Solved

Cross certification and server docs - 2 domains / 2 different releases

Posted on 2004-09-09
25
Medium Priority
416 Views
Last Modified: 2013-12-18
Hi all

I thought I had done this in the past, but I'm having trouble repeating the process....

Ok, then :

1 - Cross certify ORG id's (@ org level) - no problems until here
2 - Create connections between 2 servers in different domains - no problems either
3 - Create server documents across domains/pabs ... ok here is the problem...

Copy server document for server1/ORG1 (R5) and paste it in ORG2(R6.5) directory - FAILS
Copy server document for server1/ORG2 (R6.5) and paste it in ORG1(R5) address book - FAILS

ok how do I do this? not copying / pasting ? help?
0
Question by:sync957p
25 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014529
Not copying, indeed. Open the Admin client, go for Certificates and Create Cross-certificate.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014543
No, sjef... in cross certification i have no problems.

What I want is to create server documents across different domains, so I can
have an entry for server1/ORG1 in ORG2's address book and vice versa.
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12014553
Why would you want to do that ????

0
 
LVL 1

Author Comment

by:sync957p
ID: 12014602
hummmm .... directory assistance across domains?

Let me check this :

2 different domains, different releases.

1 - cross certify at ORG level
2 - create connection records so servers can "talk"
3 - Create a db based on DA template for each server (let's think in just 1 server per domain to simplify)
4 - Add each server to the other domain address book ACL

Ok, here I'm going to pause to ask - if I don't have an entry for server1/ORG1 in ORG2's address book how
does adminp / ACL / etc. know who he is? :)
so ...
5 - Create server documents across domains/pabs
6 - Change setup profile / policies so workstations can use DA
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014746
Did you cross-certify domains or servers?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014753
What I cross certified was org.id's
0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 908 total points
ID: 12014774
Sorry, didn't see nr 1...

Adminp/ACL: it is up to the administrator to define ACL's. You can put anybody in the ACL, but only someone or some server which has been cross-certified can access this server.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12015068
well ok, but do I need to copy the server document or not?

the error msg while pasting is :

" Cannot store document; database has too many unique field names. Please ask your administrator to compact the database "

I don't think it has anything to do with the subject in hand, since I already deleted the index and compacted the DB (names.nsf).

0
 
LVL 15

Assisted Solution

by:Bozzie4
Bozzie4 earned 600 total points
ID: 12015154
No, you don't need to put in the server document.

Just use the NAME of the server (server1/Org2) in ACL  (of names.nsf on server1/Org1), or put it in the group OtherDomainServers (that's what it's for)

You can't create server documents across domains.  You must use the Administrator client to create servers (not only server documents, but also the certificates, and the id file).  So you should create the new server ('register' server) on the administration server for the domain.  Since you can access it (your servers are able to access it), you can too with your administration client.
This doesn't mean you (as a user for Org1) can't create servers in Org2.  But you MUST register them on the Administration server for that domain (well, at least on A server for that domain).
BTW : If your server can access the other, you can create a passthru connection document in your personal addressbook, so you can access the server from your workstation via your server (is that clear ?)

So DON'T put servers (document) from 1 organization in the addressbook of the other - it's not necessary and can only hurt you.

To create setup profiles and stuff, you can create them directly in the addressbook of the other org.  If you have a replica on your server (to use in dir. assistance) and you have specified this, you can do it on your own server, and replicate the changes back.  I would only do this if you do the replication back manually (so don't allow changes in the replica on your server to be replicated back !, if you have changes, replicate them manually, which you are allowed to do as manager (right ?)).  Policies, same thing, although I think it's best to create them from scratch in the other domain - I don't think they will survive being copy-pasted over databases ....

cheers,

Tom


0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12015167
And you forgot 1 step in setting up directory assistance :

- create the dir ass. database on each server
- create REPLICA's of both names.nsf's on each server, and set up replication between the servers
- create the directory assistance documents on each server, using the local replica's.

cheers,

Tom
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 12016936
Go to the database properties, advanced tab, and enable the allow more field option.  Shut down the server, run ncompact -c names.nsf, restart server, and all should be well.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12017790
wait a sec... qwaletee are you telling that my procedure was correct? bozzie just stated I shouldn't do that.

can you please explain?

