How to move databases to a server in another domain using adminp

Posted on 2002-03-21
Last Modified: 2013-12-18
Hello fellow-experts,
I've got a bit of a problem and I can't seem to find where I went wrong right away and I'm feeling lazy today, so here's the question:

I have two servers:
server/pbet
server/pbc

As you can see they are not in the same notes domain, there is however a cross-certificate present in both directions and server/pbet is in the group OtherDomainServers of server/pbc and vice versa.

The group OtherDomainServers is always in a database's ACL with Manager access.

I've set up a connection document to server/pbc in the address book of server/pbet, with the schedule being disabled, since I don't want automatic replicating, only when I request it.

Now, in the administration client I open server/pbet and go to the Files tab. I select a database to move and specify the destination server: server/pbc.

The move is initiated through adminp, I can see in the administration log the following entries appearing:
- server/pbet performed action "Check access for Non-cluster Move Replica"
- server/pbet performed action "Non Cluster Move Replica".

The first one is okay, but the second one returns an error:
Title: pbet's Address Book
File name: names.nsf; Name: server/pbc; Error: User or server not found in Name and Address Book

I've checked the following against the documentation:
1. source and destination server are running adminp
2. the user performing the action has create database rights on the destination server and manager access with delete on the databases on the source server (it's actually an administrator with full rights on both servers)
3. The source server has create replica access in the ACL of the server. (I suppose, if I put the group OtherDomainServers in the section 'Create replica databases' of the server documents, this should be okay)
4. The destination server has at least reader access in the ACL of the replica on the source server. The group OtherDomainServers has manager access to the database and the server belongs to this group, so this should be okay.

Looks like adminp is looking for the name of the destination server in the address book of the source server and of course it doesn't find that name in there, except in the group OtherDomainServers.
What am I forgetting ????
Question by:Jean Marie Geeraerts
23 Comments
 
Expert Comment

by:zvonko
You forget to tell us what is the source server and what is the destination :-)

OK, entering the group alone as manager is not enough. To be able to check whether server/pbc is allowed to access server/pbet, it is not enough to have the cross-cert between pbet and pbc. You need the public key of server/pbc in the pbet domain's address book.

So my recommendation is to temporarily cut'n'paste the server document of server/pbc from the pbc domain address book to the address book of the pbet domain.

Also check the ACL of admin4.nsf on destination server server/pbet. But this seems to be right, because the basic AccessCheck went well.

 
Expert Comment

by:zvonko
Of course I mean copy&paste of the server document and not CUT (huh... :-)

Expert Comment

by:HemanthaKumar
Doesn't Adminp work only in its own domain ???

Check this link for troubleshooting points: http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=2A0EE65D8D3217CC802563F10030D4D6

Why don't you replicate the database and delete the original one ?

~Hemanth

Author Comment

by:Jean Marie Geeraerts
Replicating gives similar problems, I'll try the copy/paste tomorrow and see how far that gets me.

Source server is server/pbet.
Destination server is server/pbc.

TTYL

Hemanth,
According to the documentation this should work across domains, if all necessary requirements are met as stated in the documentation (and repeated in my comment).

Expert Comment

by:HemanthaKumar
Ok, let us wait for the results.

Expert Comment

by:zvonko
Hello JM,

Please forget this server document copy. This would be too simple :-)
You need a Cross-domain Configuration document on the request destination domain side (pbc).

For the complete list of required tasks please look here:
http://doc.notes.net/domino_notes/5.0.3/help5_admin.nsf/078c27b23262ffff852566dd0029426a/ddf813a3e88ad6150525687b0065b86d?OpenDocument&AutoFramed
http://doc.notes.net/domino_notes/5.0.3/help5_admin.nsf/078c27b23262ffff852566dd0029426a/6c27a092f29e9f5b0525687b0065ebfc?OpenDocument&AutoFramed

Good luck,
zvonko

PS: the reason why I proposed the server document copy was that I had good experience with doing so when this damned option "CheckPublicKeys" was turned on in our domain. After a while with similar dirty tricks we turned this option off again :-)

Author Comment

by:Jean Marie Geeraerts
Okay, so I have just added the Administrators group to the "List of administrators who are allowed to create Cross Domain Configuration documents in the Administration Process database:" of the Domino Directory Profile of the address books on both servers.
I've also added the same group to have manager access to the Administration Requests database.

