Migrating Notes Domains

So, I've got a new Domino server (6.0.3 on Windows) in a brand-new domain called /ROCKALL. I've also got the old Domino server (6.0.1 on Linux) in a domain called /EPSILON. How to migrate?

Part of me wants the easy life, whereby I move all the application .nsf files over and run a script to update all ACLs - removing references to Epsilon before adding Rockall. Another part of me wants to take it slowly and move them over one-by-one. There's a load of junk in there and it's about time I had a good clearout. This can only be done manually.

What are the options available if I want to do it all at the push of a button? Should I just write an agent to loop all folders and edit the ACLs? Anybody got one? All users are going to be re-created, it's just the apps that I need to move over and make available.

As you can tell my admin skills are just enough to get by. What I could also do with is a naming convention and some best practice advice. Should server names be all uppercase? How should groups be named? I may not know exactly what I'm doing but I like to have things just so.

Comments

  1. I feel your pain... we had to rename our domain and had IBM do it after we gave up.

    Don't forget that names in documents using author/reader fields will need to be updated if you change the domain in the fully qualified user names.

    • David
    • Tue 2 Nov 2004 07:01

    Using the admin client and invoking full-access admin you can add & remove ACL entries to all databases in one action. For a real challenge you could set up cross-domain adminp, not that it's worth it in your case.

    Personally I'd stick to lower-case everything, it makes it easier on Unix-based servers. However case-sensitivity is quite inconsistent; I've known Domino deliver to mail file one minute and the next report that it can't find it as the physical name case did not match that in the person document.

    Groups - well most places prefix system groups with '$' or similar to put them to the bottom and have other prefixes to indicate their purpose such as SA for server access, DA for deny access. The most important thing is to stick to the allowable characters or weird things happen.

  2. There is an agent in the Sandbox called ACLAdjuster. There are actually several in the Sandbox. That is the basic code for changing the ACL of one or more databases. I haven't looked at it in a while so it might be limited in what it does. However, you can easily set up a database collection and loop through all of the databases (and folders, though I haven't done folders yet) and change the ACL entries.

    You have at least two other options which is to cross certify between /Rockall and /Epsilon at the organizational level and not bother with the rest of the renaming.

    You also could recertify the people involved (this may be only you) and let the administration process take care of changing your name in groups and in ACLs, etc.

    I always get confused about reader and author fields and when they get updated through the recertification process.

    I would go for the agent since once you have it set up you can use it for so many other things.

    I also have dealt with a number of certifier changes in the past and have the opinion that changing them to keep up with name changes is mostly cosmetic and doesn't add a lot of value to you. Keep things nice and neat but doesn't really have to be done.

    Good luck

  3. Hi Jake!

    How many users? You don't have to recreate them, actually. You can move them to a new certifier with Adminp, and then it will update the database ACLs for you (provided they have an Administration server set).

    After that, some more scripting can change the domain, connection docs, location docs, etc.

    You can then either cross certify the two servers and move the users over without having to recreate them, or just re-create the users and bring all the databases and groups over (copy/paste). Even if you have a few users and don't mind re-creating them, still rename them using Adminp, and it will take care of all groups and database ACLs.

    • DC
    • Tue 2 Nov 2004 07:43

    Jake:

    If you have all of your databases in a root directory/folder and they stem out from there, a simple agent will loop through all of the databases in the sub-folders.

    We use this strategy in an agent to get a handle on every ACL entry. It would be very simple to modify this agent to delete/add ACL entries.

  4. On a side note, if the doctype is important to you, you can upgrade your server to 6.5.3 to use the DominoCompleteDoctype ini setting.

    {Link}

  5. Hi Rock,

    I would suggest you go back and do the Notes Admin exam again <g>... including people commenting <vbg>.

    (Please laugh now, it's NOT intended as an offence! I love your blog and skills.)

    A notes DOMAIN is constituted by the domain name in the public name and address book and the fact that all servers are using a replica of the same address book (the latter one can be blurred). What you are talking about is to change the certifier to a new "root" certifier. And that is a completely different cup of tea. It is the same difference between the internet domain (codestore.net, bought from your registrar) and an X509 certificate for SSL (bought from a cert authority or handmade).

    The only thing you need to do to get the whole thing working is to add two cross certificates to your Domino directory one /ROCKALL -> /EPSILON and one vice-versa. Of course both cert entries need to be there as well.

    That's all bingo finish.

    However valid question: How to move a certifier. With the setting above you have a good start. Next item: use a tool (Admin Client - in flat db view and full access switched on - will do) to make sure every db has an admin server and setting "change names fields" is checked (only Readers/Authors is not enough). Then use the AdminP recertification mechanism, it will take care of groups, acls and names/readers/author fields. The trick for the whole exercise are the cross certs and the acl settings.

    Hth

    :-) stw

  6. I have a number of things that worked always well when naming:

    1) If your server has a public DNS entry, name it after the entry e.g: newrock.codestor.net/ROCKALL. Server names always lower case, Certifier: either all upper or all lower, up to your taste. The big advantage: you would find the server without any connection document. Disadvantage: if you reshuffle your dns names you would need to rename your Domino servers too.

    2) NO individual names in the server document, only groups, see also tip3

    3) Hierarchical Group Names: Your Domain first, then application (or sys for the Domino directory stuff) then purpose. These are internal groups not necessarily mailing groups people would use (of course alias them with "human" names is an option). You could use a $ in front of the Domain:

    Examples:

    $rockall.sys.fullaccessadmins

    $rockall.sys.rununrestrictedagents

    $rockall.sys.server1.accessserver

    $custdom.sys.support

    $rockall.leave.users

    ... the group names might only serve as shells (e.g. accessserver probably contains department groups rather than individuals... if your company is big enough). The Domain prefix is handy when developing for customers, because you never mix up your own ACL with theirs (of course you need to get the customers to adapt that scheme too).

    Hth

    :-) stw

  7. Why don't you keep both domino domains and use hosted orgs?

    • Jake
    • Tue 2 Nov 2004 13:43

    Thanks guys. Some food for thought there. I didn't realise Adminp was so useful. Whenever I've used it I've had nightmares and had to do everything myself.

    I might have a go with some of the ACL scripts out there. If they don't work I will end up doing it all manually.

  8. Hi Jake,

    You don't need to change the Domain. As posted before adding the certifier would do the trick. If you want to change the Notes Domain Name an agent (@Formula) looking for the Domain fields in the DomDir would be sufficient - since Notes Domains (unlike certifiers) are never part of any ACL.

    Just to add to the Admin scripts. On my corporate website (www.taoconsulting.com.sg/downloads) there is a database that parses all databases on a server for the ACL entries into Notes documents. You can update these documents (do I smell custom agents) however way you want and then make the agent write them back. Have a look and let me know what you think.

    :-) stw

  9. We normally add a Group called 'NSFAdmins' in the DB ACL which has got the maximum access. If you have to move apps from 1 domain to another all you have to do is copy-paste the NSF file & create a New Group called 'NSFAdmins' in the New Domain.

  10. Stephan,

    As far as I know, adding the domain name to the server name (i.e. DOM01.rockall.co.uk/Rockall) would only be of some use when dealing with multiple DNS domains. i.e. if you are working in de.rockall.co.uk then you would be able to get to DOM01.uk.rockall.co.uk without a connection record. If there is no multiple layer DNS in place then a single entry in the local DNS for "DOM01" would suffice.

    The only other reason would be if the server is to be opened up to connections over the internet (over port 1352). Although if you fancy a European branch in the future (and split level DNS) perhaps adding the DNS domain would be useful.

    I would echo the other comments about adding prefixes such as $ for groups - it ensures that people names come up first in the address books when creating mail and also ensures you can find particular types of groups fast. I have used the following:

    $ for ACL groups

    # for mailing groups

    ! for Sametime groups

    I'm no expert but I'd use "manage ACLs" in the Admin client to update all the entries. I would also add a server group rather than the explicit name of your server. Make sure that your old server is defined as the Admin server in the ACLs of your databases. Once they are all across, "manage" the ACLs again and update the "Admin server" to be your new server.

    AdminP is your friend.

    HTH - good luck

    Jon

  11. I think stw is right on with using adminp to recertify. One of the most useful Domino admin posts I have seen in a while! Thanks for that.

    • Ben
    • Thu 4 Nov 2004 05:31

    Just a quick gotcha - don't forget to re-sign all your templates / databases otherwise nothing's going to work properly.

    All, the old adage "more work now, less work later" is very appropriate here. You've got a great opportunity to sort all the acl's, roles, group names, etc so I suggest you take your time and do it manually if it's not too much work.
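
A sketch of the kind of agent several comments above describe: it walks every database on the server and re-points ACL entries from /EPSILON to /ROCKALL. This is an added example, not code from the post, the Sandbox or any commenter; it assumes names carry no country (C=) component, that the signer has Manager access to each ACL, and it reports only until `DRY_RUN` is set to False.

```lotusscript
Option Declare
Const OLD_ORG = "EPSILON"   ' organisation being retired (from the post)
Const NEW_ORG = "ROCKALL"   ' organisation replacing it (from the post)
Const DRY_RUN = True        ' True = report only, change nothing

Sub Initialize
	Dim session As New NotesSession
	Dim dbdir As New NotesDbDirectory(session.CurrentDatabase.Server)
	Dim db As NotesDatabase
	Set db = dbdir.GetFirstDatabase(DATABASE)   ' .nsf files in all sub-folders
	While Not db Is Nothing
		Call RenameAclEntries(db)
		Set db = dbdir.GetNextDatabase
	Wend
End Sub

Sub RenameAclEntries(db As NotesDatabase)
	Dim acl As NotesACL
	Dim entry As NotesACLEntry, nextEntry As NotesACLEntry
	Dim nn As NotesName
	Dim newName As String
	Dim changed As Boolean
	On Error Goto failed                  ' no access, corrupt file, etc.
	If Not db.IsOpen Then Call db.Open("", "")
	Set acl = db.ACL
	Set entry = acl.GetFirstEntry
	While Not entry Is Nothing
		Set nextEntry = acl.GetNextEntry(entry)   ' fetch before renaming
		Set nn = New NotesName(entry.Name)
		If nn.IsHierarchical And UCase(nn.Organization) = OLD_ORG Then
			' Assumption: O= is the last component (no C=), so swap the tail
			newName = StrLeftBack(nn.Canonical, "/O=") & "/O=" & NEW_ORG
			If Not (acl.GetEntry(newName) Is Nothing) Then
				Print db.FilePath & ": " & newName & " already listed, review by hand"
			Else
				Print db.FilePath & ": " & nn.Canonical & " -> " & newName
				If Not DRY_RUN Then
					entry.Name = newName      ' level and roles stay as they were
					changed = True
				End If
			End If
		End If
		Set entry = nextEntry
	Wend
	If changed Then Call acl.Save
	Exit Sub
failed:
	Print "Skipped " & db.FilePath & ": " & Error$
	Exit Sub
End Sub
```

It only touches ACL entries: names stored in Readers/Authors fields and design signatures, both raised in the comments, are left as they are.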

About This Page

Written by Jake Howlett on Tue 2 Nov 2004
