
Integrating IBM Lotus Domino Directory with Microsoft Active Directo...

http://www.ibm.com/developerworks/lotus/library/domino-adsync/


Integrating IBM Lotus Domino Directory with Microsoft Active Directory using ADSync
Tony Patton (aspatton@bellsouth.net), Consultant

Summary: An enterprise IT environment with multiple directory platforms is a common scenario, and IBM Lotus Domino Directory and Microsoft Active Directory are popular choices within this scenario. This article explains one way to get these two directories to communicate easily using the Lotus Domino Active Directory Synchronization tool (ADSync).

Date: 28 Jul 2009 (Published 02 Jan 2007)
Level: Intermediate
Also available in: Chinese, Russian

Working with disparate systems is a common theme in most organizations, but different systems can be problematic when you're maintaining enterprise directories. A common scenario includes both Microsoft Active Directory and IBM Lotus Domino within the corporate IT infrastructure. Lotus Domino is often used for enterprise messaging, whereas Active Directory handles network users. To simplify system administration, it's advantageous to maintain both directories from a single point.

IBM recognized this need with the inclusion of the Lotus Domino Active Directory Synchronization tool, or ADSync, first available in Lotus Domino V6. It works with Microsoft Windows 2000 and later versions. ADSync allows administrators to keep Domino Directory and Active Directory users and groups in sync. Administrators can register users, synchronize properties and passwords, and rename and delete users and groups in the Domino Directory when such actions are performed in Active Directory, and vice versa. Features include container and property mappings between the two directories and the use of policies for registering users. Setup and usage are straightforward, but there are caveats to consider.
The following products are used in this article:

Microsoft Windows Server 2003
Lotus Domino V7.0.1
Lotus Domino Administrator V7.0.1

Installation and setup

ADSync is included with the IBM Lotus Domino Administrator client as an installation option. It isn't installed by default, but is available as one of the optional program files, so you must select it during installation (see figure 1). In the Custom Setup window of the IBM Lotus Notes installation wizard, select the Domino Administrator option and the Domino Directory W2000 Sync Services sub-option.

Figure 1. ADSync option selected during Domino Administrator client installation

Once installed, ADSync consists of one DLL file (nadsync.dll) along with a help file (adsynch.chm). When you install ADSync on a Windows platform, you must complete the installation by registering the DLL from the Notes program directory where it was installed:
Regsvr32 nadsync.dll

This registers ADSync as a Microsoft Management Console (MMC) snap-in, which makes it available in the Active Directory Users and Computers tool. Another installation issue involves establishing the appropriate security for both Lotus Domino and Active Directory administrators.
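Before handing the console to an administrator it is worth confirming that the registration above actually happened, and on which architecture. The following PowerShell script is an added example, not part of the original article or of ADSync: it locates nadsync.dll under an assumed Notes program directory, reads the PE header to report whether the DLL is 32- or 64-bit, reports the bitness of the current process, and searches the documented MMC snap-in registry locations (including the WOW6432Node hive used by 32-bit snap-ins on 64-bit Windows) for a snap-in whose display name contains "Domino". The install path and the "Domino" name match are assumptions; the ADSync snap-in CLSID is not known to this script, which is why it searches by name.

```powershell
# Added example (not from the original article): verify that nadsync.dll is
# present and registered as an MMC snap-in, and report DLL/process bitness.
param(
    [string]$NotesProgramDir = 'C:\Program Files\IBM\Lotus\Notes'   # assumed install path
)

function Get-PeMachine {
    # Read the Machine field of the PE file header to tell x86 from x64.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')               # e_lfanew: offset of the PE signature
        $peOffset = $br.ReadInt32()
        [void]$fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { throw "Not a PE file: $Path" }   # "PE\0\0"
        $machine = $br.ReadUInt16()                 # first field of IMAGE_FILE_HEADER
        switch ($machine) {
            0x014c  { 'x86' }
            0x8664  { 'x64' }
            default { 'unknown (0x{0:x4})' -f $machine }
        }
    } finally {
        $fs.Dispose()
    }
}

function Find-DominoSnapIn {
    # MMC snap-ins register under HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID}
    # with a NameString value; 32-bit snap-ins on 64-bit Windows register
    # under the WOW6432Node hive instead. The "Domino" match is an assumption
    # based on the "Domino Directory synchronization" node shown in the article.
    $roots = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MMC\SnapIns'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $name = (Get-ItemProperty $_.PSPath).NameString
            if ($name -match 'Domino') {
                [pscustomobject]@{ Key = $_.PSPath; NameString = $name }
            }
        }
    }
}

$dll = Join-Path $NotesProgramDir 'nadsync.dll'
if (Test-Path $dll) {
    "nadsync.dll: $dll ($(Get-PeMachine $dll))"
} else {
    "nadsync.dll not found under $NotesProgramDir; select 'Domino Directory W2000 Sync Services' in the Notes installer"
}
"PowerShell process: $(if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' })"

$found = @(Find-DominoSnapIn)
if ($found.Count -eq 0) {
    "No Domino snap-in registered; run 'regsvr32 nadsync.dll' from $NotesProgramDir"
} else {
    $found | Format-Table -AutoSize
}
```

Run it from an elevated prompt on the workstation where the Domino Administrator client was installed; a missing snap-in entry means the Regsvr32 step was skipped or failed, and a mismatch between the DLL bitness and the process bitness tells you which regsvr32.exe (System32 or SysWOW64) and which MMC host the registration applies to.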


Setting up security

A key aspect of using ADSync is security. Active Directory administrators need administrative access to the appropriate Domino Directory, and Domino administrators require appropriate Active Directory access. Active Directory administrators require a properly certified Notes ID and the necessary access to work with the Domino Directory. In addition, policies must be created for all Domino certifiers under which users are created. On the flip side, Domino administrators must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends copying the certifier ID file (cert.id) from the Domino server to the Domino Administrator data directory. Remember that cert.id and its password are what certify every user ID issued under that certifier, so the copy on the administrator workstation needs the same protection as the original on the server.

The final installation step involves initializing the ADSync tool from the Active Directory Users and Computers tool. To do this, double-click the Domino Directory synchronization object to initiate the process (see figure 2). You're asked for the Domino server, followed by the password prompt for the administrator ID (admin.id in the Domino server data directory). A dialog box appears to confirm successful setup.

Figure 2. Initializing the ADSync tool
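The article says Domino administrators need enough Active Directory rights to add users and groups, but not that they need to be Domain Admins. A least-privilege way to grant exactly the operations ADSync performs is to delegate rights on the organizational unit that ADSync registers users into. The following PowerShell script is an added example, not from the article or from IBM: it grants an Active Directory group holding the Domino administrators the ability to create and delete user and group objects in one OU, and to read and write the properties of the users and groups beneath it, then lists the resulting entries for review. The OU distinguished name and the group name are assumptions; the ActiveDirectory module (part of RSAT, and newer than the Windows Server 2003 environment the article uses) is assumed to be installed; the two GUIDs are the fixed Active Directory schema class GUIDs for user and group objects.

```powershell
# Added example (not from the original article): delegate to the Domino
# administrators' AD group only the rights ADSync needs in the OU it targets,
# instead of adding those administrators to Domain Admins.
Import-Module ActiveDirectory

$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # AD schema class GUID: user
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # AD schema class GUID: group

function Grant-AdSyncRights {
    param(
        [string]$OuDn,       # assumed: 'OU=DominoUsers,DC=example,DC=com'
        [string]$GroupName   # assumed: 'DominoAdmins'
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"

    foreach ($class in $userClass, $groupClass) {
        # Create and delete objects of this class in the OU and its sub-OUs
        # (register user, create group, delete user, delete group).
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
            [System.Security.AccessControl.AccessControlType]::Allow,
            $class,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

        # Read and write the properties of existing objects of this class
        # (property synchronization, renames, group membership). Applied to
        # descendants only, so the OU object itself is not writable.
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $class)))
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Show-AdSyncRights {
    # List what the group can do in the OU after delegation; compare the
    # output with the ADSync operations you intend to run from the Domino side.
    param([string]$OuDn, [string]$GroupName)
    $account = (Get-ADGroup -Identity $GroupName).SID.Translate([System.Security.Principal.NTAccount])
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -eq $account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

Grant-AdSyncRights -OuDn 'OU=DominoUsers,DC=example,DC=com' -GroupName 'DominoAdmins'
Show-AdSyncRights  -OuDn 'OU=DominoUsers,DC=example,DC=com' -GroupName 'DominoAdmins'
```

Scoping the delegation to the OU named in the ADSync container mappings keeps a compromised Domino administrator account from touching the rest of the domain, and the Show-AdSyncRights output is the artifact to keep alongside the Domino Directory ACL when the setup is reviewed.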

The Lotus ADSync Options dialog box

After initialization is complete, the Lotus ADSync Options dialog box opens. (To access this window after initialization, double-click the Domino Directory synchronization selection in figure 2.) The Lotus ADSync Options dialog box contains the following four tabs:

Notes Synchronization Options. You can use this tab to enable or disable all synchronization options as well as selectively enable or disable individual options. In addition, you may specify when prompts are displayed (for all operations, deletions only, or no operations) as well as choose to use a Certificate Authority for certification (see figure 3).

Figure 3. Notes Synchronization Options tab

Notes Settings. On this tab, you identify the Domino server to use for all operations or specific servers for individual operations such as registration, synchronization, and deletion. In addition, you can specify Domino settings, including an administration ID, what happens during user deletion, a default certifier name, and policy along with Domino groups (see figure 4).


Figure 4. Notes Settings tab

Field Mappings. Use this tab to map Active Directory fields to Domino Directory fields. Select a row (Active Directory field), and choose the Domino field to map to it (see figure 5).

Figure 5. Field Mappings tab

Container Mappings. Use this tab to map Active Directory containers to specific Domino certifiers and/or policies (see figure 6). By default, the certifier and policy selected during setup are used for all operations.

Figure 6. Container Mappings tab


The Help button is available on all tabs in the Lotus ADSync Options dialog box. It provides access to general MMC help as well as ADSync-specific topics. You can easily enable or disable synchronization and access the options and Help windows by right-clicking Domino Directory synchronization, as shown in figure 7, or by using the Action menu.

Figure 7. Enabling Domino Directory synchronization

With the options properly configured, you are ready to synchronize users between Active Directory and Domino Directory. You begin with the Domino Administrator client.

Using the Domino Administrator client

ADSync adds an Advanced option (see figure 8) to the Register Person dialog box. Selecting this option provides access to Active Directory options through the Windows User Options button on the Other tab of the Register Person dialog box.

Figure 8. Register Person dialog box in Lotus Domino


Figure 9 shows the window that opens when you click the Windows User Options button. Here you can specify whether or not a corresponding Active Directory user is created, which Active Directory to use, and the following Active Directory options: full name, logon name, and groups.

Figure 9. Active Directory options for a new Domino user

The Lotus Domino side of the process ends with user maintenance. Next, you work in Active Directory.

Using Active Directory

The Active Directory Users and Computers tool is available in Windows by selecting Administrative Tools - Active Directory Users and Computers. With ADSync initialized and set up, Domino Directory is now an option when you add Active Directory objects (people or groups). The New Object dialog box includes a "Register in Domino Directory" option; select this option to create the new object in Lotus Domino with the information entered in the fields. In addition, you can add or synchronize an existing user in Lotus Domino by right-clicking the object in Active Directory and selecting the appropriate option. The dialog box shown in figure 10 opens when you select the Register in Domino option for an existing Active Directory user. You can use the default values and complete the user registration without prompts, or supply a name and password for each selected user. An option lets you choose whether registration should be attempted later if errors occur. After specifying the options, you can choose to register now, register later, or abort the process.

Figure 10. Registration options for Windows users and groups


In addition to working with individual users, you can also create groups from Active Directory. To do this, follow the user synchronization process, choosing to register or synchronize from the list of groups. You can also choose to create a group in Lotus Domino when it's created in Active Directory, as shown in figure 11. In the New Object Group dialog box, you enter a name for the group, select the group type, and add a description.

Figure 11. Creating a Domino Directory group from Active Directory

The newly created group appears in Lotus Domino as shown in figure 12. The Group name, Group type, and Description fields are completed with the input from the New Object dialog box. Notice that the new group has no characteristics that signal it was created using Active Directory.

Figure 12. Domino group created using Active Directory and ADSync

As you can see, using the ADSync tool is straightforward, but as with any tool, you must consider certain caveats when you use ADSync from either Lotus Domino or Active Directory.

ADSync caveats

One of the trickier aspects of using ADSync is gaining a thorough understanding of what works from which side; that is, which operations can be performed from Active Directory and which can be handled from the Domino Administrator client. This is easy to understand if you use the information in table 1. The first column contains the task, and the next two columns designate whether or not the task works based on where it is initiated.


Table 1. ADSync operations initiated from both Active Directory and Lotus Domino

Operation                                From Active Directory                               From Lotus Domino
Register user                            Yes                                                 Yes
Rename user created in Active Directory  Renames Active Directory user only                  Renames Active Directory user only
Rename user created in Lotus Domino      Yes                                                 Yes
Synchronize user data                    Yes                                                 No
Delete user                              Yes                                                 Yes
Create group                             Yes                                                 No
Rename group                             Yes                                                 No
Synchronize group data                   Overwrites the Domino Directory Members field       No
                                         with the membership defined in Active Directory
Delete group                             No                                                  Yes

A quick look at the table tells you that users can be registered and deleted from either side, but renaming a user depends on where the user was originally created: renaming a user created in Active Directory changes only the Active Directory entry, whichever side you start from. User data is easily synchronized between the systems from Active Directory, but not from Lotus Domino. Finally, group creation is solely an Active Directory task, and synchronizing group data from Active Directory replaces the Domino group's Members field with the Active Directory membership. So putting ADSync to use in your environment requires familiarity with this table. Another issue involves dealing with passwords.

Consistent passwords

When registering a new user in Active Directory Users and Computers, the password is entered twice, and ADSync takes the password from Active Directory at that moment and uses it to populate the Domino Directory. After the initial registration, Active Directory holds only a one-way hash of the password, so ADSync cannot read the current password to update either the Notes ID or the HTTP password in Domino. A better approach to keeping user passwords synchronized is available through the single sign-on (SSO) feature installed with the Lotus Notes client (see figure 13). When you install Lotus Notes, select the Client Single Logon Feature sub-option to enable SSO; a Domino security policy can then change the HTTP password when the Notes password is changed. Outside of Lotus Domino, IBM Tivoli Directory Integrator can provide some password synchronization functionality between the Domino Directory and Active Directory. The SSO feature lets users use one logon for both Lotus Notes and the operating system. It's advantageous for users because it presents only one authentication mechanism, but it requires more administrative legwork due to the client installation and configuration.

Figure 13. Installing SSO during Lotus Notes installation
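The table and the password caveat both come down to one practical question: before you click a synchronization option, what will it change and what will it leave untouched? The following PowerShell script is an added example, not part of the original article or of ADSync. It takes a snapshot of each directory, then reports users present on only one side, groups that exist only in Active Directory or only in Domino, and the Domino group members that a "Synchronize group data" run from Active Directory would drop when it overwrites the Members field. The two Get-*Snapshot helpers query live servers and assume the ActiveDirectory module, a Domino server with the LDAP task running and readable with the current credentials, and Domino's default LDAP schema names (dominoPerson, dominoGroup, mail, member); Compare-DirectorySnapshot is pure and is exercised at the end on constructed sample data, so that part runs offline.

```powershell
# Added example (not from the original article or from ADSync). Host names,
# search bases and the Domino LDAP class/attribute names are assumptions.

function Get-AdSnapshot {
    # Live query: users keyed by mail, groups with members resolved to mail.
    param([string]$SearchBase)   # assumed, e.g. 'OU=DominoUsers,DC=example,DC=com'
    Import-Module ActiveDirectory
    $mailByDn = @{}
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail | ForEach-Object {
        if ($_.mail) { $mailByDn[$_.DistinguishedName] = $_.mail.ToLower() }
    }
    $groups = @{}
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member | ForEach-Object {
        $groups[$_.Name] = @($_.member | ForEach-Object { $mailByDn[$_] } | Where-Object { $_ })
    }
    @{ Users = @($mailByDn.Values); Groups = $groups }
}

function Get-DominoSnapshot {
    # Live query over Domino's LDAP service; group member values are Domino
    # distinguished names, which are mapped back to mail via the person list.
    param([string]$LdapHost, [string]$BaseDn)   # assumed, e.g. 'domino1.example.com', 'O=Example'
    $prefix   = "LDAP://$LdapHost/"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"$prefix$BaseDn", '(objectClass=dominoPerson)', [string[]]@('mail'))
    $mailByDn = @{}
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['mail'].Count -gt 0) {
            $dn = $r.Path.Substring($prefix.Length)
            $mailByDn[$dn] = ([string]$r.Properties['mail'][0]).ToLower()
        }
    }
    $searcher.Filter = '(objectClass=dominoGroup)'
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'member'))
    $groups = @{}
    foreach ($r in $searcher.FindAll()) {
        $groups[[string]$r.Properties['cn'][0]] =
            @($r.Properties['member'] | ForEach-Object { $mailByDn[[string]$_] } | Where-Object { $_ })
    }
    @{ Users = @($mailByDn.Values); Groups = $groups }
}

function Compare-DirectorySnapshot {
    # Pure comparison of two snapshots shaped like the helpers' output.
    param([hashtable]$Ad, [hashtable]$Domino)
    $adUsers = @($Ad.Users     | ForEach-Object { $_.ToLower() })
    $doUsers = @($Domino.Users | ForEach-Object { $_.ToLower() })
    $report = [ordered]@{
        OnlyInAd           = @($adUsers | Where-Object { $doUsers -notcontains $_ } | Sort-Object)
        OnlyInDomino       = @($doUsers | Where-Object { $adUsers -notcontains $_ } | Sort-Object)
        GroupsOnlyInAd     = @($Ad.Groups.Keys     | Where-Object { -not $Domino.Groups.ContainsKey($_) } | Sort-Object)
        GroupsOnlyInDomino = @($Domino.Groups.Keys | Where-Object { -not $Ad.Groups.ContainsKey($_) } | Sort-Object)
        # Members present in Domino but not in AD: a group sync from AD drops these.
        MembersLostOnGroupSync = [ordered]@{}
    }
    foreach ($g in @($Ad.Groups.Keys | Where-Object { $Domino.Groups.ContainsKey($_) })) {
        $adMembers = @($Ad.Groups[$g] | ForEach-Object { $_.ToLower() })
        $lost = @($Domino.Groups[$g] | ForEach-Object { $_.ToLower() } |
                  Where-Object { $adMembers -notcontains $_ } | Sort-Object)
        if ($lost.Count -gt 0) { $report.MembersLostOnGroupSync[$g] = $lost }
    }
    [pscustomobject]$report
}

# Constructed sample snapshots (not real directories) so the comparison runs offline.
$adSample = @{
    Users  = 'alice@example.com', 'bob@example.com', 'carol@example.com'
    Groups = @{ Sales = @('alice@example.com', 'bob@example.com'); Finance = @('carol@example.com') }
}
$dominoSample = @{
    Users  = 'alice@example.com', 'bob@example.com', 'dave@example.com'
    Groups = @{ Sales = @('alice@example.com', 'bob@example.com', 'dave@example.com'); Legacy = @('dave@example.com') }
}
Compare-DirectorySnapshot -Ad $adSample -Domino $dominoSample | Format-List
```

On the sample data the report lists carol as present only in Active Directory (a candidate for "Register in Domino Directory"), dave as present only in Domino (registrable from the Domino side, since the table says registration works from either tool), Finance as creatable only from Active Directory, Legacy as a Domino-only group, and dave as the Sales member that a group synchronization from Active Directory would remove. Keep the Domino side of that last list somewhere before you confirm the synchronization prompt, because ADSync does not.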

Programming

A common question about using ADSync has to do with programmatic support: can you use ADSync when you create Domino users with scripts? The short answer is no. ADSync is an MMC snap-in meant to simplify the life of a system administrator, and it provides no programmatic options for user or group creation or synchronization. You can use ADSync to register Domino users at the time of Active Directory user creation or after the fact, and vice versa, but only through the two administration consoles. At a low level, the ability to create Active Directory users is available in Lotus Notes, but it isn't exposed to developers by way of any available API in C, in Java, or in LotusScript. You may think that Active Directory interaction is available through the Microsoft .NET platform, but that doesn't provide access to ADSync features. You must use the Active Directory or Domino Directory interface to use ADSync functionality.

Conclusion

As any system administrator can tell you, managing enterprise users and groups is a time-consuming process. It can be even more grueling when the enterprise uses multiple, disparate systems. It's advantageous to have a single interface for tackling administrative chores like creating, deleting, and configuring users and groups. ADSync provides the answer by simplifying the process of keeping Active Directory and Domino Directory users and groups in sync. However, both sides of the ADSync process have caveats, so be prepared when you use the tool to ensure the results match your expectations.


About the author

Tony Patton is a consultant based in Louisville, Kentucky. He works with various technologies, including Lotus Notes/Domino, Java technology, and Microsoft .NET. He is the author of two books focusing on Lotus Notes/Domino development, Practical LotusScript and Domino Development with Java, as well as weekly columns on CNet.com focusing on .NET and Web development. You can reach Tony at aspatton@bellsouth.net.


Comments (1)

... just don't try it on 64-bit Windows servers (AKA x64). It just doesn't work.
Posted by 3W5B_Ildar_Mulyukov on 10 March 2011