domino policies deep dive

30
#engageug Domino Policies Deep Dive Martijn de Jong 1

Upload: martijn-de-jong

Post on 31-Aug-2014

324 views

Category:

Documents


1 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Domino policies deep dive

#engageug

Domino Policies Deep Dive

Martijn de Jong

!1

Page 2: Domino policies deep dive

#engageug

Who Am I• M.Sc. Electrical Engineering at the University of Delft, The Netherlands • Psychology & Ergonomics at the University of Stellenbosch, South Africa • Advanced Certified IBM Lotus® Notes® & Domino® 8.5 Application

Developer & System Administrator and a Certified Lotus Instructor

!2

Martijn de Jong [email protected] twitter.com/martdj

nl.linkedin.com/in/martdj www.socialsoftwareblog.info

Page 3: Domino policies deep dive

#engageug

Company profile

ilionx Group bv

‣Autonomous organization

‣7 Profit & Loss responsible units

‣Strong organic growth

‣220 professionals & 60 contractors

‣Annual financial turnover € 32 million in 2013 (Ebitda 11%)

‣Head office based in Utrecht

‣Office locations in Utrecht, Groningen, Almere & Apeldoorn

‣Working for > 170 large and SME organizations

Groningen

Almere

UtrechtApeldoorn

Page 4: Domino policies deep dive

#engageug

Competence units

ilionx group

IMN

IMO

IICS

ICON

IMZ

IBS

ISS

Page 5: Domino policies deep dive

#engageug

Skills in IBM Collaboration

ilionx group

IMN

IMO

IICS

ICON

IMZ

IBS

ISS

‣ Centre of excellence IBM Collaboration

‣ Experience in wide range of environments

‣ Infrastructure & Development

‣ Consultancy, Maintenance, Development

‣ 30 CLP certified professionals

‣ IBM Development partner

‣ IBM Partner since 2002

Page 6: Domino policies deep dive

#engageug

This session is not about…• What policies are • What you can do with policies !

• I assume you already know…

!6

Page 7: Domino policies deep dive

#engageug

Agenda• Types of policies • Policy settings • Policy precedence • Where are policies implemented • How are policies implemented • Expand your policies • Policy troubleshooting • Policy References

!7

Page 8: Domino policies deep dive

#engageug

Policy Hierarchy• Three types of policies

• Explicit • Dynamic • Organizational

!8

Best way to assign an archive policy to a mail-in

database

Page 9: Domino policies deep dive

#engageug

Policy / Policy Settings• A policy can contain one or more of the following policy

settings:

!9

• Archiving • Desktop • Registration • Mail • Security

• Setup • Connections • Notes Traveler • Roaming • Symphony

Page 10: Domino policies deep dive

#engageug

Policy / Policy Settings / Criteria• Policy Settings can also contain sub documents (Archive

Settings)

• Policy Settings are linked to policies by their DocumentUniqueID

• Same for Archive Criteria to Archive Settings !10

Page 11: Domino policies deep dive

#engageug

Tease your co-administrator• Select your policy settings documents !

• Press ctrl-x !

• Press ctrl-v !

• Go on holiday... !

• Not as bad as it used to be

!11

Page 12: Domino policies deep dive

#engageug

Inheritance• Inherit

• Plays an important role in parent-child policy hierarchy • A top level organisational policy is always a parent policy • Inherits setting from parent policy irrespective of the

setting made in child policy

!12

Page 13: Domino policies deep dive

#engageug

Enforcement• Enforce

• Plays an important role in parent-child policy hierarchy • Any setting with enforce checkbox ticked in parent policy

will be enforced in child policy

!13

Page 14: Domino policies deep dive

#engageug

Policy Precedence Determine the effective policy

• An example. For example a user is assigned three security settings through three different policies. Explicit, Dynamic and Organizational with below settings

• The resultant effective policy would be

!14

Required Change Interval

Assigned Vault Warning Period Allowed Grace Period

Explicit 120 Days Don't Set Don't Set 120 DaysDynamic Don't Set ExecutiveVault Don't Set Don't Set

Organizational 90 Days NA 14 Days 90 Days

Required Change Interval

Assigned Vault Warning Period Allowed Grace Period

Effective Policy 120 Days ExecutiveVault 14 Days 120 Days

Page 15: Domino policies deep dive

#engageug

Policy Precedence (2)• If Inherit/Enforce is used in settings document in previous

example

!• The resultant effective policy would be

!15

Required Change Interval

Assigned Vault Warning Period Allowed Grace Period

Explicit 120 Days Don't Set Don't Set 120 Days Inherit

Dynamic Don't Set ExecutiveVault Don't Set Don't Set

Organizational 90 Days Enforce NA 14 Days 90 Days

Required Change Interval

Assigned Vault Warning Period Allowed Grace Period

Effective Policy 90 Days ExecutiveVault 14 Days 90 Days

Page 16: Domino policies deep dive

#engageug

Where is a policy implemented

!16

Client Server

Desktop

MailRegistration

Archive

Connections

Setup

Security IBM Traveler

Symphony

Roaming

Archive

Desktop

Page 17: Domino policies deep dive

#engageug

Server-side policies• Server-side policies all interact with the mail file • calendarprofile, inotesprofile • Changes are implemented by AdminP • tell adminp process mailpolicy • tell adminp process traveler • AdminP process to write policies to calendar/inotes profile

runs by default every 12 hours • Setting in Server’s notes.ini to change it:

ADMINP_POLL_INTERVAL=x (x is the number of minutes)

• Server based native archiving is done by Compact -A. Ignores archive profile. Uses archive policy

!17

Page 18: Domino policies deep dive

#engageug

Client-side policies• How does a client pull policies from server and update them? !!!!!!

