10 Critical Policies and
Other Tweaks to Boost
Notes Performance
Andy Pedisich
Technotics
© 2012 Wellesley Information Services. All rights reserved.
In This Session ...
•
•
Policies make it easier to administer the users in your domain
 If you have never used policies, or if you have used them
sparingly this is a great time to start
 There have been many improvements to deployment
 Plus you missed some of the problems of early releases
This session will help bring you up to date by:
 Doing a quick overview of the basic
configuration concepts
 Focusing on configuration best practices
and the most powerful tools in the
policies system
 Troubleshooting problems with policies
1
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
2
There Are Two Important Components of Policies
•
The two components of polices are:
 Policy settings documents
 They define the configuration of what you are managing
 Policy documents
 Policy documents control how the policy settings are applied
throughout your user population
 Organizationally to all or part of a certificate hierarchy
 To individual users explicitly
 Dynamically to members of a group
 They can specify only a single policy settings document per
category
3
A Policy Document with Policy Settings Specified
4
Components of Policy-Based Management in Lotus Notes
•
•
Policy settings are configurations you want to apply to your users
 These settings are organized by functionality
 For example, all registration settings are in one settings
document, while archive settings are in another document
The types of settings documents have increased since their
introduction
 Five types of settings documents in ND6
 Six types in ND7
 Nine types in ND8.0.1
 Ten types in ND8.5
5
The Role of the Policy Document
•
Policy documents connect the settings documents to users and
determine who gets what settings
 They can follow the organizational hierarchy
 They can be applied to specific users or groups
 So that you can apply settings across organizational
boundaries
 This makes them flexible enough to handle many different
requirements

Let’s look at the policy settings documents
6
10 Types of Policy Settings Documents
•
•
•
1. Registration settings documents
 Used with the registration process in the Admin client
 Predefine all user registration options
2. Set up settings documents
 Occurs once — during Notes client setup
 Controls the initial Notes 6 client configuration
 You probably won’t use these because of changes in the
Release 8 policy setting options
3. Desktop settings documents
 Applied by the dynamic configuration process on the client
 Controls settings in the user environment
7
10 Types of Policy Settings Documents (cont.)
•
•
•
4. Mail settings (new in ND7)
 Control user mail preferences in the mail profile document in
each user’s mail file
5. Security settings
 Controls client Execution Control Lists (ECLs), password
management, and ID Vault settings for the user
 Password management settings are applied by the dynamic
configuration process on the client
 Settings for ECLs determine when the ECLs are applied
6. Archive settings
 Settings are applied to the server-based mail database
by the dynamic configuration process
 Provides for both archiving and document retention
8
10 Types of Policy Settings Documents (cont.)
•
•
•
•
7. Traveler settings (new in 8)
 Configures mobile devices using Lotus Traveler
8. Activities settings (new in 8)
 Apply only to environments with Lotus Connections server
running Activities
9. Productivity Tool settings (new in 8)
 Controls the availability and behavior of the Symphony
Productivity Tools within the Notes environment
10. Roaming settings (new in 8.5)
 Controls roaming configuration for users who keep their
roaming files on a file share
9
Policy Settings You Will Use Often or Rarely Use at All
Policy Setting
Use Cases
Reason
Archiving
Seldom
Only if you use Notes archiving
Desktop
Frequent
Controls hundreds of settings on the client
Registration
Frequent
Makes registration a lot easier
Mail
Frequent
Controls dozens of mail settings
Security
Frequent
Important for ID vault and password settings
Setup
Almost never
Most sites skip Setup settings in favor of Desktop settings
Connections
Conditional
You won’t use these unless Activities/Connections deployed
Lotus Traveler
Often
Almost every site has deployed or is testing Traveler
Roaming
Rarely
This allows roaming on a file server – a very narrow use
case
Symphony
Conditional
Only if you’ve deployed Productivity Tools – not a bad idea
10
An Issue You Might Be Experiencing
•
•
During some upgrades of the Domino directory design, we’ve
seen instances where the “newer” Release 8 policy settings
document were missing
 Or there were duplicates listed
The missing ones prevented you from taking advantage of these
new policies
11
The Duplicates Made Policy Documents a Mess
•
Duplicates caused duplicate settings to appear in policy
documents
12
Caused by Extra Docs in the $PoliciesExt View
•
As it turns out these “extra” or “missing” policy settings were
caused by duplicate or missing documents in the $PoliciesExt
view
 Access this view using Ctrl-Shit as you click the Go To… menu
option
13
IBM Keeps the Newer Policy Specs $PoliciesExt
•
If you have duplicates, remove one of each type of document
 If you have no Release 8 settings available, copy the four from
the $PoliciesExt view in PUBNAMES.NTF into this view and the
policy settings will appear in your menu system
