Supporting multiple IBM® Domino® domains

Typically, the IBM Traveler server deploys in the same Domino® domain as production mail servers. However, there are a number of reasons why you may want to separate your IBM® Traveler server domain and your production mail server domains.

  • To keep the IBM® Traveler server's directory (names.nsf) separate from production, so that design changes from a higher-level directory do not synchronize to a lower-level directory server. In this environment, the directories do not sync unless syncing is explicitly enabled.
  • All IBM Traveler servers in an HA pool must be in the same domain.
  • To minimize the amount of data from the production servers that is accessible from the IBM Traveler server.

There are several items you must consider to make this possible. This checklist applies to any IBM Traveler installation. However, when installing in the same Domino® domain, many of these items typically work without any additional configuration.

  • The IBM Traveler server must be able to physically connect to mail servers in the other domains. Use the Domino® server trace command on the IBM Traveler server to verify that a physical connection can be made between the servers. For example, from within the Domino® administrator console, use the command trace test_server/your_domain, where test_server and your_domain are the actual identifiers of the mail server and domain.
  • The server ID file used by the IBM Traveler server must be cross-certified with any other Domino® domains that the IBM Traveler server needs a connection to.
  • The remote mail servers must grant server access to the IBM Traveler server. You can verify this using the Domino® Administrator client. On the remote mail server, open the server configuration document, click the Security tab, and verify that this server is not restricted in the Server Access section.
  • The IBM Traveler service queries the Domino® directory service whenever mobile users register with or connect to the IBM Traveler server. The Domino® directory must return the home mail server and the mail file path name for each user that registers with the IBM Traveler server. If the IBM Traveler server is in the same domain as the mail users, then typically the local names.nsf is already populated with person records for each user and this information is available by default. However, if the users are in other domains, then you must either configure Domino® directory assistance to find these other users or otherwise ensure that their person records are available in the local names.nsf.
  • The IBM Traveler service queries the cluster database on the user's home mail server to find other mail servers and mail file paths that can be used for each user. Without access to cldbdir.nsf, the IBM Traveler service will only use the user's home mail server and mail file path.
  • By default, the IBM Traveler service sends mail and meeting notices using the files on the users' mail servers. Without access to the files on the users' mail servers, no mail or meeting notices can be delivered.
  • If you plan to implement mobile security policies, use IBM Traveler default settings to define them. See Default device preferences and security settings for more information. Use these settings instead of the IBM Traveler settings that are part of the Domino® admin policy setup. Otherwise, you must define the IBM Traveler settings separately in each Domino® domain for them to work correctly. If you are using IBM Traveler default settings, then these settings and security policies apply to any user that connects to the IBM Traveler server, regardless of the Domino® domain that the user belongs to. For more information, see Assigning preferences and security settings to devices.
  • ID vaults only work when the IBM Traveler server and the user's mail servers are in the same domain. This is a documented limitation of the ID vault in the Domino® Wiki.

When running in a multi-domain environment, you may need to change the default behavior for IBM Traveler name lookup. By default, when a lookup request for a name is executed on an IBM Traveler server, the request is resolved against the directory (names.nsf) on the mail server of the user executing the request. If names.nsf on the external domain does not allow this IBM Traveler server access, then the lookup fails. In a multi-domain environment, you will likely set up Domino® Directory Assistance on the IBM Traveler server to access a specific Directory server in the production environment. If this is the case, set the following IBM Traveler notes.ini variable using this syntax on the Domino® server console:

This will force all lookups to run against the local directory, which will then use Domino® Directory assistance if it is configured and needed to resolve a name.