Solved

Cross certification and server docs - 2 domains / 2 different releases

Posted on 2004-09-09
Last Modified: 2013-12-18
Hi all

I thought I had done this in the past, but I'm having trouble repeating the process....

Ok, then :

1 - Cross certify ORG id's (@ org level) - no problems until here
2 - Create connections between 2 servers in different domains - no problems either
3 - Create server documents across domains/pabs ... ok here is the problem...

Copy server document for server1/ORG1 (R5) and paste it in ORG2(R6.5) directory - FAILS
Copy server document for server1/ORG2 (R6.5) and paste it in ORG1(R5) address book - FAILS

ok how do I do this? not copying / pasting ? help?
Question by:sync957p
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014529
Not copying, indeed. Open the Admin client, go for Certificates and Create Cross-certificate.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014543
No, Sjef... in cross certification I have no problems.

What I want is to create server documents across different domains, so I can
have an entry for server1/ORG1 in ORG2's address book and vice versa.
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12014553
Why would you want to do that ????

0
 
LVL 1

Author Comment

by:sync957p
ID: 12014602
hummmm .... directory assistance across domains?

Let me check this :

2 different domains, different releases.

1 - cross certify at ORG level
2 - create connection records so servers can "talk"
3 - Create a db based on DA template for each server (let's think of just 1 server per domain to simplify)
4 - Add each server to the other domain address book ACL

Ok, here I'm going to pause to ask - if I don't have an entry for server1/ORG1 in ORG2's address book how
does adminp / ACL / etc. know who he is? :)
so ...
5 - Create server documents across domains/pabs
6 - Change setup profile / policies so workstations can use DA
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12014746
Did you cross-certify domains or servers?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12014753
What I cross certified was org.id's
0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 227 total points
ID: 12014774
Sorry, didn't see nr 1...

Adminp/ACL: it is up to the administrator to define ACLs. You can put anybody in the ACL, but only someone or some server which has been cross-certified can access this server.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12015068
well ok, but do I need to copy the server document or not?

the error msg while pasting is :

" Cannot store document; database has too many unique field names. Please ask your administrator to compact the database "

I don't think it has anything to do with the subject at hand, since I already deleted the index and compacted the DB (names.nsf).

0
 
LVL 15

Assisted Solution

by:Bozzie4
Bozzie4 earned 150 total points
ID: 12015154
No, you don't need to put in the server document.

Just use the NAME of the server (server1/Org2) in ACL  (of names.nsf on server1/Org1), or put it in the group OtherDomainServers (that's what it's for)

You can't create server documents across domains.  You must use the Administrator client to create servers (not only server documents, but also the certificates, and the id file).  So you should create the new server ('register' server) on the administration server for the domain.  Since you can access it (your servers are able to access it), you can too with your administration client.
This doesn't mean you (as a user for Org1) can't create servers in Org2.  But you MUST register them on the Administration server for that domain (well, at least on A server for that domain).
BTW : If your server can access the other, you can create a passthru connection document in your personal addressbook, so you can access the server from your workstation via your server (is that clear ?)

So DON'T put servers (document) from 1 organization in the addressbook of the other - it's not necessary and can only hurt you.

To create setup profiles and stuff, you can create them directly in the addressbook of the other org.  If you have a replica on your server (to use in dir. assistance) and you have specified this, you can do it on your own server, and replicate the changes back.  I would only do this if you do the replication back manually (so don't allow changes in the replica on your server to be replicated back !, if you have changes, replicate them manually, which you are allowed to do as manager (right ?)).  Policies, same thing, although I think it's best to create them from scratch in the other domain - I don't think they will survive being copy-pasted over databases ....

cheers,

Tom


0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12015167
And you forgot 1 step in setting up directory assistance :

- create the dir ass. database on each server
- create REPLICAs of both names.nsf's on each server, and set up replication between the servers
- create the directory assistance documents on each server, using the local replicas.

cheers,

Tom
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 12016936
Go to the database properties, advanced tab, and enable the allow more field option.  Shut down the server, run ncompact -c names.nsf, restart server, and all should be well.
0
 
LVL 1

Author Comment

by:sync957p
ID: 12017790
wait a sec... qwaletee are you telling me that my procedure was correct? bozzie just stated I shouldn't do that.

can you please explain?

0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12017887
No, your procedure is not correct.  Well, it's not correct as long as you are not trying to merge your domains.  But you should still enable that option (it's enabled by default in a new installation, and I think (but I'm not sure) it's enabled when doing an upgrade too).