 I think IBM took this approach so they could dynamically add
more settings rather than hard-code them into the client
 Sometimes it breaks during the redesign
14
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
15
Building Policy Settings
•
Policy settings are configurations that will be applied to users
 Among other things, this desktop settings document configures
the Notes client to display the sidebar and not hide any of the
default sidebar components
16
There Are Hundreds of Policy Settings
•
Policy settings documents hold dozens of configuration settings
 Some are fields that hold values you must provide
 Some have drop-down boxes
 Some are check boxes
17
You Can Control How Each Setting Is Applied
•
Configuration settings in policy settings documents can be fine
tuned in how they are applied
 You can decide when to turn on inherit and enforce options
 Let’s talk about these settings next
 We’ll talk about “how to apply this setting” later
18
Inherit and/or Enforce the Configuration Settings
•
These two checkboxes are the most misunderstood by almost
everyone who deploys them
 It’s critical that you understand them
 They change the way policy settings are applied
19
Let’s Clarify Inheritance vs. Enforce
•
•
Let’s try to cover some basics in policy application to help clarify
the inheritance and enforce functions
Consider the following example organizational structure:
 /Domlab
 Is the root organizational level certifier for the enterprise
 /EU/Domlab
 Is the OU1 certifiers representing Europe
 /Sales/EU/Domlab
 Is the OU2 certifier representing the European Sales division
20
Organization Levels and Policies
•
•
•
Each level can have their own unique policies and policy settings
Create three different organizational policy documents, each with
its own unique policy settings documents for:
 */Domlab
 */EU/Domlab
 */Sales/EU/Domlab
This is a very simple structure
 But if any of the settings are the same for these three levels you
can take advantage of the power of inherit and enforce
21
Looking at Policy Settings Without Inherit or Enforce
•
Let’s register Joe User/EU/Domlab
 The /Domlab organization registration policy settings
documents sets 2GB quota
 EU/Domlab OU1 registration policy settings document doesn’t
set a quota for mail files
 Joe User’s mail file will be configured with no quota
/Domlab
EU/Domlab
22
How Inherit Affects a Policy Setting
•
Inherit means to take the setting from a higher level in the
hierarchy, for example:
 /Domlab user registration policy sets a database quota of 2GB
 And there is also an EU/Domlab registration policy setting
 Which inherits the setting from a parent policy
 Joe User/EU/Domlab’s mail file will inherit the setting and
will have a 2GB quota
/Domlab
EU/Domlab
23
How Enforce Changes How Policies Are Applied
•
•
Enforce does not do what I thought it would do at first glance
 I first thought it would force someone to have a certain setting
and that they were unable to change it – I was totally wrong
 Enforce actually means to take the setting from an upper
level and make it the same all the way down the
organizational branch
For example, if the /Domlab policy indicated that passwords had
to be a strength of 8, and enforce was turned on:
 All other OUs below /Domlab would set password strength to
an 8
 This would include EU/Domlab and Sales/EU/Domlab
24
Summing Up Policy Hierarchy Inheritance and Enforce
•
•
•
Each setting has inherit and enforce options
Inherit and enforce only have meaning where there are multiple
layers of organizational or dynamic policies
 Setting with inherit will apply the setting from the level above
 But will not apply to the levels below unless enforced
 Setting with enforce will always be obeyed at all lower levels
EU/Domlab could be configured to inherit from /Domlab and
enforce to all organizations below
 Settings would be forced on Sales/EU/Domlab
25
The Power of Inherit and Enforce
•
•
Inheritance and enforcement of policies can be used to push
enterprise standards through your entire organization
 This can have a major affect on your domain because important
settings such as password strength can be set consistently
with very little effort using policies
But if your Domino domain certification levels are flat, with just
one level like /MyCompany, then forget about inherit and enforce
 You can’t use them
 There is no mechanism to inherit from or enforce downward
through the hierarchy if you don’t have a hierarchy
26
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
27
Types of Policy Documents
•
•
•
There are several important types of policy documents
Organizational policy
 Follows the certifier structure such as Sales/EU/Domlab
Explicit policy can be applied to:
 Individual person documents
 People in groups
 Not directly to groups, but to the people in groups
 Groups
 An explicit policy that is applied to a group is known as a
dynamic policy
 The assignment of explicit policies requires a bit more
explanation
28
Once Again, Organizational Policies
•
Let’s look at a very simple organization structure to see the power
of organizational policies
 Register users consistently in
the EU/Domlab level by creating
an organizational policy
*/EU/Domlab
 And include a registration
policy settings document
 Those registration settings
will be used automatically
 But they can be changed
at registration time
29
How About Desktop, Security, and Archiving Settings?
