quest notes migrator for exchange (nme) what are...

Quest Notes Migrator for Exchange (NME) – What are the most minimum permissions needed in Domino to use

NME?

Version 1.0, Dated July 7, 2008

Contents

Purpose ......................................................................................................................................................... 4

Domino Actions ............................................................................................................................................. 5

Creating the Domino Account................................................................................................................... 5

Add the Domino Account to the ACL of all NSF files to be migrated ........................................................ 7

Quest Notes Migrator for Exchange Actions .............................................................................................. 12

Add ‘NotesMig User’ to the ‘Notes Server Configuration’ area ............................................................. 12

Migrating Mail with Quest Notes Migrator for Exchange....................................................................... 13

Set/Remove forwarding, ‘Allow foreign directory synchronization’, ‘Visibility’ ..................................... 15

Summary ..................................................................................................................................................... 21

NME Minimum Permissions

P a g e | 2 Copyright 2008 – Quest Software Inc. All Rights Reserved

© Copyright Quest Software, Inc. 2008. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in

this guide is furnished under a software license or nondisclosure agreement. This software may be used

or copied only in accordance with the terms of the applicable agreement. No part of this guide may be

reproduced or transmitted in any form or by any means, electronic or mechanical, including

photocopying and recording for any purpose other than the purchaser's personal use without the

written permission of Quest Software, Inc.

Warranty

The information contained in this document is subject to change without notice. Quest Software makes

no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS

THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest

Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in

connection with the furnishing or use of this information.

Trademarks

Quest® is a trademark of Quest Software, Inc. Other trademarks and registered trademarks used in this

guide are property of their respective owners.

Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA

www.quest.com e-mail: [email protected] U.S. and Canada: 949.754.8000

Please refer to our Web site for regional and international office information.

Quest Software complies with U.S. Export Control laws. Consequently, Quest Software will not ship products to or

provide support to anyone in prohibited destinations as defined by the U.S. Department of Commerce. For a copy

of the current export administration regulations, please visit their website at:

http://www.access.gpo.gov/bis/index.html.

http://www.quest.com/

mailto:[email protected]

http://www.access.gpo.gov/bis/index.html



Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at www.quest.com/support From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents) Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures.

http://www.quest.com/support



Purpose

When Quest Notes Migrator for Exchange (NME) is used to migrate from Domino, the person running

(NME) and the account specified within the ‘Notes Server’ area of the NME product needs to have

specific permissions to complete all of its migration actions. Actions include:

- Migrating Mail

- Send “You’ve been migrated” messages to Notes mailboxes

- Set/Remove forwarding

- Set ‘Allow foreign directory synchronization’

- Set user visibility

Quest Notes Migrator for Exchange manages all of these activities, but uses basic Domino/Notes

commands to perform these actions.

Certain environments dictate that certain rights, roles and permissions cannot be granted to one user.

For Quest Notes Migrator for Exchange to be able to perform all of these activities successfully, certain

Domino permissions, rights and roles must be granted to a migration account. This document will use a

simple one Domino Server scenario to describe (and show) how to grant the least amount of Domino

permissions/rights/roles to enable a non-authoritative (or limited permission) account to perform a

migration from Domino.

NOTE: This document is used for informational purposes only using a very basic Domino structure. For

larger, more complex environments, further investigation on the part of the end-user will be

warranted. If the provided information here does not allow for the said actions to work successfully,

Quest Technical Support will request that the recommended permissions/rights/roles given from the

current Quest Notes Migrator for Exchange “System Requirements” be implemented.



Domino Actions

Creating the Domino Account For example purposes, the user to be created will be called ‘NotesMig User’ in a single Domino domain

called ‘DOMINODOMAIN’. This user will be used to perform all the Domino actions.

- Open ‘Domino Administrator’ and expand the “Domino Directories | ‘DomainName’s |’

Directory” | People’. On the right-hand side, expand ‘People’ and click “Register...”. In the

“Register Person – New Entry” dialog, the following is entered, clicking “Register All” when

completed:

Figure 1 - Create the NotesMig Notes Account – Basics Screen



Resulting Notes User:

Figure 2 - NotesMig User's Personal Document

Note: For more information on creating users with Domino Administrator, please see the

following IBM/Domino article titled “Setting up Notes users” found at the following link:

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin85.doc/DOC/H_SETTING

_UP_NOTES_USERS.html

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin85.doc/DOC/H_SETTING_UP_NOTES_USERS.html

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin85.doc/DOC/H_SETTING_UP_NOTES_USERS.html



Add the Domino Account to the ACL of all NSF files to be migrated Because this is a new account, this account has no access to the source NSF files to be migrated. An easy

way to verify this is to be true is to log into either Lotus Notes (client) or Domino Administrator as the

new ‘NotesMig User’:

Figure 3 - Logging in as 'NotesMig User'

