Domino Administration Back to Basics (Part 2) - Networking
In Part 1 we learned about the marvelous world of Notes Names, X400 and the perils of messing with certificates. One big difference to X509 is the (almost) absence of certificate Command Line tools that can be so much fun.
Domino predates the rise of TCP/IP and the internet. To no surprise it has its own idea about networking. Starting with protocol support:
- Netbios using NDIS (doesn't route) and
- IPX/SPX A protocol from days long past, when red boxes weren't Redhat but Novell
- X.PC DialUp - Yes. A modem or something that takes modem commands and will establish a serial connection, no longer ships with Notes
- A few more obscure protocols: Vines, SPXII
- last not least TCP/IP
Having this zoo of protocols, Notes needs its own version of name resolution. That version is called Notes Named Network
A Notes Domain consists out of one or more server that use a Domino directory (a.k.a Public Name & Addressbook a.k.a
names.nsf) with the same replica id (a story for another time) as the other member servers and have the same Domain name in their server document (that's where most of the server's setting are stored).
A popular point of confusion: Notes Names (from Part1) and Notes Domains: It is quite common to name your Domain after your orgID, but not mandatory. SO you could have
Machine/Blowup@Acme The first and the last would be in the same Domain, while the first and second share the Org certifier. Anything goes, but to keep it simple, keep OrgId and Domain the same - unless you have 5 good reasons not to.
Another one: NEVER name your Notes Domain so it could be mistaken for an internet Domain. So no
. in the name. Spaces interestingly are OK!
A NNN is defined as: "a group of servers sharing the same protocol, being able to see each other using this protocol and having a common name for that protocol". A server can be part of more than one NNN, at least one per protocol stack it is using. When a server has multiple IP addresses, it can participate in multiple TCP/IP NNN. Routing and connections inside a NNN happen automatically, no further configuration required.
Domino can function as an application level firewall. Imagine a Domino server with 2 network addresses (can be even two different protocols) that do not route. By having them configured in 2 NNN, the Domino server is able to forward proper NRPC packages, while any other network traffic ends there.
For connections to servers in different NNN, or different Domains or for Internet protocols Domino uses Connection documents. Those documents live in the
names.nsf both on the client and the server.
In such a connection document, the Notes Name of the destination (always some kind of server, Notes clients don't do peer to peer (yet)) gets matched to a network address. Today that's typically a TCP/IP address. Notes can deal both with IP addresses and DNS names. The former has the advantage to work without a valid DNS server, the later the freedom to change the physical IP as long as the DNS record is current.
Connection documents can be limited to time and place (Locations) and design a quite sophisticated connection web.
Each network port in server and client has 3 switches:
- enabled y/n
- encryption y/n
- compression y/n
The first one is self explanatory. Suggestion here: switch off all ports you don't use. For the other two these are the rules:
- If one side in a connection requested encryption, encryption gets enabled (The ID files have the public/private keys to make that happen)
- If both sides have compression enabled, compression will happen. That's one of the easiest performance wins in Domino: switch on network compression. The ability to switch it off stems from a time where an 80836 was a highend machine
- NNN, Protocols and Connection documents can be confusing at first, but they are actually logical when looking at them closely
- There are hundreds of settings in a Server document, take care when configuring
- If, and only if, you are sure your DNS is stable, name your common server name after its fully qualified Domain name. Any server or client will try that IP address the DNS resolved to
- If the OS can't see the other side, so can't Domino. Ping, Tracert or Terminal (on port 1352) are your friend
Stay tuned for more!