Active Directory Synchronization with Lotus ADSync
Redbooks Paper
© Copyright IBM Corp. 2002. All rights reserved. ibm.com/redbooks
Active Directory Synchronization
with Lotus ADSync
The Active Directory Synchronization tool, or ADSync, allows Active Directory
administrators to manage (register, delete, and rename) users and groups in
both Active Directory and the Domino Directory as a unified operation from the
Active Directory Users and Computers Console.
In this paper, we describe some of the capabilities of the Domino 6 server and
the new feature that enables you to synchronize the Domino Directory with Active
Directory. This paper assumes you have a Domino server up and running and
Active Directory installed. To use Lotus Active Directory Synchronization, the
Domino Administration client must be installed on the same workstation used to
manage users and computers within your Active Directory.
We describe in detail how to install and set up the ADSync tool. Detailed
instructions for creating users in Domino Directory using Active Directory Users
and Computers Console are given. We also show how to register users into
Active Directory from Domino.
Billy Boykin
Tommi Tulisalo
Active Directory synchronization
Domino administrators working in a Windows 2000 environment with Active
Directory can now administer users and groups from a single administrative
interface of their choice: the Domino Administration client or Windows 2000
Active Directory Users and Computers. This new feature of the Domino 6 server,
ADSync, lets you keep both the Domino Directory and Active Directory current
without having to manually update both with changes. This synchronization
feature allows a Domino administrator to securely and precisely delegate the
responsibility for Domino user and group management to the network
administrators who manage these details in Active Directory.
You can create new users and groups in Active Directory and have those
changes reflected in the Domino Directory, including the creation of person or
group documents, Notes IDs, passwords, and mail files for the users. In order to
accomplish these tasks, the Active Directory administrator must have a properly
certified Notes ID and appropriate access to make changes in the Domino
Directory. The registration server must be Domino 6 or later and the Domino
Administration client must be a 6 or later client. Additionally, policies must be
created that contain subpolicies, either implicit or explicit, for all Domino certifiers
where users will be created. Finally, you must have the appropriate rights in
Active Directory to add users and groups, and synchronize passwords.
For demonstration purposes, you may install Active Directory, Domino Server,
and the Domino Administration client on a single workstation. In a production
environment, the Domino server and the Active Directory will likely be installed
on separate servers.
For this document we used a Domino server running on Linux and a separate
Windows 2000 Server with Active Directory and the Domino Administration
Client installed.
The only requirement for utilizing the ADSync tool is to work from a workstation
that administers the Active Directory and that also has the Domino 6
Administration client installed.
Note: Refer to the Lotus Domino Administrator 6 Help for information on
policies and subpolicies.
Note: If you install all components on a single workstation for demonstration
purposes, you must change the LDAP port settings for either Active Directory
or Domino. By default, both will be listening on port 389; therefore, one of the
two will fail to function properly.
Figure 1 Active Directory synchronization: Server diagram
Active Directory synchronization in our demo environment is illustrated in
Figure 1.
Installing the Lotus ADSync tool
In order to use the ADSync tool, you must turn on Domino Directory W2000 Sync
Services during the installation of the Domino Administration client. This option is
only available with the customize button during the Domino Administration client
installation.
The synchronization option is not selected by default; therefore, check the
appropriate box.
Note: Active Directory synchronization will work regardless of the platform
Domino Server is running on.
[Figure 1 diagram labels: ITSO Domino Domain containing two Domino 6 servers, itsoredhat.lotus.com (Linux RedHat 7.2) and itsosuse.lotus.com (Linux SuSE 8.0), each holding the ITSO Domino Directory; ITSO Windows Domain containing a Windows 2000 Advanced Server with Active Directory, the Domino 6 Administration Client and Lotus ADSync; links marked Active Directory Replication, Directory synchronization, Active Directory synchronization and Ethernet connection]
Figure 2 Domino Administration Client Installation: Customize
After installing the Domino Administration client, start a DOS command prompt
window, and navigate to the directory where you installed the client. Enter the
following command and press Enter:
c:\Program Files\Lotus\Notes> regsvr32 nadsync.dll
The command adds a container entry for Lotus Domino Options to the Active
Directory Users and Computers management screen and returns the
confirmation shown in Figure 3.
Figure 3 ADSync: RegSvr32
You are now ready to administer users and groups in Active Directory.
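The regsvr32 step above registers nadsync.dll as a COM in-process server that the Active Directory Users and Computers snap-in will later load. As an added check that is not part of the IBM paper, the following PowerShell script (assuming the Notes client lives under the $NotesDir path given; the registered class identifiers are not known here, so entries are found by their InprocServer32 path) confirms that every registration points at the DLL in the Notes program directory, that the file exists, and reports its Authenticode signature status:

```powershell
# Added example, not from the IBM paper. Verifies the COM registration created by
# "regsvr32 nadsync.dll": the snap-in must load the DLL from the Notes program
# directory, not a same-named file elsewhere on the system.
# Assumption: the Domino Administration client is installed under $NotesDir.
param([string]$NotesDir = 'C:\Program Files\Lotus\Notes')

$expected = Join-Path $NotesDir 'nadsync.dll'

# Enumerate every CLSID whose in-process server is a file named nadsync.dll.
$servers = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $key) {
            # The default value holds the DLL path, sometimes quoted.
            $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if ($dll -like '*nadsync.dll') {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Path = $dll }
                }
            }
        }
    }

if (-not $servers) {
    Write-Warning "nadsync.dll is not registered; rerun regsvr32 from $NotesDir"
    return
}

# One row per registration: does the path match the Notes directory, does the
# file exist, and what does the Authenticode check say about it?
foreach ($s in $servers) {
    $exists = Test-Path -LiteralPath $s.Path
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $s.Path).Status } else { 'FileMissing' }
    [pscustomobject]@{
        CLSID           = $s.CLSID
        RegisteredPath  = $s.Path
        MatchesNotesDir = ($s.Path -ieq $expected) -and $exists
        Signature       = $sig
    }
}
```

Any row whose MatchesNotesDir is False, or whose Signature is not Valid, means the snap-in would load something other than the DLL shipped with the Administration client and should be investigated before the tool is used.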
Creating users and groups in Active Directory
To access Active Directory Users and Computers from your Windows workstation
click Start -> Programs -> Administrative Tools -> Active Directory Users
and Computers. You may initiate Active Directory “actions” in the right-hand
results pane, or in the left-hand navigation pane. Domino users and groups are
created by either of two methods:
– In the left pane, right-click an entry and choose your action from the pop-up
menu.
– In the results pane, select one or more users and groups, then select
“Register in Domino” from the context menu, from the toolbar, or by
right-clicking the entry and using the pop-up menu.
Before you start registering users and groups from Active Directory, you must
enable the Lotus Domino Option. Use the following steps to do this.
1. From the Active Directory Container shown in Figure 4, double-click the Lotus
Domino entry.
Figure 4 Active Directory Users and Computers
Note: Refer to your Windows 2000 documentation for more information about
working with Active Directory Users and Computers.
Figure 5 Active Directory Users and Groups: Lotus Domino options
2. Double-click the entry for Domino Directory synchronization in the results
pane shown in Figure 5 to initialize the Lotus ADSync tool. This will require
the password for the Domino administrator working from the Active Directory
Users and Groups console.
Figure 6 Initializing Lotus ADSync
3. You are then prompted to select a Domino server for all Active
Directory/Notes user synchronizations (Figure 7). Select the appropriate
Domino server from the drop-down selection box.
Figure 7 Lotus ADSync: Choose Domino Server
4. If the initialization was successful you should see the window shown in
Figure 8.
Figure 8 Lotus ADSync initialized
With ADSync initialization complete, you have the opportunity to choose several
synchronization options, as shown in the next four windows.
Note: Refer to the Help files available from the Lotus ADSync Options window
shown in Figure 9. This window is accessible by right-clicking the Domino
Directory Synchronization entry and choosing Options.
Figure 9 Lotus ADSync: Notes synchronization options
From the Notes Synchronization Options tab you can:
– Enable or disable all synchronization operations
– Customize synchronization options with “Select synchronization
operations to enable.”
– Configure prompting options from the drop-down selection box
– Choose to use the CA process for user registration
Figure 10 Lotus ADSync: Notes settings
On the Notes Settings tab you can specify:
– Registration server (which Domino server will be used for registration)
– Administration ID (which user ID will have administrative privileges)
– User deletion options (From the drop-down selection box, choose which
actions should take place when a user is deleted.)
– Default certifier and policy
– Group type mappings
...