Open Mic: Rename Best Practices for SmartCloud Notes Hybrid Administrators. Matt Gray David Workman SmartCloud Notes Support September 21, 2016


2 2016 IBM Corporation 2

3 Agenda - Hybrid Rename
- What is a Rename?
- How to trigger a Hybrid User rename
- Name/Rename Artifacts
- How to Prepare for a Hybrid Rename
- Rules for Renaming a user
- Rename Report: Common errors
- Overview of the Rename process
  - On-premises
  - In Service
- Must-Gathers for Renames
- Examples of validating the User ID in the Vault
- Additional Notes on User ID files
- Summary
- Hybrid Rename Process
- References
- Questions?

4 What is a Rename?
Any change in a person's hierarchical name:
- First name, last name, middle name and/or middle initial
  Ron Jones/Support/Acme -> Jon J. Jones/Support/Acme
- Change in the spelling of a name
  Jon J. Jones/Support/Acme -> John J. Jones/Support/Acme
- Move from one Organizational Unit and/or Organization to another
  Jon J. Jones/SUPPORT/Acme -> Jon J. Jones/SALES/Acme
  Jon J. Jones/ALASKA/Acme -> Jon J. Jones/OHIO/Center
Notes:
- Access to user's mail file and other resources is based on the user's hierarchical name - ACL / Groups / Rooms and Resources.
- Changing a user's Internet address in SmartCloud Notes is NOT a rename.

5 How to trigger a Hybrid User Rename
After the Rename Report indicates a user is ready for a rename:
- From the Domino Administrator client -> People and Groups tab, select the user to be renamed.
- Right click and choose Rename, or Tools -> People -> Rename.
- Choose the rename type:
  - Change common name
  - Move to new certifier for OU change

6 Name/Rename Artifacts
A user record contains attributes, including names and certificates, aka 'name artifacts'.
Rename artifacts are used during a rename in the service. They include:
- Notes DN
- Certificates
- AdminpOld* items
- Rename in progress flag in the service
- ChangeRequests (AdminP and AdminQ)
For a rename to proceed successfully:
- The name artifacts must be consistent across the service and on-premises.
- There can be no artifacts from previous renames.

7 How to prepare for a Hybrid Rename
- Run the Rename Report in the IBM SmartCloud Notes AdminUI.
- If there are errors, follow recommendations provided in the report or consult IBM Support.
- After addressing any issues, re-run the Rename Report to confirm rename readiness.

8 Rules for Renaming a user
- USE the Rename Report tool to check for readiness.
- NEVER manually edit the user's name in the user's Person document in the Domino directory.
- Never start a second rename until the first rename completes.
- Use the Notes Admin client / AdminP process.
- The user's Notes ID must be stored in the ID Vault in the service.
- To change multiple parts of user's name, do it in one rename request.
  Samantha Brown/Renovations -> Samantha Smith/Sales/Renovations

9 Rules for Renaming a user (concluded)
- Never rename a user who is in the process of being provisioned to the service.
- Wait until new users have accessed the service at least once before initiating a rename.
- Run the Rename Report tool again to verify the rename has completed.
Additional points:
- After starting the rename, make sure the user does not switch from a Location document configured for the service to one that points to an on-premises server.
- If the rename includes a move to a new OU, make sure the Directory includes a vault trust certificate for the new OU in the service vault.

10 Rename Report: Common errors
- The user's ID file is not in the vault.
  Do not rename this user yet. First, upload the user's ID file to the vault.
- There is a problem with the password that is associated with the user's ID in the vault.
  Do not rename this user yet. Reset the user's password, and tell the user to log in with the new password.
- The user is already in the process of being renamed.
  Do not rename this user yet. Wait for the current rename to complete. If this message occurs for more than 3 days in a row, contact IBM Support for additional assistance.