•
With all the policy settings documents to
the right, settings are applied to all the
members of the hierarchy
 And if you move a user to a different
hierarchy, these policy settings are reset according to the policies setting
document of the new hierarchy
 The new policy settings become
effective the first time users
authenticate with their home server
30
Explicit Policies
•
An explicit policy applies to a collection of users that cross
organizational boundaries
 Before Release 8, explicit policies could be assigned only to
individuals in their person documents
31
Assigning Policies to Groups Was Limited
•
•
It was possible to assign explicit policies to groups
 But all that happened was that the “current” members of the
group had the policy assigned in their person document
 If new members were added to the group, the policy was not
applied to them
This major shortcoming was corrected in Release 8
 You can now apply policies to groups, and when the group
changes, the policies are re-applied to the new members
32
Using the Policy Assignment Tool for Explicit Policies
•
As a general rule with 8.5, using the policy assignment tool to
assign an explicit policy to selected users or a group would not
be the optimal way to do it
 If you try to assign policies that way, Notes will display this
screen reminding you of new functionality in Release 8.5
 Be sure to read this very carefully
33
Moving to the Next Step in Assigning Explicit Policies
•
If you continue to try to assign an explicit policy in Release 8, you
are asked whether you want to assign it the old way
 Which means iterating through the list of names (or the
selected names) and changing person documents
 Or the newer way of changing the policy documents
themselves
34
Creating a Dynamic Policy
•
Release 8 policy documents can be directly assigned to multiple
users and groups
 You can even use an auto-populated group
 We’ll talk about those special groups in a moment
35
New in Release 8.5 — Dynamic Policies
•
Dynamic policies are created as explicit policies
 But rather than being assigned to a person, they are assigned
to a group in the Domino Directory
 Since group membership changes over time and is flexible,
the dynamic policy that a user is assigned can potentially
change day by day
 This feature is new with ND8.5, but will work as long as
your servers are 8.5 or higher and your clients are 8.0.1
or higher
36
Applying Dynamic Policies
•
As mentioned, if your servers are 8.5 and your clients are 8.0.1 or
higher, then you can take advantage of group-based
dynamic polices
 In many organizations these will take the place of explicit
policies and may even take the place of organizational policies
 You may use these with the new auto-populated group
feature in 8.5 that will generate groups based on home
servers automatically
 But you can actually use them with any group
37
Auto-Populated Groups
•
Auto-populated groups are new in Notes and can be used
with policies
 So far the auto-population is strictly based on the members
having a particular home server
 Perhaps this will be expanded in a future release
38
Working with Auto-Populated Groups
•
•
Auto-populated groups can be used anywhere you’d use a group
 You can nest them in other groups
 Use them on ACLs
 Use them as a mailing list
Members are added and maintained by the Domino server’s
update task
 The default update interval is 30 minutes
 You can modify it in the Domino directory profile
39
Selecting User Home Mail Server Has Helpful Options
•
Specify the home server designated as mail server for the users
 You can specifically include additional users by entering them
manually
 And you can exclude members manually as well
 Changes to the “Members” field are automatically
performed by the Domino update task
40
Update Task Fills in the Details on Members
•
The update task completes
the adding of group members
 You cannot modify the
group members
 But you really don’t want
to, because this autopopulated group is going
to be controlled by the
user’s home server entry
Members are automatically
added based on mail server
assignment
41
Auto-Populated Groups Automatically Create Subgroups
•
•
•
When an auto-populated group becomes too large (beyond the
32KB limit for a text field), subgroups are automatically created to
hold all of the members of the group
 These are also auto-populated
The subgroup names have the following format:
 auto-populated group name>-AP<#####>
 ###### would be a number preceded by zeros
If the auto-populated group name is USMailMembers, the first
subgroup for that group would be called
 USMailMembers-AP00001
 This would be nested into the original USMailMembers group
42
Dynamic Policies Are Another Kind of Explicit Policy
•
When creating a policy document, selecting an organizational
policy hides the tab for the policy assignment and precedence
 Selecting an explicit policy lets you access the policy
assignment configuration tabs
 Use these dynamic policies in place of assigning an explicit
policy to individual users where appropriate
 It will eliminate the granular process of keeping track of
users who have been assigned an explicit policy
43
Dynamic Precedence Is Key
•
•
In a few moments we’re going to talk about how effective policy is
calculated
The precedence of dynamic policies will affect how they are
applied to a user
 Which dynamic policy will “win” and be applied if there are
several that are configured for the same person?