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12018079
Sorry about the offtopic :

Are you all experts from Portugal / England ?

Just noticed the GMT+00:00 in your posts
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12018127
Belgium -  not GMT :-)  But I think you see all times displayed in your own timezone/timeformat....

cheers,

Tom
0
 
LVL 1

Author Comment

by:sync957p
ID: 12481233
Well, I thought that cross certification went well, but as it turned out it didn't.

When I open the DA database I created in both domains and servers across a domain ( admin.id for DOMAIN 1 opens Directory Assistance DB in server in DOMAIN 2 ) I get a warning that I need to cross certify.

What went wrong with cross certification ? I followed the admin client help procedures (cross certify via "postal service")

Created Safe copies, etc.. and I have a Cross certification document, under "certificates" in both domain/orgs.

help?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12482582
What do your cross-certificates look like? If the Domains are cross-certified, then you should have a Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa. If you cross-certified just id's, then you'll see a Xref-document under the category Notes Cross Certificates\DomainA with the name John Do/DomainB.

Did you get any error messages in the log databases?
0
 
LVL 1

Author Comment

by:sync957p
ID: 12483844
Sjef,

They look just like you mentioned in your first description ( Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa ).

I get no errors in the log ( I looked in log.nsf under miscellaneous events and in DOMAIN's certification log )

One thing I noticed in the certification log, when I open the cross certification document, is that the "license type" for the cross certified domain is "unknow" instead of "north american" or "international" - could this be the problem?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12484024
Back to the start: how did you create those cross-certificates? Did you copy and paste those documents? Creating a cross-certificate can best be done as follows:
- get (a (safe) copy of) an id-file on DomainA (safe copy is not required)
- get an Admin client on DomainB
- get a certifier-id for DomainB
- run cross-certification for DomainA on DomainB using a server of DomainB
- repeat the lot for DomainB on DomainA, with the certifier-id for DomainA
0
 
LVL 1

Author Comment

by:sync957p
ID: 12484179
that was exactly it.

I performed the cross certification using the admin client(s), let's not forget the domains use different releases (6.5.2 and 5.11)
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12485247
Okay. Different releases: no big deal usually.

What happens when you try to access a server in DomainB with a user-id created for DomainA? From a normal Notes client? So ^O (or File/Database/Open), select or type the server from DomainB, and click Open so it will find the databases on the server. Does it show any database at all? If it does, then certification is indeed successfully completed.

The DA database is the same (replica) database on both systems? From the About in the DA database:
"To set up directory assistance, you create the Directory Assistance database from the DA50.NTF template. In the Directory Assistance database you define naming rules that associate naming hierarchies with each domain--this allows Notes to search only Public Directories of domains associated with those naming hierarchies when resolving the name of a recipient from another domain. You also use the Directory Assistance database to point to one or more strategically-located replicas of each domain's Public Directory. You then create a replica of the Directory Assistance database on all servers in each domain."
0
 
LVL 1

Author Comment

by:sync957p
ID: 12491737
When I do what you mentioned the Notes client suggests I create a cross certificate....

Perhaps I should repeat the entire process ?

What should I do to erase the cross certification I created ? Just delete the cross certification docs ?

Thanks
0
 
LVL 46

Accepted Solution

by:Sjef Bosman
Sjef Bosman earned 227 total points
ID: 12491955
Indeed it might be best to do it again. I must say I never uncrossed a certification, so to make sure you could move those cross-certificate documents out of the way, i.e. cut and paste them into a separate database.

Good luck!
0
 
LVL 1

Author Comment

by:sync957p
ID: 12533903
Sorry for making this a 2-in-1 question, guys.

Thanks for making me realize my initial stupidity ( trying to paste server documents across domains ).

As for the cross certification issue I just found out that this is really how cross certification works ( while talking to Lotus Support )... what I mean is : it doesn't matter if you cross certified at ORG level... all users will receive a notice to create a cross certificate in their personal address book, when they access a db in the other domain for the first time.

As usual thanks all for pointing me in the right directions.

0
 
LVL 1

Author Comment

by:sync957p
ID: 12533942
And just a notice for all you Lotus Administrators and/or employees out there :

Shouldn't the administrator's client help include some lines to explain this behaviour ( cross certification dialog boxes to end users) to admins?

I think that at least Rob Kirkland's book should include this...
0
