
Monday, July 7, 2014

Application Pool Identities

Introduction

Whether you are running your site on your own server or in the cloud, security must be at the top of your priority list. If so, you will be happy to hear that IIS has a security feature called the application pool identity. This feature was introduced in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool. For example, Task Manager shows the IIS worker process (w3wp.exe) of the default pool running as the DefaultAppPool identity.

Application Pool Identity Accounts

Worker processes in IIS 6.0 and in IIS 7 run as Network Service by default. Network Service is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.
However, a problem arose over time as more and more Windows system services started to run as Network Service. This is because services running as Network Service can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools. See the Windows documentation on virtual accounts for more information.

Configuring IIS Application Pool Identities

If you are running IIS 7.5 on Windows Server 2008 R2, or a later version of IIS, you don't have to do anything to use the new identity. For every application pool you create, the Identity property of the new application pool is set to ApplicationPoolIdentity by default. The Windows Process Activation Service (WAS) creates a virtual account with the name of the new application pool and runs the application pool's worker processes under this account by default.
To use this virtual account when running IIS 7.0 on Windows Server 2008, you have to change the Identity property of an application pool that you create to ApplicationPoolIdentity. Here is how:
  1. Open the IIS Management Console (INETMGR.MSC).
  2. Open the Application Pools node underneath the machine node. Select the application pool you want to change to run under an automatically generated application pool identity.
  3. Right click the application pool and select Advanced Settings...
  4. Select the Identity list item and click the ellipsis (the button with the three dots).
  5. The Application Pool Identity dialog appears.
  6. Select the Built-in account button, and then select the identity type ApplicationPoolIdentity from the combo box.
To do the same step by using the command-line, you can call the appcmd command-line tool the following way:
%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity

Securing Resources

Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).
  1. Open Windows Explorer
  2. Select a file or directory.
  3. Right click the file and select Properties
  4. Select the Security tab
  5. Click the Edit button and then Add button
  6. Click the Locations button and make sure that you select your computer.
  7. Enter IIS AppPool\DefaultAppPool in the Enter the object names to select: text box.
  8. Click the Check Names button and click OK.
By doing this, the file or directory you selected will now also allow the DefaultAppPool identity access.
You can do this via the command-line by using the ICACLS tool. The following example gives full access (F) to the DefaultAppPool identity; in practice, grant only the rights the application needs, for example read (R) for static content.
ICACLS test.txt /grant "IIS AppPool\DefaultAppPool":F
For more information, see ICACLS.
On Windows 7 and Windows Server 2008 R2, and later versions of Windows, the default is to run application pools as the application pool identity. To make this happen, a new identity type named ApplicationPoolIdentity was introduced. If the ApplicationPoolIdentity identity type is selected (the default on Windows 7 and Windows Server 2008 R2, and later), IIS runs worker processes as the application pool identity. With every other identity type (Network Service, Local Service, Local System or a custom account), the application pool SID is only injected into the worker process's access token as a group. If the identifier is injected, content can still be ACLed for the application pool identity, but the token's primary identity is shared with every other process running under that account, so the pool is not uniquely isolated.
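The procedure above (switch a pool to ApplicationPoolIdentity, then ACL content for IIS AppPool\<pool name>) as one script. This is an added example, not code from the iis.net article: it drives the same appcmd.exe and icacls tools the article uses, then verifies the result with Get-Acl. It assumes IIS 7.0 or later, an elevated prompt, and placeholder pool and path names (MyNewAppPool, C:\inetpub\MySite) that you would replace with your own. It also sets LoadUserProfile, which the User Profile section later on this page discusses.

```powershell
# Added example (not from the original iis.net article): run a site under its
# own application pool identity and ACL its content with least privilege.
# Assumptions: IIS 7.0+ with appcmd.exe; elevated prompt; the pool name and
# paths are placeholders.
param(
    [string]$PoolName     = 'MyNewAppPool',              # hypothetical pool name
    [string]$ContentPath  = 'C:\inetpub\MySite',         # hypothetical site root
    [string]$WritablePath = 'C:\inetpub\MySite\App_Data' # hypothetical writable folder
)
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Create the pool if it does not exist and run it as its virtual account.
if (-not (& $appcmd list apppool "$PoolName")) {
    & $appcmd add apppool /name:"$PoolName" | Out-Null
}
& $appcmd set apppool "$PoolName" /processModel.identityType:ApplicationPoolIdentity | Out-Null
# Only needed for applications that store data in the user profile.
& $appcmd set apppool "$PoolName" /processModel.loadUserProfile:true | Out-Null

# 2. The virtual account is addressed as "IIS AppPool\<pool name>" and has a
#    real SID (S-1-5-82-...) although it is not a user account.
$account = New-Object System.Security.Principal.NTAccount('IIS AppPool', $PoolName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Output "$PoolName runs as $($account.Value) ($($sid.Value))"

# 3. Least-privilege ACLs: read/execute on the content, modify only where the
#    application must write. (OI)(CI) make the grant inherit to files and
#    subfolders. Avoid :F (full control) unless the application really needs it.
& icacls $ContentPath  /grant "IIS AppPool\${PoolName}:(OI)(CI)RX" | Out-Null
& icacls $WritablePath /grant "IIS AppPool\${PoolName}:(OI)(CI)M"  | Out-Null

# 4. Verify the ACEs that name the pool identity on the content root.
(Get-Acl $ContentPath).Access |
    Where-Object { $_.IdentityReference.Value -eq "IIS AppPool\$PoolName" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# 5. Once the site has been requested, the worker process should show the pool
#    identity as its user (needs PowerShell 4+ and elevation).
Get-Process -Name w3wp -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, UserName
```

If step 5 still shows NT AUTHORITY\NETWORK SERVICE, the pool was not recycled after the identity change; recycle it (appcmd recycle apppool "<name>") and request the site again.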

Accessing the Network

Using the Network Service account in a domain environment has a great benefit. Worker processes running as Network Service access the network as the machine account. Machine accounts are generated when a machine is joined to a domain. They look like this:
<domainname>\<machinename>$
For example:
mydomain\machine1$
The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow this machine account access.

What about Application Pool Identities?

The good news is that application pool identities also use the machine account to access network resources. No changes are required. Note, however, that every application pool on the machine therefore presents the same machine account on the network: a file share or SQL Server database ACLed for mydomain\machine1$ cannot tell one pool from another. Where pools must be distinguished on the network, run the pool under a dedicated domain account (the Custom account option in the Application Pool Identity dialog) instead.

Compatibility Issues with Application Pool Identities

Guidance Documentation

The biggest compatibility issue with application pool identities is probably earlier guidance documents which explicitly recommend that you ACL resources for Network Service, that is, the default identity of the DefaultAppPool in IIS 6.0 and IIS 7.0. Customers will have to change their scripts to ACL for "IIS AppPool\DefaultAppPool" (or another application pool name) when running on IIS 7.5 or later (see the example above for how to do this).

User Profile

IIS doesn't load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data. SQL Express is an example of an application that does this. However, a user profile has to be created to store temporary data in either the profile directory or in the registry hive. The user profile for the Network Service account was created by the system and was always available. However, with the switch to unique Application Pool identities, no user profile is created by the system. Only the standard application pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the Administrator creates a new application pool.
However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to "true".

Summary

Application pool identities are a powerful new isolation feature introduced for Windows Server 2008, Windows Vista, and later versions of Windows. It will make running IIS applications even more secure and reliable.
http://www.iis.net

Monday, June 30, 2014

Troubleshoot DNS Event ID 4013: The DNS server was unable to load AD integrated DNS zones

Some Microsoft and external content have recommended setting the registry value Repl Perform Initial Synchronizations to 0 in order to bypass initial synchronization requirements in Active Directory. (A domain controller normally does not advertise until it has replicated each writable partition with at least one partner; when the DNS zones it needs to find that partner are AD-integrated on the same server, the DNS Server service logs Event ID 4013 while it waits, and startup can stall.) The specific registry subkey and the values for that setting are as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name:  Repl Perform Initial Synchronizations
Value type:  REG_DWORD
Value data: 0
This configuration change is not recommended for use in production environments or in any environment on an ongoing basis. Setting Repl Perform Initial Synchronizations to 0 should be reserved for critical situations, to resolve temporary and specific problems, and the default setting should be restored after such problems are resolved.

Viable alternatives include:
  • Remove references to stale domain controllers.

  • Make offline or non-functioning domain controllers operational.

  • Domain controllers hosting AD-integrated DNS zones should not point to a single domain controller and especially only to themselves as preferred DNS for name resolution.

    DNS name registration and name resolution for domain controllers is a relatively lightweight operation that is highly cached by DNS clients and servers.

    Configuring domain controllers to point to a single DNS server's IP address, including the 127.0.0.1 loopback address, represents a single point of failure. This is somewhat tolerable in a forest with only one domain controller but not in forests with multiple domain controllers.

    Hub-site domain controllers should point to DNS servers in the same site for the preferred and alternate DNS servers, and finally to themselves as an additional alternate DNS server.

    Branch site domain controllers should configure the preferred DNS server IP address to point to a hub-site DNS server, the alternate DNS server IP address to point to an in-site DNS server or one in the closest available site, and finally to themselves using the 127.0.0.1 loopback address or their current static IP address.

    Pointing to hub-site DNS servers reduces the number of hops required to get critical domain controller SRV and HOST records fully registered. Domain controllers within the hub site tend to get the most administrative attention, typically have the largest collection of domain controllers in the same site, and because they are in the same site, replicate changes between each other every 15 seconds (Windows Server 2003 or later) or every five minutes (Windows 2000 Server), making such DNS records "well-known".

    Dynamic domain controller SRV and host A and AAAA record registrations may not make it off-box if the registering domain controller in a branch site is unable to outbound replicate.

    Member computers and servers should continue to point to site-optimal DNS servers as preferred DNS and may point to off-site DNS servers for additional fault tolerance.

    Your ultimate goal is to prevent everything from replication latency and replication failures to hardware failures, software failures, operational practices, short and long-term power outages, fire, theft, flood, earthquakes and terrorist events from causing a denial of service while balancing costs, risks and network utilization.
  • Make sure that destination domain controllers can resolve source domain controllers using DNS (that is, avoid name resolution fallback)

    Your primary goal should be to ensure that domain controllers can successfully resolve the GUID-based CNAME records to host records of current and potential source domain controllers, thereby avoiding the high latency introduced by name resolution fallback logic.

    Domain controllers should point to DNS servers that:
    • Are available at Windows startup
    • Host, forward, or delegate the _msdcs.<forest root domain> and primary DNS suffix zones for current and potential source domain controllers
    • Can resolve the current CNAME GUID records (for example, dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com) and host records of current and potential source domain controllers.
Missing, duplicate, or stale CNAME and host records all contribute to this problem. Scavenging is not enabled on Microsoft DNS servers by default, increasing the probability of stale host records. At the same time, DNS scavenging can be configured too aggressively, causing valid records to be prematurely purged from DNS zones.

  • Optimize domain controllers for name resolution fallback

    The inability to properly configure DNS so that domain controllers could resolve the domain controller CNAME GUID records to host records in DNS was so common that Windows Server 2003 SP1 and later domain controllers were modified to perform name resolution fallback from domain controller CNAME GUID to fully qualified hostname, and from fully qualified hostname to NetBIOS computer name in an attempt to ensure end-to-end replication of Active Directory partitions.

    The existence of NTDS replication Event ID 2087 and 2088 logged in the Directory Service event logs indicates that a destination domain controller could not resolve the domain controller CNAME GUID record to a host record and that name resolution fallback is occurring. See the following article in the Microsoft Knowledge Base for more information:

    824449 Troubleshooting Active Directory replication failures that occur because of DNS lookup failures, event ID 2087, or event ID 2088

    WINS, HOST files and LMHOST files can all be configured so that destination domain controllers can resolve the names of current and potential source domain controllers. Of the three solutions, the use of WINS is more scalable since WINS supports dynamic updates.

    The IP addresses and computer names for computers inevitably become stale, causing static entries in HOST and LMHOST files to become invalid over time. Experienced administrators and support professionals have spent hours trying to figure out why queries for one domain controller incorrectly resolved to another domain controller with no name query observed in a network trace, only to finally locate a stale host-to-IP mapping in a HOST or LMHOST file.
  • Change the startup value for the DNS server service to manual if booting into a known bad configuration

    If booting a domain controller in a configuration known to cause the slow OS startup discussed in this article, set the service startup value for the DNS Server service to manual, reboot, wait for the domain controller to advertise, then restart the DNS Server service.

    If the service startup value for DNS Server service is set to manual, Active Directory does not wait for the DNS Server service to start.
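A health check for the points above, as an added example that is not part of the original KB text: it reports whether the Repl Perform Initial Synchronizations override is present (and removes it with a -RestoreDefault switch, a hypothetical name for this script), flags a DNS client configuration that points only at the local DC, and resolves every domain controller's CNAME GUID record through its target host record, which is exactly the lookup that fails before Events 2087 and 2088 appear. It assumes it is run on a domain controller with the ActiveDirectory and DnsClient PowerShell modules available.

```powershell
# Added example (not part of the original KB text): DC name-resolution health
# check. Assumptions: run on a domain controller with the ActiveDirectory and
# DnsClient modules; -RestoreDefault is a hypothetical switch for this script.
param([switch]$RestoreDefault)

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Repl Perform Initial Synchronizations'

# 1. Flag the registry override. By default the value is absent and initial
#    synchronization is performed (the same as a value of 1).
$current = (Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -ne $current) {
    Write-Warning "$valueName is set to $current (override present)"
    if ($RestoreDefault) {
        Remove-ItemProperty -Path $ntdsKey -Name $valueName
        Write-Output 'Override removed; default initial synchronization behaviour restored'
    }
}

# 2. DNS client configuration: pointing only at this DC (or 127.0.0.1) is a
#    single point of failure and the classic Event ID 4013 startup deadlock.
$localAddrs = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses }
$remote = $dnsServers | Where-Object { $_ -notin $localAddrs }
if (-not $remote) {
    Write-Warning "DNS client points only at this DC ($($dnsServers -join ', '))"
}

# 3. Each DC's DSA GUID CNAME (<objectGUID of its NTDS Settings>._msdcs.<forest
#    root>) must resolve, via the CNAME target, to a host record. A failure
#    here is what forces fallback to FQDN and NetBIOS name (Events 2087/2088).
$forestRoot = (Get-ADForest).RootDomain
foreach ($dc in Get-ADDomainController -Filter *) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname = "$guid._msdcs.$forestRoot"
    try {
        $target = (Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'CNAME' }).NameHost
        $hosts  = Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
                  Where-Object { $_.QueryType -eq 'A' }
        [pscustomobject]@{
            DC      = $dc.HostName
            Cname   = $cname
            Target  = $target
            Address = ($hosts.IPAddress -join ',')
        }
    } catch {
        Write-Warning "$($dc.HostName): cannot resolve $cname to a host record ($($_.Exception.Message))"
    }
}
```

Run it against the DNS servers each DC actually uses (add -Server <ip> to the Resolve-DnsName calls) rather than a hub server you know is healthy; a record that resolves from the hub but not from the branch DC's configured servers is the case the article is about.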
Additional considerations:
  • Avoid single points of failure.

    Examples of single points of failure include:
    • Configuring a DC to point to a single-DNS Server IP
    • Placing all DNS servers on guest virtual machines on the same physical host computer
    • Placing all DNS servers in the same physical site
    • Limiting network connectivity such that destination domain controllers have only a single network path to access a KDC or DNS Server
Install enough DNS servers for local, regional and enterprise-wide redundancy and performance, but not so many that management becomes a burden. DNS is typically a lightweight operation that is highly cached by DNS clients and DNS servers.

Each Microsoft DNS server running on modern hardware can satisfy 10,000-20,000 clients per server. Installing the DNS role on every domain controller can lead to an excessive number of DNS servers in your enterprise that can increase cost.

  • Stagger the reboots of DNS servers in your enterprise when possible.
    • The installation of some hotfixes, service packs and applications may require a reboot.
    • Some customers reboot domain controllers on a scheduled basis (every 7 days, every 30 days).
    • Schedule reboots, and the installation of software that requires a reboot, in a smart way to prevent the only DNS server or potential source replication partner that a destination domain controller points to for name resolution from being rebooted at the same time.
If Windows Update or management software is installing software that requires reboots, stagger the installs on the targeted domain controllers so that no more than half of the DNS servers that domain controllers point to for name resolution reboot at the same time.

  • Install UPS devices in strategic places to ensure DNS availability during short-term power outages.
  • Augment your UPS-backed DNS servers with on-site generators.

    To deal with extended outages, some customers have deployed on-site electrical generators to keep key servers online. Some customers have found that generators can power servers in the data center but not the on-site HVAC. The lack of air conditioning may cause local servers to shutdown when internal computer temperatures reach a certain threshold.

Tuesday, June 24, 2014

Modifying the Mail File Owner Field

Back in the day, which would be the Lotus Notes/Domino R5 days, if you needed to change the mail file owner field in a database, be it mail-in or person, it was a simple process. Open the mail file, click on Preferences – Mail – Basics, select a name from the Domino Directory, and save the Preference.
Apparently, to “prevent issues caused by the name in the Mail File Owner field not existing as a valid hierarchical name in the Domino Directory,” this behavior was changed in Release 6. The field was protected and usually required a change to the design of the mail file to allow this field to be edited.
That is a tiresome change.
If you have a mail file, or mail-in database, where you want to change the Owner field, it is as simple as creating a button and mailing it to the affected user (bad idea). I prefer using the same technique, but instead of waiting for the user to do something (click a button, in this case), open the mail file, create a button, and click it for the user.
Open the mail file.
Create a new message.
In a blank line of the new message, click Create – Hotspot – Button. Give the button a name, in this case “ClickMe.”
Now, add some code to the button:
@SetProfileField("CalendarProfile";"Owner";"<hierarchical name of user>")
Example: @SetProfileField("CalendarProfile";"Owner";"CN=Gregg Eldred/O=Acme")
Click the green check mark, to save the code.
The button is now on a blank memo, created in the mail file of the person who has an issue with the Owner field. And, as you created the button, the field value is perfect.
Click the button.
To confirm that your code worked, open Preferences – Mail – Basics. The Owner field should now show the name you set.
There, problem solved and the user didn’t have to do a thing (that’s called a “win” in my book).
geldred.com

Monday, June 23, 2014

Row Not Found at the Subscriber - Replication Issue

When you find an issue in replication with the error “The row was not found at the Subscriber when applying the replicated command.”, first we have to get the Transaction sequence number and Command ID from the error.
This can be found in the Distributor To Subscriber History tab in Replication Monitor.

Once we get the Transaction Sequence Number and Command ID, we can easily drill down to the command which is causing the issue by using sp_browsereplcmds. Before that, we also have to find out the publisher_database_id.

For finding publisher_database_id, we need to make use of Transaction Sequence Number and Command ID.
Query to find publisher_database_id using Transaction Sequence Number and Command ID
select * from msrepl_commands
where xact_seqno = 0x000BF8FB0003411E000400000000 and command_id=6



Once we get the publisher_database_id from the above query, then we need to execute the below query to get the command which is causing the error.
Query to find the command which is causing error
exec sp_browsereplcmds @xact_seqno_start = '0x000BF8FB0003411E000400000000',
@xact_seqno_end = '0x000BF8FB0003411E000400000000', @Command_id=6, @publisher_database_id=60


Once we get the command, we can manually sync the missing data from publisher to subscriber to make the replication work fine as before.

Note: All these commands have to be run on distribution database.
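The two lookups above chained into one script, as an added example that is not part of the original post: it takes the transaction sequence number and command ID from Replication Monitor, reads publisher_database_id from MSrepl_commands, and then calls sp_browsereplcmds for that single command. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the caller can read the distribution database; the instance name DIST01 is a placeholder.

```powershell
# Added example (not from the original post): locate the replicated command
# behind "The row was not found at the Subscriber". Assumptions: SqlServer
# module installed; read access to the distribution database; DIST01 is a
# placeholder instance name.
param(
    [Parameter(Mandatory)][string]$XactSeqno,     # e.g. 0x000BF8FB0003411E000400000000
    [Parameter(Mandatory)][int]$CommandId,
    [string]$Distributor    = 'DIST01',            # hypothetical distributor instance
    [string]$DistributionDb = 'distribution'
)
Import-Module SqlServer

# The sequence number is spliced into T-SQL as a literal, so validate it
# strictly before it goes anywhere near a query.
if ($XactSeqno -notmatch '^0x[0-9A-Fa-f]{2,32}$') { throw "Bad xact_seqno: $XactSeqno" }

$common = @{ ServerInstance = $Distributor; Database = $DistributionDb; ErrorAction = 'Stop' }

# 1. publisher_database_id for this command (MSrepl_commands lives in the
#    distribution database, which is why everything runs there).
$row = Invoke-Sqlcmd @common -Query @"
SELECT TOP (1) publisher_database_id, article_id, type
FROM dbo.MSrepl_commands
WHERE xact_seqno = $XactSeqno AND command_id = $CommandId;
"@
if (-not $row) { throw "No command $CommandId at $XactSeqno in MSrepl_commands" }

# 2. The command text itself, limited to this one transaction and command.
$cmd = Invoke-Sqlcmd @common -Query @"
EXEC sp_browsereplcmds
    @xact_seqno_start      = N'$XactSeqno',
    @xact_seqno_end        = N'$XactSeqno',
    @command_id            = $CommandId,
    @publisher_database_id = $($row.publisher_database_id);
"@
$cmd | Select-Object xact_seqno, command_id, article_id, command
```

The command column shows the stored procedure call (for example sp_MSupd_... or sp_MSdel_...) and its key values, which tells you which row to bring across from the publisher before the Distribution Agent is restarted.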
 
http://www.sanssql.com

Tuesday, June 3, 2014

Notes.ini variables for Domino Web Access

Question

What Lotus Domino server Notes.ini parameters are applicable to Lotus Domino Web Access?

Answer

Index:

    I. Variables that affect iNotes Web Access
    II. Additional Notes.ini variables for DWA 6.5x
    III. Additional Notes.ini variables beginning in DWA 6.0.3 and 6.5
    IV. Additional DWA/Sametime Notes.ini variables beginning DWA 6.5.1
    V. Additional DWA/Sametime Notes.ini variables beginning DWA 6.5.2
    VI. Additional Notes.ini variables beginning in DWA 6.5.4
    VII. Additional Notes.ini variables beginning in DWA 7.0
    VIII. Obsolete Notes.ini variables in DWA 7.x

Note: Notes.ini parameters are case sensitive on Unix platforms.

I. Variables that Affect iNotes Web Access
iNotes_WA_DisableActCntSecurity
First available in 5.0.8, this variable enables/disables the iNotes Web Access Active Content Filter, which strips scripts and other active content from HTML mail before it reaches the browser. A setting of 1 disables the filter and lets such content through, so leave it at 0 unless a specific application requires otherwise. Setting this variable to 0 (or omitting it from the server's Notes.ini file) enables the filter. By default, this variable is set to 0.
_______________________
iNotes_WA_NameLookupMaxNumMatch
First available in 5.0.9, this variable specifies the maximum number of names to return on a name validation. The default is 200.
_______________________
iNotes_WA_LogoutRedirect
First available in 5.0.10, this variable specifies the URL to redirect users to after logging out from the server, doing normal cache clearing with the iNotes control, and clearing browser credentials. This variable allows sites that have additional actions that need to happen on a logout (such as logging out from a reverse proxy server) to specify a URL to do this additional activity. Or you can use this variable to return people to an initial login page. This variable has no default value.
_______________________
iNotes_WA_MessageFormat
First available in 5.0.11, this variable determines whether to use the plain text editor or the rich text editor when composing mail messages. Setting this to 1 forces all users on the server to use the plain text editor only. By default, this variable is set to 0.
_______________________
$DolsDirectoryCatalog
First available in 5.0.10, this variable specifies the name of the Domino Directory the user can take off-line. When this variable is set, an option appears on the user preference interface. For example, if Notes.ini contains $DolsDirectoryCatalog=catalog.nsf, the user sees a new preference setting, "Include server's Name and Address Book." If the user enables this setting, the server's catalog.nsf will be included among the files when the user goes off-line. This variable is actually part of Domino Off-Line Services (DOLS). iNotes Web Access uses DOLS to allow users to work off-line. This variable has no default value.
_______________________
Log_DirCat
First available in 5.0, this variable logs information about the Directory Cataloger task to the Miscellaneous Events view of the log file (LOG.NSF). This lets you monitor the Directory Catalog build process. This is a standard Domino Notes.ini setting, described in the Domino 5.0 Administrator's Guide. Set this to 1 for iNotes Web Access. This variable has no default value.




II. Additional Notes.ini Variables for Domino Web Access (DWA) 6.5x
inotes_WA_LogoutScrubType

Syntax: inotes_WA_LogoutScrubType=value
Description: Sets the automatic cache clearing level for the Domino Web Access server.
0 - Deletes all URLs that begin with the mail file path, except those that have a strategically placed KeepInCache (&KIC) argument.
1 - Deletes all URLs that begin with the mail file path.
2 - Deletes all URLs in the cache that originate from the server hostname, except for URLs that contain /iNotes/Forms6.nsf, the current Forms file (or iNotes/Forms5.nsf).
3 - Deletes all URLs in the cache that originate from the server hostname.
4 - (Secure option) Deletes all URLs in the cache except for URLs that contain /iNotes/Forms6.nsf, the current Forms file (or iNotes/Forms5.nsf).
5 - (More secure option) Deletes all URLs in the cache.
Applies to: Domino Web Access IE clients using the Domino Web Access Control.
Default: 0
UI equivalent: None
For a full description of each value, see the topic "Setting the level for automatic cache clearing" in the Domino 6.5 Administration help.
_______________________
iNotes_WA_OOO_RunOnWeekends
Syntax: iNotes_WA_OOO_RunOnWeekends=value
Description: Use this setting to run the Out-of-Office agent on weekends.
0 - Prevents Out-of-Office agent from running on weekends.
1 - Enables Out-of-office agent to run on weekends.
Applies to: Domino Web Access clients.
Default: 0
UI equivalent: None
_______________________
By default, Domino Web Access 6.5x uses compression (GZIP format) to reduce network bandwidth consumption and provide better performance, particularly for users with slow network connections. You can use the following Notes.ini settings to turn GZIP compression on and off, and to specify the types of content to compress.
After compression, Domino Web Access generated pages are cached in the web server's page cache, which also improves server performance.
--------
iNotes_wa_GZIP_Disable
Syntax: iNotes_wa_GZIP_Disable=value
Description: Use this setting to turn compression on and off.
0 - Compression enabled.
1 - Compression disabled.
Applies to: All Domino Web Access clients
Default: 0
UI equivalent: You can also specify this setting in the Domino Web Access tab of the Configuration Settings document in the Domino Directory, under "Other Settings - Compress HTTP response data."
_______________________
iNotes_wa_GZIP_Content_Types_Included
Syntax: iNotes_wa_GZIP_Content_Types_Included=value
Description: Use this setting to define which types of content you want to compress. For example, to compress all text:
iNotes_wa_GZIP_Content_Types_Included="text/*"
Applies to: All Domino Web Access clients
Default: "text/*;application/*"
UI equivalent: None
_______________________
iNotes_wa_GZIP_Content_Types_Excluded
Syntax: iNotes_wa_GZIP_Content_Types_Excluded=value
Description: Use this setting to define which types of content you do not want to compress. For example, to exclude XML data so that it is not compressed:
iNotes_wa_GZIP_Content_Types_Excluded="image/*;text/xml"
Applies to: All Domino Web Access clients
Default: "image/*;application/pdf"
UI equivalent: None

Note: You can also disable GZIP compression using the "Compress HTTP response data" setting on the Domino Web Access tab of the Configuration Settings document.

III. Additional Notes.ini Variables Beginning in DWA 6.0.3 and 6.5
Note: Much of this information originated in the Notes/Domino 6.0.3 Release Notes.
_______________________
iNotes_WA_PortalLogout
Syntax: iNotes_WA_PortalLogout=value
Description: Set to 1 to offer the logout option when Domino Web Access is run from the DWA portlet or utilizing URLs with &ui=portal.
0 - Hides the logout option in the above scenarios.
1 - Displays the logout option in the above scenarios.
Applies to: Domino Web Access IE clients using the Domino Web Access Control, when run from the Domino Web Access portlet or utilizing URLs with &ui=portal
Default: 0
UI equivalent: None

_______________________
iNotes_WA_PortalOffline
Syntax: iNotes_WA_PortalOffline=value
Description: Set to 1 to offer the offline option on portals.
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access IE clients using the Domino Web Access Control
Default: 0
UI equivalent: None
_______________________
iNotes_WA_PortalSkipEndIESession
Syntax: iNotes_WA_PortalSkipEndIESession=value
Description: Use this setting to avoid logging out of other web applications when logging out of Domino Web Access during a portal session (when using &ui=portal session).
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access IE clients using the Domino Web Access Control
Default: 0
UI equivalent: None
_______________________
iNotes_WA_SessionCheck
Syntax: iNotes_WA_SessionCheck=value
Description: Allows Domino Web Access clients to detect whether a connection to the server is present before submitting requests. This setting incurs an additional HTTP request on every POST operation, but helps greatly reduce the likelihood of lost user data due to the Web server being down or network problems.
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access IE clients using the Domino Web Access Control
Default: 0
UI equivalent: None
_______________________
iNotes_WA_SkipEndIESession
Syntax: iNotes_WA_SkipEndIESession=value
Description: Use this setting to avoid issues with other open Web pages being negatively impacted by a Domino Web Access logout. When the Domino Web Access control is in use, Domino Web Access makes a call to end the IE session as part of a Domino Web Access logout. This clears any login credentials stored in IE memory and in-memory cookies being used within this IE process (or any child processes spawned from this process). It is preferable for users to log in to other web sites through a separate instance of IE, instead of using this setting. Users can start the additional instances from the desktop, the quick launch toolbar, or the start menu. When users start additional instances in this way, logging out of Domino Web Access does not impact the other IE windows.
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access IE clients using the Domino Web Access Control
Default: 0
UI equivalent: None

_______________________
iNotes_WA_AutoUseWebmail
Syntax: iNotes_WA_AutoUseWebmail=value
Description: Use this setting to bypass the browser block and automatically go to WebMail, if Domino Web Access is not supported by the browser, and Webmail is.
0 - Does not fail over to Webmail when using a browser that is not supported by Domino Web Access.
1 - Automatically invokes Webmail if Domino Web Access is not supported by the browser in use.
Applies to: All Domino Web Access clients
Default: 0
UI equivalent: None

IV. Additional DWA/Sametime Notes.ini Variables beginning in DWA 6.5.1
iNotes_WA_STLinksLocal
Syntax: iNotes_WA_STLinksLocal=value
Description: For Internet Explorer only, use this setting to turn off loading \stlinks from the Domino application server. If you set this value to 0, \stlinks is loaded from a Sametime server set up in the user's Person document instead. This is useful if different releases of Sametime server are running in an organization.
0= off
1= on
Applies to: All Domino Web Access clients
_______________________
iNotes_WA_Chat
Syntax: iNotes_WA_Chat=value
Description: Use this setting to turn off instant messaging and live names for all users. By default, instant messaging is enabled for anyone that Domino Web Access determines has a Sametime token or Lightweight Third Party Authentication (LTPA) token and a Sametime Server assigned.
0= off
1= on
Applies to: All Domino Web Access clients
Default: 1
UI equivalent: None
_______________________
iNotes_WA_SametimeJavaConnect
Syntax: iNotes_WA_SametimeJavaConnect=value
Description: Use this setting to use the Sametime Connect for browsers user interface, rather than the Domino Web Access chat user interface.
0= off
1= on
Applies to: All Domino Web Access clients
Default: 1
UI equivalent: None
_______________________
iNotes_WA_SametimeServer
Syntax: iNotes_WA_SametimeServer=hostname
Description: Provides a way of setting a Sametime hostname (messaging.ibm.com for example) for all Domino Web Access users (useful for clustered configurations). If not specified, the Sametime server is looked up on an individual user basis, by looking within the current user's Directory entry for a "SametimeServer" field. This Domino server name is then looked up within the ($Servers) view to determine the Internet hostname of the Sametime server.
Applies to: All Domino Web Access clients
Default: none
UI equivalent: None
_______________________
iNotes_WA_SametimeToken
Syntax: iNotes_WA_SametimeToken=value
Description: Use this setting to turn off secrets-and-tokens authentication and use only the LTPA token if it is present.
0= off
1= on
Applies to: All Domino Web Access clients
Default: 1
UI equivalent: None
_______________________
iNotes_WA_STLinksCodebase
Syntax: iNotes_WA_STLinksCodebase=URL
Description: Provides a way of specifying a different first parameter to the STLinksURL API call. Use this setting to set the path to https, to specify a port on the Sametime server, or to specify another reverse proxy path. For example: http://proxy.iris.com/messaging/sametime/stlinks
Applies to: All Domino Web Access clients
Default: None
UI equivalent: None
Note: This variable is obsolete for DWA 6.5.1.

V. Additional DWA/Sametime Notes.ini Variables beginning in DWA 6.5.2
Note: This information originated in the Notes/Domino 6.5.2 release notes.
iNotes_WA_SametimeProtocol
Syntax: iNotes_WA_SametimeProtocol=value
Description: Set the value to https: or http: if you do not want to use the current Web page's protocol to access the Sametime server. For example, if the current protocol is http and you want to force the use of https:

iNotes_WA_SametimeProtocol=https:
Applies to: Domino Web Access clients using iNotes6.NTF based templates
Default: The current Web page protocol
UI equivalent: None
Note: If you use the Notes.ini setting iNotes_WA_STLinksCodebase=URL to point to the URL from which to load the STLinks toolkit, then the iNotes_WA_SametimeProtocol setting will not apply. It is recommended that you use iNotes_WA_SametimeProtocol (or iNotes_WA_SametimeServer) to resolve any Sametime setup issues before using iNotes_WA_STLinksCodebase=URL. Information about iNotes_WA_SametimeServer is listed in "Notes.ini Settings" in the Reference section of Domino Administrator help.
Note: The Domino 6.5.2 Release Notes specify an incorrect syntax for the example above (iNotes_WA_SametimeProtocol=http) showing how to use the parameter if you want to force the use of https. The syntax has been corrected in this technote, above (iNotes_WA_SametimeProtocol=https:).
_______________________
iNotes_WA_SametimeOrg
Syntax: iNotes_WA_SametimeOrg=value
Description: Set the value to 1 to pass the current user's organization (O= part of their name) to Sametime. This setting is necessary for xSP environments.
1 = Uses the organization from the current user
<organization value> = to pass a specified organization value to Sametime instead of passing the O= part of the current user's name. Note: For this release, do not use zero (0) as a value. If you do, the zero is passed on as the organization name.
Applies to: Domino Web Access clients using iNotes6.NTF based templates
Default: Do not pass an Organization value when logging in to stlinks (Sametime)
UI equivalent: None
_______________________
iNotes_WA_SametimeNameFormat
Syntax: iNotes_WA_SametimeNameFormat=value
Description: Allows you to adjust the format of the name that is passed to Sametime for login, for awareness checking, and whether to pass RFC821 names. The value can contain up to 4 numeric digits in sequence.
For example:
iNotes_WA_SametimeNameFormat=1011
where the following values apply:

First digit (leftmost) -- controls the format of the name passed to Sametime routines that prepare links and start chat sessions:
0 = Use abbreviated canonical format (for example, Joe User/Acme) [the default]
1 = Use full canonical format (for example, CN=Joe User/O=Acme)
2 = Use abbreviated canonical format but use a comma ( , ) as a separator for the name components (for example, CN=Joe User,O=Acme)
3 = Use only the common name (for example, Joe User)
2nd digit -- controls whether RFC821 addresses (for example, Joe User@acme.com) should be sent to Sametime:
0 = No, do not send
1 = Yes, do send [the default]
3rd digit -- controls the format of the name passed to Sametime login routines:
0 = Use abbreviated canonical format (for example, Joe User/Acme)
1 = Use full canonical format (for example, CN=Joe User/O=Acme) [the default]
2 = Use abbreviated canonical format but use a comma ( , ) as a separator for the name components (for example, CN=Joe User,O=Acme)
3 = Use only the common name (for example, Joe User)
4 = Use LDAP distinguished name (for example, uid=juser,cn=users,dc=ibm,dc=com)
4th digit -- a debug aid: when the user hovers over a link, the name that displays is identical to the name sent to Sametime. Use any character in the fourth position to enable this.

Applies to: Domino Web Access clients using iNotes6.NTF based templates
Default: 011
UI equivalent: None

VI. Additional Notes.ini Variables beginning in DWA 6.5.4
You can use the following Notes.ini settings to customize your Domino Web Access sessions.
iNotes_WA_DisableBothFormats
Syntax: iNotes_WA_DisableBothFormats=value
Description: Use this setting to turn off the ability to send a message in both plain text and HTML format.
0 - on
1 - off
Applies to: Domino Web Access clients using iNotes6.NTF based templates
Default: 0
UI equivalent: None
_______________________
iNotes_WA_DisableRecodeMIMECharset
Syntax: iNotes_WA_DisableRecodeMIMECharset=value
Description: By default, Domino Web Access recodes charsets for any text parts if their charset is not the default charset for the charset group. Use this setting to turn off such behavior.
0 - on
1 - off
Applies to: Domino Web Access clients using iNotes6.NTF based templates
Default: 0
UI equivalent: None

VII. Additional Notes.ini Variables beginning in DWA 7.0

iNotes_WA_Areas
Syntax: iNotes_WA_Areas=value
Description: Use this setting to disable any combination of the six functional areas in Domino Web Access: Welcome, Mail, Calendar, To Do, Contacts, or Notebook. Each area can contain a value of 0 to disable an area, or 1 to enable an area. The format is iNotes_WA_Areas=ABCDEF where
A = Welcome
B = Mail
C = Calendar
D = ToDo
E = Contacts
F = Notebook

Example: In this example, all sections except for Mail and Contacts are disabled:
iNotes_WA_Areas=010010
Applies to: Domino Web Access clients
Default: 111111 -- if this setting is not used, all functional areas are enabled by default.
UI equivalent: None
_______________________
iNotes_WA_ConfirmBlockedActiveX
Syntax: iNotes_WA_ConfirmBlockedActiveX=value
Description: If a user has not installed the latest Domino Web Access ActiveX control and if the installation is blocked by the browser, they will be asked once per session to confirm that Domino Web Access should continue to try to utilize the ActiveX control on subsequent pages (which is necessary to get the control installed). This setting provides a way to disable this prompt and for Domino Web Access to not use the Domino Web Access ActiveX control on subsequent pages (if it isn't already installed).
0 - Suppresses confirmation box.
1 - Confirmation box displays.
Note: If the confirmation box is suppressed, a user can now install the ActiveX control from the Domino Web Access Preferences dialog.
Applies to: Domino Web Access clients
Default: 1
UI equivalent: None
_______________________
iNotes_WA_Feeds
Syntax: iNotes_WA_Feeds=value
Description: Use this setting to enable the advertisement and access to various Inbox feed formats for Domino Web Access mail files. Possible values are:
iNotes_WA_Feeds=rss
iNotes_WA_Feeds=atom
iNotes_WA_Feeds=atom,rss
The default URL formats for retrieving the feeds are as follows:
<mailfile>/iNotes/Proxy/?OpenDocument&Form=s_RSS&NKA (for RSS)
<mailfile>/iNotes/Proxy/?OpenDocument&Form=s_Atom&NKA (for Atom)
Applies to: Domino Web Access clients
Default: not specified (no feeds are enabled/advertised)
UI equivalent: None
_______________________
iNotes_WA_FeedsSecured
Syntax: iNotes_WA_FeedsSecured=value
Description: By default only secure feeds are enabled to the mail file. This is to avoid insecure authentication occurring as part of a feed retrieval. If you wish to allow feeds to be accessed via http rather than https, this INI setting may be used to do so.
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access clients
Default: 1
UI equivalent: None
_______________________
iNotes_WA_FeedsProtocol
Syntax: iNotes_WA_FeedsProtocol=value
Description: Use this setting to have further control of the feed protocol advertised by the Inbox page. It is only applicable when iNotes_WA_FeedsSecured is set to "0."
http: - to have http: be the default advertised feed protocol
https: - to have https: be the default advertised feed protocol
Not specified: (default) -- advertise the feed to use the same protocol as the current page on which the feed advertisement occurs
Applies to: Domino Web Access clients
Default: not specified
UI equivalent: None
_______________________
iNotes_WA_DisplayArchiveList
Syntax: iNotes_WA_DisplayArchiveList=value
Description: Use this setting when users may have more than one private archive policy and/or the administrator has assigned an archive policy to the user. When this variable is set to 1, a dialog opens when the user clicks the Archives button or tries to perform an Archive operation on a selected document from the virtual list or from an open message. The dialog displays a list of the archive criteria that the user has set and/or the archive criteria settings assigned through an archive policy by the administrator. The user can select the desired archive on which to perform the archive operation.
0 - Disables this setting.
1 - Enables this setting.
Applies to: Domino Web Access clients
Default: 0 (disabled)
UI equivalent: None
_______________________
iNotes_WA_PreferWebEngineCacheControl
Syntax: iNotes_WA_PreferWebEngineCacheControl=value
Description: Domino Web Access now sets Cache-Control response headers in a way to avoid the Domino Web Engine remapping them in certain scenarios. The default Domino Web Engine logic was disallowing Cache-Control: no-store responses for HTTP 1.0 requests. This setting provides a way to revert to prior behavior.
0 - Disables this setting
1 - Enables this setting
Applies to: Domino Web Access clients
Default: 0 (disabled)
UI equivalent: None
_______________________
iNotes_WA_PreferXMLHttpRequest

Syntax: iNotes_WA_PreferXMLHttpRequest=value
Description: Set this variable to 1 to use Microsoft.XMLHTTP ActiveX object instead of load() method of <xml> tag where possible.
0 - Disables this setting
1 - Enables this setting
Applies to: Domino Web Access clients
Default: 0 (disabled)
UI equivalent: None

_______________________
iNotes_wa_GZIP_Min_Bytes_To_Compress
Syntax: iNotes_wa_GZIP_Min_Bytes_To_Compress=value
Default: 350 bytes
_______________________
iNotes_wa_GZIP_Max_Bytes_To_Compress
Syntax: iNotes_wa_GZIP_Max_Bytes_To_Compress=value
_______________________
iNotes_wa_GZIP_Write_To_File
Syntax: iNotes_wa_GZIP_Write_To_File=value
Default: 0
0 = do not write original and zipped pages to file
1 = write original and zipped pages to file
The files are written to the data directory with the filename iwagzip_PROCID_date@time.html/gz

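The settings above are easiest to check mechanically. The following Python script is an added example, not part of the technote or of any IBM tooling: it parses a constructed Notes.ini fragment (Notes.ini keys are matched case-insensitively), expands iNotes_WA_Areas into per-area flags, splits iNotes_WA_SametimeNameFormat into its positional digits, renders a hierarchical name in the formats the first and third digits select, and flags the values that weaken the documented defaults (iNotes_WA_FeedsSecured=0, iNotes_WA_FeedsProtocol=http:, iNotes_wa_GZIP_Write_To_File=1, iNotes_WA_SametimeProtocol=http:). The function names, the sample INI text and the treatment of omitted trailing NameFormat digits (they take the documented defaults) are assumptions made for this example.

```python
# Added example, not from the technote: parse a Notes.ini fragment and audit the
# Domino Web Access settings documented above (Areas, SametimeNameFormat, Feeds*,
# GZIP_Write_To_File). Helper names and the sample INI text are constructed here.
import re
from typing import Dict, List

AREA_NAMES = ["Welcome", "Mail", "Calendar", "To Do", "Contacts", "Notebook"]

# Constructed sample fragment; the values are chosen to trigger every finding below.
SAMPLE_INI = """\
; constructed sample, not a real server's Notes.ini
ServerTasks=Update,Replica,Router,AMgr,HTTP
iNotes_WA_Areas=010010
iNotes_WA_Feeds=atom,rss
iNotes_WA_FeedsSecured=0
iNotes_WA_FeedsProtocol=http:
iNotes_wa_GZIP_Write_To_File=1
iNotes_WA_SametimeNameFormat=1011
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Return key=value pairs; keys are lower-cased so lookups are case-insensitive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, or no key=value pair
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def decode_areas(value: str) -> Dict[str, bool]:
    """Expand iNotes_WA_Areas=ABCDEF (A=Welcome ... F=Notebook) into {area: enabled}."""
    if not re.fullmatch(r"[01]{6}", value):
        raise ValueError(f"iNotes_WA_Areas must be six 0/1 digits, got {value!r}")
    return {name: digit == "1" for name, digit in zip(AREA_NAMES, value)}


def decode_name_format(value: str) -> Dict[str, object]:
    """Split iNotes_WA_SametimeNameFormat into its positional digits.

    Assumption (not stated by the technote): omitted trailing digits take the
    documented defaults 0, 1, 1 and debug off, so "011" decodes as the default.
    """
    if len(value) > 4 or not value[:3].isdigit():
        raise ValueError(f"bad iNotes_WA_SametimeNameFormat value {value!r}")
    link = value[0] if len(value) > 0 else "0"
    rfc821 = value[1] if len(value) > 1 else "1"
    login = value[2] if len(value) > 2 else "1"
    if link not in "0123" or rfc821 not in "01" or login not in "01234":
        raise ValueError(f"digit out of range in {value!r}")
    return {"link": link, "rfc821": rfc821 == "1", "login": login,
            "debug": len(value) == 4}  # any 4th character turns the hover aid on


def format_sametime_name(abbreviated: str, digit: str) -> str:
    """Render an abbreviated hierarchical name ('Joe User/Sales/Acme') in the
    format chosen by a 0-3 link/login digit. Digit 4 (LDAP DN) needs directory
    data that the name alone does not carry, so it is rejected here."""
    parts = abbreviated.split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"expected 'Common Name/[OU/...]Org', got {abbreviated!r}")
    labelled = [f"CN={parts[0]}", *(f"OU={ou}" for ou in parts[1:-1]), f"O={parts[-1]}"]
    if digit == "0":
        return abbreviated            # Joe User/Acme
    if digit == "1":
        return "/".join(labelled)     # CN=Joe User/O=Acme
    if digit == "2":
        return ",".join(labelled)     # CN=Joe User,O=Acme
    if digit == "3":
        return parts[0]               # Joe User
    raise ValueError(f"name format digit {digit!r} cannot be derived from the name")


def audit(settings: Dict[str, str]) -> List[str]:
    """Flag settings that weaken the defaults described in the technote."""
    findings: List[str] = []
    if settings.get("inotes_wa_feeds") and settings.get("inotes_wa_feedssecured", "1") == "0":
        findings.append("iNotes_WA_FeedsSecured=0: Inbox feeds may be fetched over plain "
                        "http, so feed retrieval can authenticate insecurely")
        if settings.get("inotes_wa_feedsprotocol", "").lower() == "http:":
            findings.append("iNotes_WA_FeedsProtocol=http: advertises http feed links "
                            "even on https pages")
    if settings.get("inotes_wa_gzip_write_to_file") == "1":
        findings.append("iNotes_wa_GZIP_Write_To_File=1: original and zipped pages are "
                        "written to the data directory (debug aid; leaves user content on disk)")
    if settings.get("inotes_wa_sametimeprotocol", "").lower() == "http:":
        findings.append("iNotes_WA_SametimeProtocol=http: forces Sametime access over plain http")
    return findings


if __name__ == "__main__":
    cfg = parse_notes_ini(SAMPLE_INI)
    for area, on in decode_areas(cfg["inotes_wa_areas"]).items():
        print(f"{area:9} {'enabled' if on else 'disabled'}")
    print(decode_name_format(cfg["inotes_wa_sametimenameformat"]))
    for finding in audit(cfg):
        print("WARN", finding)
```

Run it against a copy of the server's Notes.ini instead of SAMPLE_INI to see which DWA areas are exposed and whether any feed, GZIP or Sametime setting has been relaxed from its documented default; the audit reads the parsed dictionary only, so it never needs to touch the live server.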


VIII. Obsolete Notes.ini variables in DWA 7.x

Note: This information originated in the Notes/Domino 7.0 and 7.0.1 release notes.

The Notes.ini variables listed below have been made obsolete in 7.x, either because UI settings exist to enable the functionality or because the functionality is no longer required.

Note: DWA 7 (mail files based on the DWA7.ntf design) will not honor these parameters if found in the Notes.ini; it will read only from the configuration document. If a particular obsoleted parameter does not exist in the configuration document, the functionality is no longer required and there is no other method of enabling it. DWA 6 (mail files based on iNotes6.ntf) will still honor these parameters, since there is no other method of enabling the functionality.

Variable -- Reason for obsolescence
iNotes_WA_Chat -- Functionality enabled by the Domino Web Access Instant Messaging setting "Instant Messaging features" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_LiveNames -- Functionality enabled by the Domino Web Access Instant Messaging setting "Online awareness" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_NoLocalArchive -- Functionality now enabled by the Domino Web Access setting "Local Archiving" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_OOO_RunOnWeekends -- This setting was used to run the Out-of-Office agent for mail databases based on the iNotes5.ntf template only, and is not necessary for iNotes6.ntf or DWA7.ntf mail templates. The iNotes5.ntf mail template is not supported in Domino 7.
iNotes_WA_SametimeJavaConnect -- Functionality enabled by the Domino Web Access Instant Messaging setting "Prefer Sametime Java Connect for browsers" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_SametimeServer -- Functionality enabled by the Domino Web Access Instant Messaging setting "Set an Instant Messaging server hostname for all DWA users" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_SametimeToken -- Functionality enabled by the Domino Web Access Instant Messaging setting "Allow secrets and tokens authentication" in the Configuration Settings document of the Domino Directory server.
iNotes_WA_STLinksLocal -- Functionality enabled by the Domino Web Access Instant Messaging setting "Loading \stlinks from Domino application server" in the Configuration Settings document of the Domino Directory server.

More iNotes .ini settings can be found here in the "I" section:
http://www.ibm.com/developerworks/lotus/documentation/notes-ini/ftoj.html#I

Cross reference information
Segment: Messaging Applications
Product: IBM iNotes
Component: Not Applicable
Platform: Linux, Windows
Version: 8.5

Historical Number

197592

Product Alias/Synonym

iNotes Web Access for Domino Server
IWA
iNotes WA
iNotes for Web Access

Tuesday, May 13, 2014

2 Free Microsoft Windows Server 2012 Antivirus Solutions.

(Two free antivirus programs for Windows Server 2012)

By default, Windows Server 2012 comes without a security solution.
This is especially important if you use 2012 as a robust workstation OS for your studying needs.
So, to protect your time-consuming lab-rat experiments, you might feel left “high and dry“.
Though not everything is lost, since there are 2 hacks you might wish to implement to provide a minimum form of protection to your lab.

1. Microsoft Security Essentials for Windows 7 into Windows Server 2012.

The first hack allows you to install Microsoft Security Essentials (MSE).
Microsoft Security Essentials is designed for Windows 7 and is not compatible (nor supported) on Windows Server 2012.
But if you insist, you might as well end up installing it on your Windows Server 2012.
  1. Download a copy of MSE from Microsoft: http://windows.microsoft.com/en-us/windows/security-essentials-all-versions
  2. Right Click on the “mseinstall.exe”.
  3. Click on Properties.
  4. Click on the “Compatibility”-tab.
  5. Locate the “Compatibility mode”-section.
  6. Check “Run this program in compatibility mode for:”.
  7. Select "Windows 7" from the (now active) dropdown menu.
  8. Open a Command Prompt as Administrator.
  9. cd to your Downloads folder (ie. cd C:\Users\%username%\Downloads).
  10. Run “mseinstall /disableoslimit” and follow the installer prompts to install MSE on your Windows Server 2012.

2. Microsoft Endpoint Protection 2012 (part of the System Center 2012 suite).

Microsoft Endpoint Protection 2012 is part of a freaking awesome Microsoft System Center suite.
For further info, please refer to http://en.wikipedia.org/wiki/System_Center#Microsoft_System_Center
They are all fully integrated & automated Client/Server solutions that satisfy specific system administration requirements (in addition to the already excellent features provided by Windows Server).
Among those, there’s Microsoft Endpoint Protection 2012, which is a Client/Server Security solution that fully integrates with your Active Directory Domain.
In layman’s words, Microsoft Endpoint Protection 2012 could be considered as the “full” version of Microsoft Security Essentials (aka Windows Defender on Windows 8/8.1).
The solution includes both a “Server” application (ie. to deploy on your application server) and a “Client” counterpart (ie. for your workstations).
  • The hack here is the possibility to run the Client as a “standalone” product (ie. without the Server application).
Not only, you can get the client “for free”, by simply downloading the Trial version of the entire Microsoft Endpoint Protection 2012 suite (trial refers to the Server Application).
To install System Center 2012 Endpoint Protection on Windows Server 2012 proceed as follows:
  • Download Microsoft System Center Configuration Manager and Endpoint Protection 2012 SP1 from the following address:
http://technet.microsoft.com/en-US/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Once you obtain the package (mine was named SC2012_SP1_RTM_SCCM_SCEP.exe and it was 613MB):
  1. Right Click on it and open the archive with 7zip.
  2. Extract the “CLIENT”-Folder from SC2012_SP1_RTM_SCCM_SCEP.exe into a temporary location.
  3. Browse to the CLIENT folder with Windows Explorer and run “SCEPINSTALL.exe”.
  4. Follow the installer prompts and you'll end up with a fully featured security solution courtesy of Microsoft.
[Screenshots: System Center 2012 Endpoint Protection]


Personal remarks.

Now, apart from what’s moral and what’s not, Microsoft highly likely wishes you to “give it a go” (at their own Security solutions).
Despite glorious bugs that made glowing news during the previous decade, Microsoft takes a serious stand when it comes to Security.
How?! For one, by constantly releasing Windows “Security Updates”.
Pair that with a basic form of malware protection and you might just end up covering 80% of your security needs.
Independent testing says: "meh..!"
If you asked me what's my favourite professional security suite, I'd say: "it depends".
If you're an SMB with limited resources (and perhaps close to no IT personnel), then I'd lean towards a fully managed OOB solution (like Bitdefender).
If you’re a Windows-only Enterprise or Government organization, then I’d lean towards a secured Active Directory domain environment (ie. w/Applocker & IPSec), with the integration & automation provided by Microsoft System Center-based solutions (such as Endpoint Protection 2012).
Thoughts welcome.

[UPDATE] 2014-02-12 -- Windows Server 2012 R2 compatibility:

Jens (a reader of this article) reports that SCCM 2012 SP1 is not working on his Windows Server 2012 R2.
  • I tried to run MS SCCM 2012 R2 EP Client on Windows Server 2012 R2 Datacenter and it just worked!
So yes, the above procedure is confirmed to work on Windows Server 2012 R2 -- provided you use Microsoft System Center 2012 R2 Endpoint Protection Client.

Updated procedure for Windows Server 2012 R2.

  1. Obtain SCCM 2012 R2 TRIAL from http://technet.microsoft.com/en-us/evalcenter/dn205297.aspx
  2. Extract the SCCM 2012 R2 EP “Client”-Folder from SC2012_R2_SCCM_SCEP.exe.
  3. Run “SCEPINSTALL.exe” as Admin.

http://www.pwrusr.com

Tuesday, March 25, 2014

Creating Notes groups and users

(Notes user registration and groups)
During server setup, the Administrator account is created automatically. In this article I will show you how to create (register) users in Notes (Notes user registration).
To make administration easier, you should manage access to servers or databases by using groups.

What is Notes user registration?

Notes user registration is a process in which you must:

  • Create a Person document for the user in the Domino Directory
  • Create a Notes User ID file and, depending on the type of mail system the user uses, store it in one or more of the following places:
  • The Person document
  • On the computer's disk
  • In the user's mail file
  • In the user's Address Book
  • Sent to the Notes ID Vault
  • If the user uses Notes Mail, create the mail database on the server
  • You can assign the user to one or more groups
  • If you use Windows Server and have installed and configured Domino Directory Sync Services, creating a user in Domino also creates the user on the Windows Server, and adding a user to a group in Domino adds the user to the group in Windows
A registered user is not "active" until you install the Notes Client.

Creating a Notes user

Step 1: Before you register users, you must have access to the certifier ID file. By default Domino uses the Cert.ID file; here I choose the OU.ID file
Step 2: In the Domino Administrator tool, select the Configuration tab
Step 3: Expand the Registration tool and select Person
Step 4: The next step depends on whether you have registered users before
If Domino Administrator already used an ID to register users previously, this time you only need to enter the password of the ID that was used.
If it is the certifier you need, enter the password of the Certifier ID file and click OK
If it is not the certifier ID you need, click Cancel. The system then shows a dialog letting you choose another certifier ID.
Step 5: If Domino Administrator has never been used to register users, you will have to choose the Registration Server and Certifier ID:
Click:
Server: to choose the server you want to use for registration
Certifier ID: to choose the Certifier ID file
Click OK, then enter the password
Step 6: The Person Registration dialog appears; the picture below shows part of the dialog

Step 7: If the Registration Server shown is not the server you want to use for registration, click Registration Server to choose the server to register on.
Step 8: Enter the first and last name
Step 9: Enter a password that complies with the password complexity policy
Note 1: To set the password complexity, click Password Options. If you select Set internet password in the Internet password field, this password is used for authentication through a web browser and also for other protocols (LDAP, POP3, HTTP, SMTP...). If you do not use a web browser to authenticate to the system, you do not need to set an Internet password.
Note 2: Each Domino user can have one or two passwords (the Notes ID file password and the password used for authentication through a web browser over HTTP); this depends on the administrator's settings.
Step 10: Click Advanced to show more options
Step 11: Click the Mail tab; this is where you set up the mailbox configuration for the user.
Step 12: Click the ID Info tab and note how the certifier name is displayed; if it looks wrong or unreasonable, adjust it
Step 13: Click the Groups tab; this is where you choose which groups to put the user in.
If you do not want to put the user in any group, skip this step.
Step 14: Click the check-mark button to register one person
Step 15: Click the button for the system to complete the registration. When registration is done, click the Done button to close the registration dialog
Step 16: View the result: click People, and you will see the user you just registered in the right-hand pane; if you do not see it, press F9 to refresh the view.

Why use groups

If you have only a small number of users in the Domino domain, you do not need to think about using groups. But groups are part of server and database security, and it is more effective to assign rights by group instead of using each user's name in Server Access Lists and Database Access Control Lists (ACLs).
To make administration easier when controlling access to a server or database, you can use the following:
  • Group members are stored in the Group document
  • An organization name can be replaced by a wildcard, for example */vsd or */vsd/com/vn, which is faster than a Group when the server looks it up

Standard Domino groups

  • LocalDomainServers: has access to all servers, manages access to all databases, has the right to create databases and create replicas
  • Terminations: the list of people you want to deny access to all servers
  • Developers: has access to and can create databases on all servers
  • Department X, Department Y, Department Z: used to control access and to send mail to the people in the group
  • WholeCompany or LocalDomainPeople: includes the department groups that have access to all servers and mail servers
  • OtherDomainServers: represents servers belonging to other companies; restricts access to servers and databases
  • OtherDomainUsers: same as OtherDomainServers
  • WebUsers: controls access from a browser to databases

Creating a group

Step 1: Log in to Domino Administrator and select the People & Groups tab
Step 2: Expand the Domino Directory view and select Groups
Step 3: Click Add Group
Step 4: Complete the fields in the group creation form and click Save & Close to finish