Single Domino directory for 3 servers

We have 3 separate companies with 3 separate Domino servers. Let’s say:

server1/company1

server2/company2

server3/company3

Company1 is the parent company of company2 and company3.

Is it possible to have a scenario where server1 is the master directory and changes made to any of the directories are replicated to the other 2 directories? The objective is to have a common directory of all users available at any company.

Subject: Configuring Domino Domains

Hi Nigel,

There are normally two methods for configuring this:

Single Domain - containing multiple Organizations, or

Multiple Domains - containing single Organizations

Single Domain Configuration:

When you set up Domino initially you need to enter two key settings during your server configuration:

The DOMAIN name, and

The ORGANIZATION name.

In a simple configuration, many Domino sites have the same Domain and Organisation name. In this scenario, users sending Notes email will be in the format: name/organisation@domain; eg:

Nigel Ayen/company1@company1

One of Domino’s best features is the ability to configure a single Domain and have multiple Organisations within that Domain. In your case, that sounds like exactly what you require. Remember that the definition for a Domino Domain is:

A Collection of Servers and Users who share the SAME Domino Directory.

So you CAN have a single Domain, that contains many Organizations, where ALL of the Domain members can “see” one-another for mail-addressing purposes. An example would be IBM, where IBM contains several software organisations, so IBM users could be set up as:

Ed Brill/lotus@IBM

Don Wildman/tivoli@IBM

Jean-Louis Vignaud/rational@IBM

Even though the above members of the Domain belong to different organisations, they all SHARE the SAME Domino Directory, therefore address look-ups natively include all of the members.

Your FIRST organisation (eg: “company1”) will be the one created when you configure the first server. Once the First server has been created, you use the Domino Administrator client, go to the “Configuration” tab, and use the “Registration” tool to create your additional Organizations (ie: “company2” and “company3”).

Once you have created the additional Organization certifiers, you can use the cert.ids to register users/servers under the appropriate organization. Remember that you will need to create a “cross-certificate” for each of the Organisation certifiers so that they “trust” one another; a Cross Certificate must be created in BOTH directions.

The neat thing about this configuration is the way you can set up the cross-certificates and the access to servers. If you only want “company1” users to access the “company1” server, and the “company2” users to access the “company2” server, etc … you create the cross-certificates ONLY between the Servers and change the Security tab of the server document so that only those members of “company*” (AND THE OTHER SERVERS) can access the Domino server.

Since all of the Servers and Users are members of the same domain, whenever anyone creates an email message they will be able to “see” ALL of the other users within the same Domino Directory.

To configure this you will need:

Cross Certificates

Multiple Domain Configuration:

This is where each of the servers is set up as “First Server within the Domain”, so each server has its OWN Domino Directory, and its OWN set of users.

It’s a little trickier to configure, but you STILL need the cross-certificates to create the “trust” between the different servers, since they are STILL in different Organisations.

In addition, you can create replicas of each of the servers’ Domino Directories on each of the other servers, and then use either “Directory Assistance” or a “Directory Catalogue” to allow your users to address a message to a person within another Domain.

You can also create “Domain Documents” that identify the other Domains and assist in (Native Notes/NRPC) mail-routing between the servers in the different Domains. You will also need to create Connection documents so that each of the servers knows how to get mail to the other servers and when to replicate.

To Configure this you will need:

Cross Certificates

Domain Documents

Connection Documents

Directory Assistance/Directory Catalogue (or both)

Replicas of the Directories on each server (depending on the config and network options)

If you’re responsible for the maintenance of all three companies - my personal recommendation would be to go for the Single Domain config.

Hope this helps,

Mat

Subject: Re: Configuring Domino Domains

Hi Mathew,

We purchased those companies through acquisition so each server was setup as the first server. Looks like multiple domain configuration would be the way to go.

Would it make a difference if there are multiple versions of Domino in use at each company? For example, v5.x Wintel, v8.x Wintel, v6.x iSeries.

Subject: Interoperability is one of Domino’s Great Strengths

Both between OS Platforms and between Domino Versions… will work just fine… My thought would be that it would be more important to get all Domino Versions up to Release 8.5.1 between the companies and mainly for support purposes… I’m making an assumption that with these acquisitions you want to consolidate your Notes & Domino Administration, and saving costs by having a single Admin staff for Notes & Domino would make sense and be much easier for them to manage if all domains are working with the same Release… but until you get there the interoperability should be fine…

jpaganet@us.ibm.com

PS: Internally at IBM we use Multiple Domains and a Directory Catalog as Matthew so aptly described in option 2. If we were starting from scratch though I think we would go with option 1 as that is a bit easier to Administer but both work great!

Subject: Configuring the Domains to communicate

Hi Nigel,

As John indicated, Interoperability between operating systems and versions is not a problem for Domino.

If you could get the Domino versions synchronised, then you could move towards merging the domain; this would get you to an “option 1” scenario. I would not recommend this until all the systems were within a similar code stream (eg: 8.*).

After licensing and hardware considerations, I would be pushing for the organisation on Notes 5 to upgrade as soon as possible - those poor folks are having an extremely outdated user experience. Even without upgrading you can get this underway.

To get things started, if you are the “God Admin”, I would get you (or your Notes Admin’s ID) cross-certified with company* as soon as possible. Once that’s done, ensure the other Domains include a LocalDomainAdmins group, and include your name in that group. Once you’ve done that - the rest becomes fairly straightforward and easy to manage.

Create the Cross-Certificates between the Organisations (it’s the Orgs, not the Domains that have “Trust”) in both directions, ie: Company1-Company2, Company1-Company3, Company2-Company1, etc.

Create “Adjacent” Domain Documents within the individual Domains (company1 needs DD for company2 and company3)

Create Connection Documents to map the Domain documents above (eg: server1-server2, Server1-server3…)

In each Domain, add the “foreign” servers to the “OtherDomainServers” groups.

Ensure that each Domino Directory’s ACL contains the OtherDomainServers group and is set to at least “Reader”.

Create a replica for each of the Adjacent Domains’ Domino Directories on the server (server1 should have replicas for Company2 and Company3). Ensure you set the filename on the replicas properly, eg: on Server1 you already have names.nsf, therefore the replicas from the other domains should be namesc2.nsf and namesc3.nsf. Be mindful of the OS File name conventions here.

Use the connection documents created earlier to set the replication schedule for the Domino Directories.

On the Domino 8 and 6 systems, configure a Directory catalog. On the Domino 5 system - I would recommend using Directory Assistance instead.

Once the Catalog/DA is configured, a restart of the servers should see the users able to use any name immediately from any other Domain in an Address or Security field.

That should be it: Generate the Trust, Establish the connectivity and update schedule, Use the local replicas to configure Address options.

The Catalog/DA allows the Name look-ups; the Cross-Certs, Domain Docs and Connection Docs ensure native (NRPC) connectivity between the servers. Not only will you be able to do name look-ups, users will be able to send Native Email, Calendar Invites, Links, etc between Domains, and even do a “free-time” look-up for a meeting with a user in another Domain.

Hope this helps,

Mat