6_14-Rename best practices for SmartCloud Notes

Open Mic:
Rename Best Practices for
SmartCloud Notes Hybrid
Administrators
Matt Gray | David Workman
SmartCloud Notes Support
June 15th 2016
© 2016 IBM Corporation
Agenda
• What is a Rename
• Rename Artifacts
• Rules for Renaming a User
• How to Prepare for a Rename
• How a Hybrid Rename Processes
• OnPremise Domino
• SmartCloud Service
• Must Gather Information
• Additional Resources
What is a rename
• Any change in a person's hierarchical name
  • First name, last name, middle name, middle initial
    Jon J. Jones/Support/Acme
  • Correct a misspelled name (Jon -> John)
  • Move from one organization to another (/O or /OU)
    Jon J. Jones/SUPPORT/Acme -> Jon J. Jones/SALES/Acme
    Jon J. Jones/ALASKA/Acme -> Jon J. Jones/OHIO/Acme
Notes:
• Access to the service / mail / resources is based on your hierarchical name
• Changing a user's internet address is not considered a rename
Name/Rename Artifacts
• A user record contains attributes including names and certificates, aka 'name artifacts'
• Rename artifacts are used during a rename in the service. They include:
  • ChangeRequest
  • AdminpOld* items
  • Rename in progress flag in the service
  • AdminP requests
  • AdminQ requests
For a rename to proceed normally:
• The name artifacts must be consistent across the service and onPremise.
• There can be no artifacts from previous renames (associated with previous rename attempts)
Rules for Renaming a user
- Rename Report tool
• Use the rename report tool to check for readiness
• Never start a second rename until the first rename completes
• Verify completion with the rename report tool
• NEVER manually change the Notes Name by changing the user’s person document in the Domino directory
• Use the Notes Admin client / AdminP process
• The user's Notes ID must be stored in the ID Vault in the service
Rules for Renaming a user
• If you want to change multiple parts of a user’s name, do it in one rename request
  Samantha Brown/Renovations -> Samantha Smith/Sales/Renovations
• Never rename a user who is in the process of being provisioned to the service
• Wait until new users have accessed the service at least once before initiating a rename
Additional points:
• After starting the rename, make sure the user does not switch from a location document configured for the service to one that points to an OnPremise server
• If the rename includes a move to a new OU, make sure the Directory includes a vault trust certificate for the new OU in the service vault
What to do before a Rename
• Run the Rename Report in the SmartCloud Notes AdminUI. If there are errors, follow the recommendations provided in the report or consult IBM support
• After addressing any issues, re-run the rename report to confirm rename readiness
Rename Report common errors
Some common rename report errors:
• The user's ID file is not in the vault
  • Do not rename this user yet
  • First, upload the user's ID file to the vault
• There is a problem with the password that is associated with the user's ID in the vault
  • Do not rename this user yet
  • Reset the user's password and tell the user to log in with the new password
• The user is already in the process of being renamed
  • Do not rename this user yet
  • Wait for the current rename to complete
  • If this message occurs for more than 3 days in a row, contact IBM Support for additional assistance
How to trigger a User Rename
After the rename report indicates a user is ready for a rename:
• From the Domino Administrator client
  • People and Groups tab -> select the user to be renamed
  • Right click and choose Rename
  or
  • Tools -> People -> Rename
• Choose the rename type:
  • Change common name
  • Move to new certifier for OU change
Summary of the Rename Process
The Rename Process
OnPremise
• After the rename is initiated OnPremise, the updates are replicated with SmartCloud Notes (DirSync) for processing
Note - The rename process is initiated OnPremise, sent to the service for processing, and then the service sends a request back OnPremise to complete the rename.
The Rename Process
OnPremise
Change Name
What Happens:
Administrator triggers rename via AdminP
-> “Request Move to a New Certifier”
OR
-> “Change Common Name”
Where:
This is done via the Admin Client onPremise
The Rename Process
OnPremise
Initiate Rename in Domino Directory
What Happens:
The “Initiate Rename in Domino Directory” AdminP request is processed.
This updates the user’s person document with the new name. The old name information is moved to AdminpOld* items.
The following Rename artifacts are added to the person document:
• First, Middle, Last Name items
• FullName item (includes new name, old names and alias)
• Certificate item (includes user's certified name and public key)
• AdminpOld* items (the items listed above associated with the old name are populated here)
• ChangeRequest item (includes the old name certifier and the user's new name certifier signatures + the date range the ChangeRequest is valid for)
Note: If a ChangeRequest is not completed within the defined time (typically 21 days), the request is considered invalid and the change is not “accepted”.
Where:
The “Initiate Rename in Domino Directory” AdminP request is created in the onPremise Admin4.nsf
The specified Person record changes happen in the onPremise Domino Directory
The Rename Process
In Service
The Rename Process
In Service
Name change replicates to the service
What Happens:
Changes made in the OnPremise person document are replicated to the service
The name artifacts OnPremise should appear in the customer directory replica
Where:
DirSync servers
(Note – On premise replication may be required before changes are replicated to the service via DirSync)
The Rename Process
In Service
Attributes synced to TDS
Key step
Once TDS is updated with the rename/name attributes, the rename can complete.
What Happens
When all required conditions are met:
The rename attributes will sync from the customer directory replica in the DirSync Server to TDS, updating the user's TDS record with:
• new name (in NDN and fullname field)
• new certificate
• ChangeRequest
• AdminPOld*
• RenameInProgress flag is set in the TDS record
If the sync is not successful initially and the user’s TDS record is not updated:
• An AdminP request is generated 24hrs after the initial request.
• This request runs every 24hrs until all blocking conditions are resolved, or until the ChangeRequest expires
• Once a blocker is resolved, there is a delay until the next cycle runs and the rename proceeds (up to 24hrs)
• If all the blocking conditions are not resolved, the rename attempt will fail
Possible blockers preventing this step:
• no ID in the SmartCloud Notes ID Vault
• bad password doc in ID Vault
• RenameInProgress flag already set
Where:
DirSync server and TDS
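The retry cycle described on this slide, as an added example that is not part of the original presentation: a simplified Python model that projects when a blocked rename would proceed, or whether the ChangeRequest lapses first. The helper name project_rename and the sample times are hypothetical; the 24-hour interval and the 21-day validity are the figures given in the deck, and actual service scheduling may differ.

```python
from datetime import datetime, timedelta

RETRY_INTERVAL = timedelta(hours=24)           # deck: request runs every 24hrs
CHANGE_REQUEST_VALIDITY = timedelta(days=21)   # deck: "typically 21 days"


def project_rename(initiated, blockers, validity=CHANGE_REQUEST_VALIDITY):
    """Simplified model of the TDS sync step (hypothetical helper).

    blockers maps a blocker name to the datetime it was resolved, or None
    if it is still outstanding; an empty dict means nothing blocked the sync.
    Returns (status, when, reasons).
    """
    expires = initiated + validity
    unresolved = sorted(name for name, fixed in blockers.items() if fixed is None)
    if unresolved:
        # Retries keep failing until the ChangeRequest is no longer valid.
        return ("fails", expires, unresolved)
    if not blockers:
        return ("proceeds", initiated, [])      # initial sync succeeds

    last_fix = max(blockers.values())
    elapsed = max(last_fix - initiated, timedelta(0))
    # Retry k fires at initiated + k * 24h (k >= 1); pick the first at or after the fix.
    k = max(1, -(-elapsed // RETRY_INTERVAL))
    next_cycle = initiated + k * RETRY_INTERVAL
    if next_cycle > expires:
        return ("fails", expires, ["ChangeRequest expired before next cycle"])
    return ("proceeds", next_cycle, [])


if __name__ == "__main__":
    start = datetime(2016, 6, 1, 9, 0)          # constructed sample times
    cases = {
        "no blockers": {},
        "ID uploaded on day 3": {"no ID in vault": datetime(2016, 6, 3, 15, 0)},
        "flag never cleared": {"RenameInProgress flag already set": None},
        "password fixed too late": {"bad password doc": datetime(2016, 6, 22, 10, 0)},
    }
    for label, blockers in cases.items():
        status, when, reasons = project_rename(start, blockers)
        print(f"{label}: {status} at {when:%Y-%m-%d %H:%M} {reasons}")
```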
The Rename Process
In Service
Name Change accepted
What Happens:
Once TDS has been synced with the new name, certificate, and ChangeRequest, the name change needs to be “accepted”.
The change is “accepted” by one of the following means (whichever comes first):
• When the user syncs with the SCN ID Vault
  • Either authenticates with the user's home mail server or forces a sync (File/Security/User Security... “ID Vault Sync”)
OR
• The SCN's AdminQ process accepts the name change on the user's behalf, nightly
Note on AdminQ: AdminQ processes the "accepting" of changes:
• TDS is checked for users with ChangeRequest items that have not been processed by AdminQ yet
• When such a user is found, a new AdminQ request is created (if there is not already one in that database)
• The AdminQ database is polled every hour to check for requests to process
• When a user is found with a ChangeRequest that needs processing, the rename in the Vault is completed
Where:
SCN Vault/AdminQ
The Rename Process
In Service
SCN ID Updated &
Rename proceeds to completion
What Happens:
• After the change is accepted, the ID Vault is updated with the new name.
• Then, a set of AdminP requests is generated to complete the rename in the service and OnPremise.
• The next time the user syncs with the Vault, their local ID file will be updated with the new name.
Where:
End User Notes Client
SCN Admin4.nsf
The Rename Process
OnPremise
Rename proceeds OnPremise
What Happens:
When the onPremise Administration server receives the request from SCN, the “Rename Person in Domino Directory” request is triggered, which facilitates the completion of the rename in the customer directory
Where:
OnPremise Admin4.nsf
MustGather for Renames
• OLD and NEW distinguished names
• User able to access via Web and/or Notes client?
• When was the rename done?
• Steps followed to rename the user?
• Rename reports for the user
• Screen shots:
  • OnPremise Admin4.nsf
    • (Expand all documents pertaining to user rename + include response documents)
  • OnPremise person doc – basics tab
  • Available user IDs:
    • User ID properties (File -> Security -> User Security)
    • Look for name in ID file(s)
Example of validating user ID in the Vault
• Confirm the user’s Notes ID is in the Vault
• Confirm the user successfully synced with the vault using the current name
• Check the local Notes client log.nsf for details
Additional Notes on Users ID files
A user's ID gets created:
• A new user is created/registered onPremise. During this process, the user's ID is created
• Once provisioned, during Notes Client setup (using config.nsf), a new location document is created that defines the user's SCN Mail Server as their home server
• When first authenticating with the new home server, a cloud policy is downloaded
• The cloud policy defines the ID Vault in SCN
• Within a day or two, the ID is uploaded to the vault
ID Download Count:
• To prevent attacks on the ID Vault by guessing passwords, we only allow ID downloads for 5 days after a new ID is created for hosted-only users or after the password is changed/reset by the customer Admin
• If a user loses their ID OR a user does not download a newly reset ID within five days (resulting in “download count is zero”), the Admin MUST reset their password before they can recover their ID
Methods for an ID to be uploaded to the SCN ID Vault:
• User successfully logs into their SmartCloud Notes mailfile using a SmartCloud Notes client with a local ID file
• Customer administrator uploads a local user ID file via the SmartCloud Notes Users user interface
• User selects File - Security - User Security - Security Basics and uses the "ID Vault Sync" button
• User imports their local ID file into their SmartCloud Notes Web mailfile
• User selects File - Security - Switch ID from a configured SmartCloud Notes client and switches to the correct local ID
References
Rename person flowchart:
https://www.ibm.com/support/knowledgecenter/SSKTMJ_8.0.1/com.ibm.help.domino.admin.doc/DOC/H_Rename_person_administration_requests.html
Steps to rename a user:
https://www.lotus.com/ldd/bhwiki.nsf/dx/Exercise_2.6_Changing_user_names_LLNHcourse
What You Should Know Before You Change a SmartCloud Notes User's Name:
https://www.lotus.com/ldd/bhwiki.nsf/dx/What_You_Should_Know_Before_You_Change_a_SmartCloud_Notes_Users_Name
Changing a Notes User Name:
https://www.ibm.com/support/knowledgecenter/SSPS94/hybrid/topics/adm_hy_changing_a_user_name_t.html
Rules to follow when you change a Notes name:
https://www.ibm.com/support/knowledgecenter/SSPS94/hybrid/topics/adm_hy_requirements_for_changing_Notes_name_c.dita
Summary
• Use the rename report tool to verify the user's readiness for a rename
• Do not manually edit the person document in the Domino directory. Use the Domino Administration client to rename the user
• Once rename blockers are resolved, expect up to 24 hours before the rename is processed in the service
• If the suggestions indicated in the rename report do not resolve the problem, please contact SmartCloud Notes Support
Steps that may have resolved rename problems in a Domino onPremise environment may lead to additional problems and delays when renaming a user in a SmartCloud Notes Hybrid environment