Jdillon
Adding domain

I need to add a domain to our Lotus Notes mixed R5 and 4.6 environment. This domain needs to be able to access a replica of our NAB and replicate with other NABs on our other Notes named servers. We need to allow this domain to use the replica of the NAB to send/address email, but we want to limit or not allow them to look at or edit any other aspect of the NAB, e.g. servers, ACLs, etc. We also want to make sure our network is secure. Any ideas?
Sandeep_Kohli_

First of all, you need to create the domain you have been talking about. I will call that Domain2. Now if I recall correctly, you need the email address of people from Domain1.

1) What you need to do is to create a minimal PAB from Domain1 and keep it onto Domain2's server. This will hide all your connection docs, server docs etc. and give Domain2 the bare minimum.

2) You will need to create a Master Address book in Domain2 so you can resolve the names in Domain1.

3) Additionally, you need to specify to NOT accept any ACL changes. This will be done in Domain1 so no changes that are broadcast from Domain2 are accepted.

4) Keep in mind that R4.6 and R5 use different ODS (On Disk Structure). So once the 4.6 server and R5 server replicate, the 4.6 server will not be able to understand the database. For this, you can refresh the design of the database. Or you can specify not to accept any design changes.

For all this, you can use the Admin help or alternatively go to www.notes.net and get yourself the R5 documentation in PDF format. Read it thoroughly and you should have all the answers.

Hope this helps

Sandeep
Jdillon

ASKER

This answer is somewhat helpful, but I need more information: how does authentication take place? Can mail be routed between Domain 1 and Domain 2 using this method? Does an exchange of server IDs need to take place? Can information be selectively replicated? In other words, if I replicate from the "complete copy" of the PAB on Domain 1 to a pared-down version on Domain 2, will it not then be populated with server information, etc.?
Also, if Domain 1 is Notes version 5.0 and Domain 2 is Notes version 4.6, when the PAB is replicated does the design need to be refreshed on Domain 2 each time replication takes place?
ASKER CERTIFIED SOLUTION
Simon_Hendry

Jdillon

ASKER

We are getting close. I still need to know if it is necessary for Domain 1 and 2 to exchange server IDs. Also, if server IDs are exchanged, will that allow Domain 2 to change the ACL on their replica of Domain 1's NAB, which might change the ACL on Domain 1 once replication takes place? An explanation of cross-certification would also be helpful.
As I said, authentication is via cross-certification, so you need to exchange safe IDs (a safe, cross-certifiable ID); this is done only once. Therefore, no, the server IDs are not exchanged; what is exchanged is a safe copy of the domain certificates, only once. After that the servers trust each other, so there is no need to exchange IDs...

And no, this does not allow a Domain2 server to change the ACL. As I explained above, if you only give Domain2's server Reader access to the database replica, then that server is only a READER, therefore they cannot change the ACL..
To be completely safe about this you should make sure that "Maintain consistent ACL across replicas" is on..

Cross certification is the process by which an external source gives you their certificates and you certify those certificates using your certifier to create a cross-certificate.. This means that any other certificates created using your certifier now trust the certificates of the external source...

As I said, you don't have to cross certify at the top-most certifier, but if the two domains are going to send mail backwards and forwards it is much easier than creating server-by-server or OU-by-OU cross certificates...

To cross certify here is what you have to do..

Get the Domain1 certifier ID and switch to it in your client... Then choose File -> Tools -> User ID -> More Options and press the Create Safe Copy button. This creates a safe copy of your certifier, which is a copy that contains certificate information that is only usable for cross certification, not for creating any sibling certificates. Now take this ID that you just created and, from a Domain2 Administrator's client (R4), go to File -> Tools -> Server Administration -> Certificates -> Cross Certify ID and follow the prompts...

This will cross certify Domain1 for Domain2... which means Domain2 now trusts Domain1 certificates... Now repeat the process but in the opposite direction....

For further reading check out the Lotus KB at the Lotus web site or look at Domino Admin Help....

If you need any more help just say.. I administer 5 domains, all cross certified and using a MAB; it works great and it's secure.
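To make the trust rules in the answer above concrete (a cross-certificate for a certifier covers every ID issued under it, and server authentication needs the cross-certificate in both directions), here is a small Python model. It is an added illustration written for this thread, not Domino's own code; the `Domain`, `NotesID` and `certifier_chain` names and the `/Domain1`, `/Domain2`, `/Sales/Domain2` sample hierarchy are constructed for the example.

```python
"""Toy model of Domino hierarchical-name trust and cross-certification.
Hypothetical illustration, not the Domino implementation: a domain trusts an ID
when the ID's certifier, or any ancestor certifier above it, is either the
domain's own certifier or one the domain has cross-certified from a safe copy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NotesID:
    name: str        # hierarchical name, e.g. "Mail01/Domain1"
    certifier: str   # certifier that issued it, e.g. "/Domain1" or "/Sales/Domain1"


def certifier_chain(certifier: str) -> list:
    """'/Sales/Domain1' -> ['/Sales/Domain1', '/Domain1'] (most specific first)."""
    parts = certifier.strip("/").split("/")
    return ["/" + "/".join(parts[i:]) for i in range(len(parts))]


class Domain:
    def __init__(self, certifier: str):
        self.certifier = certifier   # the domain's top-level certifier, e.g. "/Domain2"
        self.cross_certs = set()     # foreign certifiers this domain has cross-certified

    def cross_certify(self, safe_copy_of: str) -> None:
        """Record a cross-certificate made from a safe copy of a foreign certifier.
        A safe copy carries only the certificate, so it cannot issue new IDs."""
        self.cross_certs.add(safe_copy_of)

    def trusts(self, other: NotesID) -> bool:
        """Trusted if the ID descends from our own certifier or a cross-certified one."""
        return any(c == self.certifier or c in self.cross_certs
                   for c in certifier_chain(other.certifier))


def can_authenticate(id_a: NotesID, dom_a: "Domain", id_b: NotesID, dom_b: "Domain") -> bool:
    """Server-to-server authentication requires trust in both directions."""
    return dom_a.trusts(id_b) and dom_b.trusts(id_a)


if __name__ == "__main__":
    # Constructed scenario: two domains cross-certified at the top-level certifier.
    domain1, domain2 = Domain("/Domain1"), Domain("/Domain2")
    hub1 = NotesID("Hub01/Domain1", "/Domain1")
    mail2 = NotesID("Mail01/Domain2", "/Domain2")
    domain2.cross_certify("/Domain1")                        # one direction only
    print(can_authenticate(hub1, domain1, mail2, domain2))   # False: Domain1 does not trust Domain2 yet
    domain1.cross_certify("/Domain2")                        # the reverse direction
    print(can_authenticate(hub1, domain1, mail2, domain2))   # True
    sales2 = NotesID("Sales01/Sales/Domain2", "/Sales/Domain2")
    print(domain1.trusts(sales2))                            # True: the OU descends from /Domain2
```

Swapping the `cross_certify("/Domain2")` call for `cross_certify("/Sales/Domain2")` shows the OU-level alternative the answer mentions: only IDs under that OU become trusted.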
Jdillon

ASKER

Thank you for your quick, thorough response. I have a question about this part: "Now setup domain2's Master Address Book specifying the new replica of domain1's address book on the domain2 server as a trusted directory assistance". We are using cascading address books; is the use of a MAB necessary for this process to work? If not necessary, why is this method preferred? Your assistance is much appreciated.
The reason I say MAB is because since 4.6.2 (I think!) Domino no longer supports cascading address books (i.e. they still work, but they are not the recommended solution).. Also web authentication does not work using cascading address books; you must use an MAB for this, if required...

Cascading address books work for mail just fine.. So if you are only going to be using the secondary address book for MAIL ONLY and not as an authentication source for web clients, then you would be fine to use cascading instead of a MAB... Everything else I have explained would be exactly the same, but instead of setting up the MAB, edit the notes.ini and add the new replica to the NAMES line on Domain2's server...

Jdillon

ASKER

Thank you, your answers were very helpful.