Integrating IBM Lotus Domino Directory with Microsoft Active Directory using ADSync
Working with disparate systems is a common theme in most organizations, but different systems can be problematic when you're maintaining enterprise directories. A common scenario includes both the Microsoft Active Directory and IBM Lotus Domino within the corporate IT infrastructure. Lotus Domino is often used for enterprise messaging, whereas Active Directory handles network users. To simplify system administration, it's advantageous to maintain both directories from a single point. IBM recognized this need with the inclusion of the Lotus Domino Active Directory Synchronization tool, or ADSync, first available in Lotus Domino V6. It works with Microsoft Windows 2000 and later versions.
ADSync allows administrators to keep Domino Directory and Active Directory users and groups in sync. Administrators can register users, synchronize properties and passwords, and rename and delete users and groups in the Domino Directory when such actions are performed in Active Directory, and vice versa. Features include container and property mappings between the two directories and the use of policies for registering users. Setup and usage are straightforward, but there are caveats to consider.
The following products are used in this article:
- Microsoft Windows Server 2003
- Lotus Domino V7.0.1
- Lotus Domino Administrator V7.0.1
Installation and setup
ADSync is included with the IBM Lotus Domino Administrator client as an installation option. It isn’t installed by default, but is available as one of the optional program files, so you must select it during installation (see figure 1). In the Custom Setup window of the IBM Lotus Notes installation wizard, select the Domino Administrator option and the Domino Directory W2000 Sync Services sub-option.
Figure 1. ADSync option selected during Domino Administrator client installation
Once installed, ADSync consists of one DLL file (nadsync.dll) along with a help file (adsynch.chm). When you install ADSync on a Windows platform, you must complete installation with the following line:
This registers ADSync as a Microsoft Management Console (MMC) snap-in, which makes it available in the Active Directory Users and Computers tool. Another installation issue involves establishing the appropriate security for both Lotus Domino and Active Directory administrators.
Setting up security
A key aspect of using ADSync is security. Active Directory administrators need administrative access to the appropriate Domino Directory, and Domino administrators require appropriate Active Directory access. Active Directory administrators require a properly certified Notes ID and necessary access to work with the Domino Directory. In addition, policies must be created for all Domino certifiers in which users are created. On the flip side, Domino administrators must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends copying the certifier ID file (cert.id) from the Domino server to the Domino Administrator data directory.
The final installation step involves initializing the ADSync tool from the Active Directory Users and Computers tool. To do this, double-click the Domino Directory synchronization object to initiate the process (see figure 2). You're asked for the Domino server followed by the password prompt for the administrator (admin.id in the Domino server data directory). A dialog box appears to confirm successful setup.
Figure 2. Initializing the ADSync tool
The Lotus ADSync Options dialog box
After initialization is complete, the Lotus ADSync Options dialog box opens. (To access this window after initialization, double-click the Domino Directory synchronization selection in figure 2.) The Lotus ADSync Options dialog box contains the following four tabs:
- Notes Synchronization Options. You can use this tab to enable or disable all synchronization options as well as selectively enable/disable options. In addition, you may specify when prompts are displayed (for all operations, deletions only, or no operations) as well as choose to use a Certificate Authority for certification (see figure 3).
Figure 3. Notes Synchronization Options tab
- Notes Settings. On this tab, you identify the Domino server to use for all operations or specific servers for individual operations such as registration, synchronization, and deletion. In addition, you can specify Domino settings, including an administration ID, what happens during user deletion, a default certifier name, and policy along with Domino groups (see figure 4).
Figure 4. Notes Settings tab
- Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it (see figure 5).
Figure 5. Field Mappings tab
- Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies (see figure 6). By default, the certifier and policy selected during setup are used for all operations.
Figure 6. Container Mappings tab
The Help button is available on all tabs in the Lotus ADSync Options dialog box. It provides access to general MMC help as well as ADSync-specific topics. You can easily enable or disable synchronization and access the options and Help windows by right-clicking Domino Directory synchronization, as shown in figure 7, or by using the Action menu.
Figure 7. Enabling Domino Directory synchronization
With the options properly configured, you are ready to synchronize users between Active Directory and Domino Directory. You begin with the Domino Administrator client.
Using the Domino Administrator client
ADSync adds an Advanced option (see figure 8) to the Register Person dialog box. Selecting this option provides access to Active Directory options with the Windows User Options button in the Other tab of the Register Person dialog box.
Figure 8. Register Person dialog box in Lotus Domino
Figure 9 shows the window that opens when you click the Windows User Options button. Here you can specify whether or not a corresponding Active Directory user is created, which Active Directory to use, and the following Active Directory options: full name, logon name, and groups.
Figure 9. Active Directory options for a new Domino user
The Lotus Domino side of the process ends with user maintenance. Next, you work in Active Directory.
Using Active Directory
The Active Directory Users and Computers tool is available in Administrative Tools in Windows by selecting Administrative Tools - Active Directory Users and Computers. With ADSync initialized and set up, Domino Directory is now an option when you add Active Directory objects (people or groups). The New Object dialog box includes a "Register in Domino Directory" option; select this option to create the new object in Lotus Domino with the information entered in the fields.
In addition, you can add or synchronize an existing user in Lotus Domino by right-clicking the object in Active Directory and selecting the appropriate option. The dialog box shown in figure 10 opens when you select the Register in Domino option for an existing Active Directory user. You can use the default values and complete the user registration without prompts or supply a name and password for each selected user. An option lets you choose if registration should be attempted later if errors occur. After specifying the options, you can choose to register now, register later, or abort the process.
Figure 10. Registration options for Windows users and groups
In addition to working with individual users, you can also create groups from Active Directory. To do this, follow the user synchronization process, choosing to register or synchronize from the list of groups. You can also choose to create a group in Lotus Domino when it's created in Active Directory as shown in figure 11. In the New Object - Group dialog box, you enter a name for the group, select the group type, and add a description.
Figure 11. Creating a Domino Directory group from Active Directory
The newly created group appears in Lotus Domino as shown in figure 12. The Group name, Group type, and Description field are completed with the input from the New Object dialog box. Notice that the new group has no characteristics that signal it was created using Active Directory.
Figure 12. Domino group created using Active Directory and ADSync
As you can see, using the ADSync tool is straightforward, but as with any tool, you must consider certain caveats when you use ADSync from either Lotus Domino or Active Directory.
One of the trickier aspects of using ADSync is gaining a thorough understanding of what works from which side; that is, which operations can be performed from Active Directory and which can be handled from the Domino Administrator client. Table 1 summarizes this. The first column contains the task, and the next two columns designate whether the task works based on where it is initiated.
Table 1. ADSync operations initiated from both Active Directory and Lotus Domino
| Operation | From Active Directory | From Lotus Domino |
|---|---|---|
| Rename user created in Active Directory | Renames Active Directory user only | Renames Active Directory user only |
| Rename user created in Lotus Domino | Yes | Yes |
| Synchronize user data | Yes | No |
| Synchronize group data | Overwrites the Domino Directory Members field with the membership defined in Active Directory | No |
A quick look at the table tells you that users can be created and deleted from either side, but registering a user depends upon where the user was created. User data is easily synchronized between the systems from Active Directory, but not from Lotus Domino. Finally, group creation is solely an Active Directory task. So putting ADSync to use in your environment requires familiarity with this table. Another issue involves dealing with passwords.
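The following Python is an added illustration, not ADSync code and not part of the original article. It models two behaviours described above: the per-field mapping configured on the Field Mappings tab, and the group-data row of table 1, where a synchronization replaces the Domino Directory Members field with the Active Directory membership. The field names, hierarchical Notes names, account names and group contents are all constructed. The point is to show what a dry-run check, run before enabling synchronization, would surface: mapped fields that will change, Active Directory members that have no registered Domino counterpart, and Domino-only members (including nested Domino groups) that the overwrite would silently remove.

```python
"""Dry-run model of an ADSync-style user and group synchronization.

Everything here is constructed sample data; nothing contacts Active
Directory or Domino, and none of this is ADSync's own logic.
"""

# Constructed mapping of AD attributes to Domino Directory items, in the
# spirit of the Field Mappings tab. The Domino item names are assumptions.
FIELD_MAP = {
    "givenName": "FirstName",
    "sn": "LastName",
    "mail": "InternetAddress",
    "telephoneNumber": "OfficePhoneNumber",
}

# Constructed directory contents. AD users are keyed by account name,
# Domino users by hierarchical name.
AD_USERS = {
    "aadams": {"givenName": "Alice", "sn": "Adams",
               "mail": "alice.adams@example.com", "telephoneNumber": "555-0100"},
    "bbrown": {"givenName": "Bob", "sn": "Brown", "mail": "bob.brown@example.com"},
    "dlee": {"givenName": "Dana", "sn": "Lee"},            # never registered in Domino
}
DOMINO_USERS = {
    "CN=Alice Adams/O=Example": {"FirstName": "Alice", "LastName": "Adams",
                                 "InternetAddress": "alice.adams@example.com",
                                 "OfficePhoneNumber": "555-0199"},
    "CN=Bob Brown/O=Example": {"FirstName": "Bob", "LastName": "Brown",
                               "InternetAddress": "bob.brown@example.com"},
    "CN=Carol Cruz/O=Example": {"FirstName": "Carol", "LastName": "Cruz"},  # Domino-only user
}
# Which Domino person each registered AD account corresponds to (constructed).
AD_TO_DOMINO_NAME = {
    "aadams": "CN=Alice Adams/O=Example",
    "bbrown": "CN=Bob Brown/O=Example",
}
# The same group as each directory sees it (constructed).
AD_GROUP_MEMBERS = ["aadams", "bbrown", "dlee"]
DOMINO_GROUP_MEMBERS = ["CN=Alice Adams/O=Example", "CN=Carol Cruz/O=Example",
                        "LocalDomainAdmins"]   # nested Domino group, unknown to AD


def diff_user(ad_user, domino_user):
    """Return {domino_item: (old, new)} for every mapped field that would change.

    AD attributes that are absent are left alone; unmapped attributes are ignored.
    """
    changes = {}
    for ad_attr, dom_item in FIELD_MAP.items():
        if ad_attr not in ad_user:
            continue
        new = ad_user[ad_attr]
        old = domino_user.get(dom_item)
        if old != new:
            changes[dom_item] = (old, new)
    return changes


def group_sync_impact(ad_members, domino_members, name_map):
    """Model the table's caveat: Domino Members is replaced by the AD membership.

    Returns a dict with the resulting Members list, the Domino entries that
    would be dropped, the entries that would be added, and AD accounts that
    cannot be carried over because they have no Domino counterpart.
    """
    translated = set()
    unregistered = []
    for account in ad_members:
        dom_name = name_map.get(account)
        if dom_name is None:
            unregistered.append(account)
        else:
            translated.add(dom_name)
    current = set(domino_members)
    return {
        "result": sorted(translated),
        "dropped": sorted(current - translated),
        "added": sorted(translated - current),
        "unregistered": sorted(unregistered),
    }


if __name__ == "__main__":
    for account, dom_name in AD_TO_DOMINO_NAME.items():
        print(account, "->", diff_user(AD_USERS[account], DOMINO_USERS[dom_name]))
    report = group_sync_impact(AD_GROUP_MEMBERS, DOMINO_GROUP_MEMBERS, AD_TO_DOMINO_NAME)
    for key, value in report.items():
        print(f"{key:>12}: {value}")
```

Run stand-alone, the group report lists the Domino-only user and the nested Domino group under "dropped", which is exactly the membership that a synchronization from Active Directory would remove without any prompt on the Domino side. The user diff shows only the one mapped field whose value differs, so a reviewer can confirm the field mappings before the first synchronization.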
When registering a new user in Active Directory Users and Computers, the password is entered twice, and ADSync takes the password information from AD at that moment and populates it into the Domino Directory. Once the password has been set during the initial user registration, the password is then encrypted in AD, so ADSync cannot read the existing password to perform further updates to either the Notes ID or the HTTP password in Domino.
A better way to keep user passwords synchronized is available through the single sign-on (SSO) feature offered during installation of the Lotus Notes client (see figure 13). When you install Lotus Notes, select the Client Single Logon Feature sub-option to enable SSO; a security policy can then change the HTTP password when the Notes password is changed. Outside of Lotus Domino, IBM offers a Tivoli Directory Integrator tool that can provide some password synchronization functionality between the Domino Directory and Active Directory.
The SSO feature lets users use one logon for both Lotus Notes and the operating system. It’s advantageous for users because it presents only one authentication mechanism, but it requires more administrative legwork due to the client installation and configuration.
Figure 13. Installing SSO during Lotus Notes installation
A common question about using ADSync has to do with programmatic support: Can you use ADSync when you create Domino users using scripts? The short answer is no. ADSync is an MMC snap-in meant to simplify the life of a system administrator. However, it provides no programmatic options for simplifying user or group creation and/or synchronization.
You can use ADSync to register Domino users at the time of Active Directory user creation or after the fact and vice versa. At a low level, the ability to create Active Directory users is available in Lotus Notes, but it isn't exposed to developers by way of any available API in C, in Java, or in LotusScript. You may think that Active Directory interaction is available through the Microsoft .NET platform, but it doesn’t provide access to ADSync features. You must use the Active Directory or Domino Directory interface to use ADSync functionality.
As any system administrator can tell you, managing enterprise users and groups is a time-consuming process. It can be even more grueling when the enterprise uses multiple, disparate systems. It’s advantageous to have a single interface for tackling administrative chores like creating, deleting, and configuring users and groups. ADSync provides the answer by simplifying the process of keeping Active Directory and Domino Directory users and groups in sync. However, both sides of the ADSync process have caveats, so be prepared when you use the tool to ensure the results match your expectations.