0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12017887
No, your procedure is not correct.  Well, it's not correct as long as you are not trying to merge your domains.  But you should still enable that option (it's enabled by default in a new installation, and I think (but I'm not sure) it's enabled when doing an upgrade too).

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12018079
Sorry about the offtopic :

Are you all experts from Portugal / England ?

Just noticed the GMT+00:00 in your posts
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12018127
Belgium -  not GMT :-)  But I think you see all times displayed in your own timezone/timeformat....

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12481233
Well I thought that cross certification went well, but as it turned out it didn't.

When I open the DA database I created in both domains and servers across a domain ( admin.id for DOMAIN 1 opens Directory Assistance DB in server in DOMAIN 2 ) I get a warning that I need to cross certify.

What went wrong with cross certification ? I followed the admin client help procedures (cross certify via "postal service")

Created Safe copies, etc.. and I have a Cross certification document, under "certificates" in both domain/orgs.

help?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12482582
What do your cross-certificates look like? If the Domains are cross-certified, then you should have a Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa. If you cross-certified just id's, then you'll see a Xref-document under the category Notes Cross Certificates\DomainA with the name John Do/DomainB.

Did you get any error messages in the log databases?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12483844
Sjef,

They look just like you mentioned in your first description ( Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa ).

I get no errors in the log ( I looked in log.nsf under miscellaneous events and in DOMAIN's certification log )

One thing I noticed is that in the certification log, when I open the cross certification document is that the "license type" for the cross certified domain is "unknow" instead of "north american" or "international" - could this be the problem?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12484024
Back to the start: how did you create those cross-certificates? Did you copy and paste those documents? Creating a cross-certificate can best be done as follows:
- get (a (safe) copy of) an id-file on DomainA (safe copy is not required)
- get an Admin client on DomainB
- get a certifier-id for DomainB
- run cross-certification for DomainA on DomainB using a server of DomainB
- repeat the lot for DomainB on DomainA, with the certifier-id for DomainA
0
 
LVL 1

Author Comment

by:sync957p
ID: 12484179
that was exactly it.

I performed the cross certification using the admin client(s), let's not forget the domains use different releases (6.5.2 and 5.11)
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12485247
Okay. Different releases: no big deal usually.

What happens when you try to access a server in DomainB with a user-id created for DomainA? From a normal Notes client? So ^O (or File/Database/Open), select or type the server from DomainB, and click Open so it will find the databases on the server. Does it show any database at all? If it does, then certification is indeed successfully completed.

The DA database is the same (replica) database on both systems? From the About in the DA database:
"To set up directory assistance, you create the Directory Assistance database from the DA50.NTF template. In the Directory Assistance database you define naming rules that associate naming hierarchies with each domain--this allows Notes to search only Public Directories of domains associated with those naming hierarchies when resolving the name of a recipient from another domain. You also use the Directory Assistance database to point to one or more strategically-located replicas of each domain's Public Directory. You then create a replica of the Directory Assistance database on all servers in each domain."
0
 
LVL 1

Author Comment

by:sync957p
ID: 12491737
When I do what you mentioned the Notes client suggests I create a cross certificate....

Perhaps I should repeat the entire process ?

What should I do to erase the cross certification I created ? Just delete the cross certification docs ?

Thanks
0
 
LVL 46

Accepted Solution

by:Sjef Bosman
Sjef Bosman earned 908 total points
ID: 12491955
Indeed it might be best to do it again. I must say I never uncrossed a certification, so to make sure you could move those cross-certificate documents out of the way, i.e. cut and paste them into a separate database.

Good luck!
0
 
LVL 1

Author Comment

by:sync957p
ID: 12533903
Sorry for making this a 2-in-1 question, guys.

Thanks for making me realize my initial stupidity ( trying to paste server documents across domains ).

As for the cross certification issue I just found out that this is really how cross certification works ( while talking to Lotus Support )... what I mean is : it doesn't matter if you cross certified at ORG level... all users will receive a notice to create a cross certificate in their personal address book, when they access a db in the other domain for the first time.

As usual thanks all for pointing me in the right directions.

0
 
LVL 1

Author Comment

by:sync957p
ID: 12533942
And just a notice for all you Lotus Administrators and/or employees out there :

Shouldn't the administrator's client help include some lines to explain this behaviour ( cross certification dialog boxes to end users) to admins?

I think that at least Rob Kirkland's book should include this...
0


Question has a verified solution.