• Client Sends hash value of policy information to server during authentication with user's home server

• Server calculates similar hash value that client should have and compares if it matches with what client provided

• If it’s not matching then server tells client to refresh the policy !18

Server

Client

Server tell client to refresh policy information

Hash value for policy information

Page 19: Domino policies deep dive

#engageug

Where are client policies stored• In your Contacts (aka Personal Address Book) • Dynamic Client Configuration(Ndyncfg.exe) uses

NAMEGetPolicy API, which asks the server to calculate the effective policy for the user

• Then stores the effective policies locally in the client's NAMES.NSF database

• Cached policy documents are stored in hidden ($Policies) view (via Ctrl+Shift View\Go To) in local NAMES.NSF

• New hashed value received from server are stored by ndyncfg and sent back to server during next authentication, starting whole process again

!19

Page 20: Domino policies deep dive

#engageug

Where are policies stored (2)

!20

Page 21: Domino policies deep dive

#engageug

Dynamic Client Configuration (DCC)• DCC is the process that synchronizes local Notes Client

settings with the user profile stored on the Domino Server • Actual program name: ndyncfg • Used to run once per day on the first authentication • In version 6.5.5 and higher changed to run on each

authentication • Can be run manually. Needs to be run with an option. Any

option... • ndyncfg /? • For DCC logging add these parameters to the client

Notes.ini. DEBUG_DYNCONFIG=1

!21

Page 22: Domino policies deep dive

#engageug

Where are policies stored next

!22

names.nsf $Policies

notes.ini names.nsf Eclipse *.xml

Page 23: Domino policies deep dive

#engageug

Expand your policies• Pre-8.5 method !!!!!

• 8.5+ method

!23

Page 24: Domino policies deep dive

#engageug

Expand your policies - Examples• notes.ini

DisabledPorts=LAN0,COM1,COM2,COM3,COM4,COM5, EnforcePorts=TCPIP, Enforce FooterWeekNo=2, EnforceOpenViewThreads=1, EnforceNSF_UpdateODS=1, Enforce !

• Managed SettingsloginByToken=true; com.ibm.collaboration.realtime.community, EnforcestartWebContainer=true; com.ibm.collaboration.realtime.webapiport=1533; com.ibm.collaboration.realtime.communityloginAtStartup=true; com.ibm.collaboration.realtime.community, EnforceproviderId=Sametime; com.ibm.collaboration.realtime.community, EnforceuseGlobalConnSettings=true; com.ibm.collaboration.realtime.community, EnforceuseOsPass=false; com.ibm.collaboration.realtime.community, EnforcetokenLoginOnly=true; com.ibm.collaboration.realtime.community, EnforcedefaultAuthType=ST-DOMINO-SSO; com.ibm.collaboration.realtime.community, EnforcesavePassword=false; com.ibm.collaboration.realtime.community, Enforcecom.ibm.collaboration.realtime.community, Enforce

!24

Page 25: Domino policies deep dive

#engageug

Troubleshooting• Problem:

You have rolled out a policy, but it’s not working for the users !• Problem Determination:

• Is the policy failing for all users or just some users? • In case of single users it’s probably a local problem • Check Policy synopsis if the users are supposed to

receive the policy • Are the affected users on the same server?

• Problem with policies view index? Load updall -t ($Policies) names.nsf -R

!25

Page 26: Domino policies deep dive

#engageug

Policy Synopsis

!26

Page 27: Domino policies deep dive

#engageug

Troubleshooting (2)• Problem Determination

• Where is the policy suposed to be implemented? Server (mail, traveler, archive) or client (rest)

• In case of server, does the mailfile have the proper Owner in the calendar profile?

• Remember, AdminP processes the policies every 12 hours

• In case of client, delete policy documents from local names. Run ndyncfg /?. Did policy documents reappear? Does problem persist?

• If policy documents didn’t reappear

!27

Page 28: Domino policies deep dive

#engageug

Troubleshooting - When all else fails• Debug Parameters

DEBUG_POLICY=1 • Also enable console_log_enabled=1

Used for general troubleshootingEnable the debug and force the policy to be updatedContact support and provide console.log for reviewYou can also set this debug with value 2 or 4 for verbose logging Can be enabled on client as well as on server

• Other parameter like Debug_DynConfig,DEBUG_DUMP_POLICY=1 and DEBUG_POLICY_SIGNBIT=1 can be enabled based on type of problem a console.log needs to be collected for further review

!28

Page 29: Domino policies deep dive

#engageug

References• Open Mic Webcast: Troubleshooting Policies on a Domino Server

http://www-01.ibm.com/support/docview.wss?uid=swg27036076 • Open Mic Webcast: What’s new in Policies for Domino 9.0

http://www-01.ibm.com/support/docview.wss?uid=swg27039462 • Troubleshooting Domino policies and settings documents

https://www-304.ibm.com/support/docview.wss?uid=swg27010353 • Wiki articles on Domino Policies

http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewCategories.xsp?lookupName=Domino%20policies • Domino Policy Precedence Explained

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policy-precedence-explained • When will a Domino policy take effect

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/when-will-a-domino-policy-change-take-effect • How Dynamic group policies can reduce your overhead

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/how-the-new-dynamic-group-policies-can-reduce-your-administration-overhead

• Domino Policy Flow Charthttp://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart

!29

Page 30: Domino policies deep dive

#engageug

Questions?

!30