ACTIVE DIRECTORY AND LOTUS
Submitted by rchavero13 • October 17, 2012 • 2,964 Words (12 Pages) • 752 Views
Redbooks Paper
© Copyright IBM Corp. 2002. All rights reserved. ibm.com/redbooks
Active Directory Synchronization with Lotus ADSync
The Active Directory Synchronization tool, or ADSync, allows Active Directory
administrators to manage (register, delete, and rename) users and groups in
both Active Directory and the Domino Directory as a unified operation from the
Active Directory Users and Computers Console.
In this paper, we describe some of the capabilities of the Domino 6 server and
the new feature that enables you to synchronize the Domino Directory with Active
Directory. This paper assumes you have a Domino server up and running and
Active Directory installed. To use Lotus Active Directory Synchronization, the
Domino Administration client must be installed on the same workstation used to
manage users and computers within your Active Directory.
We describe in detail how to install and set up the ADSync tool. Detailed
instructions for creating users in Domino Directory using Active Directory Users
and Computers Console are given. We also show how to register users into
Active Directory from Domino.
Billy Boykin
Tommi Tulisalo
Active Directory synchronization
Domino administrators working in a Windows 2000 environment with Active
Directory can now administer users and groups from a single administrative
interface of their choice: the Domino Administration client or Windows 2000
Active Directory Users and Computers. This new feature of the Domino 6 server,
ADSync, lets you keep both the Domino Directory and Active Directory current
without having to manually update both with changes. This synchronization
feature allows a Domino administrator to securely and precisely delegate the
responsibility for Domino user and group management to the network
administrators who manage these details in Active Directory.
You can create new users and groups in Active Directory and have those
changes reflected in the Domino Directory, including the creation of person or
group documents, Notes IDs, passwords, and mail files for the users. In order to
accomplish these tasks, the Active Directory administrator must have a properly
certified Notes ID and appropriate access to make changes in the Domino
Directory. The registration server must be Domino 6 or later and the Domino
Administration client must be a 6 or later client. Additionally, policies must be
created that contain subpolicies, either implicit or explicit, for all Domino certifiers
where users will be created. Finally, you must have the appropriate rights in
Active Directory to add users and groups, and synchronize passwords.
For demonstration purposes, you may install Active Directory, Domino Server,
and the Domino Administration client on a single workstation. In a production
environment, the Domino server and the Active Directory will likely be installed
on separate servers.
For this document we used a Domino server running on Linux and a separate
Windows 2000 Server with Active Directory and the Domino Administration
Client installed.
The only requirement for utilizing the ADSync tool is to work from a workstation
that administers the Active Directory and that also has the Domino 6
Administration client installed.
Note: Refer to the Lotus Domino Administrator 6 Help for information on
policies and subpolicies.
Note: If you install all components on a single workstation for demonstration
purposes, you must change the LDAP port settings for either Active Directory
or Domino. By default, both will be listening on port 389; therefore, one of the
two will fail to function properly.
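The following check is an added example, not part of the IBM paper: after moving one directory off port 389 on a single demo workstation, it sends an LDAPv3 anonymous bind to each port and reports which ones actually answer as LDAP. The host 127.0.0.1 and the alternate port 390 are assumptions; substitute the port you configured.

```python
import socket

# LDAPv3 anonymous simple bind, BER-encoded (RFC 4511):
# SEQUENCE { messageID 1, [APPLICATION 0] { version 3, name "", simple "" } }
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(reply):
    """Return the LDAP resultCode if reply is a BindResponse, else None."""
    try:
        tag, msg, _ = read_tlv(reply, 0)
        if tag != 0x30:                    # LDAPMessage is a SEQUENCE
            return None
        _, _, pos = read_tlv(msg, 0)       # skip messageID
        tag, op, _ = read_tlv(msg, pos)
        if tag != 0x61:                    # [APPLICATION 1] BindResponse
            return None
        tag, code, _ = read_tlv(op, 0)     # resultCode ENUMERATED
        return int.from_bytes(code, "big") if tag == 0x0A else None
    except (IndexError, ValueError):
        return None

def probe(host, port, timeout=3.0):
    """Classify a port: 'no answer', 'not-ldap', or 'ldap (resultCode N)'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ANON_BIND)
            reply = s.recv(4096)
    except OSError:
        return "no answer"
    code = bind_result_code(reply)
    return "not-ldap" if code is None else f"ldap (resultCode {code})"

if __name__ == "__main__":
    # 389 is the default named on the page; 390 is an assumed alternate port.
    for port in (389, 390):
        print(port, probe("127.0.0.1", port))
```

A resultCode of 0 means the directory on that port accepted the anonymous bind; any other code still confirms that an LDAP service is listening there.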
Figure 1 Active Directory synchronization: Server diagram
Active Directory synchronization in our demo environment is illustrated in
Figure 1.
Installing the Lotus ADSync tool
To use the ADSync tool, you must turn on Domino Directory W2000 Sync
Services during the installation of the Domino Administration client. This option is
available only through the Customize button during the Domino Administration client
installation.
The synchronization option is not selected by default; therefore, check the
appropriate box.
Note: Active Directory synchronization will work regardless of the platform
Domino Server is running on.
[Figure 1 diagram labels: ITSO Domino Domain containing a Domino 6 Server for Linux RedHat 7.2 (itsoredhat.lotus.com) and a Domino 6 Server for Linux SuSE 8.0 (itsosuse.lotus.com), each with an ITSO Domino Directory; ITSO Windows Domain containing a Windows 2000 Advanced Server with Active Directory, the Domino 6 Administration Client, and Lotus ADSync. Connection labels: Replication, Directory synchronization, Active Directory synchronization, Ethernet connection.]
Figure 2 Domino Administration Client Installation: Customize
After installing the Domino Administration client, start a DOS command prompt
window, and navigate to the directory where you installed the client. Enter the
following command and press Enter:
C:\Program Files\Lotus\Notes> regsvr32 nadsync.dll
The command adds a container entry for Lotus Domino Options to the Active
Directory Users and Computers management screen and returns the
confirmation shown in Figure 3.
Figure 3 ADSync: RegSvr32
You are now ready to administer users and groups in Active Directory.
Creating users and groups in Active Directory
To access Active Directory Users and Computers from your Windows workstation,
click Start -> Programs -> Administrative Tools -> Active Directory Users
and Computers. You may initiate Active Directory “actions” in the right-hand
results pane, or in the left-hand navigation pane. Domino users and groups are
created by either of two methods:
- In the left pane, right-click an entry and choose your action from the pop-up
  menu.
- In the results pane, select one or more users and groups, then select
“Register
...