Follow up to the OpenNTF webinar on Domino administration best practices

During the webinar me and Heather ran out of time so we did not have time to talk about all the points that are highlighted in the slides.
Here are some details on those point that we did not cover

Program Documents
Program Documents provide a method for scheduling server tasks to run at a scheduled time/day.  A common usage is for proactive database maintenance.  Prior to release 9, program documents would typically be created to run the fixup and compact tasks against databases.  Release 9 includes the Database Management Task, DBMT, which does the following.

  • runs copy-style compact operations
  • purges deletion stubs
  • expires soft deleted entries
  • updates views
  • reorganizes folders
  • merges full-text indexes
  • updates unread lists
  • ensures that critical views are created for failover
  • System databases are not compacted
  • -compactThreads 8 -updallThreads 8 -range 2:00AM 7:00AM -compactNdays 5 -force 1
  • Remove ServerTasksAt2=Updall

To run DBMT via a program document, create a new one to run DBMT at server startup.  For the command line enter information that includes the number of compact threads, updall threads, time range for running updall and compact, number of days to wait unil running compact and day of the week to run fixup against databases that cannot be compacted.  For example, the following loads 8 compact and updall threads, runs the tasks between the hours of 2 – 7 AM , waits 5 days to run compact and runs fixup on Sundays.

-compactThreads 8 -updallThreads 8 -range 2:00AM 7:00AM -compactNdays 5 -force 1

Additionally, you will want to remove ServerTasksAt2=Updall from the server’s notes.ini.  Also, because the compact is a copy style compact set the ini parameter MailFileDisableCompactAbort=1.  This will cause the router to be compact aware, holding emails until compact finishes running against a mail database.

It is important to note that the DBMT tool does not run compact against the following databases.

  • names.nsf
  • log.nsf
  • admin4.nsf
  • ddm.nsf
  • lndfr.nsf
  • events4.nsf
  • statrep.nsf
  • dbdirman.nsf
  • dircat.nsf
  • clubusy.nsf
  • domlog.nsf
  • cldbdir.nsf
  • busytime.nsf
  • catalog.nsf
  • daoscat.nsf
  • mtdata/mtstore.nsf

Hence, it is recommended that the administrator creates a program document to run compact -B once a week to compact these databases.

Domino Certificate Authority

In many Domino environments the certifier ID that is used to register, rename and recertify users is stored in the Notes\Data folder of the administrator’s computer.  However, this approach has risks for the ID could potentially be stolen if someone gains access to the device or lost if the device is impaired.  Further, if the administrator decides to delegate these tasks to another entity, such as the help desk, then the certifier and its password have to be shared.

Hence, it is recommended that a Domino Certificate Authority be created.  From the administrator client’s configuration tab select Tools – Certificate – Migrate Certifier and follow the on screen prompts.  As a result, an ICL database will be created.  Now, the people you specify can perform user registrations, renames and recertifications without having physical access to the certifier ID nor do they need to know the password.

In addition, the CA task should be added to the ServerTasks lin of the server’s notes.ini.

ID Vault

Introduced with 8.5, the ID Vault provides a method for securely storing Notes IDs.  Further, as ID passwords are changed and as users are renamed and recertified, the ID in the Vault is updated.  The ID Vault is a core component of the Domino security model, is required for Verse on Premises and in Domino 12 will be automatically configured if one does not already exist.  Hence, if you do not have an ID Vault today then create one.

To create an ID Vault go to the Configuration tab of the administration client, select Tools – ID Vaults – Create and follow the on screen prompts.  An ID Vault will be created in the IBM_ID_Vault folder and a Vault ID will be generated.  It is important that you backup the Vault ID and its password.  Additionally, the ID Vault should be replicated to other servers using Tools – ID Vaults – Manage.

Now, users you assign to the vault and new users created will have their Notes ID added to the Vault.  From here the ID can be accessed for web authentication, downloaded as part of the Notes client set up and recovered when a password or ID is lost.

