A couple of days ago, I wrote about how you can determine which database on a server has LargeSummary enabled using the show dir command from the Domino console.
You can use LS2CAPI to determine whether the flag is set. Here is the code:
' DBOPTIONS receives the four option words (indexes 0 to 3) from NSFDbGetOptionsExt
Public Type DBOPTIONS
    options (3) As Long
End Type
' C API library names for Windows and Linux
Public Const W32_LIB = {nnotes.dll}
Public Const TUX_LIB = {libnotes.so}
' Windows declarations
Declare Function W32_NSFDbGetOptionsExt Lib W32_LIB Alias {NSFDbGetOptionsExt} _
(ByVal hdb As Long, retDbOptions As DBOPTIONS) As Integer
Declare Function W32_NSFDbOpen Lib W32_LIB Alias {NSFDbOpen} _
(ByVal dbName As String, hDb As Long) As Integer
Declare Function W32_NSFDbClose Lib W32_LIB Alias {NSFDbClose} _
(ByVal hDb As Long) As Integer
' Linux declarations
Declare Function TUX_NSFDbGetOptionsExt Lib TUX_LIB Alias {NSFDbGetOptionsExt} _
(ByVal hdb As Long, retDbOptions As DBOPTIONS) As Integer
Declare Function TUX_NSFDbOpen Lib TUX_LIB Alias {NSFDbOpen} _
(ByVal dbName As String, hDb As Long) As Integer
Declare Function TUX_NSFDbClose Lib TUX_LIB Alias {NSFDbClose} _
(ByVal hDb As Long) As Integer
' Platform-independent wrappers; each returns the C API status code (0 = success)
Public Function NSFDbGetOptionsExt (hDb As Long, retDbOptions As DBOPTIONS) As Integer
    If isDefined("WINDOWS") Then
        NSFDbGetOptionsExt = W32_NSFDbGetOptionsExt(hDb, retDbOptions)
    Else
        NSFDbGetOptionsExt = TUX_NSFDbGetOptionsExt(hDb, retDbOptions)
    End If
End Function
Function NSFDbOpen( db As String, hDb As Long) As Integer
    If isDefined("WINDOWS") Then
        NSFDbOpen = W32_NSFDbOpen(db,hDb)
    Else
        NSFDbOpen = TUX_NSFDbOpen(db,hDb)
    End If
End Function
Function NSFDbClose (hDb As Long) As Integer
    If isDefined("WINDOWS") Then
        NSFDbClose = W32_NSFDbClose(hDb)
    Else
        NSFDbClose = TUX_NSFDbClose(hDb)
    End If
End Function
And here is how you can use the code:
Const DBOPTBITS_3 = 3
Const DBOPTBIT_LARGE_BUCKETS_ENABLED = &h104
Sub Click(Source As Button)
    Dim hDb As Long
    Dim rc As Integer
    Dim sDb As String
    Dim retDbOptions As DBOPTIONS
    sDb = "serv04/singultus!!ua.nsf"
    rc = NSFDbOpen(sDb, hDb)
    If rc = 0 Then
        rc = NSFDbGetOptionsExt (hDb, retDbOptions)
        If rc <> 0 Then
            ' Do not report "not enabled" when the options could not be read
            Msgbox "NSFDbGetOptionsExt failed, status " & rc
        Elseif retDbOptions.options(DBOPTBITS_3) _
        And DBOPTBIT_LARGE_BUCKETS_ENABLED Then
            Msgbox "LargeSummary enabled"
        Else
            Msgbox "LargeSummary not enabled"
        End If
        ' Always release the database handle once it has been opened
        rc = NSFDbClose(hDb)
    End If
End Sub
Barely 2 years later, DOTS is back. The first version was available in the Domino v 12 Beta3 code drop. It was not exactly what I expected, and I had some discussions with Thomas Hampel and HCL Development.
HCL listened, and they gave me a preview of what they have changed based on the input provided during Beta testing.
In Beta3, DOTS needs an additional notes.ini parameter to locate the launcher.jar and to start the JVM. This requirement has been removed in the final version.
The ndots.exe delivered with Domino 9.x had a fixed value for the max. memory allocation pool size of only 64M. If you build complex DOTS applications, that is way too small. DOTS v 12 now launches a JVM with Xmx = 1024M and Xms = 64M. There are 2 new notes.ini parameters (DOTSJavaMaxHeapSize & DOTSJavaMinHeapSize) to give you full control over these settings.
DOTS v 12 supports JavaUserOptionsFile for any non-default JVM parameters.
A very unpleasant behavior of the installer was that it completely deleted the existing DOTS installation under <DominoPrgmDir>/osgi-dots when upgrading Domino to v 12. Thus all custom plugins were gone. This is handled now, and the upgrade will not remove existing plugins in <DominoPrgmDir>/osgi-dots/shared/eclipse/plugins.
For developers, it is important to know that plugins developed for the existing DOTS version can no longer be executed under Domino v 12. For all tasklets created using previous DOTS versions, you will need to update the package names and recompile all plugins with the DOTS binaries integrated with Domino 12, preferably using Eclipse SDK 4.6.2.
During my tests with HCL Domino 12 Beta2, I ran into a couple of issues where the Active Directory Password Sync did not work as expected. The problems are not caused by the beta code. However, I am writing down my observations here, since the errors may also appear later in a production environment. Maybe these notes will save someone a long search.
Request Creator replicates with multiple servers
In the console log of a request creator, you see replication events with multiple servers.
There are 2 databases that are replicated on the request creator, Domino Directory (names.nsf) and Directory Assistance (da.nsf). Both databases are replicated with their admin servers at the start of every config update cycle. It is important to know that the admin server for each database is determined separately. In my test environment, the admin server for da.nsf was different from the one for names.nsf, resulting in multiple replication events.
Wrong configuration document
If you have more than 1 Domain Controller that syncs users' passwords with your Domino environment, you must install and configure a request creator on each Domain Controller. In addition, you need a configuration document for each of your request creators. Each request creator should have the same configuration settings. Best practice would therefore be a single configuration document that applies to a group of servers.
During my tests I could observe that instead of the assigned configuration document the default configuration document was used.
There was no Statistics output in the console log, and I could also not see any DEBUG log output. Also, the configuration was not refreshed in the configured interval. I discussed this with HCL Development, and it turned out that the configuration document was not used due to a problem with the view index in names.nsf on the request creator.
I needed to stop the sync process on the request creator and open names.nsf in the Notes Client. After restarting the AD Domain Controller machine, the correct configuration document was used.
Most likely, this issue occurs when you use a configuration document for a single request creator and later switch to a group-based configuration document. I would suggest using a group-based configuration document from the start.
Is Active Directory Password Sync cluster ready?
You can designate as many request processors as you want, and it’s a good way to provide failover.
The decision as to where the AD Domain Controller sends a request is admittedly not overly sophisticated. It works sequentially through an in-memory list it holds of all servers which are designated as request processors, until it finds an available one. Have a look at the ($PWSProcessors) view in the directory. (Mark De Lellis, HCL Development)
This is where the list is built from, using all servers with Role “2” (Request Processor), in the order they appear in the view.
The notes.ini parameter was added in 11.0.1FP2 (SPR# BSPRBSSPWH) to suppress output of Replication Currency alerts for specific databases that were intentionally marked as “replication disabled”.
I used it in my environment for all databases in DominoDataDir/traveler/map. After upgrading to FP3 a couple of days ago, this parameter seemed not to work any longer. On the console I saw the following output:
[2D58:0005-2910] ReplCurrency Source="traveler\map\custom\MapDir.nsf", Dest=CN=serv02/O=singultus (Q:0) traveler\map\custom\MapDir.nsf, UpdateToRepl2="03.04.2021 01:01:06", LastRepl="02.04.2020 04:01:25", TimeDiff= 16167 min, TimeDiff2=543026 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\iNotesPMap.nsf", Dest=CN=serv02/O=singultus (Q:1) traveler\map\iNotesPMap.nsf, UpdateToRepl2="10.04.2021 01:00:27", LastRepl="01.04.2020 15:26:41", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\JournalEntryMap.nsf", Dest=CN=serv02/O=singultus (Q:3) traveler\map\JournalEntryMap.nsf, UpdateToRepl2="10.04.2021 01:00:38", LastRepl="01.04.2020 15:26:41", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\MemoMap.nsf", Dest=CN=serv02/O=singultus (Q:3) traveler\map\MemoMap.nsf, UpdateToRepl2="10.04.2021 01:00:45", LastRepl="01.04.2020 15:26:41", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\PersonMap.nsf", Dest=CN=serv02/O=singultus (Q:1) traveler\map\PersonMap.nsf, UpdateToRepl2="10.04.2021 01:00:51", LastRepl="01.04.2020 15:26:41", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\R6JournalEntryMap.nsf", Dest=CN=serv02/O=singultus (Q:2) traveler\map\R6JournalEntryMap.nsf, UpdateToRepl2="03.04.2021 01:01:20", LastRepl="02.04.2020 04:01:51", TimeDiff= 16166 min, TimeDiff2=543026 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\R6PersonMap.nsf", Dest=CN=serv02/O=singultus (Q:1) traveler\map\R6PersonMap.nsf, UpdateToRepl2="10.04.2021 01:00:57", LastRepl="01.04.2020 15:26:42", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
I opened a support case with HCL. Here is the answer:
“In FP2 there was a bug where it excluded all except the first entry in the INI. The notes.ini does not allow directories to be listed, only databases. In your case, it appeared to work in FP2 because it blocked all databases except for “traveler/map” which is not a database. So, it blocked all databases from currency checks. And, this is now fixed in 1101FP3 (SPR # BSPRBY9RPA).”
The upcoming FP4 and V12 will not list replication disabled databases in the currency alerts (so no notes.ini is required to exclude databases disabled for replication). The notes.ini is still in FP4 and V12, but the need to exclude replication disabled databases is no longer necessary.
So, here, you need to add the individual NSF names as a comma-separated list of databases in the INI entry to exclude them from the replication currency check.
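As an added example (not code from the original post or from HCL), the following Python sketch turns ReplCurrency console lines into the comma-separated database list described above and rejects entries that are not databases, such as the directory `traveler/map`. The page does not name the notes.ini parameter, so `<EXCLUSION_PARAMETER>` is a placeholder; treating only `.nsf` entries as databases is an assumption.

```python
import re

# Constructed sample: two of the ReplCurrency console lines quoted above.
SAMPLE_LOG = r'''
[2D58:0005-2910] ReplCurrency Source="traveler\map\custom\MapDir.nsf", Dest=CN=serv02/O=singultus (Q:0) traveler\map\custom\MapDir.nsf, UpdateToRepl2="03.04.2021 01:01:06", LastRepl="02.04.2020 04:01:25", TimeDiff= 16167 min, TimeDiff2=543026 min Warning="5000+ mins on replication."
[2D58:0005-2910] ReplCurrency Source="traveler\map\iNotesPMap.nsf", Dest=CN=serv02/O=singultus (Q:1) traveler\map\iNotesPMap.nsf, UpdateToRepl2="10.04.2021 01:00:27", LastRepl="01.04.2020 15:26:41", TimeDiff= 6087 min, TimeDiff2=543781 min Warning="5000+ mins on replication."
'''

ALERT_RE = re.compile(
    r'ReplCurrency Source="(?P<source>[^"\n]+)", Dest=(?P<dest>.+?) \(Q:\d+\)'
    r'.*?TimeDiff=\s*(?P<mins>\d+) min'
)

def parse_repl_currency(log):
    """Return (source, dest, minutes) for each ReplCurrency alert in the log."""
    return [(m["source"], m["dest"], int(m["mins"])) for m in ALERT_RE.finditer(log)]

def exclusion_value(alerts, prefix):
    """Comma-separated list of alerted databases below `prefix`, each listed once."""
    dbs = []
    for source, _dest, _mins in alerts:
        if source.lower().startswith(prefix.lower()) and source not in dbs:
            dbs.append(source)
    return ",".join(dbs)

def split_exclusions(value):
    """Split an existing INI value into (databases, rejected entries).

    Only databases may be listed, so an entry that does not end in .nsf
    (assumption: databases are identified by that extension) is rejected.
    """
    dbs, rejected = [], []
    for entry in (e.strip() for e in value.split(",")):
        if entry:
            (dbs if entry.lower().endswith(".nsf") else rejected).append(entry)
    return dbs, rejected

if __name__ == "__main__":
    alerts = parse_repl_currency(SAMPLE_LOG)
    # <EXCLUSION_PARAMETER> is a placeholder; the parameter name is not on the page.
    print("<EXCLUSION_PARAMETER>=" + exclusion_value(alerts, "traveler\\map\\"))
    print(split_exclusions("traveler/map"))
```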
Active Directory Password Sync applies the Windows passwords of users registered in an Active Directory domain to their Domino HTTP and/or Notes ID passwords.
Password synchronization is supported for:
Registered HCL Notes, HCL Nomad, HCL Verse, and HCL iNotes users accessing Domino servers with HTTP passwords or Notes IDs.
HCL Traveler users accessing their mail through the web browser on their mobile devices.
Web users who are not registered in Domino but who have Person documents in the Domino directory accessing Domino web applications with HTTP passwords.
To set up and configure Active Directory Password Sync, you need at least 2 Domino v12 servers. One server acts as Request Creator and the other one has the role Request Processor.
On the “Active Directory Password Sync” tab of the configuration document for each of the servers, you can configure which password changes should be processed. The refresh interval specifies the amount of time in minutes after a request is created to allow the request to be processed.
To sync passwords to Notes IDs, the Request Processor servers require password reset authority to the ID vault. If you miss this configuration step, you’ll see an error message on the console of the Request Processor:
[1DFC:0059-1694] 07.04.2021 10:13:23,00 AD Password Sync> PWSyncProcessStoredRequests: Failed to update password in Notes ID for CN=Herbert Feuerstein/O=singultus: Agent containing ResetUserPassword method must be signed by a designated Password Resetter.
[1DFC:0059-1694] 07.04.2021 10:13:23 Password Sync: Active Directory Password Sync failed for objectGUID 6630b191119c8b45b78b77865a37cc70: Agent containing ResetUserPassword method must be signed by a designated Password Resetter.
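To spot this misconfiguration in a console log, the following added example (not part of the original post or of Domino) pairs each objectGUID failure with the user name from the matching "Failed to update password" line and flags the missing password reset authority. The line formats are taken from the two lines above; pairing by thread id, second and reason text is an assumption.

```python
import re

# Constructed sample: the two Request Processor console lines quoted above.
SAMPLE_LOG = """\
[1DFC:0059-1694] 07.04.2021 10:13:23,00 AD Password Sync> PWSyncProcessStoredRequests: Failed to update password in Notes ID for CN=Herbert Feuerstein/O=singultus: Agent containing ResetUserPassword method must be signed by a designated Password Resetter.
[1DFC:0059-1694] 07.04.2021 10:13:23 Password Sync: Active Directory Password Sync failed for objectGUID 6630b191119c8b45b78b77865a37cc70: Agent containing ResetUserPassword method must be signed by a designated Password Resetter.
"""

# Thread id and timestamp prefix; the first line also carries hundredths (",00").
PREFIX = (r"\[(?P<thread>[0-9A-Fa-f:-]+)\] "
          r"(?P<ts>\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d)(?:,\d+)? ")
USER_RE = re.compile(PREFIX + r"AD Password Sync> \w+: Failed to update password "
                     r"in Notes ID for (?P<user>.+?): (?P<reason>.+)")
GUID_RE = re.compile(PREFIX + r"Password Sync: Active Directory Password Sync "
                     r"failed for objectGUID (?P<guid>[0-9a-fA-F]+): (?P<reason>.+)")
# Reason text that points at missing password reset authority on the ID vault.
VAULT_HINT = "designated Password Resetter"

def correlate_failures(log):
    """Join each objectGUID failure with the user name logged by the same
    thread in the same second for the same reason (assumed pairing)."""
    users, failures = {}, []
    for line in log.splitlines():
        m = USER_RE.match(line)
        if m:
            users[(m["thread"], m["ts"], m["reason"])] = m["user"]
            continue
        m = GUID_RE.match(line)
        if m:
            failures.append({
                "time": m["ts"],
                "guid": m["guid"],
                "user": users.get((m["thread"], m["ts"], m["reason"])),
                "reason": m["reason"],
                "vault_authority_missing": VAULT_HINT in m["reason"],
            })
    return failures

if __name__ == "__main__":
    for failure in correlate_failures(SAMPLE_LOG):
        print(failure)
```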
The Request Creator must be installed on the AD Domain Controller. The install type is “Utility Server”. The server must be configured but will never run as a service.
After you have successfully configured the Request Creator, the installer will remove some of the Domino server executables:
[0C14:0002-1284] Deleted Executable File 'C:\Domino\nserver.exe' for security reasons.
[0C14:0002-1284] Deleted Executable File 'C:\Domino\nhttp.exe' for security reasons.
[0C14:0002-1284] Deleted Executable File 'C:\Domino\nldap.exe' for security reasons.
[0C14:0002-1284] Deleted Executable File 'C:\Domino\nsmtp.exe' for security reasons.
[0C14:0002-1284] Deleted Executable File 'C:\Domino\npop3.exe' for security reasons.
[0C14:0002-1284] Deleted Executable File 'C:\Domino\nimap.exe' for security reasons.
The installer finally adds the Domino password library “npwsync.dll” to the Windows registry. The entry can be found here
For security reasons, the server ID that is used for the Request Creator is encrypted during the installation and configuration process. Make sure that the ID does not have a password on it. The secured ID cannot be used on any other machine than the Request Creator.
A new application is created on the Request Processor. The application stores the requests that are created by the Request Creator. After a request has been successfully processed, the document is removed from the database.
Most of the items in the document are encrypted.
After you have set up and configured Request Creator and Request Processor, you should restart both machines (OS level).
When a user now updates his / her password, LSA processes the change through the Domino password library, and a new document is created in the Active Directory Password Sync application. The Request Processor reads new documents from the application and processes them according to its configuration.
Here is an example of what you see on the Request Processor console