...and attempt to open a user to be migrated NSF file via the ‘File | Database -> Open...’, Open Database

dialog. For this example, an attempt to open ‘Carl User’ (cuser.nsf) database on the ‘cs-domino65-

01/MIG1’ domino server will be made:

Figure 4 - 'Open Database' dialog



When this occurs, the following “IBM Domino Administrator” dialog appears stating that the logged on

account has not the required permissions to access:

Figure 5 - Open Database not authorized dialog

Logging into Domino Administrator as a person who has access to the said ‘cuser.nsf’ file (‘File |

Database -> Open...’ then ‘File | Database -> Access Control...’), we can indeed see that ‘NotesMig User’

is not specified which is why the “You are not authorized to access that database” is returned:

Figure 6 - Access Control List for Carl User



To remedy this lack of access, the new ‘NotesMig User’ notes user will need to be added to ALL NSF files

that are too be migrated. This would be a daunting task to add manually to each NSF file individually,

however, this can be achieved using the ‘Manage ACL...’ option under the ‘Files’ tab in Domino

Administrator. In the ‘Files’ tab, locate the NFS files to add/modify the ACLs on (multi-select is available

if needed) and (under the ‘Database’ drop-down) click ‘Manage ACL...’ as shown:

Figure 7 - Manage ACL option for CUSER.NSF



If multiple NSF files are selected and the ‘Manage ACL...’ is selected, the following dialog will appear:

Figure 8 - Manager Multiple ACLs dialog

...if only one is selected, the normal ‘Access Control List to: UserName’ will appear:

Figure 9 - Access Control List for Carl User



For either dialog, click the ‘Add...’ button and select the desired user to be added. For this example,

‘NotesMig User’ will be added:

Figure 10 - Adding NotesMig User to Carl Users NSF ACL

...for this example ‘NotesMig User’ will be added as ‘User Type: Person’ and ‘Access:Manager’.

Note:

Anything set less than “Access:Manager” will result in errors when Quest Notes Migrator for

Exchange is run. Please see the section titled “Migrating Mail with Quest Notes Migrator for

Exchange” for examples of these possible errors.

For more information on adding domino users to ACLs of multiple NSF files, please see the

following IBM/Domino article titled “Manage ACL | Basic Options” found at the following link:

http://infocenters.lotus.com/help7/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/FIL

ES_TAB_TOOLS_MANAGE_ACL_0210.html

http://infocenters.lotus.com/help7/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/FILES_TAB_TOOLS_MANAGE_ACL_0210.html

http://infocenters.lotus.com/help7/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/FILES_TAB_TOOLS_MANAGE_ACL_0210.html



Quest Notes Migrator for Exchange Actions

Add ‘NotesMig User’ to the ‘Notes Server Configuration’ area Once the ‘NotesMig User’ has been created and added to the Access Control List of the needed NSF

files, ‘NotesMig User’ will need to be added to the ‘Notes Server Configuration’ area of Quest Notes

Migrator for Exchange as shown here:

Figure 11 - Specify ‘NotesMig User’ to the NME Notes Server area

Please be sure to click the ‘Apply...’ button and be sure the “Status” area states that it “Successfully

saved the Notes settings” before continuing.

Note: If this action fails, please launch the Lotus Notes Client on the same computer (as NME) and

attempt to login using the same ID file found in the same folder structure as shown in the ‘Notes Server

Configuration’, ‘User ID file (UNC path):’ area of Quest Notes Migrator for Exchange. This should succeed

without any errors or prompts.



Migrating Mail with Quest Notes Migrator for Exchange With the ‘Notes Server Configuration’ area now set with the correct user, an attempt to migrate ‘Carl

User’ mail sending a “You’ve been migrated” message will be performed:

Figure 12 - Migrating mail and Migrated Message options

Results:

Figure 13 - Migrating mail and Migrated Message results

...where the ‘2 warning(s)’ noted (in the screenshot) are for the ‘LocalDomainServers’ and

‘OtherDomainServers’ groups which do not have a corresponding Exchange Account in the target Active

Directory environment (so they can be safely ignored).



Note: If an attempt to migrate Carl User was made with “Quest Notes Migrator for Exchange” having

‘NotesMig User’ set as the default ‘Editor’ (or lower) to the said NSF files ACL, the following (possible)

error(s) may be seen in the logs (as an example, other errors may be seen depending upon the content

being migrated):

13:22:15 ERROR: [4618-33-102-00000246] Unable to open NSF file 'cs-domino65-01/MIG1!!mail\cuser.nsf' 13:22:15 NSFDbOpen: 13:22:15 You are not authorized to perform that operation ... 13:42:36 WARNING: [4619-33-2-00000246] Unable to get unread note table for user '' in database 'cs-domino65-01/MIG1!!mail\cuser.nsf'; assuming all notes are read 13:42:36 NSFDbGetUnreadNoteTable: 13:42:36 You are not authorized to perform that operation ... 13:42:37 WARNING: [4619-33-2-00000246] Unable to get unread note table for user 'CN=Carl User/O=MIG1' in database 'cs-domino65-01/MIG1!!mail\cuser.nsf'; assuming all notes are read 13:42:37 NSFDbGetUnreadNoteTable: 13:42:37 You are not authorized to perform that operation ... 13:43:15 ERROR: [4996-33-192-00000246] Unable to migrate contents of folder 'HeadlinesView' 13:43:15 NIFOpenCollection: 13:43:15 You are not authorized to perform that operation ... 13:43:15 WARNING: [4652-33-165-00000000] Unable to migrate one or more mail messages.



