Processing administration requests across domains

The Administration Process for the Domino® Directory must be set up on a server in each domain.

Cross-domain processing offers these benefits:

  • Processing administration requests across domains can protect the integrity of the data in databases. For example, if a person is deleted from the directory in one domain, corresponding deletions occur in the other domains.
  • Access to information is enhanced because a name change is propagated to other domains. For example, people and servers registered in one domain can also be listed in the directory documents and database ACLs in another domain. Cross-domain processing allows users and servers to have access to databases and servers in both domains.
  • Applications are easily distributed because databases are easily replicated from servers in one domain to servers in other domains. Administrators do not have to install and update applications individually on all servers.

These tasks can be processed across domains:

  • Delete person in Domino® Directory
  • Delete server in Domino® Directory
  • Rename server in Domino® Directory -- that is, upgrade the server name from flat to hierarchical
  • Rename person in Domino® Directory
  • Create replica
  • Get replica information for deletion -- This request is generated when you delete a database and its replicas

Setting up cross-domain processing of administration requests

To set up cross-domain processing of administration requests, you need to do the following:

  • Create the necessary cross-certificate documents in the Domino® Directory. Requests going to another domain require cross certificates between the two domains.
  • Create a Connection document in the Domino® Directory allowing a server in one domain to connect to a server in another domain. Each domain must have a Connection document.
  • Create one or more Cross-domain Configuration documents in the administration requests database for each domain from which you will import administration requests and to which you will export administration requests.
  • Set up an administration server for the outbound domain to allow processing of the outbound requests.

Edit the Directory Profile document for the Domino® Directory to include the names of anyone allowed to create a Cross-domain Configuration document. On the Directory Profile document, add the administrators' names to the field List of administrators who are allowed to create Cross-domain Configuration documents in the administration requests database. If a Cross-domain Configuration document is created by someone whose name is not in that field and who is not a manager of the Domino® Directory, that configuration will be ignored.

The Administration Requests database contains Cross-domain Configuration documents that specify how domains exchange and process administration requests. When you configure a Cross-domain Configuration document, you designate the trusted entities, which are persons, servers, or certifiers. All requests received from the domain must be signed by one of its trusted entities. Rename requests are the exception; they are signed by certifiers so their validity is determined by the certificates and the cross-certificate in the destination domain's Domino® Directory. For Rename requests going to another domain, there must be appropriate cross-certificates between the two domains. Additionally, the Domino® Directories of both the originating and destination domains must have all Certifier documents, with the certifier's public key, for the organizational structure represented in the name change request.

Tip: Copy the necessary set of Certifier documents from the originating domain to the destination domain. However, keep in mind that documents copied in this manner may need to be replaced later if newer certifiers are used.
Note: Check the Connection documents for the servers involved in the cross-domain request processing. The fields on the Connection document that have particular impact on the processing of administration requests across domains are on the Basics tab: Source server, Source domain, Destination server, and Destination domain fields.

Other fields on the Connection document should be set up to allow for replication and communication between source and destination servers as usual.
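
The trust rules described above for Cross-domain Configuration documents, trusted entities and Rename requests can be modelled as a pre-flight check. This is an added example, not Domino code: the dictionaries, their keys, the sample names and the treatment of one cross-certified ancestor as "appropriate" are all assumptions made for illustration.

```python
# Added illustration: a model of the acceptance rules described above.
# Not Domino code; every structure, key and name here is constructed.

def required_certifiers(canonical_name):
    """Ancestor certifiers of a canonical hierarchical name, e.g.
    CN=Jane Doe/OU=Sales/O=Acme -> ['OU=Sales/O=Acme', 'O=Acme']."""
    parts = canonical_name.split("/")
    if len(parts) < 2 or not parts[0].upper().startswith("CN="):
        raise ValueError("flat or malformed name: " + canonical_name)
    chain = ["/".join(parts[i:]) for i in range(1, len(parts))]
    return [c for c in chain if not c.upper().startswith("C=")]  # bare country: no certifier

def config_is_honored(config, directory):
    """A Cross-domain Configuration document counts only if its creator is in
    the Directory Profile list or is a manager of the directory."""
    creator = config["created_by"]
    return creator in directory["config_admins"] or creator in directory["managers"]

def request_problems(request, config, origin_dir, dest_dir):
    """Return the reasons an inbound request would not be processed."""
    problems = []
    if not config_is_honored(config, dest_dir):
        problems.append("configuration ignored: creator not authorized")
    if request["type"].startswith("Rename"):
        for name in request["names"]:
            chain = required_certifiers(name)
            # Simplification: one cross-certified ancestor stands for
            # "appropriate cross-certificates between the two domains".
            if not any(c in dest_dir["cross_certified"] for c in chain):
                problems.append("no cross-certificate covering " + name)
            for label, d in (("origin", origin_dir), ("destination", dest_dir)):
                for c in chain:
                    if c not in d["certifier_docs"]:
                        problems.append(f"{label} directory lacks Certifier document {c}")
    elif request["signer"] not in config["trusted_entities"]:
        problems.append("signer is not a trusted entity: " + request["signer"])
    return problems

# Constructed sample data.
ORIGIN = {"config_admins": set(), "managers": set(), "cross_certified": set(),
          "certifier_docs": {"O=Acme", "OU=Sales/O=Acme"}}
DEST = {"config_admins": {"CN=Dana Admin/O=Globex"}, "managers": set(),
        "cross_certified": {"O=Acme"}, "certifier_docs": {"O=Acme"}}
CONFIG = {"created_by": "CN=Dana Admin/O=Globex",
          "trusted_entities": {"CN=Hub01/O=Acme"}}
RENAME = {"type": "Rename person in Domino Directory", "signer": "O=Acme",
          "names": ["CN=Jane Doe/OU=Sales/O=Acme"]}
DELETE = {"type": "Delete person in Domino Directory", "signer": "CN=Rogue/O=Acme"}
```

With the sample data, the rename is held up only by the Certifier document missing from the destination directory, and the delete is rejected because its signer is not a trusted entity.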