Integrating IBM Lotus Domino Directory with Microsoft Active Directory using ADSync

Tony Patton ([email protected]), Consultant

Summary: An enterprise IT environment with multiple directory platforms is a common scenario, and IBM Lotus Domino Directory and Microsoft Active Directory are popular choices within this scenario. This article explains one way to get these two directories to communicate easily using the Lotus Domino Active Directory Synchronization tool (ADSync).

Date: 28 Jul 2009 (Published 02 Jan 2007)
Level: Intermediate
Also available in: Chinese, Russian


Working with disparate systems is a common theme in most organizations, but different systems can be problematic when you're maintaining enterprise directories. A common scenario includes both the Microsoft Active Directory and IBM Lotus Domino within the corporate IT infrastructure. Lotus Domino is often used for enterprise messaging, whereas Active Directory handles network users. To simplify system administration, it's advantageous to maintain both directories from a single point. IBM recognized this need with the inclusion of the Lotus Domino Active Directory Synchronization tool, or ADSync, first available in Lotus Domino V6. It works with Microsoft Windows 2000 and later versions.

ADSync allows administrators to keep Domino Directory and Active Directory users and groups in synch. Administrators can register, synchronize properties and passwords, and rename and delete users and groups in the Domino Directory when such actions are performed in Active Directory and vice versa. Features include container and property mappings between the two directories and the use of policies for registering users. Setup and usage are straightforward, but there are caveats to consider.

The following products are used in this article:

Microsoft Windows Server 2003
Lotus Domino V7.0.1
Lotus Domino Administrator V7.0.1

Installation and setup

ADSync is included with the IBM Lotus Domino Administrator client as an installation option. It isn't installed by default, but is available as one of the optional program files, so you must select it during installation (see figure 1). In the Custom Setup window of the IBM Lotus Notes installation wizard, select the Domino Administrator option and the Domino Directory W2000 Sync Services sub-option.

Figure 1. ADSync option selected during Domino Administrator client installation

Once installed, ADSync consists of one DLL file (nadsync.dll) along with a help file (adsynch.chm). When you install ADSync on a Windows platform, you must complete installation with the following line:

Regsvr32 nadsync.dll

This registers ADSync as a Microsoft Management Console (MMC) snap-in, which makes it available in the Active Directory Users and Computers tool. Because regsvr32 writes the COM class registration into the machine-wide registry, run it from an administrator command prompt on the workstation where Domino Administrator is installed. Another installation issue involves establishing the appropriate security for both Lotus Domino and Active Directory administrators.
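Two things are worth checking around that regsvr32 step before you spend time on the rest of the setup: an MMC snap-in is loaded in-process by mmc.exe, so the DLL's bitness must match the mmc.exe that hosts Active Directory Users and Computers, and the registration itself should actually have landed in the registry. The script below is an added example written for this article, not code from the original text or from IBM's ADSync. It reads the COFF Machine field straight out of the PE header and, on Windows, scans HKEY_CLASSES_ROOT\CLSID for in-process servers that point at nadsync.dll. The install path under C:\Program Files\IBM\Lotus\Notes is an assumption, and the header-only PE images it builds for offline runs are constructed samples.

```python
"""Pre-flight checks around "regsvr32 nadsync.dll".

Added example for this article; it is not part of ADSync or of the
original text. A snap-in DLL is loaded in-process by mmc.exe, so its
bitness has to match the MMC host. The Notes program directory used
below is an assumption; adjust it to your install.
"""
import platform
import struct
import sys
from pathlib import Path

# COFF "Machine" values (IMAGE_FILE_MACHINE_* in winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86 (32-bit)", IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)"}


def pe_machine(image: bytes) -> int:
    """Return the COFF Machine field of a PE image held in memory.

    Layout: 'MZ' DOS header; the 4-byte e_lfanew at offset 0x3C points to
    'PE\\0\\0'; the COFF header follows and its first field is Machine.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return machine


def loadable_in_mmc(machine: int, host_is_64bit: bool) -> bool:
    """True if a DLL with this Machine value can be loaded by an mmc.exe of the given bitness."""
    if machine == IMAGE_FILE_MACHINE_I386:
        return not host_is_64bit
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return host_is_64bit
    return False


def minimal_pe(machine: int) -> bytes:
    """Build a synthetic, header-only PE image (constructed sample for offline runs)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)        # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<H", machine) + b"\0" * 18   # Machine + the rest of the 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff


def registered_inproc_servers(dll_name: str) -> list:
    """Windows only: (CLSID, path) pairs whose InprocServer32 default value ends in dll_name.

    Run after regsvr32 to confirm the COM registration actually landed.
    """
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as clsids:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsids, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                server = winreg.QueryValue(clsids, clsid + r"\InprocServer32")
            except OSError:
                continue  # not an in-process server
            if server.strip('"').lower().endswith(dll_name.lower()):
                hits.append((clsid, server))
    return hits


def report(image: bytes, host_is_64bit: bool) -> str:
    machine = pe_machine(image)
    name = MACHINE_NAMES.get(machine, "unknown machine 0x%04X" % machine)
    verdict = "loadable" if loadable_in_mmc(machine, host_is_64bit) else "NOT loadable"
    return "%s; %s in a %s-bit mmc.exe" % (name, verdict, "64" if host_is_64bit else "32")


if __name__ == "__main__":
    host_64 = platform.machine().upper() in ("AMD64", "X86_64", "ARM64")
    dll = Path(r"C:\Program Files\IBM\Lotus\Notes\nadsync.dll")  # assumed location
    image = dll.read_bytes() if dll.is_file() else minimal_pe(IMAGE_FILE_MACHINE_I386)
    print("nadsync.dll:", report(image, host_64))
    for clsid, path in registered_inproc_servers("nadsync.dll"):
        print("registered as", clsid, "->", path)
```

When the DLL is not found the script falls back to a constructed 32-bit header so it still runs; point it at the real file to get a verdict for your workstation. A "NOT loadable" result means the snap-in will never appear in the console no matter how cleanly regsvr32 succeeded.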

Integrating IBM Lotus Domino Directory with Microsoft Active Directo... http://www.ibm.com/developerworks/lotus/library/domino-adsync/

1 of 9 31/07/2012 9:45 PM


Setting up security

A key aspect of using ADSync is security. Active Directory administrators need administrative access to the appropriate Domino Directory, and Domino administrators require appropriate Active Directory access. Active Directory administrators require a properly certified Notes ID and necessary access to work with the Domino Directory. In addition, policies must be created for all Domino certifiers in which users are created. On the flip side, Domino administrators must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends copying the certifier ID file (cert.id) from the Domino server to the Domino Administrator data directory. Bear in mind what that file is: the certifier ID and its password can issue Notes IDs for the whole organization, so the workstation it is copied to must be protected to the same standard as the server copy, and the copy should be removed when it is no longer needed.

The final installation step involves initializing the ADSync tool from the Active Directory Users and Computers tool. To do this, double-click the Domino Directory synchronization object to initiate the process (see figure 2). You're asked for the Domino server followed by the password prompt for the administrator (admin.id in the Domino server data directory). A dialog box appears to confirm successful setup.

Figure 2. Initializing the ADSync tool

The Lotus ADSync Options dialog box

After initialization is complete, the Lotus ADSync Options dialog box opens. (To access this window after initialization, double-click the Domino Directory synchronization selection in figure 2.) The Lotus ADSync Options dialog box contains the following four tabs:

Notes Synchronization Options. You can use this tab to enable or disable all synchronization options as well as selectively enable/disable options. In addition, you may specify when prompts are displayed (for all operations, deletions only, or no operations) as well as choose to use a Certificate Authority for certification (see figure 3).

Figure 3. Notes Synchronization Options tab

Notes Settings. On this tab, you identify the Domino server to use for all operations or specific servers for individual operations such as registration, synchronization, and deletion. In addition, you can specify Domino settings, including an administration ID, what happens during user deletion, a default certifier name, and policy along with Domino groups (see figure 4).


Figure 4. Notes Settings tab

Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it (see figure 5).

Figure 5. Field Mappings tab

Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies (see figure 6). By default, the certifier and policy selected during setup are used for all operations.

Figure 6. Container Mappings tab


The Help button is available on all tabs in the Lotus ADSync Options dialog box. It provides access to general MMC help as well as ADSync-specific topics. You can easily enable or disable synchronization and access the options and Help windows by right-clicking Domino Directory synchronization, as shown in figure 7, or by using the Action menu.

Figure 7. Enabling Domino Directory synchronization

With the options properly configured, you are ready to synchronize users between Active Directory and Domino Directory. You begin with the Domino Administrator client.

Using the Domino Administrator client

ADSync adds an Advanced option (see figure 8) to the Register Person dialog box. Selecting this option provides access to Active Directory options with the Windows User Options button in the Other tab of the Register Person dialog box.

Figure 8. Register Person dialog box in Lotus Domino


Figure 9 shows the window that opens when you click the Windows User Options button. Here you can specify whether or not a corresponding Active Directory user is created, which Active Directory to use, and the following Active Directory options: full name, logon name, and groups.

Figure 9. Active Directory options for a new Domino user

The Lotus Domino side of the process ends with user maintenance. Next, you work in Active Directory.

Using Active Directory

The Active Directory Users and Computers tool is available in Administrative Tools in Windows by selecting Administrative Tools - Active Directory Users and Computers. With ADSync initialized and set up, Domino Directory is now an option when you add Active Directory objects (people or groups). The New Object dialog box includes a "Register in Domino Directory" option; select this option to create the new object in Lotus Domino with the information entered in the fields.

In addition, you can add or synchronize an existing user in Lotus Domino by right-clicking the object in Active Directory and selecting the appropriate option. The dialog box shown in figure 10 opens when you select the Register in Domino option for an existing Active Directory user. You can use the default values and complete the user registration without prompts or supply a name and password for each selected user. An option lets you choose if registration should be attempted later if errors occur. After specifying the options, you can choose to register now, register later, or abort the process.

Figure 10. Registration options for Windows users and groups


In addition to working with individual users, you can also create groups from Active Directory. To do this, follow the user synchronization process, choosing to register or synchronize from the list of groups. You can also choose to create a group in Lotus Domino when it's created in Active Directory as shown in figure 11. In the New Object - Group dialog box, you enter a name for the group, select the group type, and add a description.

Figure 11. Creating a Domino Directory group from Active Directory

The newly created group appears in Lotus Domino as shown in figure 12. The Group name, Group type, and Description fields are completed with the input from the New Object dialog box. Notice that the new group has no characteristics that signal it was created using Active Directory: the Domino Directory records nothing that distinguishes an ADSync-created group from one created natively, so if you need to know which Domino groups are managed from Active Directory (for an ACL review, for example), you must keep track of that correlation yourself.

Figure 12. Domino group created using Active Directory and ADSync

As you can see, using the ADSync tool is straightforward, but as with any tool, you must consider certain caveats when you use ADSync from either Lotus Domino or Active Directory.

ADSync caveats

One of the trickier aspects of using ADSync is gaining a thorough understanding of what works from which side; that is, which operations can be performed from Active Directory and what can be handled from the Domino Administrator client. However, this is easy to understand if you use the information in table 1. The first column contains the task, and the next two columns designate whether or not the task works based on its origin.


Table 1. ADSync operations initiated from both Active Directory and Lotus Domino

Operation                               | From Active Directory                                                                          | From Lotus Domino
----------------------------------------|------------------------------------------------------------------------------------------------|-----------------------------------
Register user                           | Yes                                                                                            | Yes
Rename user created in Active Directory | Renames Active Directory user only                                                             | Renames Active Directory user only
Rename user created in Lotus Domino     | Yes                                                                                            | Yes
Synchronize user data                   | Yes                                                                                            | No
Delete user                             | Yes                                                                                            | Yes
Create group                            | Yes                                                                                            | No
Rename group                            | Yes                                                                                            | No
Synchronize group data                  | Overwrites the Domino Directory Members field with the membership defined in Active Directory | No
Delete group                            | No                                                                                             | Yes

A quick look at the table tells you that users can be created and deleted from either side, but whether a rename propagates depends upon where the user was created: a user created in Active Directory is renamed in Active Directory only, whichever side you start from. User data is synchronized from Active Directory, but not from Lotus Domino. Group creation is solely an Active Directory task, and group deletion is solely a Lotus Domino task. Note also what group synchronization does: it overwrites the Domino group's Members field with the Active Directory membership, so any members added on the Domino side are dropped, and because Domino groups are what database ACLs and server access lists evaluate, whoever can edit the Active Directory group effectively controls that access after the next synchronization. So putting ADSync to use in your environment requires familiarity with this table. Another issue involves dealing with passwords.
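Because the Domino Directory carries no marker for groups that came from Active Directory (the point made under figure 12), and because the "synchronize group data" row of table 1 replaces the Domino Members field outright, it is worth previewing a synchronization before enabling it. The script below is an added example written for this article, not code from the original text or from ADSync. It matches groups by name, models the sync as "Domino Members := Active Directory members", and reports which Domino-side members would be dropped, which would be added, and which groups exist only in Domino and are therefore untouched. All group and member names are constructed sample data; mapping an Active Directory name to the CN of a Domino hierarchical name is a simplification of ADSync's field mappings and is an assumption of this example, not documented ADSync behaviour.

```python
"""Preview the effect of an ADSync "synchronize group data" run on Domino groups.

Added example for this article; not part of ADSync or of the original text.
Table 1 says group synchronization overwrites the Domino Members field with
the Active Directory membership, and Domino records nothing marking a group
as AD-created, so groups are matched here by name. All names are constructed
sample data; matching an AD name to the CN of a Domino hierarchical name is
an assumption of this example.
"""
from dataclasses import dataclass, field


def domino_cn(name: str) -> str:
    """'CN=Tony Patton/O=Acme' and 'Tony Patton/Acme' both normalise to 'tony patton'."""
    first = name.split("/")[0].strip()
    if first[:3].upper() == "CN=":
        first = first[3:]
    return " ".join(first.split()).lower()


@dataclass
class GroupDiff:
    group: str
    would_remove: list = field(default_factory=list)  # Domino members the overwrite drops
    would_add: list = field(default_factory=list)     # AD members the overwrite introduces

    @property
    def changes(self) -> bool:
        return bool(self.would_remove or self.would_add)


def preview_group_sync(ad_groups: dict, domino_groups: dict, protected=()):
    """Model the sync: for every group present on both sides, Domino Members := AD members.

    Returns (diffs, domino_only, warnings):
      diffs       {group: GroupDiff} for groups that exist in both directories
      domino_only groups that exist only in Domino (ADSync cannot create groups
                  from the Domino side, so it leaves them alone)
      warnings    one line per protected group whose membership the sync would rewrite
    """
    diffs, warnings = {}, []
    domino_only = sorted(g for g in domino_groups if g not in ad_groups)
    for name, ad_members in ad_groups.items():
        if name not in domino_groups:
            continue  # not yet registered in Domino; nothing to lose on the first sync
        current = {domino_cn(m): m for m in domino_groups[name]}
        target = {domino_cn(m): m for m in ad_members}
        diff = GroupDiff(
            name,
            would_remove=sorted(current[k] for k in current.keys() - target.keys()),
            would_add=sorted(target[k] for k in target.keys() - current.keys()),
        )
        diffs[name] = diff
        if name in protected and diff.changes:
            warnings.append(
                f"{name}: protected Domino group would be rewritten from Active Directory "
                f"(-{len(diff.would_remove)} / +{len(diff.would_add)} members)"
            )
    return diffs, domino_only, warnings


# Constructed sample data (not taken from any real directory).
SAMPLE_AD_GROUPS = {
    "LocalDomainAdmins": ["Tony Patton", "Helpdesk Svc"],
    "Sales": ["Ann Lee", "Bob Ray", "Cy Dean"],
    "Marketing": ["Dee Fox"],
}
SAMPLE_DOMINO_GROUPS = {
    "LocalDomainAdmins": ["CN=Tony Patton/O=Acme", "CN=Domino Admin/O=Acme"],
    "Sales": ["CN=Ann Lee/O=Acme", "CN=Bob Ray/O=Acme"],
    "ServerAccess": ["CN=Tony Patton/O=Acme"],
}
# Groups whose Members field gates Domino administration or server access (assumed names).
SAMPLE_PROTECTED = ("LocalDomainAdmins", "ServerAccess")

if __name__ == "__main__":
    diffs, domino_only, warnings = preview_group_sync(
        SAMPLE_AD_GROUPS, SAMPLE_DOMINO_GROUPS, SAMPLE_PROTECTED
    )
    for name, d in diffs.items():
        print(f"{name}: remove {d.would_remove or '-'}; add {d.would_add or '-'}")
    print("Domino-only groups (untouched):", domino_only)
    for w in warnings:
        print("WARNING", w)
```

On the sample data the run shows LocalDomainAdmins losing the Domino-only administrator and gaining the Active Directory service account, which is exactly the kind of change you want to see in a review before, not after, the Members field is overwritten.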

Consistent passwords

When registering a new user in Active Directory Users and Computers, the password is entered twice, and ADSync takes the password at that moment and populates it into the Domino Directory. Once the initial registration is complete, Active Directory stores only a one-way hash of the password, and that hash is not readable through the directory in any case, so ADSync cannot obtain the current password to perform further updates to either the Notes ID or the HTTP password in Domino. Passwords changed later on either side therefore drift apart.

A better approach to keeping user passwords synchronized is available through the single sign-on (SSO) feature during installation of the Lotus Notes client (see figure 13). When you install Lotus Notes, select the Client Single Logon Feature sub-option to enable SSO, and a security policy can change the HTTP password when the Notes password is changed. Outside of Lotus Domino, IBM Tivoli Directory Integrator can provide some password synchronization functionality between the Domino Directory and Active Directory.

The SSO feature lets users use one logon for both Lotus Notes and the operating system. It's advantageous for users because it presents only one authentication mechanism, but it requires more administrative legwork due to the client installation and configuration, and it ties the two credentials together: whatever compromises the Windows logon also opens the Notes ID.

Figure 13. Installing SSO during Lotus Notes installation

Programming

A common question about using ADSync has to do with programmatic support: Can you use ADSync when you create Domino users using scripts? The short answer is no. ADSync is an MMC snap-in meant to simplify the life of a system administrator. However, it provides no programmatic options for simplifying user or group creation and/or synchronization.

You can use ADSync to register Domino users at the time of Active Directory user creation or after the fact and vice versa. At a low level, the ability to create Active Directory users is available in Lotus Notes, but it isn't exposed to developers by way of any available API in C, in Java, or in LotusScript. You may think that Active Directory interaction is available through the Microsoft .NET platform, but it doesn't provide access to ADSync features. You must use the Active Directory or Domino Directory interface to use ADSync functionality.

Conclusion

As any system administrator can tell you, managing enterprise users and groups is a time-consuming process. It can be even more grueling when the enterprise uses multiple, disparate systems. It's advantageous to have a single interface for tackling administrative chores like creating, deleting, and configuring users and groups. ADSync provides the answer by simplifying the process of keeping Active Directory and Domino Directory users and groups in sync. However, both sides of the ADSync process have caveats, so be prepared when you use the tool to ensure the results match your expectations.

Resources

Learn


developerWorks Migration Station Lotus page

IBM Redbook, "Migrating from Microsoft Exchange 2000/2003 to Lotus Notes and Domino 7"

IBM Redbook, "Active Directory Synchronization With Lotus ADSync"

IBM Redbook, "Getting the Most From Your Domino Directory"

Windows 2003 Active Directory Technology Center


About the author

Tony Patton is a consultant based in Louisville, Kentucky. He works with various technologies, including Lotus Notes/Domino, Java technology, and Microsoft .NET. He is the author of two books focusing on Lotus Notes/Domino development: Practical LotusScript and Domino Development with Java as well as weekly columns on CNet.com focusing on .NET and Web development. You can reach Tony at [email protected].


Total comments (1)

... just don't try it on 64-bit windows servers (AKA x64). It just doesn't work.

Posted by 3W5B_Ildar_Mulyukov on 10 March 2011
