Solved

Cross certification and server docs - 2 domains / 2 different releases

Posted on 2004-09-09
Last Modified: 2013-12-18
Hi all

I thought I had done this in the past, but I'm having trouble repeating the process....

Ok, then :

1 - Cross certify ORG id's (@ org level) - no problems until here
2 - Create connections between 2 servers in different domains - no problems either
3 - Create server documents across domains/pabs ... ok here is the problem...

Copy server document for server1/ORG1 (R5) and paste it in ORG2(R6.5) directory - FAILS
Copy server document for server1/ORG2 (R6.5) and paste it in ORG1(R5) address book - FAILS

ok how do I do this? not copying / pasting ? help?
Question by:sync957p
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014529
Not copying, indeed. Open the Admin client, go for Certificates and Create Cross-certificate.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014543
No, sjef... in cross certification i have no problems.

What I want is to create server documents across different domains, so I can
have an entry for server1/ORG1 in ORG2's address book and vice versa.
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12014553
Why would you want to do that ????

0
 
LVL 1

Author Comment

by:sync957p
ID: 12014602
hummmm .... directory assistance across domains?

Let me check this :

2 different domains, different releases.

1 - cross certify at ORG level
2 - create connection records so servers can "talk"
3 - Create a db based on DA template for each server (lets think in just 1 server per domain to simplify)
4 - Add each server to the other domain address book ACL

Ok, here I'm going to pause to ask - if I don't have an entry for server1/ORG1 in ORG2's address book how
does adminp / ACL / etc. know who he is? :)
so ...
5 - Create server documents across domains/pabs
6 - Change setup profile / policies so workstations can use DA
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014746
Did you cross-certify domains or servers?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014753
What I cross certified was org.id's
0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 227 total points
ID: 12014774
Sorry, didn't see nr 1...

Adminp/ACL: it is up to the administrator to define ACL's. You can put anybody in the ACL, but only someone or some server which has been cross-certified can access this server.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12015068
well ok, but do I need to copy the server document or not?

the error msg while pasting is :

" Cannot store document; database has too many unique field names. Please ask your administrator to compact the database "

I don't think it has anything to do with the subject in hand, since I already deleted the index and compacted the DB (names.nsf).

0
 
LVL 15

Assisted Solution

by:Bozzie4
Bozzie4 earned 150 total points
ID: 12015154
No, you don't need to put in the server document.

Just use the NAME of the server (server1/Org2) in ACL  (of names.nsf on server1/Org1), or put it in the group OtherDomainServers (that's what it's for)

You can't create server documents across domains.  You must use the Administrator client to create servers (not only server documents, but also the certificates, and the id file).  So you should create the new server ('register' server) on the administration server for the domain.  Since you can access it (your servers are able to access it), you can too with your administration client.
This doesn't mean you (as a user for Org1) can't create servers in Org2.  But you MUST register them on the Administration server for that domain (well, at least on A server for that domain).
BTW : If your server can access the other, you can create a passthru connection document in your personal addressbook, so you can access the server from your workstation via your server (is that clear ?)

So DON'T put servers (document) from 1 organization in the addressbook of the other - it's not necessary and can only hurt you.

To create setup profiles and stuff, you can create them directly in the addressbook of the other org.  If you have a replica on your server (to use in dir. assistance) and you have specified this, you can do it on your own server, and replicate the changes back.  I would only do this if you do the replication back manually (so don't allow changes in the replica on your server to be replicated back !, if you have changes, replicate them manually, which you are allowed to do as manager (right ?)).  Policies, same thing, although I think it's best to create them from scratch in the other domain - I don't think they will survive being copy-pasted over databases ....

cheers,

Tom


0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12015167
And you forgot 1 step in setting up directory assistance :

- create the dir ass. database on each server
- create REPLICA's of both names.nsf's on each server, and setup replication between the servers
- create the directory assistance documents on each server, using the local replica's.

cheers,

Tom
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 12016936
Go to the database properties, advanced tab, and enable the allow more field option.  Shut down the server, run ncompact -c names.nsf, restart server, and all should be well.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12017790
wait a sec... qwaletee are you telling that my procedure was correct? bozzie just stated I shouldn't do that.

can you please explain?