Set/Remove forwarding, ‘Allow foreign directory synchronization’, ‘Visibility’ The following actions:

- Set/Remove forwarding

- Set ‘Allow foreign directory synchronization’

- Set user visibility

...all modify the personal document of the Notes user. Giving only ACL permissions to the NSF file will

not be enough to perform these actions. These actions require the ability to modify personal

documents, similar to modifying the personal documents when utilizing Domino Administrator.

As per the following IBM/Domino documentation, the following chart summarizes what needs to be

done to allow a said user to perform certain actions (within specific environments).

For more information on setting up users to perform additional administrative tasks, please see

the following IBM/Domino article titled “Setting up ACLs for the Administration Process” found

at the following link:

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin.doc/DOC/H_MODIFYING

_ACLS_TO_USE_THE_ADMINISTRATION_PROCESS.html

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin.doc/DOC/H_MODIFYING_ACLS_TO_USE_THE_ADMINISTRATION_PROCESS.html

http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin.doc/DOC/H_MODIFYING_ACLS_TO_USE_THE_ADMINISTRATION_PROCESS.html



So the same procedure as section “Add the Domino Account to the ACL of all NSF files to be migrated”

will be needed to add ‘NotesMig User’ to the ACL of the names.nsf, admin4.nsf and certlog.nsf files

(based upon this example scenario). This can be achieved using the ‘Manage ACL...’ option under the

‘Files’ tab in Domino Administrator. In the ‘Files’ tab, locate the names.nsf, admin4.nsf and certlog.nsf

files to modify the ACL on (multi-select is available if needed for the particular environment) and under

the ‘Database’ drop-down, click ‘Manage ACL...’.

Figure 14 - Selecting the needed NSF files for ACL modification



For this example, ‘NotesMig User’ is added as ‘User type:Person/Access:Editor’ to the names.nsf,

admin4.nsf and certlog.nsf files as shown below:

Figure 15 - Adding NotesMig User to the ACL of the needed NSF files

Note: Once set, this may take time to replicate within the Notes Environment before having the ability

to modify the Person Documents. Log in as ‘NotesMig User’ frequently to Domino Administrator to see if

the Personal Document can be manually edited prior to attempting the same action within Quest Notes

Migrator for Exchange.



Results

Results of ‘Disable foreign directory synch’ and ‘Set user visibility’:

Figure 16 – NME results of visibility and foreign directory synch

Figure 17 - Results of visibility and foreign directory synch



Results of ‘Set forwarding’:

Figure 18 - NME results Set Mail Forwarding

Figure 19 - Results of Set Forwarding



As an example, if an attempt is made to set the ‘Allow foreign directory synchronization’ via the ‘Notes

administrative functions’ option within Quest Notes Migrator for Exchange and the Notes ID file

specified does not have sufficient privileges, the following error will be seen in the Quest Notes Migrator

for Exchange log file:

15:07:57 ERROR: [1395-31-14-00000000] Unable to set forwarding and/or disable foreign dirsync for user 'Carl User' 15:07:57 Person document is read-only.

...and if the same action is attempted via Domino Administrator, it will be noticed that there is no ‘Edit

Person’ button to modify the value which means the person logged into Domino Administrator has

insufficient privileges to modify the Person Document:

Figure 20 - Results of having and not having sufficient privileges

What this means is the user being specified in the Notes Server section of Quest Notes Migrator for

Exchange will require certain privileges to make these activities work.



Summary Quest Notes Migrator for Exchange manages the activities of Migrating Mail (from Notes mailboxes),

sending “You’ve been migrated” messages to Notes mailboxes, setting/removing of forwarding (within

the Notes Personal Documents), setting the ‘Allow foreign directory synchronization’ (within the Notes

Personal Documents) and setting user visibility (within the Notes Personal Documents) using basic

Domino commands. For these commands to run uninterrupted, privileges need to be given to a

migration account such that they can successfully perform these actions as if the actions were being

performed using Domino/Lotus Notes native tools. Failing to do so will result in errors which will prevent

a successful migration from occurring.

This basic example should give guidance in how to achieve a successful migration with minimum

rights. For larger, more complex environments, further investigation on part of the end-user will be

warranted. If the provided information here does not allow for the said actions to work successfully,

Quest Technical Support will request that the recommended permissions/rights/roles given from the

current System Requirements be implemented.