Distributing Notes Clients Automatically

Creating customized Notes installation packages
Automated Deployment Toolkit described
Using Active Directory for client distribution

Tommi Tulisalo
Ted Dziekanowski
Ben Morris
Kurt Nielsen
Carol Sumner

ibm.com/redbooks

Redpaper

International Technical Support Organization
Distributing Notes Clients Automatically
July 2003

Note: Before using this information and the product it supports, read the information in “Notices”.

First Edition (July 2003)
This edition applies to Lotus Notes and Domino 6.0.2

© Copyright International Business Machines Corporation 2003. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
Trademarks
Preface
  The team that wrote this Redpaper
  Become a published author
  Comments welcome
Chapter 1. Customizing client installations with transform files
  1.1 Brief description of Windows Installer technology
    1.1.1 Using the InstallShield Tuner
Chapter 2. Using Automated Deployment Toolkit for Notes clients
  2.1 Introduction to Automated Deployment Toolkit
    2.1.1 Integrating services and functions
    2.1.2 Communication with the users
    2.1.3 Asset inventory
    2.1.4 Training Management
    2.1.5 User ID Generation component
    2.1.6 Client Software Distribution
  2.2 Installation
    2.2.1 Client PC requirements
    2.2.2 Server SMTP configuration
    2.2.3 ADT server
    2.2.4 Lotus Domino server changes
    2.2.5 ADT groups
    2.2.6 Assign HTTP passwords to all users
    2.2.7 Enable HTTP on the ADT server
    2.2.8 Assign manager rights to the agent signer
    2.2.9 Copy files to the ADT server
    2.2.10 Additional steps for automated client setup process
    2.2.11 Sign the ADT database templates
    2.2.12 Configure agent execution parameters in the ADT template
    2.2.13 Create the ADT and the ADT Log databases
    2.2.14 Create ADT Mail-In Database document
    2.2.15 Creating the ADT encryption key
    2.2.16 Installing data migration tools
    2.2.17 Copying files to the Notes client installation set
  2.3 Configuration
    2.3.1 How to capture at Database Replica ID
Chapter 3. Deploying the Notes client with Active Directory
  3.1 Active Directory basics
  3.2 Using Group Policies to deploy the Notes client
    3.2.1 Summary
  3.3 Installing non-MSI applications
  3.4 Summary

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. 
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

Domino™, DFS™, IBM®, ibm.com®, Lotus Notes®, Lotus®, Notes®, Redbooks™, Redbooks (logo), Tivoli®

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.

Preface

This IBM Redpaper describes how to distribute Notes® clients automatically. The paper is not a complete guide on Notes client deployment; rather, it is a collection of information about some of the different technologies that can be used for deploying Notes clients automatically. The basic idea behind automated software distribution is to make installing multiple clients more efficient.

We begin by explaining how to use InstallShield Tuner for Lotus® Notes® to create customized Notes installation packages. We guide the reader through the process of customizing an installation of Lotus Notes using that technology. We then describe how to use Automated Deployment Toolkit (ADT), which is an automated, managed system for deploying, upgrading, or migrating an existing messaging system to Notes R5 and Notes 6. The final chapter describes how to use Active Directory for deploying Notes clients.

Another option, not covered in this Redpaper, is to use one of the software products that are architected for distributing any software to the workstation. Some of the most used tools include IBM Tivoli® Configuration Manager, Microsoft SMS, and ZenWorks.

The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Cambridge Center.

Tommi Tulisalo is a Project Leader for the International Technical Support Organization at Cambridge, Massachusetts. He manages projects whose objective is to produce redbooks in all areas of Lotus Software products.
Before joining the ITSO in 2001, he was an IT Architect for IBM Global Services in Finland, designing solutions for customers, often based on Lotus software.

Ted Dziekanowski is an independent consultant and owner of the Chatham Technology Group, which is based in the New York Metropolitan area. Ted is both a Lotus and Microsoft Certified Trainer, holds PCLP, MCSE+I, and Windows 2000 certifications, and has a BS in Accounting and an MBA in Management. His recent engagements include Active Directory infrastructure design for a Fortune 50 company, migrations from Exchange 5.5 to Exchange 2000, as well as numerous engagements involving versions of Domino™ 3.0a to 6.0.1 and Exchange 4.0 to Exchange 2000.

Ben Morris is an IT Specialist with IBM Global Services. He has supported Notes and related products within IBM for over two years, and has been involved in the Notes 6 project for much of that time. He can be contacted at morrisb@us.ibm.com.

Kurt Nielsen is a Senior IT Specialist for ITS' Lotus Technology Group in Denmark, with an emphasis on architecture and infrastructure. He has been with IBM/Lotus since 1998, originally working as a systems programmer and systems specialist in Networking Services. His primary responsibilities are Domino design, infrastructure, migration, and analysis. Kurt has over 12 years of experience in consulting with client organizations in the insurance, banking, and manufacturing industries.

Carol Sumner is an Advisory IT Specialist working for IBM Software Services for Lotus. She has 11 years of IT experience, including six years of specialization in messaging systems implementation, administration, and migrations. She received a BA from the University of Iowa, and holds a Master of Divinity degree from Texas Christian University.

Become a published author

Join us for a two- to six-week residency program!
Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll team with IBM technical professionals, Business Partners and/or customers.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

We want our papers to be as helpful as possible. Send us your comments about this Redpaper or other Redbooks™ in one of the following ways:
– Use the online Contact us review redbook form found at:
  ibm.com/redbooks
– Send your comments in an Internet note to:
  redbook@us.ibm.com
– Mail your comments to:
  IBM Corporation, International Technical Support Organization
  Dept. JLU Building 107-2
  3605 Highway 52N
  Rochester, Minnesota 55901-7829

Chapter 1. Customizing client installations with transform files

This chapter introduces you to Windows Installer technology and walks you through the process of customizing an installation of Lotus Notes using that technology.

1.1 Brief description of Windows Installer technology

Notes 6 takes advantage of the Windows Installer technology, which allows an administrator to standardize custom installations by distributing pre-configured installation packages. The administrator manipulates the configuration by means of a transform file that the Windows Installer service uses when it is installing an application.

The InstallShield Tuner for Lotus Notes provides administrators with a graphical and easy-to-use method of modifying the default install options of the new installer in Notes 6.
This allows administrators much more flexibility in their options and enhances control over what an end user can and cannot do or see when installing the program.

1.1.1 Using the InstallShield Tuner

This section provides a brief introduction to using the InstallShield Tuner for Lotus Notes. For more information, along with training opportunities, visit the InstallShield Web site at:
http://www.installshield.com

Initial setup

To set up the install:
1. Begin by installing the InstallShield Tuner for Lotus Notes from your Lotus Notes CD. After the install is complete, start the Tuner from your Lotus Applications program directory. You will immediately be prompted for a Tuner Configuration (.ITW) file. Select the lotusnotes.itw file from the x:\apps directory (where x is the location of your Notes install files) and click Open.
2. The first screen you are presented with is the InstallShield Today welcome screen. Select Create a new transform file in the second pane.
3. In the Base Windows Installer Package section of the third pane, click the Browse button and navigate to the x:\allclient directory on the Notes CD. Select the Lotus Notes 6.msi file, and click Open.
4. Create the transform file. In the Windows Installer Transforms section, specify the location and name of the install modification (.MST) file. This is the file that stores all of the modifications, and must be included in the install package that will be distributed to the users when they run the install.
   a. Browse to the directory to which you wish to save the .MST file, type a name, and click Save.
   b. Click the Create Transform File button.

Figure 1-1 Create the transform file

Modify the transform file

To modify the transform file:
1. MSI file prevalidation
   The next screen displayed is the MSI File Prevalidation screen. Since the Lotus Notes 6.msi file has already been verified, this step can be skipped.
   If you do perform the prevalidation check, you may receive many (up to 100) errors and warnings. These errors are harmless and should be ignored.
2. Setup organization
   In this step you select the features to install, as follows:
   a. Using the navigator in the first pane, select step 2, Setup Organization -> Features. (You will be specifying the information under “Default Destination and Organization” later in the process.) This is where you will choose the default features that will be installed on the user’s machine.
   b. Highlight each feature that you want installed by default in the second pane, and change the Initial State (in the third pane) to “The feature is installed on the local drive.”
   c. If this is going to be a User Interface install, and you do not want the users to have the option of turning a certain feature on or off (for example, you do not want to give them the ability to install the designer client), then change the Visible field to either Not Visible or Visible, depending on your preference.
   d. Note that the default for the Notes client and CoreProgramFiles is “The feature is run from source, CD, or network.” In most cases, you will want to change both to “The feature is installed on the local drive.”

Figure 1-2 Modifying the install options for the users

3. Target system configuration
   a. Files (optional)
      i. If there are any extra files you wish to have installed along with Notes (for example, a modified bookmark.nsf file with some bookmarks already selected), select Files under step 3, Target System Configuration.
      ii. In the “Source computer’s directory tree” box navigate to the location of the file you want to include.
      iii. In the “Destination computer’s folders” box, specify the destination directory path. To do this, highlight “Destination computer” and click Insert.
      This will create NewFolder1, which should be renamed to the top-level directory (below the root) that you wish to use (that is, Notes). Highlighting that directory and pressing Insert will create NewFolder2 beneath NewFolder1. It should be renamed to the next level folder (that is, data).
      iv. Drag the selected file from “Source computer’s files” to the “Destination computer’s folders.” See Figure 1-3 for an example.

Figure 1-3 Adding files to the install package

   b. Registry
      Any registry changes you wish to make can be made in a similar way through the Registry tab in step 3. However, since Notes adds very little to the registry, this step can be skipped in most cases.
   c. Shortcuts/Folders
      The Shortcuts/Folders tab is used to control which shortcuts you wish to have installed on the user’s OS desktop and Start menu. To remove a particular shortcut, highlight it and press Delete.
   d. Notes.ini file changes
      If there are any preferences stored in the notes.ini that you would like to specify for all users, do so by clicking the IniFiles tab.
   e. The NT Services and ODBC Resources tabs should be skipped in most cases.
4. Identify Additional Servers
   If you are going to put the Notes install files on a network drive, specify it here. Doing so will allow users to automatically repair Notes installations through the Add/Remove Programs option in the Control Panel if a file becomes corrupt.
5. Application Configuration
   Select the Setup Properties view, and leave the defaults for most of the options. The ones worth noting are:
   – DATADIR: This is the default location of the user’s data directory (usually a subdirectory called “data” under the PROGDIR).
   – PROGDIR: The directory that the main Notes files will be installed to.
   – AgreeToLicense: This must be set to “Yes” if you will be doing a silent install, and will require one less click from users in a User Interface install.
   – Other options
     If you would like to modify the options available to the users from the Add/Remove programs list in the Windows control panel (such as disabling their ability to uninstall the software), select Add/Remove Programs Setting, and select Yes for Disable Modify Button, Disable Remove Button, and Disable Repair Button, depending on your preferences.

Figure 1-4 Modifying setup properties

6. Prepare to Package
   a. The postvalidation step should be skipped since you will once again see many harmless errors and warnings if you run it.
   b. The final step is to package the installation.
      i. Select the Package view from the first pane, and Location from the second pane. This is the location (your local drive, a network drive, or an FTP site) to which Tuner will copy all of the files required for the installation.
      ii. Choose the Setup view. This option will create a customized setup.exe that includes the .MST file along with any other files needed for the install. This is much easier than running a command line with parameters for the transform file. If any of your users are running Windows 95, Windows 98, or Windows NT, then select the appropriate checkboxes.
      iii. In the Windows Installer Command Line Arguments field you can specify any switches that should be incorporated into the setup. For example, you can specify that this package should always do a silent install by typing /qn in this field. For a list and description of the various command line options available look in the MSI help file.

Figure 1-5 Creating the install package

      iv. The SMS tab is for companies that have deployed Microsoft Systems Management within their organization.
      To create the necessary files to use SMS with Notes 6, select the appropriate options (depending on the version of SMS), and the necessary .pdf and .mif files will be created.

Save the transform file and the package

To save the transform file and the package:
1. Click Save on the toolbar.
2. Select Package from the Project menu. Tuner will copy all of the required files to the location you selected on the Location tab. You will see a log of the files being copied in the lower pane.

Figure 1-6 Packaging log

3. Click Save on the toolbar one more time and close Tuner.

The package is now ready to be distributed to your users. They will run the install with the setup.exe included with the package. If you ever need to make changes to the package, simply start Tuner and choose Open an existing transform file from the menu.

Note: Once you have made changes to a transform file you must save the .mst and then repackage the install by selecting Package from the project menu.

Chapter 2. Using Automated Deployment Toolkit for Notes clients

This chapter contains an overview of the functionality of the Automated Deployment Toolkit (ADT) from Wolcott Systems Group, and information needed to install ADT into an environment. This is not to be regarded as an installation guide, but more as a description of the tool, and a way to get around the few gotchas we encountered installing and using it. The documentation that ships with ADT is very thorough, and we recommend using it.

2.1 Introduction to Automated Deployment Toolkit

Automated Deployment Toolkit (ADT) is an automated, managed system for deploying, upgrading, or migrating an existing messaging system to Notes R5 and Notes 6.
ADT centrally manages and automates the client deployment process and integrates with industry-leading data migration and training tools—saving companies significant time and expense.

One of the major obstacles in deploying new clients is actually not installing the clients, but managing the process. Wolcott Systems Group seems to have taken this approach on their deployment tool and wrapped it in management tools. The ADT provides functionality for maintaining a complete Notes deployment process from a centralized location, and automating other key processes during the deployment, upgrade, or migration process.

2.1.1 Integrating services and functions

ADT treats a Notes deployment as an integrated business workflow, rather than as the set of engineering tasks that most IT departments are familiar with. The ADT has automated the following key deployment processes:
– Discovery: PC hardware and software determination
– Training: Integrates with third-party computer based or instructor-led training processes
– ID Generation: User ID and mail file creation
– Client Installation: Installation/upgrade and setup of the Notes workstation
– Data Migration: Integration with Lotus’ tools and third-party data migration products (like BinaryTree)
– Mail File upgrade: Upgrading the user’s mail file to the administrator-specified template(s)

The tool is built in a way that makes management easy. Services not required, or not needed at the moment, can simply be turned off or have their order changed by the administrator. If required, it is actually possible to add further steps to the framework using the workflow framework provided.

The design

The ADT is designed as an open and customizable framework. In this way, flexibility is added and specific tailoring is easier to do. Many of the customizations can be made without programming. The design of the database is open and allows easy integration of customer-specific processes.

User interface

The ADT is equipped with a “Dashboard”, which helps configure the tool to the specific needs. The Dashboard helps track the progress of the users during the deployment. Some features of the Dashboard are:
– The administrator uses menu choices and configuration documents to easily build his own upgrade, deployment, or migration workflow.
– Shows the administrator where each user is in the deployment process.
– Gives the administrator the ability to manually control the progress of users, if needed.
– The administrator can have a fully updated snapshot of the number of users at each point in the process.
– Eliminates the need to create management progress reports. The management team can be pointed directly to the ADT database, and they can check status any time they wish.

2.1.2 Communication with the users

One of the key factors affecting the success of any deployment project is being able to communicate in a meaningful way to users affected by the project. The ADT offers a feature to help communicate with the end-users via the Deployment Control Panel. This means that the administrator can customize the messages sent to his end users to meet specifics of their own corporate environments, thereby improving the quality of deployment, which again may reduce overall project cost.

2.1.3 Asset inventory

One of the obstacles when planning a deployment project is “What is out there?” That is, asset inventory. The ADT framework provides a discovery component that helps to:
– Ensure that the users’ machines are capable of running the new Notes client software.
– Automatically gather and summarize key end-user workstation hardware and software configuration information using the PC Survey component.
– Administrators can set their own minimum system requirements for hard disk utilization, RAM, operating system, processor speed, etc.
– Provides e-mail notification of system failure to meet minimum requirements, which can be routed to the administrator or tech team responsible for physical system upgrades.
– Feeds user status to the ADT Dashboard, giving the administrator real-time information on the status of each user in the process.
– Automatically moves users, with systems that meet the requirements, to the next step in the deployment process without requiring administrator intervention.

The PC Survey tool provides a “snapshot” of the current configuration. A more thorough version is available upon request. Figure 2-1 shows a screenshot from the PC Survey tool.

Figure 2-1 PC Survey tool

2.1.4 Training Management

The Training Management component of ADT reduces cost for customers by allowing customers to integrate training products into the deployment process. The company can in this way ensure that users know how to use the new Notes client prior to the client installation. This eliminates the training coordination bottleneck that can delay the deployment process.

Another benefit is that this allows the administrators to restrict users from advancing on to the next step in the process, until they have completed the necessary training or to simply notify users of the training options available to them before automatically moving them onto the next step.

ADT tool integrates with third-party CBTs, such as tools from ReCor, OfCourse, and TLCC.

2.1.5 User ID Generation component

The User ID Generation component of ADT delivers strong management features to administrators, simplifying the task of creating and storing user IDs. With this component, administrators can automate the creation of a Lotus Notes user ID, mail file, and public encryption key for each user. Configurable parameters are included to set the ID expiration date, password strength, and client license type.
The User ID Generation component uses special algorithms to generate random passwords as well as validate mail file name and user short name uniqueness. The generated ID files and encrypted passwords are stored in the ADT database for simplified recovery by an authorized administrator if an ID file is lost or a password forgotten.

2.1.6 Client Software Distribution

Central to any solution for a deployment project is the ability to install the software on the users’ workstations. The Client Software Distribution component of the tool features the following:
– Eliminates the requirement to manually touch each PC to install the Notes client.
– Automatically sends a mail message to the user with an attachment that initiates the installation of the Notes client after the automated PC Survey component confirms that the user workstation can support the Notes client software.
– Reports confirmation of installation process to the ADT database, allowing the administrator to track the users’ process at a glance. Confirmation includes indication of when the installation started, completed, encountered an error, and finished successfully.
– Uses a distributed method of making the client software available to end users. The Notes client installation sets can be placed on servers close to the users, thus minimizing the impact on the WAN.
– Allows for the automated installation of the client software with administrators building the necessary response files for the installation, thus eliminating the errors caused during user interaction with the dialogs and prompts appearing in the standard installation.
– Allows administrators to support a manual installation by the users, if this is desired.
– Supports the installation from CD-ROM (could be an important feature for remote/disconnected users).
Additional features:

- Notes Mover component: Allows administrators to automatically relocate Notes to a standard location on the user’s workstation prior to launching the Lotus Notes client installation.
- Setting up of the workstation via LotusScript code that is executed at the conclusion of the client installation, allowing administrators to add database icons, create local replicas and update replicator page entries, modify location documents, and many other client configuration tasks.
- Deployment of custom names.nsf and notes.ini.
- Integrated data migration components providing integration with standard tool providers like Lotus and BinaryTree.
- Automating upgrade of user’s mailfile using a standard or customized template.
- Server consolidation component.

2.2 Installation

Be sure that your environment meets the requirements, which for Notes 6, Domino 6, and ADT V2.1 include the following.

2.2.1 Client PC requirements

The requirements are:

- Notes 6 client and ADT executables require a Win32 platform (Win98 or higher).
- All users must have TCP/IP installed and configured on their computer systems.
- All users must have access to the company servers through local network access or via the Internet or an intranet.
- For self-service registration, users must have browser (HTTP) access to the server running ADT. Supported browser platforms are Microsoft Internet Explorer (Version 4 or higher) and Netscape Navigator (Version 4 or higher).

2.2.2 Server SMTP configuration

During the PC Survey and client installation steps, SMTP is used to deliver survey results plus installation and client configuration status messages to the ADT database. For this reason, your internal messaging environment must be configured to receive SMTP mail and route these incoming messages to the ADT database (a Notes mail-in database). If your messaging environment is not configured for SMTP, you must make the appropriate modifications to support this.
If necessary, you can configure SMTP on the ADT server and route messages directly there. Organizations that have high volume inbound or outbound SMTP messaging traffic in their environment may not wish to configure ADT to send its messages through the company gateway. In this case it will be better to have the messages delivered directly to the ADT server. Enabling SMTP on the ADT server does not open up a new message routing option for your users, unless they are specifically enabled to do so.

If the server running ADT is visible to the Internet and you have SMTP enabled on the system, you will need to configure Domino so the server cannot be used for spamming purposes. In most cases, the Domino server used by ADT (if it is a dedicated server) is not configured to be visible to the Internet.

Note: ADT includes an application for testing the SMTP connection, SMTP Tester; refer to the SMTP Tester documentation for additional information.

2.2.3 ADT server

In order to ensure the best performance, it is recommended that a Domino server is dedicated for the ADT processing server. The ADT processing server is the server that executes the scheduled agents that send and process the return messages sent during PC Survey, training, Lotus Notes client installation, and other processing steps.

The dedicated server is recommended because ADT periodically launches external processes to create the self-extracting executables sent to the user, and the heavy use of the server might induce problems for other processes running on the system. Since ADT uses several 32-bit Windows applications during processing, the server running ADT must be running on a 32-bit Windows server (Windows NT, 2000, or XP).
ADT server minimum system requirements:

- Windows NT, Windows 2000, or Windows XP
- Pentium III class processor (or equivalent)
- 256 MB of RAM
- 500 MB free disk space
- Lotus Domino 6 server or higher (can work with release 5; consult manual)
- SMTP routing and mail delivery
- TCP/IP communications protocol

Additional server requirements:

- For the self-service option, the ADT server must have the HTTP protocol enabled on the server.
- All mail servers participating in the server consolidation process must be running Lotus Domino Server Version 4.6 or higher.

It is possible to use a standard desktop system for running ADT. Install Windows and Domino on the system and it is ready for the ADT installation.

Note: A version of the ADT server that supports the Sun Solaris operating system is available; please contact Wolcott Systems Group to obtain further information.

2.2.4 Lotus Domino server changes

Depending on the steps you are performing in your Notes deployment, different Domino servers in your organization will be affected. If you are doing a mail server consolidation, all of your existing mail servers will be involved. If you are doing an upgrade, then all of your mail servers will be involved.

In order to provide support for the processes listed above, you must modify each affected server document to include the signer of the ADT database agents as a person allowed to run unrestricted agents. You will most likely sign the ADT database with a user ID that has manager rights to the server and Domino Directory.

Several of the ADT process steps require messages to be delivered back to the ADT database so agents can update the user’s status. As part of the product installation, you will have to create a mail-in database document in the Domino Directory.
Before the installation begins, administrators should review corporate naming standards to determine the mail-in database name that will be used for ADT. We recommend using the name “ADT” for the process, but local Notes administration standards may dictate a different naming convention. Once the mail-in database document has been created, you should test mailing documents into the database from Lotus Notes mail and Internet (SMTP) mail.

2.2.5 ADT groups

The ADT templates are already configured with standard groups in the ACL. If you create the following groups (and populate them with the appropriate members) you will be able to easily access the ADT databases once they have been created.

Table 2-1 Recommended Domino Directory group

| Group name | Function |
| --- | --- |
| ADT Administrators | Used to define the list of users who will have manager rights to the ADT database and the processes within. This group is usually assigned to the ‘[Admin]’ role in the ADT database. |
| ADT Editors | Defines the list of users who will have the ability to modify documents in the ADT database. This includes the ability to update the status of user documents in the ADT database. |

Remember that after adding new groups, the Domino Server needs a restart (this is not the case when users are added). Go to the server console and type Restart Server to make your changes take effect.

2.2.6 Assign HTTP passwords to all users

If the self-service registration option will be used, the participating users (who are going to use this process) must have HTTP passwords assigned to them in their person documents in the Domino Directory. The password is required, or the users will not be able to authenticate to the ADT server.

Note: If you do not have an easy mechanism for setting the HTTP password for users in your Domino Directory, ADT includes an agent that will perform this function for you. Refer to the ADT Operations Guide for additional information on this.
2.2.7 Enable HTTP on the ADT server

If you will be using the self-service registration option, the ADT server’s HTTP process must be running. If you have a dedicated server allocated for running Domino applications, you can place a replica of the ADT database on the Domino server for user registration and use a different server for ADT processing. The issue here is that there will be a processing delay: the processing will not begin before the user’s information has been replicated to the ADT server.

2.2.8 Assign manager rights to the agent signer

When performing a mail file upgrade or server consolidation using ADT, agents in the ADT database must have access to all mail files. In order for this process to work, a user ID that has manager access to all mail databases must sign the agents in the ADT database. Set up all mail databases’ Access Control Lists so that a person (or a user ID created for this purpose) has manager access to them.

Note: Depending on the setup of your LocalDomainServers group, you may be able to use ADT without making any ACL changes in the user’s mail database.

2.2.9 Copy files to the ADT server

Copy the ADT template files (called ADT_V210.NTF and ADT_Log.NTF) to the Domino server’s data folder (\lotus\domino\data by default). Be aware that files copied from a CD-ROM disc may have the Read-Only attribute enabled. If the Read-Only attribute is set, be sure to remove it on the files. The Domino Server will not be able to update or open the templates if they are set to Read-Only.

In the Lotus Domino Server data folder on your ADT server (\lotus\domino\data\ by default), create a folder called “ADT”. Copy the installation CD’s Bin folder to the ADT folder you just created. Be sure to remove the Read-Only attribute on all of the files you copied.
2.2.10 Additional steps for automated client setup process

If you are performing the automated client setup during a Notes deployment or migration, you must provide the properly configured notes.ini and pernames.ntf files you will be using. During client setup, ADT will create a new names.nsf from the template and include the notes.ini in the installation package sent to the user. On the client side, the Lotus Notes client installation component of ADT will copy the files to the user’s workstation along with the user’s ID file and patch the notes.ini with the correct settings for the user.

Create the necessary notes.ini file and customize the pernames.ntf template to your needs and place both of the files into the ADT server’s ADT\Bin folder with the rest of the ADT executables.

ADT will support multiple address book configurations. The User Option document in ADT contains a setting that allows you to specify the file name for the personal address book template you wish to be used for all users assigned to the User Option. ADT will support only one Lotus Notes client configuration file (notes.ini) for all users processed by this instance of ADT.

2.2.11 Sign the ADT database templates

After the ADT database templates have been copied to the ADT server, you must sign the design of the templates so that they will function in the Notes Security infrastructure within your organization. Open the Lotus Domino Administrator client using a user ID that has administrative rights to the Lotus Domino Domain and sign the templates.

Note: If you did not remove the Read-Only attributes on the templates after you copied them to the ADT server, you will receive errors when you try to access the templates from the Administrator client.

Now add the “ADT Administrators” group and insert the persons or groups who are supposed to be using this tool.
After adding new groups, the Domino Server needs a restart for the group changes to take effect. When convenient, go to the server console and type Restart Server. When the server is ready, you are ready to make the final changes to the ADT templates.

2.2.12 Configure agent execution parameters in the ADT template

Before you create the ADT database, you will need to change the configuration for the scheduled agents in the ADT database. Open the ADT Database Template on the ADT server from the Lotus Domino Designer client. Open the Agents section of the database design; for each scheduled agent there is a comment listed below the agent’s name. Open the agent and change the schedule option as indicated in the table below. Be careful, there are many agents to handle.

Table 2-2 ADT Agent Configuration Options

| Comment | Change ‘Run on’ to… |
| --- | --- |
| R4.X Agent – Run on Mail Servers | Any server |
| R5 Mail Servers Only | Any Server |
| Run on ADT Server | Choose when agent is enabled |
| Run on Migration Server | Choose when agent is enabled |

As part of the agent execution strategy, you may want to adjust the times at which the agents run, to support your specific requirements.

2.2.13 Create the ADT and the ADT Log databases

Create a new ADT database from the template you copied to the server’s data directory. Make sure you turn on the “Show advanced templates” option; otherwise you will not see the template in the list of available templates. Put the ADT database in the ADT folder you created earlier.

Create the ADT Agent Log database from the standard Agent Log template. Again make sure you turn on the “Show advanced templates” option. Put the ADT Log database in the ADT folder.

Update the ADT and ADT Log database ACLs with the appropriate settings for your organization. Enable the [Admin] role for any users or groups who will require access to the Configuration Profile or the ability to run agents in the ADT database.
The [Admin] role controls access to the Admin action and the Execute Tasks option on the ADT navigator.

Note: If you did not create the standard ADT groups in your Domino Directory, you may need to modify the ACL in the templates so you can access them from your workstation.

2.2.14 Create ADT Mail-In Database document

Several of the components of ADT send messages back to ADT when steps performed by the user have been completed. This is accomplished by defining the ADT database as a mail-in database in the Domino environment. In Domino, the mail-in database is merely a configuration change in the Domino Directory, which allows mail messages to be automatically routed into the database. As far as the users are concerned, the mail-in database is another mail recipient.

To set up the mail-in database configuration, you will need to add a Mail-in Database document in your organization’s Domino Directory. Use the “Mail-In Databases and Resources” to create a Mail-In Database document. Populate the fields on the form with the information pertinent to your installation of ADT; for Mail-in name, the recommended choice is “ADT”, but you may want to choose another name depending on your organization’s naming conventions or in order to ensure an unambiguous name. The Mail-in Database document should point to the main copy of the ADT database you created earlier.

Be sure to use the correct domain and server name to make sure that the messages are routed to the correct server. Once you have made the necessary changes, be sure to replicate the changes to all mail servers throughout your environment.

When you are sure your changes have replicated, send a test message into the ADT database from a Lotus Notes mail client. The message will appear in the Process Inbox under the Monitoring option on the ADT database, as shown below.

Figure 2-2 Automated Deployment Toolkit
Test the mail routing to the ADT database and delete the test message from the process inbox.

Note: Later in the process, when you are configuring ADT, you will populate the SMTP settings for ADT and will use the SMTP Tester program to test inbound message routing to ADT from an SMTP mail client.

2.2.15 Creating the ADT encryption key

If you are using the ADT User ID Generation component for a deployment or migration, you will need to create the ADT encryption key and install it in the ADT server’s ID file. ADT uses a special encryption key, ADTUserRegistration, to encrypt the user’s password on the user documents and the certifier password on the certifier documents in the ADT database. Before you can save any certifier documents or create any user ID files, you must create the encryption key and store it in the ADT server’s ID file, plus the ID files for any users who will create or edit any certifier documents or any user who will need to read the user’s ID file password from the ADT database.

Note: This is only required if you are performing a Lotus Notes client deployment or migration and have turned on the User ID Generation option within ADT.

2.2.16 Installing data migration tools

If you are performing a migration using ADT, you should now begin installation of the data migration tools you will be using along with ADT. Installation instructions for the migration tools supported by ADT are provided in installation supplements; please refer to the appropriate document for your migration platform.

2.2.17 Copying files to the Notes client installation set

When you configure ADT, you will be creating Lotus Notes client installation sets on servers throughout your environment. The Installer folder on the ADT installation CD contains files that need to be copied to each of the installation sets. By default, you must copy the notes6inst.exe files to each installation set.
If you wish to perform some additional file copy activities during the installation, you will also need to copy notesconfig.exe and notesconfig.ini to the installation sets. These steps are described further in the ADT Configuration Guide.

Note: Be sure to remove the Read-Only attributes on these files once you have copied them. This will eliminate any problems encountered when you attempt to update these files later.

2.3 Configuration

The ADT tool has been designed so that you should not have to modify the design of ADT in order to make it work in your environment. Most of the configuration options are maintained in documents in a Domino database rather than being hard-coded. The two major components of the ADT configuration are Lotus Notes client installation configuration and ADT database configuration. The remaining sections of the document provide instructions on how to create the necessary Lotus Notes client installation sets and get them distributed throughout your environment, plus detailed instructions on how to set the configuration options in the ADT database.

There are two types of configuration options in ADT:

- Global options: Options that affect the overall operation of the ADT process and processing options that affect all users processed by ADT. Examples of Global options are options defined on the ADT Configuration Profile and the mail message content sent to users.
- Functional options: Options that affect a functional area of the system of which there can be a single option or multiple options defined within ADT. Examples of Functional options are Installation Path, Installation Type, or User option configuration documents.

This topic has been described very thoroughly in the actual ADT Configuration Guide; please consult it for further information.

2.3.1 How to capture a Database Replica ID

You will need to have Database Replica IDs during the configuration.
Capturing the Replica ID of a database for cut and paste is unfortunately not as simple as it seems, as it cannot be selected within the normally accessed screens. One way to get the Replica ID is by opening the Notes client, selecting the database on the workspace, and choosing File -> Database -> Design Synopsis. On the screen that appears select Choose DB Info, check the box Replication, and click OK. This will give you a page similar to the one you see below.

Figure 2-3 Design synopsis of a Domino database

Chapter 3. Deploying the Notes client with Active Directory

Imagine getting a brand new computer without an operating system. You turn it on and then as if by magic you get an operating system, the Notes client, the Notes client’s desktop, and everything you might want on it. No, it is not magic, but a combination of Active Directory, RIS, Group Policies, and Organizational Policies in Domino. With the new policies feature of Domino you can configure different desktops for different groups of users as well. Creating a complete desktop with no one touching the machine represents a real reduction in the total cost of ownership.

To make this work for everyone, clients will need Windows 2000 or higher on their desktops, and Active Directory needs to be deployed as well. Your administrators will need to understand Group Policies thoroughly. Do not underestimate the complexity of this project. It can take a company many months to get it right. However, in these days of tight IT budgets, savings on support calls and desktop reconfiguration represent a real savings. So if you are migrating to Active Directory anyway, take the time and leverage Domino’s new desktop management features. You will not regret it.
3.1 Active Directory basics

You need to know some basics about the Active Directory so that you can deploy the Notes client using it. For more detailed information try the Microsoft Resource Kit for Windows 2000 as a starting point.

The following is a table that compares some Active Directory features and tools to their Domino counterparts.

Table 3-1 Active Directory components and their counterparts in Domino

| Term | Microsoft speak | Lotus speak |
| --- | --- | --- |
| Active Directory | A database that is a collection of objects and attributes associated with each. The database is divided into three partitions: Domain, configuration, and schema. Domain controllers of the same domain share the domain partition. Every domain in the forest shares configuration and schema partitions. All three partitions control the behavior of domains in a forest. | The Domino Directory is a collection of documents that contain fields and values for those fields that control the behavior of a Domino Domain. All servers in a domain share the same Domino Directory. |
| Administrative Tools | The Microsoft Management Console is a program whose functionality is enhanced through the use of “snap-ins”. Restricting the number of objects that can be viewed can control the scope of functionality, as well as use of the predefined administrative groups. A basic set of predefined MMCs to control a forest can be found by executing adminpak.msi. | Control of the Domino Directory is accomplished by the use of groups and entries in the Access Control List. Additionally, there is the Administrative client, Domino Administrator, which provides more tools for monitoring one or more domains. |
| Active Directory users and computers | An MMC console that controls the creation of users, groups, computers, and organizational units. It is also used to publish shares and printers, and change the nature of the domain from mixed to native mode, and to access the default group policy for the domain. | Registration of users, computers, and the creation of organizational certifiers is done through the Domino Administrator program. |
| Active Directory Sites and Services | An MMC console that controls replication and authentication and visualizes the topology of a forest. Sites, site links, and subnets are created here. | A server document identifies the Notes Named Network a server belongs to. Connection documents control the method and time of replication. Domino Administrator can visualize the topology. |
| Active Directory domains and trusts | MMC console that can be used to add new trust relationships or modify existing ones. | Cross certification of Domino Domains in the Domino Administrator is an equivalent here. |
| Global Catalog Server | A domain controller that has information not only from its own domain, but about 40% of the information that exists on domain controllers from other domains in the forest. Required for authentication in native mode. First machine in the forest is a GC. Others can be created in Active Directory sites and services. | Directory Catalog, Directory Assistance. |
| Flexible Single Master Operations (FSMO) | In a domain, one machine is in charge of three specific functions, can be one server but should not be, PDC emulation (downward domain controller compatibility), RID master domain controllers are multi-master and need a pool of IDs to hand out, and infrastructure master that handles user and group relationships. Be very careful here: Loss of a FSMO can lead to significant functionality being lost. Roles can be “seized,” but the original machine cannot be brought back. | Having the Domino Directory being authoritative on a server. |
| Native Mode | All domain controllers are Windows 2000. While there is a PDC emulator per domain, changes to users, groups, etc. can be made on any domain controller and synchronized every 5 minutes within a site and per schedule between sites. Other changes include the ability to nest group types and the addition of a new group type called universal. Change to Native is done once only. No going back to old BDCs. | Having the benefits associated with all servers being Version 6. |
| NTDSUTIL | The most important utility. Can only be used in AD restore mode, F8, at startup. Used to seize roles, perform authoritative restore, compact database, and move log files. Need to know this one cold. | Compact, Fixup. |
| Group Policy Objects | A collection of registry commands that can be used to control the desktop and capabilities of users. Can be implemented at site, domain, and OU levels. Notes clients can be deployed using this. Settings are kept in two places, sysvol and Active Directory. | Setup and organizational profiles in the Domino Directory. |
| Distributed File System (DFS™) | Stand-alone or domain controller based, it is the ability to have multiple share points appear as one. | Directory links. |
| Site | Collection of domain controllers from one or more domains located on the same physical subnet. Domain controllers are put in “the default first site” until moved. Replication is uncontrolled (every 5 minutes) and not compressed. Topology can be changed manually. Clients authenticate to domain controllers in the same site first. | Notes named network for mail. Connection documents for Domino Directory replication manually created or enabled for replication. |
| Site links | Links between domain controllers on different subnets. Frequency can be adjusted and availability of links controlled. When amount of data is substantial, data is compressed. | Connection documents. |
| Trust relationships | Ability to assign permissions to users and groups in other domains. Automatically created in 2000, they are bi-directional and transitive. | Complete cross certification of all Domino domains. |
| OU | Organizational units created in AD users and computers. No security context is given to an OU. Security can be applied to an OU via group policies and delegation of authority wizard. | OU does have a security context. |
| Schema Master | A server for the forest that controls the design of Active Directory. Disabled by default, only schema admins can make changes to the design. If the schema master is unavailable you cannot add Active Directory integrated software to the forest. When you do this a very large amount of replication will take place to inform all the domain controllers in the forest of the change to AD. Things go into AD when you change the schema, but they do not come out. | Templates, schema database. |
| Domain Naming Master | One server that records domains added to a forest. If you cannot make a domain controller a domain naming master, or if you cannot contact it, you are unable to add or remove domains from the forest. | Having a cert ID file to create a domain. Rights to the Domino Directory. |
| ADSI | Program tools used to change Active Directory. ADSI in the resource kit can be used to see if modifications to AD have occurred. | Notes API. |
| Dcpromo | Program used to make a server a domain controller. Invoked automatically on the primary domain controller when it is upgraded. Make sure W2K DNS is functioning properly or it will fail. | Install program. |

3.2 Using Group Policies to deploy the Notes client

Group Policies can be used to set the registries of Windows 2000 (and higher) machines. They can also be used to deploy software.
Software deployment using Active Directory is not a complete answer for many organizations. If you were to, say, use SMS, you could do hardware inventories and check licensing. Software deployment with Active Directory will not check how much disk space or memory a machine has. It will install the software or make it available to end users through publishing. This technique needs to be fully tested before full deployment. Be sure to consider such issues as bandwidth when placing packages on servers from which users will obtain software.

To demonstrate using Active Directory to deploy Notes 6, let us assume we have a small branch office and we would like to deploy the Notes software. We have Active Directory and a Domain Controller at the branch office. How can we install the Notes client on all of the workstations? First some assumptions:

- All of the machines at the branch office are Windows 2000 or better and have sufficient space for the Notes client.
- We have a file server and have placed a version of the Notes client software distribution files, configured the way we want, on a share point that all clients can get to. This share has at least read as a permission for authenticated users.
- Our administrators have rights to create Group Policies in Active Directory and child objects as well.

We first begin by creating an organizational unit in Active Directory users and computers. This OU can look like your Domino certifier hierarchy if you wish. We want an OU for our branch office so that we can apply Group Policies here that might be very different than elsewhere in our organization.

When Group Policies are evaluated, they start at the site level (see Table 3-1 on page 28 for the definition of a site), then the domain, then the OUs. Policies can cancel each other out as they get to the object they affect. The last policy determines the final setting of the user or machine.
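The evaluation order described above (site, then domain, then OUs, with the last policy applied determining the final setting) can be traced with a model that records which policy supplied each effective setting and which earlier policies it cancelled. The following Python code is an added example, not part of the Redpaper or of any Microsoft tool; the site, domain, OU, policy and setting names are constructed for illustration, and it models only the ordering rule stated above.

```python
# Added example: models only the ordering rule stated in the text
# (site, then domain, then OUs; the last policy applied wins).
# Every container, policy and setting name below is constructed for illustration.

# Constructed sample links: container -> policies in the order they are applied there.
LINKS = {
    "site:HQ-Site": [
        ("Site Baseline", {"screensaver_lock_seconds": "900",
                           "notes_client": "not deployed"}),
    ],
    "domain:example.local": [
        ("Domain Default", {"screensaver_lock_seconds": "600",
                            "password_prompt": "enabled"}),
    ],
    "ou:Branch Office": [
        ("Branch Office", {"notes_client": "assigned",
                           "screensaver_lock_seconds": "300"}),
    ],
    "ou:Branch Office/Kiosks": [
        ("Kiosk Lockdown", {"notes_client": "not deployed"}),
    ],
}


def evaluation_path(site, domain, ou_path):
    """Return containers in evaluation order: site, domain, then each OU top-down."""
    path = [f"site:{site}", f"domain:{domain}"]
    parts = ou_path.split("/") if ou_path else []
    for depth in range(1, len(parts) + 1):
        path.append("ou:" + "/".join(parts[:depth]))
    return path


def resolve(site, domain, ou_path, links=LINKS):
    """Apply policies in order.

    Returns {setting: (effective value, winning policy, [policies it overrode])}.
    """
    effective = {}
    for container in evaluation_path(site, domain, ou_path):
        for policy_name, settings in links.get(container, []):
            for key, value in settings.items():
                if key in effective:
                    # A later policy cancels the earlier one; remember who lost.
                    overridden = effective[key][2] + [effective[key][1]]
                else:
                    overridden = []
                effective[key] = (value, policy_name, overridden)
    return effective


def report(effective):
    """Format the result so an administrator can see where each setting came from."""
    lines = []
    for key in sorted(effective):
        value, winner, overridden = effective[key]
        note = f" (overrides: {', '.join(overridden)})" if overridden else ""
        lines.append(f"{key} = {value}  <- {winner}{note}")
    return lines


if __name__ == "__main__":
    for ou in ("Branch Office", "Branch Office/Kiosks"):
        print(f"Machine in OU '{ou}':")
        for line in report(resolve("HQ-Site", "example.local", ou)):
            print("  " + line)
```

In the constructed data, the policy on the nested Kiosks OU undoes the Notes deployment assigned at the branch office level, which is the kind of conflict that has to be traced when a machine does not receive the expected setting.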
Because we want the Notes client on every machine (note in our scenario there are no servers in this OU), we will create a policy at the branch office OU object. You could create additional policies further down in the hierarchy if you want to. The only penalties will be in additional logon time and complexity in resolving any client issues.

Figure 3-1 Selecting the branch office object

To create a Group Policy:

1. Select the properties of an OU (Figure 3-2 on page 36).

Figure 3-2 Select properties of an OU as a first step

2. The branch office object has a Group Policy tab to which we will add a new Group Policy. When giving it a name, be very careful to give it one that is unique to the location and purpose. We are calling our Group Policy Branch Office.

Figure 3-3 Group Policy tab

3. Note the unique name number on the General tab.

Figure 3-4 Branch office properties

4. Group policies are stored in two places: In Active Directory itself, where they are visible to everyone in the forest; and in the SYSVOL share of every domain controller of the domain they were created in. Figure 3-5 shows the contents of the SYSVOL share and a folder that has the settings of the Group Policies with a number identical to the property page of the policy itself. Because the group policies are visible to all, you need to manage who can use them. If, for example, an administrator from another domain in the forest decided to use your policy, the users from the other domain would look for a domain controller that contained the settings. This might mean going across a wide area network link to do so.

Figure 3-5 The physical location of the group policies on a domain controller

5. Another important aspect of Group Policies is permissions to read those Group Policies (Figure 3-6 on page 39).
The default behavior is to allow authenticated users to read Group Policies. If you did not want everyone who could log in to be impacted by a Group Policy, you would remove the ability to read about the policy in the permissions page. This can be a useful testing tool. You could create groups and allow them to read a policy. This could prevent impacting users in an adverse way. By all means test policy permissions carefully before putting them in a production environment.

Figure 3-6 Permissions page for a Group Policy

To distribute software, we will next create a software package in the Group Policy.

1. Begin by selecting edit of the Group Policy you want to modify (Figure 3-7 on page 40).

Figure 3-7 Edit the Group Policy object

2. Examine the properties of the software installation object (Figure 3-8).

Figure 3-8 Select the properties of the object

3. Examining the properties page will show you some of the capabilities of software deployment on a collection of computer objects in an OU. Selecting categories allows you to organize what people will see when they go into the control panel in Windows and use Add and Remove Software -> add New Software.

Figure 3-9 Property page for software installation

Notice the ability to remove software deployed by a policy. Group Policies have immense power as far as controlling application deployment.

We will next create a software package for Notes.

1. When we create a package, there are two ways of deploying it. We can install it on every machine (Figure 3-10 on page 42) before the users log on, or we can install it after a user logs into a machine that does not have the application and invokes a download by clicking an icon or file extension of the application (Figure 3-11 on page 42).

Figure 3-10 Creating a new package for every machine

Figure 3-11 A package for users of a Group Policy

2. The next step is to point to an MSI file for a software package. You should put all of the software that will be downloaded by users in an OU on a server that is close to them. For creating customized MSI files for Notes, see Chapter 1, “Customizing client installations with transform files” on page 1.

Figure 3-12 Selecting a package

3. Open the properties for the package. The General tab contains the name and other general information for the package.

Figure 3-13 Properties of the package

Tip: You could remove applications deployed by a Group Policy as well as install them.

Figure 3-14 Deployment options

4. Notice all of the information stored in the package. The property page also gives you the ability to uninstall the application if you wish (Figure 3-14), and to add InstallShield MSI files to the package as well (Figure 3-15 on page 44).

Figure 3-15 Adding an MSI file

5. If you want to control who can see a package in order to use it, that can be done through the Security tab of the property page. See the Microsoft documentation for best practices on Group Policy permissions.

Figure 3-16 Permissions for a software package

6. After you have deployed an application, you can return to the package and either remove it or redeploy it, if you made significant changes to it.

Figure 3-17 You have the ability to change versions and remove applications

You can use exactly the same steps to publish or assign an application for users. If you publish an application, end users will see the Notes client offered as a software application available for install (Figure 3-22 on page 49). If the application is assigned, the user would have the download occur if she clicked the Notes icon or tried to open an NSF file.

3.2.1 Summary

With the new support for MSI files in the Notes 6 client, it is not only easy to customize the installation package, but it is also possible to use Active Directory to deploy the software. Remember that software deployment with Group Policies does not deal with getting hardware or software inventories from clients. To get those features you would need a fully featured software distribution program. This technique of software distribution might be an ideal solution for companies that have Active Directory and want to use Domino and Notes but do not require the full feature set of Tivoli or SMS. It can help bring down the cost of deployment, a benefit worth working toward.

3.3 Installing non-MSI applications

Group Policy software distribution is not limited to software packages that use MSI files. You can publish non-MSI based software by creating what is referred to as a ZAP file. Say, for example, you are still on Notes 5.0.x and want to roll out the Domino Unified Messaging Client. You would create a share point for the DUCS software, making sure that the licensing components are available. You then need to create a text file with a .zap extension that contains information like that in the following sample.

    [Application]
    ; Only FriendlyName and SetupCommand are required,
    ; everything else is optional.

    ; FriendlyName is the name of the program that
    ; will appear in the software installation snap-in
    ; and the Add/Remove Programs tool.
    ; REQUIRED
    FriendlyName = "DUCS Client Software for Avaya"

    ; SetupCommand is the command line used to
    ; Run the program's Setup. If it is a relative
    ; path, it is assumed to be relative to the
    ; location of the .zap file.
    ; Long file name paths need to be quoted. For example:
    ; SetupCommand = "long folder\setup.exe" /unattend
    ; or
    ; SetupCommand = "\\server\share\long _
    ; folder\setup.exe" /unattend
    ; REQUIRED
    SetupCommand = "setup.exe"

    ; Version of the program that will appear
    ; in the software installation snap-in and the
    ; Add/Remove Programs tool.
    ; OPTIONAL
    DisplayVersion = 1.1

    ; Publisher of the program that will appear
    ; in the software installation snap-in and the
    ; Add/Remove Programs tool.
    ; OPTIONAL
    Publisher = IBM Lotus Software

After you create the file, you would put it into the folder where the application resides. Once it is in place, you can create a software package for users that you can publish. Figure 3-18 shows selecting a ZAP file located on the distribution share point.

Figure 3-18 Make sure under file type you select zap as the file type

You have the option of publishing or advance publishing. See the Microsoft documentation for a further explanation of these options.

Figure 3-19 Select the Publishing option

Since there might be several hundred packages to choose from, you might elect to give your package a unique category. This is done under the machine software installation (Figure 3-20).

Figure 3-20 Categorizing a software package

Figure 3-21 Lotus applications category has been selected

Assuming a user has the rights to read about the software package, Figure 3-22 shows what he would see if the user had a Windows 2000 or higher client. Notice that some of the information we placed into the ZAP file appears here.

Figure 3-22 Selecting an application

Figure 3-23 shows the different categories and software available to this user.

Figure 3-23 Multiple categories for software in add/remove programs

Tip: For further information about creating ZAP files see Microsoft Knowledge Base article 231747.
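Because a published ZAP file tells every client which setup program to run, it is worth checking the file before it goes on the distribution share. The following is an added example, not part of the Redpaper or of any Microsoft tool: a small Python linter for the ZAP format shown above that enforces the two REQUIRED keys and reports where SetupCommand will actually resolve. The share path \\fs01\dist\ducs and the function names are assumptions, and the drive-letter warning is a heuristic.

```python
import configparser
import ntpath
import re

# Constructed sample: the page's ZAP file with most comments trimmed.
SAMPLE_ZAP = r'''[Application]
; REQUIRED
FriendlyName = "DUCS Client Software for Avaya"
SetupCommand = "setup.exe"
DisplayVersion = 1.1
Publisher = IBM Lotus Software
'''
REQUIRED = ("friendlyname", "setupcommand")  # configparser lower-cases keys
PROGRAM_RE = re.compile(r"^(.*?\.(?:exe|bat|cmd|com))(?=\s|$)", re.IGNORECASE)


def split_setup_command(value):
    """Return (program, properly_quoted) for a non-empty SetupCommand value."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end > 0 else value[1:]), end > 0
    match = PROGRAM_RE.match(value)
    return (match.group(1) if match else value.split()[0]), False


def lint_zap(text, zap_path):
    """Return (findings, effective setup path) for ZAP text stored at zap_path."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        app = parser["Application"]
    except (configparser.Error, KeyError):
        return ["no parseable [Application] section"], None
    findings = [f"missing required key: {key}" for key in REQUIRED
                if not app.get(key, "").strip()]
    command = app.get("setupcommand", "").strip()
    if not command:
        return findings, None
    program, quoted = split_setup_command(command)
    if command.startswith('"') and not quoted:
        findings.append("SetupCommand has an unterminated quote")
    elif not quoted and " " in program:
        findings.append("SetupCommand path contains spaces but is not quoted")
    drive, _ = ntpath.splitdrive(program)
    if not drive:  # relative: resolved against the folder holding the .zap file
        program = ntpath.join(ntpath.dirname(zap_path), program)
    elif not drive.startswith("\\\\"):  # assumption: drive letters resolve on the client
        findings.append("SetupCommand uses a drive-letter path")
    return findings, program
```

The returned path is the location whose share permissions decide which binary each client runs, so it is the one to compare against the read-only distribution share.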
3.4 Summary

If you have Active Directory, Domino and Notes can take full advantage of it. Software can be deployed and used in conjunction with Domino policies to fully deploy your new Notes clients.

This IBM Redpaper describes how to distribute Notes clients automatically. The paper is not a complete guide on Notes client deployment; rather, it is a collection of information about some of the different technologies that can be used for deploying Notes clients automatically. The basic idea behind automated software distribution is to make installing multiple clients more efficient.

We begin by explaining how to use InstallShield Tuner for Lotus Notes to create customized Notes installation packages. We guide the reader through the process of customizing an installation of Lotus Notes using that technology.

We then describe how to use Automated Deployment Toolkit (ADT), which is an automated, managed system for deploying, upgrading, or migrating an existing messaging system to Notes R5 and Notes 6. The final chapter describes how to use Active Directory for deploying Notes clients.