0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12017887
No, your procedure is not correct.  Well, it's not correct as long as you are not trying to merge your domains.  But you should still enable that option (it's enabled by default in a new installation, and I think (but I'm not sure) it's enabled when doing an upgrade too).

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12018079
Sorry about the offtopic :

Are you all experts from Portugal / England ?

Just noticed the GMT+00:00 in your posts
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12018127
Belgium -  not GMT :-)  But I think you see all times displayed in your own timezone/timeformat....

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12481233
Well I thought that cross certification went well, but as it turned out it didn't.

When I open the DA database I created in both domains and servers across a domain ( admin.id for DOMAIN 1 opens Directory Assistance DB in server in DOMAIN 2 ) I get a warning that I need to cross certify.

What went wrong with cross certification ? I followed the admin client help procedures (cross certify via "postal service")

Created Safe copies, etc.. and I have a cross certification document, under "certificates" in both domain/orgs.

help?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12482582
What do your cross-certificates look like? If the Domains are cross-certified, then you should have a Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa. If you cross-certified just id's, then you'll see a Xref-document under the category Notes Cross Certificates\DomainA with the name John Do/DomainB.

Did you get any error messages in the log databases?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12483844
Sjef,

They look just like you mentioned in your first description ( Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa ).

I get no errors in the log ( I looked in log.nsf under miscellaneous events and in DOMAIN's certification log )

One thing I noticed is that in the certification log, when I open the cross certification document, the "license type" for the cross certified domain is "unknow" instead of "north american" or "international" - could this be the problem?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12484024
Back to the start: how did you create those cross-certificates? Did you copy and paste those documents? Creating a cross-certificate can best be done as follows:
- get (a (safe) copy of) an id-file on DomainA (safe copy is not required)
- get an Admin client on DomainB
- get a certifier-id for DomainB
- run cross-certification for DomainA on DomainB using a server of DomainB
- repeat the lot for DomainB on DomainA, with the certifier-id for DomainA
0
 
LVL 1

Author Comment

by:sync957p
ID: 12484179
that was exactly it.

I performed the cross certification using the admin client(s), let's not forget the domains use different releases (6.5.2 and 5.11)
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12485247
Okay. Different releases: no big deal usually.

What happens when you try to access a server in DomainB with a user-id created for DomainA? From a normal Notes client? So ^O (or File/Database/Open), select or type the server from DomainB, and click Open so it will find the databases on the server. Does it show any database at all? If it does, then certification is indeed successfully completed.

The DA database is the same (replica) database on both systems? From the About in the DA database:
"To set up directory assistance, you create the Directory Assistance database from the DA50.NTF template. In the Directory Assistance database you define naming rules that associate naming hierarchies with each domain--this allows Notes to search only Public Directories of domains associated with those naming hierarchies when resolving the name of a recipient from another domain. You also use the Directory Assistance database to point to one or more strategically-located replicas of each domain's Public Directory. You then create a replica of the Directory Assistance database on all servers in each domain."
0
 
LVL 1

Author Comment

by:sync957p
ID: 12491737
When I do what you mentioned the notes client suggests I create a cross certificate....

Perhaps I should repeat the entire process ?

What should I do to erase the cross certification I created ? Just delete the cross certification docs ?

Thanks
0
 
LVL 46

Accepted Solution

by:Sjef Bosman
Sjef Bosman earned 227 total points
ID: 12491955
Indeed it might be best to do it again. I must say I never uncrossed a certification, so to make sure you could move those cross-certificate documents out of the way, i.e. cut and paste them into a separate database.

Good luck!
0
 
LVL 1

Author Comment

by:sync957p
ID: 12533903
Sorry for making this a 2-in-1 question, guys.

Thanks for making me realize my initial stupidity ( trying to paste server documents across domains ).

As for the cross certification issue I just found out that this is really how cross certification works ( while talking to Lotus Support )... what I mean is : it doesn't matter if you cross certified at ORG level... all users will receive a notice to create a cross certificate in their personal address book, when they access a db in the other domain for the first time.

As usual thanks all for pointing me in the right directions.

0
 
LVL 1

Author Comment

by:sync957p
ID: 12533942
And just a notice for all you Lotus Administrators and/or employees out there :

Shouldn't the administrator's client help include some lines to explain this behaviour ( cross certification dialog boxes to end users) to admins?

I think that at least Rob Kirkland's book should include this...
0