Policies and Settings Documents

Policies and settings documents provide several configuration options for managing the Notes and Domino infrastructure.  Hence, it is important that the administrator create policies and subsequent settings document.  To better understand policy types, hierarchy and settings documents reference the HCL Domino documentation.

Domino Server Monitoring

Like any system, Domino servers require monitoring in order to ensure they are optimally performing and hopefully detect problems before they cause service interruptions.  Natively included, Domino Domain Monitoring allows an administrator to view and manage server events.  In the events4.nsf database DDM probes and event handlers are created and managed.  These drive what is monitored on the Domino server.  When thresholds are met, a document is created in the DDM.nsf database.  The administrator should regularly review the DDM database to be aware of new events and take corrective action.

Domino Server Maintenance

While gone are the days when scheduled system reboots were necessary to avoid memory problems, it is still necessary to have a server maintenance plan.  As discussed earlier, program documents are used to perform database maintenance.  Further, for the system databases log.nsf, domlog.nsf and a recommended practice when Domino is not running is to rename these files and allow the server to create new ones at start up.  Note: change the extension to a different value so that Domino does not attempt to manage the file, i.e. log.old.

As with any server, it is important to stay current with software offerings and operating system patches in order to avoid security problems that hackers may exploit and repair known issues.  Hence, install Domino fix packs as they become available, plan to upgrade following new releases and apply OS patches on a regular basis.  Finally, keep supporting software, such as anti virus software, up to date.

Domino: how not to send delivery failures to the internet

A customer of mine made me a request: he doesn’t want a delivery failure with the indication that the user does not exist in the Directory to be sent back when someone outside his domain sends a mail to a non-existing address.

By default this non delivery report is sent, but you can easily change the behavior of Domino.
Go in the configuration document of the server, then  Router/SMTP -> Advanced -> Controls. Hold undeliverable mail: set to enabled.

This is the explanation of that setting
Enabled – When the Router cannot deliver a message, it leaves the message in MAIL.BOX rather than generate a delivery failure report
Disabled – (default) When the Router cannot deliver a message, it generates a delivery failure report

Remembering Nathan

Please join OpenNTF at an open online gathering to remember our co-founder and friend, Nathan T. Freeman.

We will host an open GoToMeeting for everyone in the Community to join and share their memories of Nathan, this coming Friday, from 1:00 – 2:00 PM EDT. You may use this link to join the meeting:

Sametime Proxy 11.5IF1 issues with iNotes integration

I updated the Sametime Proxy server 11.5 to IF1 for a customer, and the integration with iNotes broke.
When a user tried to start a chat with another user he received an error

I searched about this and I found some references to the Tomcat settings
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH and org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
looks like by default are set to false and this is the cause of the error. The URL you see in the image should be converted to without the trailing part with the user name, but it doesn’t.

To resolve the issue edit the file in the sametimeproxy/conf directory and at the bottom add those two lines


Restart the Proxy server and the chat works from iNotes.

Update to Sametime embedded client in Notes 12

I received the following from Sametime Dev:

When Notes 12 ships officially, it will no longer be 122C – we’ll update our clientID listing when that ships to the official one. It will be 122C until then.

So if you allow this client in sametime.ini now, you will need to change the value when Notes 12 goes GA.

Sametime embedded client in Notes 12 beta

The Sametime embedded client in Notes 12 beta has a new client ID. Is 122C, so you have to add it in sametime.ini, on your Community server, in the allowed clients types if you want to use it

Please, see this post for an update

Sametime Chat Verse | iNotes integration stops working after upgrade to 11.5

I updated a customer Sametime server from 11.0 to 11.5 and the integration of iNotes and Verse on Premises with Sametime stopped working.
I asked if anyone has seen this happen and my fellow HCL Ambassador Mathieu Fabien pointed me to a HCL technote, here, that explain what the problem is due to and gives the solution.

Update Traveler before March 31 2021 if you use Apple devices

Apple will not support the legacy protocols used by APNS starting March31, but will only use HTTP/2 API.
This means that if you use an old version of Traveler push notifications will stop working after that date.
The solution is to upgrade to Traveler 11.0.1 or later

You can see all the details in this Technote