44
The Importance of Precedence
•
Which dynamic policy will “win” and be applied if there are
several that are configured for the same person?
 Answer: If there are two dynamic policies with different options
for the same setting, the user will receive the setting of the
policy with the highest precedence
 A policy with a precedence of 1 beats a policy with a
precedence of 2 or 3
45
Let’s Put It into Perspective
•
•
Here’s an exact quote from the Release 8.5.1 Administrator’s help
that will help you understand the nature of dynamic policies
 The lower the precedence number, the higher the precedence,
and the higher the precedence number, the lower the
precedence
 For example, a precedence of one (1) indicates the highest
precedence, and a precedence of two (2) or any other number
greater than one (1) indicates a lower precedence
And here’s the kicker:
 By default, when a new dynamic policy is created the policy is
assigned to the end of the existing precedence order
 Confused? Don’t be. It’s easy to change precedence!
46
Change Precedence in the Notes Administrator Client
•
Use this procedure to manually set policy precedence:
 From the Domino Administrator, click People and Groups 
Policies  Dynamic Policies
 Select the policy for which you are increasing or decreasing
precedence
 Click the Increase Precedence or Decrease Precedence buttons
accordingly
 Repeat for any other policy precedence changes you need to
make
47
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
48
What Kind of Policies Should I Use?
•
•
Since users can have many settings documents apply to them
because of multiple levels of hierarchical policies, explicit policies
and dynamic policies, simplicity of design is critical
Tailor your policies’ use to your environment
 If your organizational structure matches your functional needs,
then use organizational policies
 If you are using ND8.5 and can take advantage of dynamic
policies, then use them
 Lastly, if you have users with specific needs that don’t fall into
the above categories then use explicit policies
49
Simplicity in Policy Strategy
•
In a perfect world you could use a single Organizational Policy
applied to your ORG level; all policy settings documents apply to
everyone in your Org
 The more layers of policies you add, the more complex your
administration becomes and the more likely you are to have
unintended consequences
50
A Safe, Low-Risk Methodology When Implementing Policies
•
When introducing policies, think in three stages
 Proof of concept
 Introduce the settings using an explicit policy on just a few
 Make sure you can back out of any policy
 Piloting the policy
 Expand the policy to affect a group
 Then expand the group to 50 to 100 users
 Make sure you get plenty of feedback on the effects from a
number of participants
 Full policy implementation
 While it depends on the policy, this generally involves a
change to an organizational policy and affects large numbers
51
#1 – Registration Settings
•
Registration settings are probably the first and easiest set you
should implement
 They are in action only during the process of registration
 They standardize your new user creation process
 The registration process is dramatically sped up because
almost every field is pre-populated with the correct values for
the user
 They have no impact on existing users
52
Correct Settings Are Magically Applied
•
Organizational level policy’s registration settings are
automatically in effect
 But you can also select a default explicit policy
53
Simplified User Registration
•
•
With policies, administrators can predefine all user registration
options
 Password quality
 Internet address format
 Mail file creation/template/server
 Certificate expiration
 And more!
