Solved

New domain

Posted on 2004-04-12
Last Modified: 2013-12-18
Regarding my move to the new domain (for those who have been answering my questions lately) ...

Let's suppose this :

I have this server with my users "server/DOMAIN" and want to move them to new server with new domain "server/NEWDOMAIN".

How do I do this? After cross certifying the 2 domains, when I make "user > rename > request move to new certifier" the admin client states it cannot find the certificate in the directory.

Can this be done?


Thanks all for the usual support and interest,

Joao
Question by:sync957p
14 Comments
 
LVL 1

Author Comment

by:sync957p
ID: 10806901
Sorry, what I cross certified was both cert.id's
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 10807059
I am not sure what your previous posts have guided you on this subject.

There is a technote which describes a detailed step-by-step procedure on how to move users to a new domain; this is not as trivial as you might think. Take a deep breath and follow the procedure listed in this note:

http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21086417

~Hemanth
0
 
LVL 1

Author Comment

by:sync957p
ID: 10814297
Nice link hemanth,

but it doesn't mention moving mail files to the new server or even if the person documents will be in the new NAB when the process is over.

0
 
LVL 1

Author Comment

by:sync957p
ID: 10814338
Note: after some reading I think that technote really refers to ORGs, not domains... what do you think?
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 10814758
Yes. It is the move to new domain. If you are not doing that but decommissioning the server then use the "Decommission Server Analysis Tool", which is available from R5; this will give you a nice summary of what it will affect and what should be done, that kind of thing.

Also take a look at this technote: http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21087009
0
 
LVL 1

Author Comment

by:sync957p
ID: 10815101
OK, perhaps I put this wrong, let me check it for you:

I plan to move about 400 users from server/OLDDOMAIN, which are in various OU's (like John Doe/MARKETING/SUB/OLDDOMAIN), to a new server/NEWDOMAIN, so they will be in a new server with a name John Doe/MARKETING/NEWDOMAIN.

Also the servers/OLDDOMAIN are R5 and the servers/NEWDOMAIN are R6.5.

So I need to have all my users in NEWDOMAIN / NEWORG NAB, and their mailfiles in the new server.

The top domains are already cross certified. The directories are already working with Directory Assistance and Directory Catalog, although there are no users (yet) in the NEWDOMAIN.

I'll leave the client part to further enquiries :-)
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 10825560
I think I answered you last time.

The trick is to not just cross-certify, but to actually have the new server in the old Directory first, even though it uses a different certifier.  This allows the move to take place within the "old domain."  Once everyone has been moved, you then split the domain.
0
 
LVL 1

Author Comment

by:sync957p
ID: 10826178
so tell if this is it please ....

1 - Create a new Org (NEW) and cross certify OLD and NEW (orgs)

2 - Create a new server id and document for this org in the (OLD) registration server

3 - Set up a new server ( newserver/NEW ) using the id created above (will a new NAB be automatically created here? please advise)

4 - Configure Directory Assistance and Directory Catalog for both directories in all servers, and add all of OLD server's documents in the new nab (copy / paste will do ?)

5 - Check that adminp is running in oldserver/OLD and in newserver/NEW

6 - Rename (recert) all users in my company by using "Rename" > "request move to new certifier" (what about all the OU's? please advise)

7 - Wait (and pray) that all of our users accept the name change

8 - Move mail files of all our company users to the newserver/NEW (using the administrator "move" command)

9 - Configure all of our 400 workstations to use the new server (this could be done in an early stage with a button? please advise)

10 - Delete the old entries for our users and groups in OLD's nab

I'm getting a headache ... what am I missing?

btw : regarding mail only R5 clients should work fine with R6.5 server, right?


0
 
LVL 31

Accepted Solution

by:
qwaletee earned 500 total points
ID: 10827926
Step 3 -- no, you will be using the same old NAB

4 -- DA, yes, DC, should not be necessary.  There is usually only one DC server in a Domain (defining Domain by a single Directory)

6 -- the OU's are up to you, OU's are "sub certifiers" of a root certifier (org certifier).  If you use OU's, just create them from your new root /NEW

7 -- don't forget to send some money to a good cause, can't hurt.  Like me, maybe?

8 -- using the MOVE MAIL FILE button in any of the people views of the directory (including the People & Groups tab in the admin client)

9 -- should not be necessary, you should just have another wait and pray step that the user's workstations all accept the server move automatically

10 -- no!!! you first need to split the nab, making a new non-replica copy for your /new server(s).  Only then should you delete stuff from EACH.

And, 11 -- set up DA across the two NABs
0
 

Expert Comment

by:tuttiwala
ID: 10830013
Hi.

I think there is some confusion in regards to terminology and that is what is making this slightly difficult.

When you say "Domain", you are incorrectly referring it to the last qualifier in a user's name.

ie. joe smith/marketing/acme

"ACME" is NOT the domain. "ACME" is the organization name.

Domain = a group of servers that share the same Domino Directory.


With that said, I think what you want to do is the following:
1. rename users from an old organization to a new organization.
    ie. FROM: joe smith/OldOrg       TO: joe smith/NewOrg

2. You also want to move the user's mail files from the old server to a new server.


Hopefully, I did not misunderstand what you want. If I did, please let me know.

Here are the steps that you should follow in order to accomplish what I listed above.
1. Register a new Org (NewOrg = NewOrg_cert.id)
2. Cross certify NewOrg_cert.id with OldOrg_cert.id (OldOrg)
    (cross certify both ways: New w/ Old and then Old w/ New) - just to be safe.
3. Register a new server id and document in the existing NAB but with the NewOrg_cert.id
    ie. you should have registered: MailServer/NewOrg
4. Install and Configure new server (MailServer/NewOrg) with the id created above.
    You will continue to use the old NAB (You are NOT creating a new domain)
5. I'm not sure why you wanted to create Directory Assistance. It seems as though you want to change all users' and all servers' to the NewOrg.

At this point...
1. You have 2 servers running: OldMailServer/OldOrg and NewMailServer/NewOrg
2. Both top-level cert id's are cross-certified.
3. I suggest renaming users first and then moving mail files.


In Order to rename a user,
1. make sure adminp is indeed running on both servers
2. make sure both servers are setup to replicate often (names.nsf, admin4.nsf)
3. Rename all users in my company by using "Rename" > "request move to new certifier"
what about all the OU's? It depends if you want to move them to similar OU's.

i.e. If you want to move:
FROM Joe Smith/Marketing/OldOrg
TO Joe Smith/Marketing/NewOrg

You will need to create a 'Marketing' OU using the /NewOrg certifier.

That way you can move Joe to a Marketing OU under the NewOrg.

REMEMBER: You can only do mass renames with users that share the same certifier.

i.e. You have 10 users.
5 with /Marketing/OldOrg => /Marketing/NewOrg
5 with /Sales/OldOrg         => /Sales/NewOrg

You can only choose the 5 users with the similar certifier when doing the rename.

You can't select 1 Marketing user and 1 Sales user and attempt to do the rename in the same request.

So, select all 5 Marketing users, click Rename to new certifier, select the /Marketing/OldOrg certifier, and then choose the /Marketing/NewOrg certifier.


7 - You could Wait (and pray) that all of our users accept the name change.
     Or you could do it for them, if you had access to their id's.

8. Monitor the name changes.. and make sure they complete.

Now it's time to move mail files.

9 - Move mail files of all our company users to the NewMailServer/NewOrg (using the administrator "move" command)

The adminp process will take care of updating user's location documents to use the new mail server.

10. Approve the mail file deletions on the old server in the admin4 database.

This will accomplish what you want if I understood you correctly.


In regards to your question about mail:
will only R5 clients work fine with R6.5 server?

Well, you should keep the r5 template for all of the mail files until you upgrade the clients to 6. But you can feel free to upgrade the ODS (file format) from 41 to 43 for the mail files using compact.

Hope that helps.
0
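A planning aid for the rule in the comment above, that one rename request can only cover users who share the same source certifier (an added example, not part of the original thread). The user names, the `OU_MAP` override that flattens one OU level, and all function names are constructed for illustration; the script only plans batches offline and does not talk to a Domino server.

```python
from collections import defaultdict

# Constructed sample names, modelled on the examples in the thread.
USERS = [
    "Joe Smith/Marketing/OldOrg",
    "Ann Lee/Marketing/OldOrg",
    "Raj Patel/Sales/OldOrg",
    "Mia Wong/Marketing/Sub/OldOrg",
]
# Assumed override: flatten /Marketing/Sub into /Marketing under the new org.
OU_MAP = {"/Marketing/Sub/OldOrg": "/Marketing/NewOrg"}

def split_name(name):
    """Split 'CN/OU/.../O' into (common name, certifier such as '/OU/O')."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical name: {name!r}")
    return parts[0], "/" + "/".join(parts[1:])

def target_certifier(cert, old_org, new_org, ou_map=None):
    """Map a source certifier to its counterpart under the new organization."""
    if ou_map and cert in ou_map:
        return ou_map[cert]
    parts = cert.strip("/").split("/")
    if parts[-1].lower() != old_org.lower():
        raise ValueError(f"{cert} is not under /{old_org}")
    return "/" + "/".join(parts[:-1] + [new_org])

def plan_renames(users, old_org, new_org, ou_map=None):
    """Group users into batches keyed by (source certifier, target certifier)."""
    batches = defaultdict(list)
    for name in users:
        cn, cert = split_name(name)
        batches[(cert, target_certifier(cert, old_org, new_org, ou_map))].append(cn)
    return dict(batches)

def certifiers_to_create(plan):
    """OU certifiers needed under the new org, parents before children."""
    needed = set()
    for _, target in plan:
        parts = target.strip("/").split("/")
        for i in range(len(parts) - 1):   # every suffix longer than the bare org
            needed.add("/" + "/".join(parts[i:]))
    return sorted(needed, key=lambda c: (c.count("/"), c))

if __name__ == "__main__":
    plan = plan_renames(USERS, "OldOrg", "NewOrg", OU_MAP)
    for (src, dst), names in plan.items():
        print(f"{src} -> {dst}: {', '.join(names)}")
    print("create first:", certifiers_to_create(plan))
```

Each key of the plan corresponds to one "request move to new certifier" action in the admin client, and the second list is the set of OU certifiers to register under the new organization before starting.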
 
LVL 31

Expert Comment

by:qwaletee
ID: 10833477
tuttiwala,
sync957p is trying to split a Notes environment in two, necessitating a new org, new directory, and new domain. Technically, a domain is simply a group of users and servers that share the same "@xyz" in the Notes address.  It is sort of self defining: a domain consists of all server and person documents that share the same domain name and have native Notes mail routing available among them.

The purpose of Directory Assistance was to allow addressing between the two parts of the split, once the split is complete.

I did leave out one step: After the split, and after setting up Directory Assistance, you also need to set up at least one connection document on each side indicating which server in domain old can reach which server in domain new at what network address, and vice versa.  The connection documents, one per Directory (or more) would go in the SOURCE server directory (the one from abc/old to xyz/new would go in the Directory servicing the /old organization).
0
 

Expert Comment

by:tuttiwala
ID: 10847586
Actually, it really doesn't look like sync957p needs to create a new domain (aka new directory) for what he is trying to accomplish. It looks like he just wants to create a new organization, and get rid of the old one... according to his mention of step 10 (10 - Delete the old entries for our users and groups in OLD's nab)

But, again, I may have misunderstood exactly what sync957p is trying to accomplish. sync957p can clarify that.
0
 
LVL 1

Author Comment

by:sync957p
ID: 10860059
qwaletee is right tuttiwala,

sorry if I didn't clarify that, we are a subsidiary company so the guys that own us still need to be in the old NAB, elsewhere I'd be fired ! :-)
0
 
LVL 1

Author Comment

by:sync957p
ID: 11715662
sorry about leaving this open so much time... my job function differed from the usual for a while.
0
