
Tuesday, September 6, 2016

Process for migrating users across Domino domains

The attached article highlights the main issues Domino administrators face when migrating users across Domino domains and explains in detail a method for doing so. It provides detailed instructions for creating the required server configurations.

Table of Contents
  • Creating AdminP Cross Domain Configuration documents for Inbound & Outbound requests, with the capabilities needed for migrating users.
  • Configuring Connection documents.
  • Configuring Adjacent Domain documents.
  • Copying Certifier documents.
  • Certifying the Organization Certifier & subsequent Certifiers, and vice versa.
  • Providing Administrators & Servers proper access for migration.
  • Renaming users who require migration.
  • Creating replicas for migrating users.
  • Moving migrated Person documents.
  • Creating Agents & necessary buttons to populate the changes for the migrated users.
  • Other elements that you might take into consideration.
Process for Migrating Users Across Domino Domains
Type of Submission: Article
Title: Process For Migrating Users Across Domino Domains.
Keywords: Lotus Domino, AdminP Process
Abstract: The Administration Process (AdminP) is a program that automates many routine administrative tasks, such as deleting users, moving users between servers and many more. AdminP can also be used to migrate a user from one Domino domain to another. This article explains the steps involved and the benefits of doing so.
Introduction
We use two fictitious Domino domains, LTSO (source) and ITSO (target), to demonstrate migrating a user with the AdminP process: the user “Anshul Gupta/IT Services/LTSO” in Domino domain “LTSO” is moved to “Anshul Gupta/ITSO IT Services” in Domino domain “ITSO”.
Here is a brief summary of the steps involved; the details follow later:
1. Create the Administration Process - Cross Domain Request Configuration Inbound (ITSO Domain) and Outbound (LTSO Domain) documents to allow the necessary capabilities between the Source (LTSO) and Target (ITSO) Domino Domains.
2. Create Connection documents between the Source (LTSO) Domain server and the Target (ITSO) Domain server. These facilitate replica creation of the mail file of the user “Anshul Gupta” moving from the Source (LTSO) to the Target (ITSO) Domino Domain.
3. Configure an Adjacent Domain document in the Source (LTSO) domain so that the email to "Administration Requests@" gets generated and delivered to the Target Domino Domain (ITSO).
4. Copy the Target Domino Domain (ITSO) Certifier document (“/ITSO IT Service”) and the Target Domino Domain (ITSO) Server document to the Source (LTSO) Domino Domain server.
5. Cross-certify the Source (LTSO) and Target (ITSO) Domino Domain servers and administrators, and vice versa, to facilitate smooth cross-domain server access and replication.
6. Rename users with “Request Move to New Certifier” in the Source (LTSO) Domino Domain and complete all the Administration Process requests involved. In this example we rename the user “Anshul Gupta/IT Services/LTSO” to “Anshul Gupta/ITSO IT Services” in the Source (LTSO) Domino Domain.
7. After the move to the new certifier completes, use AdminP to create new replicas of the mail file of the moved user “Anshul Gupta” on the Target Domino Domain (ITSO) servers.
8. Manually copy the Person document from the Source Domino Domain (LTSO) to the Target Domino Domain (ITSO) Domino Directory.
9. Create an agent in the Target Domino Domain server’s Domino Directory to populate the Target Domino Domain field in the Person document. Also write an agent that populates the new server and domain information in the end user's Location document.
10. Other elements that you might take into consideration.
 

Process in Detail

Step 1(a)
Create the Administration Process - Cross Domain Request Configuration Inbound (ITSO Domain) and Outbound (LTSO Domain) documents to allow the necessary capabilities between the Source (LTSO) and Target (ITSO) Domino Domains.

In the Domino Administration Client:
  • Select the Server tab.
  • Select the Analysis tab.
  • In Administration Request, go to Cross Domain Configuration.
  • Click Add Configuration.
  • Create the Outbound configuration in the LTSO domain for the ITSO domain, as shown in Figures 1 and 2.

Figure 1
Figure 2


Step 1(b)
In a similar fashion, create an Inbound Cross Domain Configuration document in the ITSO domain for the LTSO domain, as shown in Figures 3 and 4.

Figure 3
Figure 4

Step 2
Create a Connection document between the LTSO and ITSO Domino Domains, the source and the target, to facilitate replica creation of the mail file of the user moving from the source to the target Domino Domain, as shown in Figure 5.

Figure 5

Step 3
Create an Adjacent Domain document so that the email to "Administration Requests@" gets generated and delivered to the target domain, as shown in Figure 6.

Here we are creating an Adjacent Domain document in the LTSO Domino Domain for the ITSO Domino Domain.

Figure 6

Step 4
Copy the Target Certifier document and Source Server document to the Source Domino Domain server (the “ITSO IT Services” Certifier document from the ITSO to the LTSO Domino Directory). See Figures 7 and 8.

Figure 7
Figure 8

Step 5
Cross-certify the Source (LTSO) and Target (ITSO) Domino Domain servers and administrators, and vice versa, to facilitate smooth cross-domain server access and replication.

Cross-certify the ITSO server and ITSO administrator in the LTSO Domino Domain and vice versa. See Figures 9 and 10.

Figure 9
Figure 10

Step 6
Rename users with “Request Move to New Certifier” in the Source Domino Domain and complete all the Administration Process requests involved. Here we rename the user Anshul Gupta/IT Services/LTSO to Anshul Gupta/ITSO IT Services/ITSO. See Figures 11 to 19.

Figure 11: Select the user, choose “Rename User”, then choose “Request Move to New Certifier”.
Figure 12: Select the present certifier “IT Services” under the “LTSO” domain.
Figure 13: Select the target certifier, which has been copied from the Target (ITSO) Domino Domain to the Source (LTSO) Domino Domain.
Figure 14: The successful request is posted in the Admin Request “Name Move Request” view.
Figure 15: Complete the move for the selected entries, using the target certifier ID obtained by mail from the Target (ITSO) Domino Domain.
Figure 16: You must have access to the certifier ID and password of the target certifier from the Target (ITSO) Domino Domain.
Figure 17: This should result in successful completion of the “Name Move Request”.
Figure 18: Make sure AdminP successfully completes the “Request Move to New Certifier”.
Figure 19: Make sure AdminP completes all processes involved with “Request Move to New Certifier”. As the figure shows, the mail file owner has also been changed to the new certifier.

Step 7
After the move to the new certifier completes, have AdminP create new replicas of the mail files of the moved users on the Target Domino Domain servers.
In the current scenario we are moving the mail file of the renamed user Anshul Gupta/ITSO IT Services/ITSO to the target domain, i.e. ITSO. This request also looks for the Cross Domain AdminP Configuration documents created at the beginning in the source LTSO (Outbound) and target ITSO (Inbound) domains. See Figures 20 and 21.

Figure 20: Give appropriate rights to the target server to which you are moving the mail file. In this scenario we are moving the mail file to the ITSO domain.
Figure 21: Submit a “Create Replica” request by selecting the user's mail file and requesting that it be moved to the Target (ITSO) Domino Domain server.

Step 8
Manually copy the Person document from the Source Domino Domain's Domino Directory to the Target Domino Domain's Domino Directory.
Here we copy Anshul Gupta/ITSO IT Services/ITSO into the ITSO Domino Directory, as the user has been successfully moved to the new certifier. See Figure 22.

Figure 22

Step 9
Create an agent in the Target Domino Domain server’s Domino Directory to populate the Target Domino Domain field in the Person document. Also write an agent that populates the new server and domain information in the end user's Location document. See Figures 23, 24 and 25.

Figure 23
Figure 24: Create an agent to update the Location documents with the new Home Mail Server and Domino Mail Domain. See Tech Note “1092794” for more on this.
Figure 25: Create an agent to update the Location documents with the new Home Mail Server and Domino Mail Domain. See Tech Note “1092794” for more on this.


10. Other elements that you might take into consideration:

In the source domain the users' ID files were uploaded into the vault. After the users have been migrated to the new target domain, you might expect their ID files to be harvested automatically into the target domain's vault without any administrative intervention.
However, after applying to the migrated users an effective policy whose Security Settings document specifies the vault name on the target domain, the users' ID files are not harvested into the target domain's vault straightaway.

The users are able to work around this issue with one of these 2 actions:
1. By switching the user.id to itself.
2. By deleting the notes.ini parameters referencing the old id vault server in the client's notes.ini.

Additionally the following SPRs have been identified in the ID Vault area that are related :

SPR # NEKO88FT7H: If user has a nonexistent server specified in notes.ini var IDVaultLastServer, might not connect with vault server
LO61997: IF USER HAS A NONEXISTENT SERVER SPECIFIED IN NOTES.INI VAR IDVAULTLASTSERVER, THE USER MAY NOT CONNECT WITH THE VAULT SERVER

SPR # NEKO9CRKX6: The notes.ini last ID vault server accessed value should be flushed every 2 weeks.
IDVaultLastFlushTime
https://www-10.lotus.com
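
Work-around 2 scripted, as an added example that is not part of the original article: a PowerShell function that backs up a notes.ini and removes the IDVault* entries naming the old vault server. The function name, server names and sample file are constructed, and the value format shown for IDVaultLastServer is an assumption.

```powershell
# Added example; not code from the article. Function name and sample data are constructed.
function Remove-StaleIdVaultEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$NotesIniPath,    # the client's notes.ini
        [Parameter(Mandatory = $true)][string]$OldVaultServer   # vault server of the source domain
    )
    # Compare in abbreviated form so "CN=a/O=b" and "a/b" are treated as the same name.
    $abbrev  = { param($n) ($n -replace '(?i)\b(CN|OU|O|C)=', '').Trim() }
    $old     = & $abbrev $OldVaultServer
    $removed = New-Object 'System.Collections.Generic.List[string]'

    $kept = foreach ($line in Get-Content -LiteralPath $NotesIniPath) {
        # Entries are Name=Value; only IDVault* names are candidates for removal.
        if ($line -match '^\s*IDVault[^=]*=(.*)$') {
            $value = & $abbrev $Matches[1]
            if ($value.IndexOf($old, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $removed.Add($line)
                continue                     # drop the entry that names the old server
            }
        }
        $line
    }
    if ($removed.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($NotesIniPath, 'Remove stale IDVault entries')) {
        Copy-Item -LiteralPath $NotesIniPath -Destination "$NotesIniPath.bak" -Force  # rollback copy
        Set-Content -LiteralPath $NotesIniPath -Value $kept
    }
    $removed    # lines removed (or, with -WhatIf, lines that would be removed)
}

# Constructed sample: a notes.ini that still points at a vault server in the LTSO domain.
$ini = Join-Path ([IO.Path]::GetTempPath()) 'notes-sample.ini'
@'
[Notes]
KeyFilename=agupta.id
IDVaultLastServer=CN=VaultSrv01/O=LTSO
MailServer=CN=Mail01/O=ITSO
'@ | Set-Content -LiteralPath $ini

Remove-StaleIdVaultEntry -NotesIniPath $ini -OldVaultServer 'VaultSrv01/LTSO'
Get-Content -LiteralPath $ini    # show the cleaned file
```

Close the Notes client before running it against a real notes.ini so the client does not rewrite the file, and use `-WhatIf` first to list the matching lines without changing anything.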

Thursday, April 7, 2016

How to Install IBM Notes Client, Domino Administrator & Designer 9.0.1 Social Edition With Active Directory Integration

We installed IBM Domino 9.0.1 Social Edition in the previous post. Now we are going to install the IBM Notes client 9.0.1 with Domino Administrator & Designer Social Edition and Active Directory integration.

Domino Administrator has to be installed on the system you use to manage Active Directory in order to achieve Active Directory integration with Domino. We are going to install it on a Windows 7 32-bit workstation in our domain. The Remote Server Administration Tools need to be installed on that Windows 7 machine. You can download them from the following link.

https://www.microsoft.com/en-pk/download/details.aspx?id=7887

After installing the Remote Server Administration Tools, open Control Panel -- Programs and Features -- Turn Windows features on or off -- Remote Server Administration Tools -- Role Administration Tools -- select AD DS and AD LDS Tools and all options under it. After this you will see Active Directory Users and Computers under Administrative Tools in the Start menu.




Notes Client Package 9.0.1 is Client only. I have downloaded the Domino Designer package which includes Notes Client, Domino Administrator & Designer.
DOMINO_DESIGNER_901_WIN32_EN.exe

Before running the client setup we have to turn on the Domino web server and LDAP server.

Double-click the IBM Domino Console icon on the Domino server desktop and send the commands "load http" and "load ldap" in the Domino Console, one at a time.


Restart the Domino Server. Now you can Browse Domino Server from any client machine browser.


Now Start the Installer and click next


This will extract the installer files and start the setup. Click next


Accept the license terms and click next


As we are not using the client-only package, we don't have the multi-user option available. You can change the install and data file directories. Click Next.


Choose the features you want to install. We selected all features and clicked Next.


Click Install


Installation Started


Setup completed. Click Finish


Now you can see following three icons on the desktop



Now We have to install ADSync tool for Active directory integration.

Before Active Directory integration, download IBM Notes 9.0.1 Fix Pack 3:

notes901FP3_basic_win.exe

Install this Notes 9.0.1 FP3 on the Windows 7 32-bit machine.

After FP3 is installed, open a DOS command prompt window and navigate to the directory where you installed the client. Enter the following command and press Enter.

regsvr32 nadsync.dll

If you face Access Denied Error 




Do the following.


These steps require modifying the registry of a Windows 7 workstation. Please use caution and make backups of the registry, as incorrect modifications to the registry can render the workstation OS unusable.

1) Using regedt32, go to HKLM\Software\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}

2) Right click the key, and go to "permissions." Confirm that the Administrators group has "Full Control" checked.

3) Expand the key, and right click on NodeTypes. Attempt to give SYSTEM and Administrators "Full Control" if not already enabled.

4) If that fails, click the "advanced" button and go to the owner tab. Change the owner to Administrators, and click the checkbox "replace owner on subcontainers and objects" then click OK.

5) Give SYSTEM and Administrators "full control" for the NodeTypes, all subfolders under NodeTypes, and StandAlone.

Re-run "regsvr32 C:\Lotus\Notes\nadsync.dll" and this time the nadsync.dll registers successfully.
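
The registry backup the post asks for, narrowed to the keys these steps touch (an added example, not part of the original post): a read-only PowerShell check that records the owner and security descriptor of the snap-in key and its subkeys and reports whether Administrators and SYSTEM already hold Full Control. The function name and output file are constructed; the second path is the Wow6432Node key the post gives for 64-bit systems, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example; not from the original post. Function name and output path are constructed.
$snapInKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}'
)

function Get-SnapInKeyAcl {
    param([string[]]$Root = $snapInKeys)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $io      = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }   # e.g. no Wow6432Node on 32-bit
        # The snap-in key itself plus all subkeys (NodeTypes, StandAlone and below).
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $acl = Get-Acl -LiteralPath $k.PSPath -ErrorAction Stop
            # Allow rules granting Full Control on this key; inherit-only rules do not apply to it.
            $fc = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $full) -eq $full -and
                ($_.PropagationFlags -band $io) -ne $io
            }
            $sids = @($fc | ForEach-Object { $_.IdentityReference.Value })
            [pscustomobject]@{
                Key        = $k.Name
                Owner      = $acl.Owner
                AdminsFull = $sids -contains 'S-1-5-32-544'   # BUILTIN\Administrators
                SystemFull = $sids -contains 'S-1-5-18'       # NT AUTHORITY\SYSTEM
                Sddl       = $acl.Sddl                        # full descriptor, for restore
            }
        }
    }
}

# Save the state before taking ownership or granting Full Control, then show a summary.
$before = @(Get-SnapInKeyAcl)
$before | Export-Csv -Path (Join-Path $env:USERPROFILE 'mmc-snapin-acl-before.csv') -NoTypeInformation
$before | Format-Table Key, Owner, AdminsFull, SystemFull -AutoSize
```

Run it again after the permission changes, writing to a second file, and compare the two to see exactly which keys changed owner or gained Full Control; the saved SDDL strings are what a later restore would be built from.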


Open Active Directory Users and Computers on the Windows 7 32-bit machine and you will see the following.




You can also install the ADSync tool on Windows 7 64-bit or on the Domain Controller. On 64-bit systems we need to make the changes in the following registry key instead.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}

Do the same as we did for Windows 7 32-bit on the key above. Then open a command prompt with "Run as Administrator" and open c:\windows\SysWOW64\dsa.msc
I did the same on my Windows Server 2012 R2 64-bit Domain Controller and got the following.



If synchronization is not enabled, right-click "Domino Directory Synchronization" and click Options.
This will ask you for the Administrator password. Type the password, specify the Domino server and you will get the following.



On Notes Settings TAB set the following



Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it.



Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies. By default, the certifier and policy selected during setup are used for all operations



Click Apply and OK. 

Now when you create a new user in the domain you will also have the following option.



You can register Old users in Domino too. Just right click the User and click Register in Domino. 



Click Register now.



Select Certifier and Registration Policy and click Ok



Now Right Click the user and Click Synchronize with Domino. This will ask the common password for the user. Type in the password. 



You can do the same to register and synchronize a group with Domino.
Now Open Domino Administrator. And you will see Active Directory Users in People Tab and Groups in Groups Tab




Now we can manage Users for Active Directory and Domino from one place.  Next we will configure email clients for domino in our Lab. 
http://it-solutions-blog.blogspot.com