Redbooks Paper

© Copyright IBM Corp. 2002. All rights reserved.

Active Directory Synchronization with Lotus ADSync

The Active Directory Synchronization tool, or ADSync, allows Active Directory administrators to manage (register, delete, and rename) users and groups in both Active Directory and the Domino Directory as a unified operation from the Active Directory Users and Computers Console.

In this paper, we describe some of the capabilities of the Domino 6 server and the new feature that enables you to synchronize the Domino Directory with Active Directory. This paper assumes you have a Domino server up and running and Active Directory installed. To use Lotus Active Directory Synchronization, the Domino Administration client must be installed on the same workstation used to manage users and computers within your Active Directory.

We describe in detail how to install and set up the ADSync tool. Detailed instructions for creating users in the Domino Directory using the Active Directory Users and Computers Console are given. We also show how to register users into Active Directory from Domino.

Billy Boykin

Tommi Tulisalo

Active Directory synchronization

Domino administrators working in a Windows 2000 environment with Active Directory can now administer users and groups from a single administrative interface of their choice: the Domino Administration client or Windows 2000 Active Directory Users and Computers. This new feature of the Domino 6 server, ADSync, lets you keep both the Domino Directory and Active Directory current without having to manually update both with changes. This synchronization feature allows a Domino administrator to securely and precisely delegate the responsibility for Domino user and group management to the network administrators who manage these details in Active Directory.

You can create new users and groups in Active Directory and have those changes reflected in the Domino Directory, including the creation of person or group documents, Notes IDs, passwords, and mail files for the users. In order to accomplish these tasks, the Active Directory administrator must have a properly certified Notes ID and appropriate access to make changes in the Domino Directory. The registration server must be Domino 6 or later, and the Domino Administration client must be a Domino 6 or later client. Additionally, policies must be created that contain subpolicies, either implicit or explicit, for all Domino certifiers where users will be created. Finally, you must have the appropriate rights in Active Directory to add users and groups, and to synchronize passwords.

For demonstration purposes, you may install Active Directory, Domino Server, and the Domino Administration client on a single workstation. In a production environment, the Domino server and the Active Directory will likely be installed on separate servers.

For this document we used a Domino server running on Linux and a separate Windows 2000 Server with Active Directory and the Domino Administration client installed.

The only requirement for utilizing the ADSync tool is to work from a workstation that administers the Active Directory and that also has the Domino 6 Administration client installed.

Note: Refer to the Lotus Domino Administrator 6 Help for information on policies and subpolicies.

Note: If you install all components on a single workstation for demonstration purposes, you must change the LDAP port settings for either Active Directory or Domino. By default, both will be listening on port 389; therefore, one of the two will fail to function properly.

Figure 1 Active Directory synchronization: Server diagram

Active Directory synchronization in our demo environment is illustrated in Figure 1.

Installing the Lotus ADSync tool

In order to use the ADSync tool, you must turn on Domino Directory W2000 Sync Services during the installation of the Domino Administration client. This option is only available with the customize button during the Domino Administration client


The synchronization option is not selected by default; therefore, check the appropriate box.

Note: Active Directory synchronization will work regardless of the platform Domino Server is running on.