In theory, you could register a user without checking the
“Advanced” box!
54
Mail Settings
•
•
Mail settings were introduced in ND7
The mail settings document allows you to control the values in a
user’s mail preferences/calendar profile document
 Virtually every value in the preferences document is
configurable
 This is extremely valuable in lowering support costs, since
there are many support calls from people about the
configuration choices in their calendar profile
55
Mail Settings Update Process
•
•
•
Mail settings use a different update process than setup and
desktop settings, since they are acting on the mail file that resides
on the server
Mail settings are updated via AdminP
 Every 12 hours AdminP evaluates person documents and
policy documents to see if it needs to process the policies and
update users’ calendar profiles
 You can trigger an update with the “Tell AdminP Process
MailPolicy” console command
Be aware that once you implement the mail settings document it
will apply to ND6 mail files as long as your servers are at least R7
 This may be a very good thing, or it may have the unintended
consequence of modifying your un-upgraded users’ calendar
profiles
56
Critical Settings in Mail Policy Settings Documents
•
The majority of settings in the mail settings form indicate
preferences, but the following have significant impact on support
calls and administration:
 #2 – Allow Users to Change Mailfile Ownership
 Don’t allow this, it only leads to trouble
 #3 – Displaying Calendar Entries in Mail Views
 It’s important to set corporate standards
here, though you aren’t required to
lock these down
 These settings always cause confusion
for users when they are changed
57
Critical Settings in Mail Settings
•
#4 – Default Reservation Settings for choosing Site
 Resolves an issue that most users, including myself, hate —
when an organization has many sites
 Be aware that this setting is only effective if your organizational
hierarchy or explicit policies match up with your resource
reservation design
58
Critical Settings in Mail Settings (cont.)
•
#5 – Message Disclaimer
 Not to be ungrateful, but IT’S ABOUT TIME!
 Since the disclaimer is defined within a policy, you can apply
different disclaimers to different populations within your
organization
59
#6 – Mail Disclaimer – Client or Server?
•
To reduce the burden on your servers, enable the client for adding
disclaimers
 This will also allow for the addition of disclaimers to
Secure/MIME (S/MIME) and encrypted messages
 The server will attempt to add the disclaimer to encrypted
messages, but this tends to result in corrupted signatures
and encryption
 If the client isn’t enabled to add the disclaimer, the server will
take care of it
60
#7 – Message Recall
•
If you’ve made the decision not to roll out message recall, it’s
important to remove the button from the sent folder that says
“recall message”
 The alternative is to field a lot of help desk calls about why
you’re not using this feature
61
Saying No to Message Recall
•
This valuable mail policy setting will actually remove the button
from the sent view
 Of course, you can also craft your policies so that only certain
users are permitted to recall messages
62
Desktop and Setup Settings Documents
•
•
The Desktop and Setup settings are what control the behavior of
the desktop once you hand it to the user
 Prior to ND8, the setup settings were used to set default values
at setup time for the client
 ND8 changes the way settings are applied so that the setup
settings document is no longer required (once all your clients
are ND8)
By ND8, virtually every single setting and preference on the client
is configurable from the desktop settings document
 These documents are the most important and also the most
time consuming to configure since they control so much
63
#8 – Mail Template Information During an Upgrade
•
•
•
This area of the form is
sometimes called “Seamless
Upgrade”
It controls the automatic upgrade
of mail templates — and it works
great!
When a workstation is upgraded
or if the setup variables in the ini
file are reset, the workstation
evaluates the settings in
this area
64
Mail Template Information
•
The seamless upgrade triggers a convert on the server so that the
client/network isn’t bogged down with the task
 The convert will specify the template that is referenced in the
table for the specific release that the user is on
 The user cannot enter Notes until the convert is complete
 Even if the release of the client matches the template indicated,
the convert will still run
 But it won’t have any work to do, so it will complete quickly!
65
Mail Template Information (cont.)
•
•
•
Of course you want to upgrade
the design of custom folders
And never prompt users for
anything if you can help it
You may want to set up a
mail-in database to be notified
about mail upgrade status
66
Critical Settings for Diagnostic Collection Options
•
•
•
#9 – Make sure to enable the Diagnostic Collections setting,
regardless of your release
To avoid confusing users, set the following to “No”:
 “Prompt user to send diagnostic report”
 “Prompt user for comments”
Thanks to a new analysis task
in ND7 this is my favorite
feature in the upgrade
67
Critical Settings for Diagnostic Collection Options (cont.)