11 Overview of the Rename process

12 The Rename Process: On-premises
After the rename is initiated on-premises, the updates are replicated to IBM SmartCloud Notes (DirSync) for processing.
Note: The rename process is initiated on-premises, sent to the service for processing, and then the service sends a request back to on-premises to complete the rename.

13 The Rename process: On-premises (continued)
Change Name
What Happens:
- Administrator triggers rename via AdminP.
  -> Change Common Name
  OR
  -> Request Move to a New Certifier
Where:
- This is done via the Admin Client on-premises.

14 The Rename process: On-premises (concluded)
Initiate Rename in Domino Directory.
What Happens:
- The Initiate Rename in Domino Directory AdminP request is processed. This updates the user's Person document with the new name. The old name information is moved to AdminpOld* items.
- The following Rename artifacts are added to the person document:
  - First, Middle, Last Name items
  - FullName item (includes new name, old names and alias)
  - Certificate item (includes user's certified name and public key)
  - AdminpOld* items (the items listed above associated with the old name are populated here)
  - ChangeRequest item (includes the old name certifier and the user's new name certifier signatures + date range that the ChangeRequest is valid for)
Note: If a ChangeRequest is not completed within the defined time (default 21 days), the request is considered invalid and the change is not accepted.
Where:
- The Initiate Rename in Domino Directory AdminP request is created in the on-premises Admin4.nsf.
- The specified Person record changes happen in the on-premises Domino Directory.

15 The Rename Process: In Service

16 The Rename process: In Service (continued)
Name change replicates to the service.
What Happens:
- Changes made in the on-premises Person document are replicated to the service.
- The name artifacts on-premises should appear in the customer directory replica.
Where:
- DirSync servers
(Note: On-premises replication may be required before changes are replicated to the service via DirSync.)

17 The Rename process: In Service (continued)
Attributes synced to TDS.
Key step: Once TDS is updated with the rename/name attributes, the rename can complete.
What Happens:
When all required conditions are met:
- The rename attributes will sync from the customer directory replica in the DirSync Server to TDS, updating the user's TDS record with:
  - New name (in NDN and the Fullname field)
  - New certificate
  - ChangeRequest
  - AdminPOld*
- RenameInProgress flag is set in the TDS record.
If the sync is not successful initially and the user's TDS record is not updated:
- An AdminP request is generated 24hrs after the initial request.
- This request runs every 24hrs until all blocking conditions are resolved or until the ChangeRequest expires.
- Once a blocker is resolved, there is a delay until the next cycle runs and the rename proceeds (up to 24hrs).
- If all the blocking conditions are not resolved, the rename attempt will fail.
Possible Blockers preventing this step:
- No ID in the SmartCloud Notes ID Vault.
- Bad password doc in ID Vault.
- RenameInProgress flag is already set.
Where:
- DirSync server and TDS

18 The Rename process: In Service (continued)
Name Change is accepted.
What Happens:
Once TDS has been synced with the new name, certificate, and ChangeRequest, the name change needs to be accepted. The change is accepted by one of the following means (whichever comes first):
- When the user syncs with the SmartCloud Notes ID Vault: either authenticates with the user's home mail server, or forces a sync (File/Security/User Security... ID Vault Sync).
OR
- The SmartCloud Notes AdminQ process accepts the name change on the user's behalf overnight.
Note: AdminQ can process the "accepting" of a change on behalf of a user.
- TDS is checked for users who have ChangeRequest items that have not been processed by AdminQ yet.
- When such a user is found, a new AdminQ request is created (if there is not already one in that database).
- The AdminQ database is polled every hour to check for requests to process.
- When a user is found with a ChangeRequest that needs processing, the rename in the Vault is completed.
Where:
- SmartCloud Notes Vault/AdminQ

19 The Rename process: In Service (concluded)
SmartCloud Notes ID is Updated, and Rename proceeds to completion.
What Happens:
- After the change is accepted, the ID Vault is updated with the new name.
- Then, a set of AdminP requests is generated to complete the rename in the service and on-premises.
- The next time the user syncs with the Vault, the user's local ID file will be updated with the new name.
Where:
- End User's Notes Client
- SmartCloud Notes Admin4.nsf

