User management through administration process 2307

Open Mic on User Management using Administration Process
25th July, 2013

Open Mic Team
Niraj Jani – Lotus Technical Support Engineer, Presenter
Ranjit Rai – Lotus Technical Advisor, Focussing on Entire Notes Domino
Hansraj Mali – Lotus Technical Advisor, Focussing on Entire Notes Domino
Vinayak Tavargeri – Lotus Support Manager, Open Mic Facilitator
Jayaval Rajendran – Lotus Technical Advisor, Focussing on Entire Notes Domino
Javed Batliwala – Lotus Technical Support Engineer, Presenter

Agenda
Administration Process
Components of Administration Process
Default processing time of AdminP Requests
Different AdminP commands
Meaning of Icons in AdminP Requests/Responses
User Management
Best Practices
Troubleshooting
References
Q&A

Administration Process
● Administration Process (AdminP) automates many routine administrative tasks. For example, if you delete a user, the Administration Process locates that user's name in the Domino Directory and removes it, locates and removes the user's name from ACLs, and makes any other necessary deletions for that user.
● Administration Process starts with server startup, and no additional configuration is needed to use this feature.
● The Administration Process automates common tasks such as:
■ Name management - rename person, rename group, delete person, delete group, delete server name, recertify users
■ Mail file management - delete mail file and move mail file
■ Replica management - create replica, move replica, or delete all replicas of a database

Components of Administration Process
● AdminP server task
● Administrator client
● Notes client
● Domino Directory (names.nsf)
● Certification log database (certlog.nsf)
● Administration Request database (admin4.nsf)
● Administration server (assigned to each database in the domain)

Components of Administration Process (cont')
AdminP server task:
■ Runs on all Domino servers.
■ Loads with server startup and can be controlled using the ServerTasks setting in Notes.ini.
■ Acts as per the default settings in Server document → Administration Process tab.
■ Executes requests in the Admin4.nsf database.
■ After a request is executed, a response document is created indicating the status of the request.
Administrator client:
■ The Administrator client has all of the tools needed to initiate the AdminP commands, including renaming and deleting users, deleting a replica, moving a database, and moving a user from one hierarchy to another.

Components of Administration Process (cont')
Notes client:
■ An active participant in the administration process.
■ Can complete and initiate many different administration processes. E.g., the client can accept user name changes and x509v3 certificates into the Notes.id file. The client is involved with the process to move a user to another server and can issue a request to change the user's password and/or synchronize the user's Notes.id and Web password.

Components of Administration Process (cont')
Domino Directory (names.nsf):
■ The Domino Directory stores Person documents. When an Administrator performs an action such as a user rename or recertify, it updates the certification information in the Person document.
■ The Administration server in a domain is determined by the Administration server specified in the Domino Directory ACL.
■ When the Administration Process runs, it updates information in the Domino Directory such as clusters, Person documents including client information, Notes password synchronization with the HTTP password, group updates and deletions, server information (protocol and version), policies, etc.

Components of Administration Process (cont')
Certification log (Certlog.nsf):
■ Created when the first server is installed in the domain.
■ A replica of Certlog.nsf can be created on multiple Domino servers in a domain if any action is initiated by the Administrator on those servers.
■ Keeps track of certificate-related activities.
■ E.g., new user / server registration, user rename from one OU to another OU, user recertification, etc.

Components of Administration Process (cont')
Administration Request (Admin4.nsf) database:
■ Created on the Administration server for the Domino Directory when the server starts for the first time.
■ Contains all the administrative requests from a single domain.
■ All requests for work to be done by the Administration Process are stored in this database.
■ Every server in the domain stores a replica of the Administration Requests database.
■ All requests placed in the Admin4.nsf database replicate to every server in the domain.
■ Each request has an icon that indicates the status.
■ The result of each processed request, called a response document, is stored in this database.

Components of Administration Process (cont')
Administration Server:
● In each domain, there is a single primary Administration server, determined by the value in the ACL of the Domino Directory (names.nsf).
● Assigned to each database on each server in a single domain.
● Listed in the Advanced tab of the database ACL.
● Tells AdminP where to process each database and controls how the Administration Process does its work.
● Responsible for processing many AdminP requests.
Whenever the AdminP task is restarted, it prints the name of the Administration Server of the Domino Directory on the console.

Default processing time of AdminP Requests
The default processing time of AdminP requests is defined in Server document → Server Tasks → Administration Process tab.

Different AdminP Commands
You can force Administration Process requests to run by using tell commands.
Command - Description
Tell Adminp Process All - Processes all new and modified immediate, interval, daily, and delayed requests. This command does not override the execution time of timed requests.
Tell Adminp Process New - Processes all new requests.
Tell Adminp Process Interval - Processes all immediate requests and all requests that are usually processed according to the Interval setting in the Server document.
Tell Adminp Process Delayed - Processes all new and modified delayed requests. These are requests that are usually carried out according to the "Start executing on" and "Start executing at" settings in the Server document.
Tell Adminp Process Daily - Processes all new and modified daily requests to update Person documents in the Domino Directory, as well as any outstanding "Rename Person in Unread List" requests.
Tell Adminp Process Mail Policy - Applies mail policy to the affected user's mail file.
Load Adminp - Starts the adminp task.
Tell Adminp quit - Stops the adminp task.

User Registration – Creating Mail File in Background
The "Create file in background" option forces the Administration Process to create the mail files in the background. Use this option to save time during the user registration process. If you do not choose to create the file in the background, mail files are created during the user registration process.

User Registration – Creating Mail File in Background
The following requests are generated in Admin4.nsf to create the mail file on the Mail Server and Cluster Server.
Additional Information:
Maintain Trends Database Record
http://www-01.ibm.com/support/docview.wss?uid=swg21174382
Accelerated Create Replica
http://www-01.ibm.com/support/docview.wss?uid=swg21308184
In Server document → Security tab → Server Access section → Create new replicas (the Source Server name should be added in the Target Server document).

Changing Common Name With AdminP
When you change the name of a user, the Administration Process implements the name change by initiating requests to the affected documents, databases, database ACLs, and Extended ACLs. Using the Domino Administrator Client, you can use the “Rename” option to perform the following activities:
● Upgrade a user name from flat to hierarchical (Obsolete)
● Change a user's common name
● Move a user to a new hierarchy
Administration Process requirements
● In order for the Administration Process to facilitate the name changes, the databases must have an assigned administration server.
● In addition, the certifier ID you use and any ancestor of the certifier must have a Certifier document in the Certificates view of the Domino Directory.
Viewing user name change requests
● To review the administration requests that are generated when renaming a user name, open the Administration Request (ADMIN4.NSF) database in your Domino Directory.

Changing Common Name With AdminP
● Initially only a single request is generated, i.e. "Initiate Rename in Domino Directory".
● This request is processed by the Administration Server of the Domino Directory, and only the Person document is updated.
● To generate the further requests and complete the renaming process, the user needs to authenticate with the server using his/her ID file.
Note:
● If the user accesses email only through iNotes, then to complete the renaming process one needs to import the ID file into the mail file or use the ID Vault.
● After the rename command has been initiated, the Administrator needs to send an encrypted email to the user who has been renamed. Once the user accesses the encrypted email via iNotes, the ID file will be used and the further requests will be generated to complete the rename process.
The following requests are generated in Admin4.nsf for changing the common name:

Changing Common Name With AdminP
If you have implemented ID Vault, enable the option given below in the Policy Security Settings document. This lets you use the ID file from the ID Vault when reading encrypted emails and for other features such as message recall from iNotes.
Additional Information:
How to rename an iNotes user
http://www-304.ibm.com/support/docview.wss?uid=swg21216004

Moving user from one OU to another OU using AdminP
Since the Domino name hierarchy is part of the user's name, when you move a user to a different certifier you have essentially changed the user's name.
You can use the Administration Process to move a user name to a different location (Organizational Unit) in the organization's hierarchical name scheme or to move a name to a different Organization altogether.
There are two parts to moving a user name:
■ Request the move using the originating certifier.
■ Complete the move by using the target (new) certifier to approve the request and issue the new certificate.
● Once the request to move the user to another certifier is initiated, it will generate the given request as shown.
● Click on Complete Move for the selected entries; this will approve the request and issue the new certificate.

Moving user from one OU to another OU using AdminP
The following requests are generated in Admin4.nsf for moving the user to a different certifier:

User Movement – Moving user to Another Server
You can use the Administration Process to move a person's mail file from one server in your domain to another by performing a "Move To Another Server" using the Domino Administrator client.
The following requests are generated in Admin4.nsf.
The “Push Changes to New Mail Server” and “Delete Mail File” requests are generated after user authentication.

Recertify – User ID
Before a user ID reaches its expiration date, recertify the user ID using the original certifier ID.
Use the Certificate expiration view to determine which certifiers need to be recertified.
The following requests are generated in Admin4.nsf.
Additional Information:
How to Recertify User
http://www-01.ibm.com/support/docview.wss?uid=swg21087566

Rename - Group
Use this procedure to rename a group in your domain.
1. From the IBM Lotus Domino Administrator, click People and Groups.
2. Choose Groups.
3. Select the name of the group you are going to rename.
4. From the Tools pane, choose Groups - Rename.
5. On the Rename Group dialog box, specify a new group name, and then click OK.
The following requests are generated in Admin4.nsf.

Deleting User
You can delete a user name with the Administration Process by initiating a delete person command from the Domino Administrator Client.
Delete User Prompt
Admin4 request when user has been deleted
Document will be moved to the Inactive User Ids view in the ID Vault database

Other AdminP Requests
New Server Configuration
The following requests are generated when you configure a new Domino server. Similar requests will be seen when you upgrade the Domino server to a newer release, update the port information, etc.
Update Client Information
Check Password
Update Internet Password When Notes Client Password Changes - Policy

Admin4.nsf – Replica ID
The replica IDs of some Lotus Domino server databases are related to that of the Domino Directory (names.nsf).
The following is a list of Domino server databases that have a known replica ID based on the replica ID of the domain's Domino Directory:
catalog.nsf, events4.nsf, statrep.nsf, ddm.nsf, admin4.nsf, billing.nsf, vpuserinfo.nsf (Sametime Authorization Database), activity.nsf
Example:
names.nsf has a replica ID of: 852564AC:004EBCCF
catalog.nsf has a replica ID of: 852564AC:014EBCCF
events4.nsf has a replica ID of: 852564AC:024EBCCF
admin4.nsf has a replica ID of: 852564AC:034EBCCF
statrep.nsf has a replica ID of: 852564AC:044EBCCF
Notice that the similarity is in the last six (6) characters of the replica ID (4EBCCF in this example). The distinguishing characters are the first two (2) characters of the unique part of the replica ID (01, 02, 03, 04 in this example), such as 852564AC:034EBCCF.
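The derivation above can be used to check that every server's admin4.nsf (and the other derived databases) really belongs to the domain; a copy created as a new database instead of a replica has an unrelated replica ID and will not replicate with the rest. The following is an added example, not part of the original presentation; the server names, the inventory list and the mismatching ID are constructed sample data, and only the four prefixes shown in the slide's example are used.

```python
import re

# Prefixes taken from the example on this slide. The slide gives no prefix for
# ddm.nsf, billing.nsf, vpuserinfo.nsf or activity.nsf, so they are not checked.
DERIVED_PREFIX = {
    "catalog.nsf": "01",
    "events4.nsf": "02",
    "admin4.nsf": "03",
    "statrep.nsf": "04",
}
REPLICA_ID = re.compile(r"([0-9A-F]{8}):([0-9A-F]{8})")


def parse(replica_id):
    """Split 'XXXXXXXX:XXXXXXXX' into its two halves, rejecting anything else."""
    m = REPLICA_ID.fullmatch(replica_id.strip().upper())
    if m is None:
        raise ValueError(f"not a replica ID: {replica_id!r}")
    return m.group(1), m.group(2)


def expected_replica_id(names_replica_id, db_file):
    """Derive the replica ID a system database should have in this domain."""
    first, second = parse(names_replica_id)
    return f"{first}:{DERIVED_PREFIX[db_file.lower()]}{second[2:]}"


def audit(names_replica_id, inventory):
    """Return (server, db_file, found, expected) for every mismatching replica."""
    findings = []
    for server, db_file, found in inventory:
        if db_file.lower() not in DERIVED_PREFIX:
            continue  # no known prefix for this database, nothing to compare
        expected = expected_replica_id(names_replica_id, db_file)
        if ":".join(parse(found)) != expected:
            findings.append((server, db_file, found, expected))
    return findings


# Constructed inventory: server names and the mismatching ID are made up.
NAMES_REPLICA_ID = "852564AC:004EBCCF"
INVENTORY = [
    ("Hub01/Acme", "admin4.nsf", "852564AC:034EBCCF"),
    ("Spoke01/Acme", "admin4.nsf", "852564ac:034ebccf"),
    ("Spoke02/Acme", "admin4.nsf", "86257B11:005A1C2D"),
    ("Spoke02/Acme", "catalog.nsf", "852564AC:014EBCCF"),
]

if __name__ == "__main__":
    for server, db_file, found, expected in audit(NAMES_REPLICA_ID, INVENTORY):
        print(f"{server}: {db_file} has {found}, expected {expected}")
```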

Best Practices
● AdminP must operate efficiently in order for many items to run properly in Lotus Domino.
● Periodic checks and proper settings will ensure that the system operates as designed.
● Disable Transaction Logging for Admin4.nsf.
● As a part of best practices, an Administrator should consider the points below:
■ Admin4.nsf Replication
■ Admin4.nsf Size
■ Admin4.nsf ACL
■ Admin4.nsf Monitoring

Best Practices (cont')
Admin4.nsf Replication
● Should be scheduled via a connection document with type pull-push.
● Keep the interval between subsequent replications small to speed up AdminP request processing.
● All replica copies of Admin4.nsf in the domain should be roughly the same size unless a selective replication formula is used.
● If Admin4.nsf replication is temporarily disabled during troubleshooting, make sure to re-enable it.

Best Practices (cont')
Admin4.nsf Size
Multiple ways to control size:
● Document retention settings: The default retention interval is seven days (File → Replication → Settings → Space Savers → Remove documents not modified in the last # days). This can be lowered if it has been set too high. Make sure all replicas have the same setting.
● Replication formula: With selective replication, the document count, and thus the size, can be controlled. Should be applied on Administration server, so admin4.nsf size may be larger than on the spoke servers.
■ Use a selective replication formula to prevent the response Log documents in ADMIN4.NSF from replicating.
■ Information in Log documents is a record of the status of the work a server does in response to an administration request.
■ This response Log is interesting to you, the administrator, and to the server that created it, but not to every server in the domain.

Best Practices (cont')
● Regular maintenance: Scheduled compaction should be run to recover unused space. Fixup and Updall should be run whenever necessary.
If you do not want to replicate the response documents, add the replication formula Type != "AdminLog" on the spoke servers, which will exclude the response documents.
Note: Under some conditions, the replication formula for admin4.nsf can cause AdminP requests to process repeatedly on spoke servers.
To resolve this issue, change the formula to the following:
SELECT Type != "AdminLog" | ProxyServerName = @UserName
This modification will prevent a server from deleting its own response documents, preventing the repetitive processing described above.
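The difference between the two selective replication formulas above can be seen by modelling which documents each one keeps in a spoke's replica. This is an added illustration, not code from the original presentation: Type and ProxyServerName are the fields named in the formulas, while the "AdminRequest" type value, the req_id key and the server names are constructed for the example, and @UserName is assumed to evaluate to the name of the server holding the replica.

```python
# Constructed sample of admin4.nsf documents relevant to spoke "Spoke01/Acme".
DOCS = [
    {"req_id": "R1", "Type": "AdminRequest"},
    {"req_id": "R1", "Type": "AdminLog", "ProxyServerName": "Hub01/Acme"},
    {"req_id": "R1", "Type": "AdminLog", "ProxyServerName": "Spoke01/Acme"},
    {"req_id": "R2", "Type": "AdminRequest"},
    {"req_id": "R2", "Type": "AdminLog", "ProxyServerName": "Spoke01/Acme"},
]


def original_formula(doc, server):
    # SELECT Type != "AdminLog"
    return doc["Type"] != "AdminLog"


def revised_formula(doc, server):
    # SELECT Type != "AdminLog" | ProxyServerName = @UserName
    return doc["Type"] != "AdminLog" or doc.get("ProxyServerName") == server


def apply_formula(docs, formula, server):
    """Documents that remain in the server's replica under the formula."""
    return [d for d in docs if formula(d, server)]


def is_own_response(doc, server):
    return doc["Type"] == "AdminLog" and doc.get("ProxyServerName") == server


def requests_missing_own_response(docs, formula, server):
    """Requests this server already answered whose response the formula drops.

    These are the requests at risk of being processed again, because the
    server no longer holds its own record of having handled them.
    """
    handled = {d["req_id"] for d in docs if is_own_response(d, server)}
    kept = apply_formula(docs, formula, server)
    still_answered = {d["req_id"] for d in kept if is_own_response(d, server)}
    return sorted(handled - still_answered)


if __name__ == "__main__":
    spoke = "Spoke01/Acme"
    for name, formula in (("original", original_formula),
                          ("revised", revised_formula)):
        kept = apply_formula(DOCS, formula, spoke)
        lost = requests_missing_own_response(DOCS, formula, spoke)
        print(f"{name}: keeps {len(kept)} docs, own responses lost for {lost}")
```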

Best Practices (cont')
Admin4.nsf ACL
● Make sure the correct server is listed as the Administration server in ACL → Advanced tab.
● Default access should be Author with the 'Create Documents' privilege, as certain requests are deposited by users in Admin4.nsf.
● The ACL of Admin4.nsf should mirror the ACL of the Domino Directory.
Admin4.nsf Monitoring
● Administrators should monitor this database closely for any errors being recorded and should take corrective actions to resolve those errors.

Troubleshooting
To troubleshoot AdminP issues, an Administrator should check the following:
● Is AdminP running on all servers? If not, it should be. To check this, issue a SHOW TASKS command at the server console.
● Has CERTLOG.NSF been created?
● Has the Administration Server been specified in the Domino Directory (names.nsf) ACL? In the Domino Directory, select File → Database → Access Control → Advanced panel. List only one Administration Server for the directory.
● All databases that are expected to get the ACL updates must have an Administration Server specified before the request is put into AdminP.
● Are both names.nsf and admin4.nsf replicating properly between the affected servers? Both of these databases must replicate correctly between the directory's "Administration Server" and the spoke servers.
● Does admin4.nsf show the correct Request documents?

Troubleshooting (cont')
● For each Request document, is there a Response document that shows that AdminP has executed the request? Does the response document show an error message or was it successful?
● Is the time/date on the servers synchronized?
● Be sure Certificate documents have the correct Public Key; the Public Key must match the key in each CERT.ID. Similarly, the public key must match between the Person document and the User ID file.

Troubleshooting (cont')
An Administrator can perform the steps below if Admin4.nsf gets corrupted:
1. Write down the database size and number of documents found on the Info tab of the Database properties.
2. Make a backup of the database.
3. Disable replication of the database.
4. Design Replace (File, Database, Replace Design), making sure to use the original ADMIN4.NTF template file.
5. Load Fixup ADMIN4.NSF -f
6. Load Compact ADMIN4.NSF -c
7. Load Updall ADMIN4.NSF -R
8. If the database is OK now, re-enable the replication of ADMIN4.NSF (that was disabled in step 3 above).

Troubleshooting (cont')
If the database is still corrupted or too large after running maintenance, the Administrator can recreate the database with the steps below:
● Remove the corrupt Admin4.NSF from the data directory when the Domino server is down and allow AdminP to recreate it automatically.
● A new Admin4.NSF with the original replica ID is recreated only on server startup.
● The server must be restarted with the AdminP task enabled.
● Delete or move the original Admin4.NSF off the server.
● Replicate Admin4.NSF from an Administration server. This should repopulate the database.

References
The Domino Administrator help is the best reference for AdminP:
● Administration Process Request – One Domain
To gain a better overall view of how AdminP works, read these documents:
● All About Adminp Part 1
● All About Adminp Part 2
● Generic Troubleshooting Guide