•
•
•
You must set up a mail-in database to collect the reports
 Use the Lotus Notes/Domino Fault Reports template
The default max size for diagnostic files is 10MB, though these
reports are seldom over 1MB
 Be aware that if 1% of your users crash every day and you have
10,000 users, this database could get 100MB of reports/day
 That adds up fast!
Once you have the data then the fun comes in with doing analysis
and troubleshooting
68
Security Settings
•
Security settings are an area where there is tremendous benefit in
standardizing
 You have audit requirements that say how everyone should
be set
 Without policies it is very difficult to validate and control
users’ security settings
 Policies make this part easy!
69
Security Settings (cont.)
•
These key types of security settings controlled by policy
 Password Management
 Notes ID and HTTP Password
 Key Management and Rollover
 Execution Control Lists (ECLs)
 ID Vault (ND8.5)
 Windows Shared Login (ND8.5)
70
#10 – Security Settings – Password Management
•
From here you can control:
 Detailed password quality
 Types and number of
special characters, etc.
 Server password checking
 Can override settings in the
person document and
eliminate the ability to use
the “lock out” setting in the
person doc
 ID file encryption to comply with FIPS
(8.0.1)
 Federal Information Processing
Standards
 Password expiration
 Sync of Internet and Notes passwords
 Internet password lockout
71
#11 – Force Network Compression
•
Unlike encryption, which only needs to be set on the server,
network compression needs setting on the client
 And it’s a good idea to lock it down
 You’re the admin, you get to say what happens
72
#12 – Hide the Things You Don’t Use
•
If you don’t support it, don’t show it to the users
 It’s your choice if you want to lock it down
73
#13 – Contact Configuration
•
Synchronize contacts via the replicator
 Everyone should do this
 Recent contacts need to follow your support and help desk
preferences
74
#14 – Encrypt Locally
•
Please! Just set initial value.
75
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
76
Dynamic Client Configuration
•
•
•
Before we get into specific troubleshooting situations we need to
go over the way the client applies the policies
Client-side task that runs whenever the client authenticates with
their home server
 Task name is Ndyncfg.exe
 Looks for changes to client configuration based on a hash of
key information in the policy documents
 And in ND8.5 it also takes group membership into account
Can be disabled with ini parameter — though why you would want
to do this on any machine other than your own I’m not sure
 DisableDynConfigClient=1
77
Dynamic Client Configuration (cont.)
•
•
How policies are applied
 The process for determining when updates are pushed to the
client changes across releases
 But you can generally assume that any time the policy is
changed on the server it will be pushed to the client
A big change that occurred in 8.0.1 is that effective policies are
now calculated on the server rather than on the client
 Policy information is stored in documents available through the
$policies view in local address book
 Form does not exist to support viewing the documents
78
Dynamic Client Configuration (cont.)
•
The information is stored in the Personal Address book for the
user in the $policies view
 Good to delete them all if you’re having issues
79
Dynamic Client Configuration (cont.)
•
•
You can force dynamic client configuration to run by launching
the executable directly
 This doesn’t seem to do anything in earlier versions of 6.5.x,
but in more recent versions it will actually update settings
 The Notes client must be up and running for this to work
Open a system prompt and move to where the executables are
installed on the workstation
 Execute the command NDYNCFG.EXE
 It is not case sensitive and the EXE extension is optional
80
Troubleshooting Policies
•
The tools you will use to troubleshoot policies include:
 Policy Synopsis tool
 Admin Client Policy Viewer tool
 ($Policy) view in user’s names.nsf
 Local INI debug parameters
81
PROBLEM: No Settings Are Applied Whatsoever
•
•
To troubleshoot an individual workstation, confirm that the local
names.nsf is using the correct ND6/7/8 design
 Since this functionality has been enhanced in each release if
names.nsf has an old design it will be broken
Open the local names.nsf and then open the hidden $Policies
view
 There should be a copy of all the settings and policy
documents that apply to the user
 If the view is empty, then the NDYNCFG.EXE is either not
running, broken or is being blocked
82
PROBLEM: No Settings Are Applied Whatsoever (cont.)