20 The Rename process: On-premises
Rename proceeds On-premises.
What Happens:
- The on-premises Domino Administration server receives the request from SmartCloud Notes.
- The Rename Person in Domino Directory is triggered. This facilitates the completion of the rename in the customer's Domino Directory.
Where:
- On-premises Admin4.nsf

21 Must-Gathers for Renames
- OLD and NEW distinguished names
- Is the user able to access via Web and/or Notes client?
- When was the rename done?
- What steps were followed to rename the user?
- Run Rename Report(s).
- Screen shots:
  - On-premises Admin4.nsf: Expand all documents pertaining to user rename & include response documents.
  - On-premises Person document > Basics tab
  - Available User IDs: User ID properties: File -> Security -> User Security. Look for the name(s) in the ID file(s).

22 Example of validating User ID in the Vault
- Confirm the user's Notes ID is in the Vault.
- Confirm the user successfully synced with the Vault using the current name.
- Check the user's local Notes client's log.nsf for details.

23 Additional Notes on User ID files
A user's ID gets created:
- A new user is created/registered on-premises. During this process, the user's ID is created.
- Once the user is provisioned, during Notes Client setup (using CONFIG.NSF), a new Location document is created that defines the user's SmartCloud Notes Mail Server as the user's Home Server.
- When the user first authenticates with the new Home Server, a Cloud Policy is downloaded. The Cloud Policy defines the ID Vault in SmartCloud Notes.
- Within a day or two, the user's ID file is uploaded to the Vault.
ID Download Count:
- To prevent attacks on the ID Vault by someone guessing passwords, we only allow ID downloads for 5 days after the password is changed/reset by customer Administrator.
- If a user loses his or her ID OR does not download a newly reset ID within five days (resulting download count is zero), the Administrator MUST reset the user's password before the user can recover his or her ID file.
Methods for an ID to be uploaded to the SmartCloud Notes ID Vault:
- The user successfully logs into the SmartCloud Notes mail file using a Notes client and a local ID file.
- The Admin uploads a local User ID file via the User's entry in the Admin UI, IBM SmartCloud Notes, Users section.
- The user selects File -> Security -> User Security -> Security Basics and clicks the "ID Vault Sync" button.
- The user imports his or her local ID file into the mail file via a web browser.
- The user selects File -> Security -> Switch ID from a configured Notes client and switches to the correct local ID file.

24 Summary
- Use the Rename Report tool to verify the user's readiness for a rename.
- Do not manually edit the Person document in the Domino Directory.
- Use the Domino Administrator client to rename the user.
- Expect up to 24 hours before the rename is processed in the service (after rename blockers are resolved).
- Contact IBM SmartCloud Notes Support if the suggestion(s) in the Rename Report do not resolve the problem(s).
Note: Steps that may resolve rename problems in a Notes/Domino on-premises environment can lead to problems and delays when renaming a user in a SmartCloud Notes Hybrid environment.

25 Hybrid Rename Process
1. Run the Rename Report to verify user readiness.
   a. Errors / Problems:
      i. Resolve (e.g. Upload ID to vault)
      ii. Open PMR with support if needed
   b. No errors / problems - continue with rename
1. Use the Domino Administrator client to rename the user.
2. Wait 24 hours for rename to complete.
3. Verify user information updated in the Cloud.
   a. New name appears
   b. Manage Mail File Access - ACL includes new name as 'owner' and old name for historical reference
4. Verify information on-premises.
   a. AdminP database processes completed
   b. Person Document and User ID - name updated
5. Open PMR if information not updated in the Cloud or on-premises.

26 References
- Rename person flowchart:
- What you should know before you change a SmartCloud Notes user's name:
- Changing a Notes user name:
- Rules to follow when you change a Notes name:
