Running Domino Commands in Powershell

To avoid “Unable to open log file” and “log.nsf: File does not exist” errors, always start PowerShell in “Run as Administrator” mode; without elevation the task cannot open the server’s log database.

In newer versions such as Microsoft Windows Server 2012 R2, navigate to the Domino binary directory and then prepend “.\” (without the quotes and with no spaces) to the traditional nwhatever.exe command name. PowerShell does not run executables from the current directory unless the path is given explicitly.

For example, when the binaries are in c:\lotus\domino and you want to run a copy-style compact on the entire data directory…

Start Powershell in “Run as Administrator” mode and your command line will look like this:

PS C:\lotus\domino> .\ncompact.exe -c
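The same thing as a small script, added here as an example (it is not from the original post): it refuses to run unless the session is elevated, resolves the binary by full path so the “.\” trick is not needed, and surfaces the task’s exit code. The install path C:\lotus\domino is an assumption taken from the post’s example; adjust it to your server.

```powershell
# Added example (not from the original post): run a Domino server task from
# PowerShell, refusing to proceed unless the session is elevated.
# $DominoBin is an assumed install path; adjust to your own.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-DominoTask {
    param(
        [Parameter(Mandatory)][string]$Task,          # e.g. 'ncompact.exe'
        [string[]]$Arguments = @(),                   # e.g. '-c'
        [string]$DominoBin = 'C:\lotus\domino'        # assumed path
    )
    if (-not (Test-IsElevated)) {
        throw "Start PowerShell with 'Run as Administrator' first; otherwise the task cannot open log.nsf."
    }
    $exe = Join-Path $DominoBin $Task
    if (-not (Test-Path $exe)) {
        throw "Domino binary not found: $exe"
    }
    # PowerShell does not search the current directory for commands, which is
    # why '.\ncompact.exe' is needed interactively. The call operator (&) with a
    # full path works from any location.
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Task exited with code $LASTEXITCODE"
    }
    return $LASTEXITCODE
}

# Copy-style compact of the whole data directory, the same as the interactive
# '.\ncompact.exe -c' from the post:
Invoke-DominoTask -Task 'ncompact.exe' -Arguments '-c'
```

Run offline tasks such as ncompact with the Domino server stopped; databases the running server has open will otherwise be skipped or reported as in use.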

TLS For Domino SMTP

Those already using, or considering enabling, secure SMTP sessions with STARTTLS on Domino should either disable it and wait for now (until SPR# MKENA4SQ7R is resolved in an Interim Fix or 9.0.1 FP6), obtain hotfix(es) directly from IBM, or accept the risk of being unable to deliver to, or receive TLS from, at least some @outlook.com addresses.

If you use (or plan to use) TLS, you should also look at adding the SSL_SESSION_SIZE notes.ini setting. When the setting is absent, the value defaults to 5000 bytes, which is too small to prevent errors like:

02/25/2016 12:23:52 PM New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:23:52 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.

Note that the server suggested the 5121 value in this example (presumably based on the handshake with the external server); I have not yet found any other scientific method for determining what value might be better.
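One practical method is to let the console log answer the question. The script below is an added example, not from the original post: it pulls every “New SSL session data length” warning out of a log, takes the largest size reported, and adds headroom so the next slightly larger peer does not trip the warning again. The 1024-byte headroom and the notes.ini path are my assumptions, not IBM figures; the sample log lines are constructed in the format the post shows.

```powershell
# Added example (not from the original post): read the SSL_SESSION_SIZE
# warnings out of a Domino console log and derive the value to set.
# The log lines are constructed samples modelled on the post's messages.
$SampleLog = @'
02/25/2016 12:23:52 PM  New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:23:52 PM  You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.
02/25/2016 01:10:07 PM  New SSL session data length of 5320 bytes is larger than the current size of 5000 bytes.
02/25/2016 01:10:07 PM  You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5320 bytes.
'@ -split "`r?`n"

function Get-SslSessionSizeNeeded {
    param([string[]]$LogLines, [int]$Headroom = 1024)   # headroom is an assumption, not an IBM figure
    $pattern = 'New SSL session data length of (\d+) bytes is larger than the current size of (\d+) bytes'
    $sizes = @(foreach ($line in $LogLines) {
        if ($line -match $pattern) { [int]$Matches[1] }
    })
    if ($sizes.Count -eq 0) { return $null }   # no warnings logged: the default (5000) is sufficient
    $largest = [int](($sizes | Measure-Object -Maximum).Maximum)
    [pscustomobject]@{
        Largest     = $largest
        Recommended = $largest + $Headroom
    }
}

function Set-NotesIniValue {
    # Rewrites (or appends) one NAME=VALUE line in a notes.ini file.
    param(
        [Parameter(Mandatory)][string]$Path,    # e.g. C:\lotus\domino\notes.ini (assumed path)
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $updated = $false
    $out = @(foreach ($l in Get-Content -Path $Path) {
        if ($l -match "^\s*$Name\s*=") { $updated = $true; "$Name=$Value" } else { $l }
    })
    if (-not $updated) { $out += "$Name=$Value" }
    Set-Content -Path $Path -Value $out
}

$result = Get-SslSessionSizeNeeded -LogLines $SampleLog
if ($result) {
    "Largest session seen: $($result.Largest) bytes; set SSL_SESSION_SIZE=$($result.Recommended)"
    # On a live server apply it from the console ('set config SSL_SESSION_SIZE=...')
    # rather than editing notes.ini directly; the helper below is for a stopped server:
    # Set-NotesIniValue -Path 'C:\lotus\domino\notes.ini' -Name 'SSL_SESSION_SIZE' -Value $result.Recommended
}
```

Domino rewrites notes.ini when it shuts down, so edits made to the file while the server is running can be lost; use the console’s set config command on a live server, or edit the file with the server stopped.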

Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks

Sometimes allowing password authentication makes a system less secure.

Ever notice activity like this on your SMTP-enabled Domino server?

SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
etc.

Guess what… In this case, I am not happy that ec2-46-137-108-26.eu-west-1.compute.amazonaws.com (Amazon Web Services, Ireland) thinks it needs to relay SMTP through my Domino server.

If this attacker guesses a valid user name and password combination, they can relay whatever they want.
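Before turning authentication off, it is worth knowing how much of this is hitting the server. The script below is an added example, not from the original post: it parses the “Authentication failed” console lines, groups them by connecting host, and flags any host over a threshold with the user names it tried and the time window. The log lines are constructed samples in the format the post shows (the 192.0.2.10 address is a documentation-range placeholder), and the threshold of 3 is an arbitrary assumption.

```powershell
# Added example (not from the original post): count SMTP AUTH failures per
# connecting host in a Domino console log and flag brute-force sources.
# The log lines are constructed samples in the format the post shows.
$SampleLog = @'
02/09/2016 09:41:10 PM  SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
02/09/2016 09:41:12 PM  SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
02/09/2016 09:41:15 PM  SMTP Server: Authentication failed for user admin ; connecting host 46.137.108.26
02/09/2016 09:41:19 PM  SMTP Server: Authentication failed for user test ; connecting host 46.137.108.26
02/09/2016 09:42:03 PM  SMTP Server: Authentication failed for user jsmith ; connecting host 192.0.2.10
'@ -split "`r?`n"

function Get-SmtpAuthFailures {
    # One object per failed SMTP AUTH attempt: timestamp, user name tried, source host.
    param([string[]]$LogLines)
    $pattern = '^(?<ts>\S+ \S+ \S+)\s+SMTP Server: Authentication failed for user (?<user>\S+) ; connecting host (?<host>\S+)'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches.ts, 'MM/dd/yyyy hh:mm:ss tt', [cultureinfo]::InvariantCulture)
                User = $Matches.user
                Host = $Matches.host
            }
        }
    }
}

function Find-SmtpAuthAttackers {
    # Hosts with at least $Threshold failures, with the user names they tried.
    param([string[]]$LogLines, [int]$Threshold = 3)   # threshold is an arbitrary assumption
    Get-SmtpAuthFailures -LogLines $LogLines |
        Group-Object -Property Host |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Host     = $_.Name
                Attempts = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = $times[0]
                Last     = $times[-1]
            }
        }
}

Find-SmtpAuthAttackers -LogLines $SampleLog | Format-Table -AutoSize
# Reverse-lookup the flagged hosts, as the post did with the AWS address:
# Find-SmtpAuthAttackers -LogLines $SampleLog | ForEach-Object { Resolve-DnsName $_.Host -Type PTR }
```

A host cycling through generic names such as guest, backup and admin in a few seconds is a dictionary attack, not a misconfigured client; a single failure from one host against one real user name is usually someone mistyping a password.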

There is a quick fix that prevents these attempts from ever circumventing the SMTP relay restrictions: turn off name-and-password authentication on inbound SMTP, so a guessed credential no longer buys relay rights.

If you are NOT using Internet Site documents, set the following field(s) to “No” in the corresponding server’s Server Document:

[screenshot 2016-02-09_21-45-04: the SMTP inbound “Name & password” authentication field(s) in the Server document]

If you ARE using Internet Site documents, just change the following field(s) to “No”:

[screenshot 2016-02-09_21-49-56: the same “Name & password” authentication field(s) in the SMTP Inbound Internet Site document]

Want more info? Read more here.

Happy hacker snubbing!


Circumventing the DCT Loop

Domino Configuration Tuner is one of many oft-overlooked Domino administration and assessment tools. Another obstacle to its use is the annoying message, “Lotus Notes has automatically updated some require files for this application. Before you can use the DCT you need to restart your Notes Client.” The problem is that restarting the Notes client does not improve the situation. You may also notice the following on the status bar: “Unable to deploy 1 updated file (probably locked and in use)”.

One way to resolve the issue:

  1. Shut down all Notes programs running on your workstation.
  2. Delete your local dct.nsf and dct.ntf.
  3. Download the “latest” dct.ntf version: http://www-01.ibm.com/support/docview.wss?uid=swg24019358&rs=0&cs=utf-8&context=SWA00&dc=D400&q1=dct
  4. Put dct.ntf in your Notes data directory.
  5. Restart Windows in Safe Mode (press F8 while restarting).
  6. Launch Notes and start Domino Configuration Tuner.
  7. If prompted to restart Notes, restart Notes and try launching DCT again.

Agent Disabled During Design Update

I encountered the following when deploying Brian Green’s Domino TeamMailbox recently. The concept applies to any design update, not just the TeamMailbox.

Designer: Agent ‘New Mail Reminder’ in ‘mailin\xyz.nsf’ disabled during Design Update from template ‘teambox3.ntf’. Agent signer ‘Server1/servers/abc’.: Enabled status can be preserved only on the server where the agent is scheduled to run or, for mail agents, on the home mail server. Enabled status cannot be preserved if ‘-Any server-‘ is specified for the agent.

I found the following in IBM Lotus Domino Administrator Help 8.x:

Updating the design of an enabled agent
In pre-8.0 releases of IBM Lotus Domino, when a design update for enabled agents occurred, the agents were disabled and stopped running. This occurred because there was no mechanism to update the agent’s design and retain the original signature of the agent. In Domino 8, design update can update many enabled agents without disabling the agents.

In Domino 8, design update preserves the identity of the agent owner in the “On Behalf” field and re-signs the agent with the server ID. The agent’s enabled status is preserved only if the original agent owner has the rights to run agents and if the agent is scheduled to run on the server on which the design update is performed. The server has explicit rights to run agents only on itself. If the agent’s enabled status cannot be preserved, the design update is performed and a warning message is generated and sent to the server console as well as to the Domino Domain Manager.

You may see the warning messages shown in the examples below depending on who signs the agent.

Examples
In this example, the agent was signed by the server, ServerA/DomainA, which did not have rights to run agents on the server Test/Acme. Design update updated the agent design and left the agent disabled.

Warning generated on server TEST/ACME:
Designer: Agent ‘OutOfOffice’ in ‘mail\rooks.nsf’ disabled during Design Update from template ‘mail8.ntf’. Agent signer ‘ServerA/DomainA’.: Users without rights to sign ‘On Behalf’ agents can only run agents on their own behalf.
In this example, the agent was specified to run on -any server-; therefore, its enabled state could not be preserved because it could not be signed with the server ID Test/DomainB ID. If the agent was signed with Test/DomainB ID, the agent would not run on any server other than Test/DomainB, which was not the intention of the agent designer. Design update updated the design of the agent and left it disabled.

Warning message generated on server Test/DomainB:
Designer: Agent ‘LotusInboxCleanup’ in ‘AdminSurvey2007.nsf’ disabled during Design Update from template ‘mail8.ntf’. Agent signer ‘Lotus Notes Template Development/Lotus Notes’.: Enabled status can be preserved only on the server where the agent is scheduled to run or, for mail agents, on the home mail server. Enabled status cannot be preserved if ‘-Any server-‘ is specified for the agent.

Presumed Solution
So, the solution would seem to be: sign the agent with an ID that has the proper rights (edit and save it with that ID) AND specify a particular server for the agent to run on. Using ‘-Any server-‘ is a no-no.

Changing the Primary ID Vault Server in IBM Domino

  1. Using the Domino Administration Client, select Security > ID Vaults in the left navigation pane.
  2. Highlight the vault in the view and expand the ID Vaults section of the Tools menu.
  3. Click on Manage.
  4. Click Next.
  5. Select “Manage vault replica servers”.
  6. Click on (select) the server that you want to be the primary ID Vault Server.
  7. Click Next.
  8. Click Configure.
  9. You will be prompted to select and provide the password for the Vault ID.
  10. Click Done.