I created an Outbound Cross Domain Configuration document on the source server, server/pbet with the following :
- Domains to submit AdminP requests to: PBC
- List of AdminP requests to submit: Create Replica
- Only submit Create Replica Requests to the domains listed above if the destination server is one of the following: server/pbc (Server Name) - PBC (Domain name)
- List of approved signers: I specified the members of the admin group's fully qualified names here.

I created an Inbound Cross Domain Configuration document on the destination server, server/pbc with the following:
- Receive AdminP requests from domains: pbet
- List of AdminP requests allowed from other domains: Create Replica
- Only allow Create Replica requests if intended for one of the following servers: server/pbc
- List of approved signers : the members of the admin group with their fully distinguished name.

I even copied the server document from the directory of server/pbc to the directory of server/pbet, but I still get exactly the same error.

I can also notice on the server console of the destination server, that a session is opened by the source server, but nothing appears in the administration log.

Any ideas what's still going wrong?

Expert Comment

by:zvonko
OK, here it comes :-)

Fetch the server.id from server/pbc in binary to your Notes client. Switch to this server.id on your client and try to open some of the concerned databases on . Observe the whole time the live console of ... STOP!

Your destination server name is not found in the source request domain address book. You see?

From my point of view the AdminP request was never replicated to the admin4.nsf replica on pbc. Or are there facts showing you progress of the request on the pbc side?

Author Comment

by:Jean Marie Geeraerts
That's exactly what's happening, but why?

Expert Comment

by:zvonko
In the link from Hemanth there are six questions from Lotus support. Can you answer all six questions (to you :-)?

May I call you on the phone to discuss all this: not to give you a recommendation, but only in the hope that when you explain the problem to me you get your answer yourself. May I?

Author Comment

by:Jean Marie Geeraerts
Let me look at the six questions first and then I'll send you a little mail if you can call me. (The weekend is getting close and I'm working on some other stuff too, so it may have to wait until Monday)

Author Comment

by:Jean Marie Geeraerts
Okay, so here's an answer to the questions from the troubleshooting link Hemanth sent:

1. Are hierarchical certifiers being used?
-> No
2. How many servers are running ADMINP?
-> There is one server in each domain and they all run AdminP
3. Do all servers have a replica copy of NAMES.NSF, ADMIN4.NSF and CERTLOG.NSF?
-> They are in different domains, so the databases are all there, but they are not replicas of each other.
4. Is replication of these databases working OK. (MUST have current/updated databases).
-> Doesn't matter for this question, imho.
5. What problems are being encountered and with which databases?
-> See problem description.
6. Which server is specified as the Administration server for their NAB? (check Advanced panel under File, Database, Access Control).
-> server/pbet is the administration server for domain pbet and server/pbc is the administration server for domain pbc

Does this help in any way?

Author Comment

by:Jean Marie Geeraerts
P.S.: Zvonko: you can call me, if I don't answer within 4 rings, that means I have left the office ;-)

Author Comment

by:Jean Marie Geeraerts
Okay, so following our phone call I looked into the cross-certification.
From the domino administrator I did the following:
1. With the ID of an administrator for /pbet domain
  - cross-certify on domain level /pbc
  - create a cross-certificate for server/pbc
2. With the ID of an administrator for /pbc domain
  - cross-certify on domain level /pbet
  - create a cross-certificate for server/pbet

The cross-certificate on the server shouldn't be necessary, but when I switched to the server ID and tried to open a database on the other server, it asked me to create a cross-certificate, so apparently it still wasn't locating the server.
I then added the cross-certificates specifically for the servers and tried to open a database using one server's id on the other server, but still no luck.

Am I doing something wrong with the cross-certification procedure?
- In Administration client go to the Configuration tab
- Select Tools, Certification, Cross Certify...
- Select the certifier ID for the current domain as certifier
- Enter the password for the certifier
- Select the certifier ID for the other domain as "ID to be Cross-certified"
- Set the current domain's server as Server to perform the action
- Set the expiration date
- Click Cross Certify

I've also checked the ACL of certlog.nsf to be sure that administrators have manager access to the database.

This way the cross certificate is created in the domino directory and appears under Miscellaneous, Certificates, Notes Cross Certificates.

What's going wrong here ?

Well, I guess I'll read all about it on Monday. I'm off for the weekend now, so I'll see you on Monday...

Expert Comment

by:HemanthaKumar
The procedure is correct, but once you have certified the cert.id of dest server, you have to recertify the dest server.id, etc., with dest cert.id !

Follow the same procedure for other server too.

