Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
1. 60 ADMIN TIPS IN 60 MINUTES
Gabriella Davis - IBM Lifetime Champion
Technical Director - The Turtle Partnership
Brussels May 14th 2019
2. • Admin of all things and especially quite complicated things where the fun is
• Working with the design, deployment and security of IBM technologies within global infrastructures
• Working with the real world security and privacy aspects of expanding data ecosystems
• Stubborn and relentless problem solver
• http://turtleblog.info
• https://www.turtlepartnership.com
• IBM Lifetime Champion
5. EFFECTIVE ACCESS
• Use effective access in each database ACL to determine what access a user or group has and how that is calculated, including access granted via deeply nested group memberships
10. DOMAINS VS CERTIFIERS
• A server that needs its own domain does not need its own certifier
• For example both Traveler and Sametime Community Server should be in their own domain
• However creating new certifiers for those servers increases your admin overhead to no benefit
• Certifiers are about security but the servers need to access each other
• Create a server ID using your existing certifier (it will create a server document in your current domain but you can delete that)
• When setting up a new server tell it you have the server ID already
• It will also want the certifier and admin IDs
11. WEB AUTHENTICATION & SSO
• WebAuth_Verbose_Trace=1
• Granted Access:
• WebAuth> LOOKUP in view $Users (user='Gabriella Davis' org='Turtle')
• WebAuth> VERIFY password
• WebAuth> LOOKUP in view $Users (user='CN=Gabriella Davis/O=Turtle' org='')
• WebAuth> Matched to a single entry in NAB for pre-authenticated user (user='CN=Gabriella Davis/O=Turtle' org=''). Using the record that we match
• WebAuth> User CN=Gabriella Davis/O=Turtle found in group Cache!
12. WEB AUTHENTICATION & SSO
• Disable cookies on the Internet Site Document - Server authentication for the basic debugging
• To debug tokens use DEBUG_SSO_TRACE_LEVEL=1
Parsing fields from configuration [Turtle:LtpaToken]
SSO configuration name = LtpaToken
Config Type = CONFIGTYPE_DOMINO
Domino LtpaToken Cookie name = LtpaToken
Decoding Domino style Single Sign-On token.
Creation Ticks = 5CCDC5EE [04/05/2019 18:03:42]
Expiration Ticks = 5CCDCCF6 [04/05/2019 18:33:42]
Username = CN=Gabriella Davis/O=Turtle
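The token lines in this trace can be checked mechanically. The following is an added example, not part of the original slides: it parses the Creation/Expiration lines and reports tokens whose lifetime or validity does not match what you expect. It assumes the ticks are hex-encoded seconds since the Unix epoch, which is consistent with the bracketed local times in the trace above; the function names and the 30 minute policy are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the token lines from the trace output quoted above.
SAMPLE_TRACE = """\
Decoding Domino style Single Sign-On token.
Creation Ticks = 5CCDC5EE [04/05/2019 18:03:42]
Expiration Ticks = 5CCDCCF6 [04/05/2019 18:33:42]
Username = CN=Gabriella Davis/O=Turtle
"""

TICKS = re.compile(r"^(Creation|Expiration) Ticks = ([0-9A-Fa-f]{8})\b")
USER = re.compile(r"^Username = (.+)$")


def parse_tokens(trace):
    """Return one dict per decoded token: user, created, expires (UTC)."""
    tokens, current = [], {}
    for raw in trace.splitlines():
        line = raw.strip()
        m = TICKS.match(line)
        if m:
            # Assumption: ticks are hex-encoded seconds since the Unix epoch.
            seconds = int(m.group(2), 16)
            key = "created" if m.group(1) == "Creation" else "expires"
            current[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
            continue
        m = USER.match(line)
        if m and {"created", "expires"} <= current.keys():
            current["user"] = m.group(1)
            tokens.append(current)
            current = {}
    return tokens


def audit(trace, max_lifetime=timedelta(minutes=30), now=None):
    """Return (user, problem) pairs for tokens that break the expected policy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for t in parse_tokens(trace):
        lifetime = t["expires"] - t["created"]
        if lifetime <= timedelta(0):
            findings.append((t["user"], "expiry is not after creation"))
        elif lifetime > max_lifetime:
            findings.append((t["user"], f"lifetime {lifetime} exceeds {max_lifetime}"))
        if t["created"] > now + timedelta(minutes=5):
            findings.append((t["user"], "created in the future (clock skew?)"))
        if t["expires"] <= now:
            findings.append((t["user"], "token already expired"))
    return findings


if __name__ == "__main__":
    for user, problem in audit(SAMPLE_TRACE):
        print(f"{user}: {problem}")
```
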
13. WEB CONFIGURATION
• DDM Probe to ensure all web servers meet a defined configuration
• Using a baseline of an existing server configuration the probe creates a report of mismatches
15. ARCHIVE LOG.NSF
• The Log= setting in notes.ini can limit the size of log documents and the number of days to retain
• Log files can get very large and hard to compact. If you want to retain more than 7-10 days then archive the log.nsf as you would any mail file
16. ARCHIVE LOG.NSF
• load compact log.nsf -a
• Archiving documents from log.nsf (Clouds's Log)
• Assigning new DBIID for /data/notesdata/archive/a_log.nsf
• Pushing log.nsf to archive/a_log.nsf
• Replicator added 4,285 document(s) to archive/a_log.nsf from log.nsf
• Pushing log.nsf to archive/a_log.nsf
• Archived log.nsf, 4285 documents were archived and 4285 were deleted
• Compacting log.nsf (Clouds's Log), log.nsf -a
17. COMPACT REPLICA OPTION
• -REPLICA as an option for the Compact task creates a new replica and removes the original, allowing you to compact open databases such as log.nsf
• The program documents below archive log.nsf at 4am then compact the free space at 5am each day
18. DISABLE WEAK SSL CIPHERS
• In Domino 10.0.1 the notes.ini setting SSLCipherSpec (which controlled which ciphers were supported by the HTTP task) is ignored and the list of ciphers from the internet site document is used exclusively
• The ciphers on the internet site document are listed in declining order of strength
19. UPDATE_FULLTEXT_THREAD
• The update task queues databases needing updating and then batches them to rebuild first the views and then the FT indexes
• Often that means FT indexes can be delayed behind large view rebuilds or worse view rebuilds can be delayed behind a corrupt FT index
• Let the update task separate the text indexing thread from the view indexing thread
• Yes it means more threads running but that’s a small overhead compared with adding updaters= to try and resolve the same issue
20. FT_FLY_INDEX_OFF
• Searching a database requires that database to be full text indexed first ..
• Not true. Domino will attempt to build an in-memory index in response to a search query if the database is not properly indexed
• This is both inefficient for the server and frustrating to the users who often don’t get the accuracy they expect
• Use event monitors to look for databases being searched when they aren’t indexed (“database is not full text indexed”) then choose whether to create an index for them
• When FT_FLY_INDEX_OFF=1 the server will refuse to perform a search on a database that isn’t indexed
21. FTG_USE_SYS_MEMORY
• The Full Text engine uses a % of memory that is assigned to the Domino server and shared by all the other server tasks
• FTG_USE_SYS_MEMORY tells Domino to draw the memory it needs from the operating system directly and not from Domino’s own allocation
22. FTBASEPATH
• Full text indexes are created in a directory underneath each database. Indexes can contain thousands of files on the file system being continually updated, created and deleted
• This results in a lot of fragmentation as well as consuming space assigned to the data directory
• Customers often delete indexes or do not turn them on in order to save space
• Using FTBASEPATH the indexes can be moved away from the data directory to another path or even drive
• Recreate the indexes in the new location and delete the old ones using load updall -R
23. SERVER RESTRICTED
• No new opens are allowed.
• Existing opens still work.
• Allows the Administrator to connect using remote console.
• The restricted server will be able to initiate replication with other servers.
• server_restricted=3
• additionally prevents client replication to the server unless the user has manager access
• server_restricted=4, setting 3 with restart persistence
24. COPY FILES OUT OF DOMINO ADMIN
• Move to directory in Files tab - Edit Select All - Edit Copy - Paste into Excel (or anywhere)
• Makes it easy to find all files that are enabled for DAOS, all files using a certain template, all files with an old ODS etc
26. INBOUND MAIL RESTRICTIONS
• Set in the Server configuration document
• Only accept mail for full internet addresses in either the internet address or fullname fields
• Prevent external people from sending to internal groups
• Return 550 “unknown user” where multiple matches are found
27. TOO MUCH RNRMGR
• RNRMgr (Resources and Reservations) can only run on two servers at a time
• One of those servers must be the admin server of the resources database(s)
• The other can be any single server in a cluster
• Running on more than one cluster server can cause conflicts in clubusy.nsf
28. MULTIPLE CONCURRENT SMTP TRANSFERS
• RouterAllowConcurrentXferToAll
• Domino uses transfer threads to route mail to other servers and also to SMTP destinations outside your organisation
• If you have 100 messages going to another server or to gmail - only one transfer thread will be generated
• This means that the server can more efficiently use multiple threads for multiple destinations and mail is less likely to be backlogged
• Domino will create multiple threads per destination, delivering messages in the order they are queued and not restricting each destination to a single thread
29. NSF_DBCACHE_MAXENTRIES PERFORMANCE
• Determines how many databases the Domino server will keep open in its cache
• sh st database.dbcache.hits reports how often a database request was found in the cache
• the higher the number the more times the database was found and your dbcache was efficient
• Increase the default using set config NSF_DBCache_Maxentries
• the cache size can not be grown beyond the memory available so use statistics to work out what max entries should be and if it needs increasing
30. NSF_DBCACHE_MAXENTRIES PERFORMANCE
• Database.DbCache.CurrentEntries = 177 - how many databases are currently in the cache
• Database.DbCache.MaxEntries = 3072 - the maximum number that can be in the cache
• Database.DbCache.HighWaterMark = 178 - the highest number of databases the cache has seen
• Database.DbCache.Hits = 164144 - the number of times a request was successfully found in the cache, you want this to be high
• Database.DbCache.OvercrowdingRejections = 0 - the number of times a request could not be added to the cache as it was already at maximum entries, you want this to be low
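One way to turn these statistics into a decision about NSF_DBCache_Maxentries, as an added example that is not part of the original slides. It assumes the counters are cumulative since server start, so it can compare two snapshots; the verdict names, the 90% threshold and the "busy server" snapshots are illustrative and constructed.

```python
import re

# Constructed console text using the statistic values quoted on the slide.
SLIDE_STATS = """\
Database.DbCache.CurrentEntries = 177
Database.DbCache.MaxEntries = 3072
Database.DbCache.HighWaterMark = 178
Database.DbCache.Hits = 164144
Database.DbCache.OvercrowdingRejections = 0
"""

# Constructed snapshots of a hypothetical busier server, taken some time apart.
BUSY_BEFORE = SLIDE_STATS.replace("HighWaterMark = 178", "HighWaterMark = 3072") \
                         .replace("Rejections = 0", "Rejections = 400")
BUSY_AFTER = BUSY_BEFORE.replace("Rejections = 400", "Rejections = 412")

STAT = re.compile(r"^\s*Database\.DbCache\.(\w+)\s*=\s*([\d,]+)\s*$")
REQUIRED = ("MaxEntries", "HighWaterMark", "OvercrowdingRejections")


def parse_stats(text):
    """Extract Database.DbCache.* counters; tolerates thousands separators."""
    stats = {}
    for line in text.splitlines():
        m = STAT.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2).replace(",", ""))
    missing = [name for name in REQUIRED if name not in stats]
    if missing:
        raise ValueError(f"statistics missing from input: {missing}")
    return stats


def assess(current, previous=None, near_full=0.9):
    """Decide whether NSF_DBCache_Maxentries needs attention.

    Assumption: counters are cumulative, so pass an earlier snapshot as
    `previous` to judge only the rejections that happened in between.
    """
    new_rejections = current["OvercrowdingRejections"]
    if previous and previous["OvercrowdingRejections"] <= new_rejections:
        new_rejections -= previous["OvercrowdingRejections"]
    peak_use = current["HighWaterMark"] / current["MaxEntries"]
    if new_rejections > 0:
        verdict = "increase"   # requests were turned away from a full cache
    elif peak_use >= near_full:
        verdict = "watch"      # no rejections yet, but the peak is near the limit
    else:
        verdict = "ok"
    return {"verdict": verdict, "peak_use": round(peak_use, 3),
            "new_rejections": new_rejections}


if __name__ == "__main__":
    print(assess(parse_stats(SLIDE_STATS)))
    print(assess(parse_stats(BUSY_AFTER), parse_stats(BUSY_BEFORE)))
```
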
31. FILE PROTECTION DOCUMENTS
• Domino can be used / is used for serving non .nsf files
• HTML
• CGI
• Images
• You can protect these using an “ACL”
• File protection documents
• Protect a folder/file
• Works just like an ACL
32. REMOVING BANNER DETAILS
• Do you want your server coughing up unasked-for information such as software, version and platform in response to requests for connections? To prevent that:
• For HTTP
• Add HTTPDisableServerHeader=1 to server notes.ini
• For SMTP
• SMTPNoVersionInRcvdHdr=1
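A small notes.ini check for the settings in this deck, as an added example that is not part of the original slides. It reports missing or conflicting banner settings, an SSLCipherSpec line that 10.0.1 ignores for HTTP, and the debug traces from the SSO slides left switched on; the sample file is constructed, and treating setting names as case-insensitive is an assumption.

```python
# Setting names and expected values are the ones given in the slides.
BANNER_SETTINGS = {"HTTPDisableServerHeader": "1", "SMTPNoVersionInRcvdHdr": "1"}
DEBUG_SETTINGS = ("WebAuth_Verbose_Trace", "DEBUG_SSO_TRACE_LEVEL")

# Constructed sample notes.ini fragment (not from a real server).
SAMPLE_INI = """\
[Notes]
ServerTasks=Replica,Router,Update,AMgr,AdminP,HTTP,SMTP
HTTPDisableServerHeader=1
SSLCipherSpec=2F35
WebAuth_Verbose_Trace=1
smtpnoversioninrcvdhdr=0
SMTPNoVersionInRcvdHdr=1
"""


def parse_ini(text):
    """Map lower-cased setting name -> list of values, keeping duplicates visible."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def audit_ini(text):
    """Return a list of human-readable findings for one notes.ini."""
    settings, findings = parse_ini(text), []
    for name, wanted in BANNER_SETTINGS.items():
        values = settings.get(name.lower(), [])
        if not values:
            findings.append(f"{name} is not set: version banner still sent")
        elif len(set(values)) > 1:
            findings.append(f"{name} is set more than once with different values: {values}")
        elif values[0] != wanted:
            findings.append(f"{name}={values[0]}, expected {wanted}")
    if "sslcipherspec" in settings:
        findings.append("SSLCipherSpec is present but ignored by HTTP in Domino 10.0.1; "
                        "review the cipher list on the internet site document")
    for name in DEBUG_SETTINGS:
        if any(v not in ("", "0") for v in settings.get(name.lower(), [])):
            findings.append(f"{name} is enabled: turn the trace off after debugging")
    return findings


if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_INI):
        print("-", finding)
```
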
33. CLUSTER PROBLEMS
• Tell ClRepl Dump will display all the information about cluster replication that the server has
• The number of Cluster Replicators running
• The work queue depth
• The number of cluster replication retries in progress
• The time of the last retry with each of the other cluster servers
• The last time cluster replication was unsuccessful
• The following information for each replication that still must be retried: the name of the database, the time the next retry is due, and the retry interval
• Tell Clrepl Retry will retry failed replications
• Tell Clrepl Dump Retry will show the detail of databases awaiting retry and replication
35. NOTES CLIENT PERFORMANCE
• Test NRPC (Notes protocol) response times
• ClientClock=1 / 2 / 3 in notes.ini
• Restart
• Console now appears logging data found in Misc Events in local log.nsf
• Console_log_enabled=1 creates a text file under IBM_TECHNICAL_SUPPORT
36. LARGE DB REPLICATION
• To avoid creating a large replica in the foreground and tying up your client
• When creating a new replica choose “settings” and set a replication selection formula that will resolve to “no documents” e.g. Form=“GabNoDocs”
• The replica will be created with only design elements
• You can then remove the selection formula from the new replica and let it replicate all the documents via background replication
38. CLEANUP WORKSPACE
• Clear (rebuild) Workspace
• From a command prompt in the Notes program directory
• c:\ibm\notes\notes -RPARAMS -resetconfig
• Clear Cache
• From a command prompt in the Notes program directory
• c:\ibm\notes\notes -RPARAMS -clean
44. CATALOG
• If you are running the catalog task each night there is some very valuable data in the catalog.nsf
• Even databases set not to update in the catalog will appear in hidden views
• Easily identify any databases where Anonymous or -Default- have unwanted high access
45. VIEW OPTIMISATION
• Domino creates temporary files during view rebuilds and then deletes them once complete, however often those files aren’t deleted and take up space in your data directory
• Domino uses the “temp” directory for these builds if it can but if it can’t find one it uses the data directory instead
• With the server down those TMP files can be safely deleted
• Since they are intended to be temporary any older TMP files can be deleted
46. DISABLE_VIEW_REBUILD_OPT
• If the server continually reports that it’s unable to rebuild views due to insufficient disk space and that it will revert to using standard view rebuild, this setting tells Domino to fall back to standard view rebuilding instead of optimised rebuilding using TMP files
• Avoid using the setting and disabling view optimisation unless it is affecting a lot of databases and views and you can’t free up disk space or reassign the rebuild directory using VIEW_REBUILD_DIR
47. MOVE VIEWS OUT OF THE DATABASE
• Why would you do that?
• reduce database size
• improve performance
• locate large views on another drive
• CREATE_NIFNSF_DATABASES=1
• NIFNSFEnable=1
• NIFBasePath=path
• load compact -c -nifnsf on(off) apps\stafflist.nsf
48. REPORTING ON NIF VIEWS
• Use the following server console command to show all databases, whether they use separate view indexes (NIFNSF state ON), and if so the .NDX file size:
• show dir -nifnsf
• Use the following server console command to show only information about databases that use separate view indexes:
• show dir -nifnsfonly
49. SLOW LDAP
• Schema.nsf is used by the LDAP task to analyse and translate LDAP queries
• It’s based on schema.ntf which is a standard Domino template and the database should be less than 10MB in size when created
• In some environments we’ve seen schema.nsf grow to 100s of MB or even multiple GBs in size and when that happens the LDAP task will be slow to respond to queries and could take up to an hour to load
• This usually happens when schema.nsf is on multiple servers which are different versions or have been upgraded several times and all servers are allowed Editor access or higher to the documents, resulting in hundreds of thousands of duplicate documents each populated by a different server
• Delete the schema.nsf from all servers, load LDAP on the administration server and let it replicate out to the rest of the Domain
50. DISABLING LDAP WHEN NOT BEING USED
• For LDAP to work in your environment it must first be loaded at least once on the Administration server of the domain
• The Administration server creates the schema.nsf
• Any other server in the domain that runs LDAP pulls a replica of schema.nsf from the Administration server
• If you’re not using LDAP on the Administration server, once the schema.nsf is created you don’t need to keep running it and can stop LDAP
• Just remember LOAD LDAP once on the administration server after each upgrade so the schema.nsf gets updated and will replicate out to the other servers in the domain that are running LDAP
51. STOP THE COMPACT STOPPING
• If you are compacting a mail file and mail is delivered to it, the compact stops
• Use MailFileDisableCompactAbort=1 to ensure the mail is queued for delivery until compact is finished
• For large files that can take a while, sometimes too long for mail not to be delivered
• MailFileEnableDeliveryFailover=1 will ensure the server doesn’t queue the mail but instead delivers it to a cluster mate
• Usually if your home server is up and responding the router will not deliver mail to a cluster mate even if your mail file is inaccessible
52. COMPACT OPTIONS
• Run only against databases of ODS version X
• compact -O 43 -c
• Run against any databases that aren’t ODS version X
• compact -o 52 -c
53. DBMT
• Runs copy-style compact operations
• Purges deletion stubs
• Expires soft deleted entries
• Updates views
• Reorganises folders
• Merges full-text indexes
• Updates unread lists
• Ensures that critical views are created for failover
• Replaces Updall and Compact
• Load updall -nodbmt tells updall to run but not perform the functions that DBMT already does
54. DBMT PARAMETERS
• -compactThreads
• -updallThreads
• -ftiThreads
• -timeLimit refers to compact timeout for DBMT
• -range starttime stoptime
• -compactNdays (run Compact every x days)
• -ftiNdays (run FT Index every x days)
• -force d (day, Sunday=1) fixup if compact fails for consecutive days
55. PIRC
• A database doesn’t replicate with a server for a year and then suddenly, one day, someone switches on an old machine and this old database (usually containing names.nsf) suddenly replicates
• And brings back all the deleted documents that are more than 90 days old with it
• Suddenly your server replica is full of old documents you deleted months ago
• A new database property on a database running on 8.5.3 or higher will prevent documents older than the purge date from replicating back in
• To turn on PIRC for a large number of databases use Compact '-PIRC On'
56. CLUSTER SYMMETRY & AUTO REPAIR
• Use Cluster Symmetry to populate a folder on a new server in a cluster
• The server to be populated must be running the AutoRepair and RepairCleanup tasks (put them in the servertasks= line)
• The cldbdir.nsf will be used to verify if the files in the folders are present and to find the server to retrieve them from
57. FIND PRIVATE AGENTS
• Use sh agents <dbname> to display all shared and private agents in a database
• sh agents names.nsf
59. CLIENT TYPE RESTRICTIONS
• In the [config] section of sametime.ini use the value with each approved type separated by a comma
• VPS_ALLOWED_LOGIN_TYPES=0x130F,0x122A
• ST Connect 9.0.1, ST 9.0.1 embedded in Notes 10
• Whilst we wait for persistent chat across clients
• VPS_PREFERRED_LOGIN_TYPES=0x130F,0x143A
• ST Connect 9.0.1, Mobile for iOS
• https://www-01.ibm.com/support/docview.wss?uid=swg21114318
60. COMMUNITY NAME
• A user’s contact list is stored along with the Community name of the Sametime server
• If someone logs onto different servers that are not clustered they will have different community names and so different contact lists
• The ST_COMMUNITY_ID= value in the [Config] section of the sametime.ini determines the Community name
• If the value isn’t set (which it isn’t by default) then the community name defaults to the server’s hostname
• ST_COMMUNITY_ID is very useful when adding new servers or moving servers in an environment to ensure users keep their contact/buddy lists intact
62. COLLECT TRAVELER LOG INFORMATION
• Tell Traveler Log Collect
• Collect all information and upload it to a specific PMR directly to IBM
• Tell Traveler pmr <PMR NUMBER>
63. DEFAULT LOGGING
• Data is written to
• ..\data\ibm technical support\traveler
• Default is informational
• Can change via console or server doc
• Tell traveler log level <level>
64. INCREASING LOGGING
• Tell traveler log adduser <level> <username>
• List field types logged
• Tell traveler log fields <fieldinitials>
• S=Subject, B=Body, L=Location, A=Address, P=Phone
• *=show all fields
• blank=hide all fields
65. TELL TRAVELER USER <NAME>
• Outputs all the information about the user including their mail file location, assigned devices, security and policy settings
• Mail File Replicas:
• [CN=Clouds/O=Turtle, Mail/ghedley.nsf] is reachable.
• [ACL for Graham Hedley/Turtle: Access=Designer,Editor Capabilities=create,update,read,delete,copy Missing Capabilities=none
• ACL for DEW/Turtle: Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none
• ACL for Graham Hedley/Turtle: Access=Designer,Editor Capabilities=create,update,read,delete,copy Missing Capabilities=none
• ACL for DEW/Turtle: Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none
• Notes ID: Mail File does not contain the Notes ID.
• Auto Sync User State: Monitoring enabled
• Device ID: 16MAQ9UMGL0NN5S8AJDV5HCUUG
• Device Description: iPhone 5c:Apple-iPhone5C4/1407.60 (OS 10)
• Last Sync: Thursday, April 25, 2019 9:03:30 PM BST
• IBM Traveler has validated that it can access the database Mail/ghedley.nsf.
• Monitoring of the database for changes is enabled.
• Encrypting, decrypting and signing messages are enabled because the Notes ID is in the mail file or the ID vault.
• Canonical Name: CN=Graham Hedley/O=Turtle
• Internet Address: graham@turtlepartnership.com
• Master Server: DEW/Turtle, version 40
• Master Server Locked: May 7, 2019 6:44 PM, type=Soft
• Home Mail Server: CN=Clouds/O=Turtle
• Home Mail File: mail/ghedley.nsf
• Current Monitor Server: CN=Clouds/O=Turtle Release 10.0.1
• Current Monitor File: mail/ghedley.nsf