Integrating IBM Lotus Domino Directory with Microsoft Active Directory using ADSync

An enterprise IT environment with multiple directory platforms is a common scenario, and IBM Lotus Domino Directory and Microsoft Active Directory are popular choices within this scenario. This article explains one way to get these two directories to communicate easily using the Lotus Domino Active Directory Synchronization tool (ADSync).


Tony Patton (aspatton@bellsouth.net), Consultant

Tony Patton is a consultant based in Louisville, Kentucky. He works with various technologies, including Lotus Notes/Domino, Java technology, and Microsoft .NET. He is the author of two books focusing on Lotus Notes/Domino development: Practical LotusScript and Domino Development with Java as well as weekly columns on CNet.com focusing on .NET and Web development. You can reach Tony at aspatton@bellsouth.net.



28 July 2009 (First published 02 January 2007)


Working with disparate systems is a common theme in most organizations, but different systems can be problematic when you're maintaining enterprise directories. A common scenario includes both the Microsoft Active Directory and IBM Lotus Domino within the corporate IT infrastructure. Lotus Domino is often used for enterprise messaging, whereas Active Directory handles network users. To simplify system administration, it's advantageous to maintain both directories from a single point. IBM recognized this need with the inclusion of the Lotus Domino Active Directory Synchronization tool, or ADSync, first available in Lotus Domino V6. It works with Microsoft Windows 2000 and later versions.

ADSync allows administrators to keep Domino Directory and Active Directory users and groups in sync. Administrators can register users and groups, synchronize properties and passwords, and rename and delete users and groups in the Domino Directory when such actions are performed in Active Directory, and vice versa. Features include container and property mappings between the two directories and the use of policies for registering users. Setup and usage are straightforward, but there are caveats to consider.

The following products are used in this article:

  • Microsoft Windows Server 2003
  • Lotus Domino V7.0.1
  • Lotus Domino Administrator V7.0.1

Installation and setup

ADSync is included with the IBM Lotus Domino Administrator client as an installation option. It isn’t installed by default, but is available as one of the optional program files, so you must select it during installation (see figure 1). In the Custom Setup window of the IBM Lotus Notes installation wizard, select the Domino Administrator option and the Domino Directory W2000 Sync Services sub-option.

Figure 1. ADSync option selected during Domino Administrator client installation

Once installed, ADSync consists of one DLL file (nadsync.dll) and a help file (adsynch.chm). On Windows, you must complete the installation by registering the DLL with the following command, run from an elevated command prompt in the directory that contains the DLL:

Regsvr32 nadsync.dll

This registers ADSync as a Microsoft Management Console (MMC) snap-in, which makes it available in the Active Directory Users and Computers tool. Another installation issue involves establishing the appropriate security for both Lotus Domino and Active Directory administrators.
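The registration step above is a one-line command, but because it installs a COM server that MMC will load with administrator privileges, it is worth checking the file before registering it and confirming afterward that the snap-in actually appeared. The following PowerShell script is an added example, not part of the original article or of IBM's tooling. It assumes a placeholder Notes program directory (adjust the path), assumes that the registered snap-in's display name contains "Domino" (the article calls the object "Domino Directory synchronization"), and relies on the standard MMC registry layout under HKLM\SOFTWARE\Microsoft\MMC\SnapIns, where each snap-in's CLSID subkey carries a NameString value.

```powershell
# Added example (not from the article): verify nadsync.dll, register it with
# regsvr32, and confirm the MMC snap-in registration. Run from an elevated prompt.

# Assumed, placeholder path to the Notes/Domino Administrator program directory.
$NotesProgramDir = 'C:\Program Files\IBM\Lotus\Notes'
$Dll = Join-Path $NotesProgramDir 'nadsync.dll'

if (-not (Test-Path -LiteralPath $Dll)) {
    throw "nadsync.dll not found in $NotesProgramDir; install the 'Domino Directory W2000 Sync Services' option of Domino Administrator first."
}

# Check the Authenticode signature before registering a COM DLL system-wide.
# A missing or invalid signature is a reason to stop and confirm where the file came from.
$sig = Get-AuthenticodeSignature -FilePath $Dll
if ($sig.Status -ne 'Valid') {
    Write-Warning "nadsync.dll signature status is '$($sig.Status)'; confirm the file came from the Domino Administrator installer before continuing."
} else {
    "Signer: $($sig.SignerCertificate.Subject)"
}

# Register the snap-in. /s suppresses the confirmation dialog; -Verb RunAs
# requests elevation if the current shell is not already elevated.
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$Dll`"" `
    -Wait -PassThru -Verb RunAs
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 failed with exit code $($proc.ExitCode)"
}

# MMC snap-ins are listed under HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID};
# NameString holds the display name. Matching on 'Domino' is an assumption.
$snapins = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.NameString -like '*Domino*' }

if (-not $snapins) {
    throw 'regsvr32 succeeded, but no MMC snap-in with "Domino" in its name is registered.'
}
$snapins | Select-Object PSChildName, NameString
```

The script stops on a missing file or a non-zero regsvr32 exit code, and only warns on a signature problem so that an unsigned but expected build can still be registered deliberately after you have confirmed its origin.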

Setting up security

A key aspect of using ADSync is security. Active Directory administrators need administrative access to the appropriate Domino Directory, and Domino administrators require appropriate Active Directory access. Active Directory administrators require a properly certified Notes ID and necessary access to work with the Domino Directory. In addition, policies must be created for all Domino certifiers in which users are created. On the flip side, Domino administrators must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends copying the certifier ID file (cert.id) from the Domino server to the Domino Administrator data directory.

The final installation step involves initializing the ADSync tool from the Active Directory Users and Computers tool. To do this, double-click the Domino Directory synchronization object to initiate the process (see figure 2). You're asked for the Domino server followed by the password prompt for the administrator (admin.id in the Domino server data directory). A dialog box appears to confirm successful setup.

Figure 2. Initializing the ADSync tool

The Lotus ADSync Options dialog box

After initialization is complete, the Lotus ADSync Options dialog box opens. (To access this window after initialization, double-click the Domino Directory synchronization selection in figure 2.) The Lotus ADSync Options dialog box contains the following four tabs:

  • Notes Synchronization Options. You can use this tab to enable or disable all synchronization options as well as selectively enable/disable options. In addition, you may specify when prompts are displayed (for all operations, deletions only, or no operations) as well as choose to use a Certificate Authority for certification (see figure 3).
    Figure 3. Notes Synchronization Options tab
  • Notes Settings. On this tab, you identify the Domino server to use for all operations or specific servers for individual operations such as registration, synchronization, and deletion. In addition, you can specify Domino settings, including an administration ID, what happens during user deletion, a default certifier name, and policy along with Domino groups (see figure 4).
    Figure 4. Notes Settings tab
  • Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it (see figure 5).
    Figure 5. Field Mappings tab
  • Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies (see figure 6). By default, the certifier and policy selected during setup are used for all operations.
    Figure 6. Container Mappings tab

The Help button is available on all tabs in the Lotus ADSync Options dialog box. It provides access to general MMC help as well as ADSync-specific topics. You can easily enable or disable synchronization and access the options and Help windows by right-clicking Domino Directory synchronization, as shown in figure 7, or by using the Action menu.

Figure 7. Enabling Domino Directory synchronization

With the options properly configured, you are ready to synchronize users between Active Directory and Domino Directory. You begin with the Domino Administrator client.


Using the Domino Administrator client

ADSync adds an Advanced option (see figure 8) to the Register Person dialog box. Selecting this option provides access to Active Directory options with the Windows User Options button in the Other tab of the Register Person dialog box.

Figure 8. Register Person dialog box in Lotus Domino

Figure 9 shows the window that opens when you click the Windows User Options button. Here you can specify whether or not a corresponding Active Directory user is created, which Active Directory to use, and the following Active Directory options: full name, logon name, and groups.

Figure 9. Active Directory options for a new Domino user

The Lotus Domino side of the process ends with user maintenance. Next, you work in Active Directory.


Using Active Directory

The Active Directory Users and Computers tool is available in Administrative Tools in Windows by selecting Administrative Tools - Active Directory Users and Computers. With ADSync initialized and set up, Domino Directory is now an option when you add Active Directory objects (people or groups). The New Object dialog box includes a "Register in Domino Directory" option; select this option to create the new object in Lotus Domino with the information entered in the fields.

In addition, you can add or synchronize an existing user in Lotus Domino by right-clicking the object in Active Directory and selecting the appropriate option. The dialog box shown in figure 10 opens when you select the Register in Domino option for an existing Active Directory user. You can use the default values and complete the user registration without prompts or supply a name and password for each selected user. An option lets you choose if registration should be attempted later if errors occur. After specifying the options, you can choose to register now, register later, or abort the process.

Figure 10. Registration options for Windows users and groups

In addition to working with individual users, you can also create groups from Active Directory. To do this, follow the user synchronization process, choosing to register or synchronize from the list of groups. You can also choose to create a group in Lotus Domino when it's created in Active Directory as shown in figure 11. In the New Object - Group dialog box, you enter a name for the group, select the group type, and add a description.

Figure 11. Creating a Domino Directory group from Active Directory

The newly created group appears in Lotus Domino as shown in figure 12. The Group name, Group type, and Description fields are completed with the input from the New Object dialog box. Notice that the new group has no characteristics that signal it was created using Active Directory.

Figure 12. Domino group created using Active Directory and ADSync

As you can see, using the ADSync tool is straightforward, but as with any tool, you must consider certain caveats when you use ADSync from either Lotus Domino or Active Directory.


ADSync caveats

One of the trickier aspects of using ADSync is gaining a thorough understanding of what works from which side; that is, which operations can be performed from Active Directory and what can be handled from the Domino Administrator client. However, this is easy to understand if you use the information in table 1. The first column contains the task, and the next two columns designate whether or not the task works based on its origin.

Table 1. ADSync operations initiated from both Active Directory and Lotus Domino

  Operation                               | From Active Directory                                                                           | From Lotus Domino
  ----------------------------------------|-------------------------------------------------------------------------------------------------|-------------------------------------
  Register user                           | Yes                                                                                             | Yes
  Rename user created in Active Directory | Renames Active Directory user only                                                              | Renames Active Directory user only
  Rename user created in Lotus Domino     | Yes                                                                                             | Yes
  Synchronize user data                   | Yes                                                                                             | No
  Delete user                             | Yes                                                                                             | Yes
  Create group                            | Yes                                                                                             | No
  Rename group                            | Yes                                                                                             | No
  Synchronize group data                  | Overwrites the Domino Directory Members field with the membership defined in Active Directory   | No
  Delete group                            | No                                                                                              | Yes

A quick look at the table tells you that users can be created and deleted from either side, but whether a rename reaches both directories depends on where the user was created. User data is easily synchronized between the systems from Active Directory, but not from Lotus Domino. Finally, group creation is solely an Active Directory task. So putting ADSync to use in your environment requires familiarity with this table. Another issue involves dealing with passwords.

Consistent passwords

When registering a new user in Active Directory Users and Computers, the password is entered twice, and ADSync takes the password from AD at that time and populates it into the Domino Directory. Once the password has been set during the initial user registration, it is encrypted in AD, so ADSync cannot read the existing password to perform further updates to either the Notes ID or the HTTP password in Domino.

A better approach to keeping user passwords synchronized is available through the single sign-on (SSO) feature during installation of the Lotus Notes client (see figure 13). When you install Lotus Notes, select the Client Single Logon Feature sub-option to enable SSO; a security policy can then change the HTTP password when the Notes password is changed. Outside of Lotus Domino, IBM offers a Tivoli Directory Integration tool that can provide some password synchronization functionality between the Domino Directory and Active Directory.

The SSO feature lets users use one logon for both Lotus Notes and the operating system. It’s advantageous for users because it presents only one authentication mechanism, but it requires more administrative legwork due to the client installation and configuration.

Figure 13. Installing SSO during Lotus Notes installation

Programming

A common question about using ADSync has to do with programmatic support: Can you use ADSync when you create Domino users using scripts? The short answer is no. ADSync is an MMC snap-in meant to simplify the life of a system administrator. However, it provides no programmatic options for simplifying user or group creation and/or synchronization.

You can use ADSync to register Domino users at the time of Active Directory user creation or after the fact and vice versa. At a low level, the ability to create Active Directory users is available in Lotus Notes, but it isn't exposed to developers by way of any available API in C, in Java, or in LotusScript. You may think that Active Directory interaction is available through the Microsoft .NET platform, but it doesn’t provide access to ADSync features. You must use the Active Directory or Domino Directory interface to use ADSync functionality.


Conclusion

As any system administrator can tell you, managing enterprise users and groups is a time-consuming process. It can be even more grueling when the enterprise uses multiple, disparate systems. It’s advantageous to have a single interface for tackling administrative chores like creating, deleting, and configuring users and groups. ADSync provides the answer by simplifying the process of keeping Active Directory and Domino Directory users and groups in sync. However, both sides of the ADSync process have caveats, so be prepared when you use the tool to ensure the results match your expectations.