~Hemanth

Expert Comment

by:zvonko
JM, go to those two domain address books.
Look for Server\Certificates

On pbet domain you have to have this NotesCrossCertificate:
/pbet
  /pbc

On pbc address book the opposite:
/pbc
  /pbet

My error on the phone was that when switched to server.id, these NotesCrossCertificates are not valid for this server common name in your local names.nsf :-)

Anyway, if the upper two NotesCrossCertificates are present in both domain address books, then no server recertification is needed. Otherwise two domains with a hundred servers on each side would be endlessly recertified :-)
Also cross certificate on the fly for dialog user would not work without user.id recertification. That can not be true.

Still this error "server/pbc not found in names.nsf" makes no sense to me...

Do you have AdjacentDomain documents on both domains?

Good luck,
zvonko

Author Comment

by:Jean Marie Geeraerts
Both certificates were present, but I forgot to define the adjacent domains. -- It's been way too long since I had to do any serious administration, so I'm a bit rusty...
Anyway, I created the adjacent domain documents, but the error still stays the same.

I thought maybe, he's looking in the wrong address book, because I was doing all this with an administrator from a third domain, who has administration rights on all domains, so I added the administrator of the source domain to the administration group of the destination domain and tried with this user. Switched to a location where the home server is the source server and used the ID-file of the administrator of the source domain, but all stays the same.

I'm starting to run out of ideas here (maybe I need to take the refresher course in administration).

Do you still have ideas of what could be wrong?

Accepted Solution

by:
zvonko earned 200 total points
Check this please:
1.) Open on pbet side the names.nsf
2.) Choose Action: EditDirectoryProfile
3.) In the field ListOfAdminsForCrossDomainConfig enter local and remote admin
4.) Do the same on pbc side
5.) Open on pbet side the ADMIN4.NSF
6.) Open view CrossDomainConfiguration
7.) If neither Inbound nor Outbound document is present then select menu: Create->CrossDomainConfiguration
8.) For the content of the fields look here:
http://doc.notes.net/domino_notes/5.0.3/help5_admin.nsf/078c27b23262ffff852566dd0029426a/ddf813a3e88ad6150525687b0065b86d?OpenDocument&AutoFramed
9.) Give both sides the same privileges regardless whether Inbound or Outbound is required.
10.) Look on both server documents for the field: Security->WhoIsAllowedToCreateReplicas. I suppose you have your Admin group there. Check the chain of members for these groups.


Good luck,
zvonko



Author Comment

by:Jean Marie Geeraerts
Checked all of the above and still come up with the same error. Is this a lost cause ???

Here's my configuration in detail:

Domain pbet:
server document
- Create replica databases : Administrators, OtherDomainServers
Groups:
- Administrators : contains all administrators, local and from other domains
- OtherDomainServers : contains the servernames of all other servers
Connections:
- connection document to server in domain pbc
Domains:
- Adjacent domain PBC, without restrictions
Directory Profile:
- Domain defined : pbet
- List of administrators.... : Administrators
Cross certification:
- to domain pbc

Exactly the same is valid for pbc.
Have I left anything out ?

Author Comment

by:Jean Marie Geeraerts
Yes, I forgot to mention the cross domain configuration in admin4.nsf:
- Inbound:
      . Receive AdminP request from domains: pbc
      . List of AdminP requests allowed : Create Replica
      . Only allow Create Replica ... : server/pbet
      . List of approved signers : Administrators, OtherDomainServers
- Outbound:
      . Domains to submit AdminP requests to : pbc
      . List of AdminP requests to submit : Create Replica
      . Only submit ... : Server server/pbc, domain pbc
      . List of approved signers : Administrators, OtherDomainServers

The same two documents exist in pbc (with mirrored values of course).

Author Comment

by:Jean Marie Geeraerts
We didn't really solve my problem here, but I will still award points for the effort taken to help me here.
Thanks zvonko !!

FYI: I bypassed the problem by having the NT administrator create a temporary trust between the NT domains and copied the files through the operating system.
Then shut down the old server and had the temporary trusts removed.

Regards,
JM

Expert Comment

by:zvonko
Thank you JM for this :-)

At the moment I have very little time, so I am happy that at least this is no longer a question. It is a pity because there will not soon be a requirement to test these adminp requests between domains.
Still I keep in mind your question with elegant mounting of shared drives on Domino running as service. I have an idea but no time to test :(

Author Comment

by:Jean Marie Geeraerts
So maybe, I can move up the ladder in EE in the meantime :-) (Getting close to the #5 spot)