•
If there are no policy documents displayed in the view, open the
user’s LOG.NSF and confirm that NDYNCFG.EXE is running
 You will see entries that look like:
83
PROBLEM: No Settings Are Applied Whatsoever (cont.)
•
•
If Dynamic Config is running here are some things to check:
 The problem is often a personal firewall that is blocking the
executable
 If a user has the wrong public key in their person document it
will prevent policies from being downloaded
 Check to make sure that the user’s location documents are
configured correctly, especially their home mail server
Some options to try if ndyncfg isn’t running are:
 Try stripping the ini and setting up the workstation again
 If Dynamic Config still fails to run, uninstall/reinstall Notes (this
almost always resolves the problem)
84
PROBLEM: Policies Seem to Be Incorrectly Applied
•
There are two tools in the Domino Administrator that are helpful in
establishing what the effective policies for a user are:
 The policies interface on the configuration tab of the
Administrator client
 Gives a nice GUI for assessing effective policies
 There are situations where this doesn’t present accurate
information (TN: 1386245)
 Policy synopsis on the People & Groups tab
 Much more detailed information on how policies are derived
 Not a great graphic user interface (GUI)
 Some other situations where this doesn’t present accurate
information (TN: 1386250)
85
PROBLEM: Policies Seem to Be Incorrectly Applied (cont.)
•
•
•
The tool in the config tab is very effective in determining the
derived settings for an individual
 Policy synopsis
Use this tool first to see if your expectations are correct or if the
settings themselves are incorrect
 Select Policies-By Hierarchy
 Select Specific User (then pick the user)
 Select Effective Policy
You can now see what the derived policy should be for the user
 This will help determine if there is a problem with the
workstation or with the settings themselves
86
Troubleshooting Additional Tools
•
•
•
You can also enable debug parameters in your Notes client
NOTES.INI that may give you insights on what the problem is
 These should only be used for troubleshooting:
 Debug_policy=2
 Debug_Dynconfig=1
 Debug_ClientRecord=1
Use these with Debug_console=1 to get a glimpse into a console
that displays the inner workings of Notes
Use these with Debug_outfile=(filename) to capture all the
debugging into a file to be examined later
87
Rich Output from Debug Parameters
•
Using the debug options will provide a wealth of information as
the client sifts through the policy data
 Use this only when in an extremely difficult situation and must
have more data
 And try not to complain about how much data is produced
88
What We’ll Cover …
•
•
•
•
•
•
Taking a run through types of policy settings documents
Inheriting and enforcing policy settings
Applying policies to users and groups
Nailing down the 10 policies every domain should use
Troubleshooting policies
Wrap-up
89
Additional Resources
•
•
•
•
Administrator Help
Timothy Speed and Terry Fouchey, “Creating Mail policies in
Lotus Notes/Domino 7” (developerWorks, April 2006).
 www-128.ibm.com/developerworks/lotus/library/domino7-mailpolicy
Using a Desktop Policy to set notes.ini and Location parameters
 IBM technote 1196837
 www-1.ibm.com/support/docview.wss?rs=463&uid=swg
21196837
Domino Wiki (A number of awesome articles on policies)
 www-10.lotus.com/ldd/dominowiki.nsf
90
7 Key Points to Take Home
•
•
•
•
The “enforce” option in a policy settings document controls how
settings are pushed down through the hierarchy and does not
necessarily “force” the user to have a setting that can’t be
changed
Auto-populating groups is a great way to automatically include
everyone from specific mail servers in a group
Dynamic policies link a policy to a group and are the preferred
explicit policy type in R8.x
When introducing new policies, always put through proof of
concept with an explicit policy before turning it on domain-wide
91
7 Key Points to Take Home (cont.)
•
•
•
The “set initial value” setting eliminates the need for setup
policies in Release 8.5.x — but make sure all servers are on that
same release
Be sure to use seamless upgrade to automatically upgrade a mail
file to the template of the newly upgraded release
Start collecting client crash diagnostic reports today, but it’s not
necessary or even helpful to prompt the user for comments
92
Your Turn!
How to contact me:
Andy Pedisich
Andyp@technotics.com
www.andypedisich.com
93