Or you can specify not to accept any design changes.

For all this, you can use the Admin help or alternatively go to www.notes.net and get yourself the R5 documentation in PDF format. Read it thoroughly and you should have all the answers.

Hope this helps


Author Comment

ID: 2723950
Adjusted points from 200 to 300


Author Comment

ID: 2723952
This answer is somewhat helpful, but I need more information: how does authentication take place? Can mail be routed between Domain 1 and Domain 2 using this method? Does an exchange of server IDs need to take place? Can information be selectively replicated? In other words, if I replicate from the "complete copy" of the PAB on Domain 1 to a pared-down version on Domain 2, will it not then be populated with server information, etc.?
Also, if Domain 1 is Notes version 5.0 and Domain 2 is Notes version 4.6, when the PAB is replicated does the design need to be refreshed on Domain 2 each time replication takes place?

Accepted Solution

Simon_Hendry earned 1200 total points
ID: 2724669
I think the best thing to do is give that domain a read-only copy of your NAB ..

Firstly you will need to cross-certify with that domain if you have not already; this will mean that both domains trust each other's certificates. If you need to know how to do this then look in the Domino admin help, all the information you need is there... (cross-certification is how authentication takes place)

Once you have set up a cross certificate, then you will need to do two things: set up a mail routing connection between the two domains, and give the other domain a replica of your NAB and set up their MAB....

The best thing to do for the NAB to make it secure is to create a new replica of domain1's address book on domain2's primary server and change the ACL so that domain2's server has only Reader access and domain1's server is a Manager. (You will also need to specify in each server's server document that the other server has access to use the other server.)

The issue of domain1's address book being R5 doesn't really matter that much unless someone on domain2's side needs to look at it via an R4 Notes client.. If this isn't the case then don't worry about it; if it is the case then only give domain1's server Editor access to the replica on domain2's server and change the design of the replica back to an R4 address book... This way when replication occurs domain1's server will not have access to update the design elements, only the data...

If you wanted to you could also set a replication rule on the new replica so that it only replicates a subset of data (i.e. only the servers that are needed for mail routing, and users).. You would need to test that this works, because I am unsure whether removing certain servers will affect mail routing to them from other domains.. Technically all you should need is the server that the mail routes through, but you never know!!!...

Now set up domain2's Master Address Book, specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance.. Again check out the admin help on how to do this....

Now create a connection document in domain2's address book between the domain1 and domain2 servers for mail routing... And all should be well!!


Author Comment

ID: 2724744
We are getting close. I still need to know if it is necessary for Domain 1 and 2 to exchange server IDs. Also, if server IDs are exchanged, will that allow Domain 2 to change the ACL on their replica of Domain 1's NAB, which might change the ACL on Domain 1 once replication takes place? An explanation of cross-certification would also be helpful.

Expert Comment

ID: 2724854
As I said, authentication is via cross-certification, so you need to exchange safe IDs (a safe, cross-certifiable ID); this is done only once. Therefore no, the server IDs are not exchanged; what is exchanged is a safe copy of the domain certificates, only once. After that the servers trust each other so there is no need to exchange IDs...

And no, this does not allow a domain2 server to change the ACL. As I explained above, if you only give domain2's server Reader access to the database replica, then that server is only a READER, therefore they cannot change the ACL..
To be completely safe about this you should make sure that "Maintain consistent ACL across replicas" is on..

Cross certification is the process by which an external source gives you their certificates and you certify those certificates using your certifier to create a cross-certificate.. This means that any other certificates created using your certifier now trust the certificates of the external source...

As I said you don't have to cross certify at the topmost certifier, but if the two domains are going to send mail backwards and forwards it is much easier than creating server-by-server or OU-by-OU cross certificates...

To cross certify here is what you have to do..

Get the Domain1 certifier ID and switch to it in your client... Then choose File -> Tools -> User ID -> More Options, and press the Create Safe Copy button. This creates a safe copy of your certifier, which is a copy that contains certificate information that is only usable for cross certification, not for creating any sibling certificates. Now take this ID that you just created and from a Domain2 Administrator's client (R4) go to File -> Tools -> Server Administration -> Certificates -> Cross Certify ID and follow the prompts...

This will cross certify Domain1 for Domain2... Which means Domain2 now trusts Domain1 certificates... Now repeat the process but in the opposite direction....

For further reading check out the Lotus KB at the Lotus web site or look at Domino Admin Help....

If you need any more help just say.. I administer 5 domains, all cross certified and using MAB; it works great and it is secure

Author Comment

ID: 2728219
Thank you for your quick, thorough response. I have a question about this part: "Now setup domain2's Master Address Book specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance". We are using cascading address books; is the use of a MAB necessary for this process to work? If not necessary, why is this method preferred? Your assistance is much appreciated.

Expert Comment

ID: 2728626
The reason I say MAB is because since 4.6.2 (I think!) Domino no longer supports cascading address books (i.e. they still work, but they are not the recommended solution).. Also web authentication does not work using cascading address books; you must use an MAB for this, if required...

Cascading address books work for mail just fine.. So if you are only going to be using the secondary address book for MAIL ONLY and not as an authentication source for web clients, then you would be fine to use cascading instead of MAB... Everything else I have explained would be exactly the same, but instead of setting up the MAB, edit the notes.ini and add the new replica to the NAMES line on domain2's server...


Author Comment

ID: 2732406
Thank you, your answers were very helpful.
