Setting up Domino® Active Directory synchronization

When the Domino® server is installed on a Microsoft Windows 2003 server, you, as an administrator, typically need to maintain two separate directories for the same set of people and groups. Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.

About this task

Domino® includes a set of tools to make synchronization between Domino® and Active Directory simple and easy. The Active Directory Domino® Upgrade Service (AD DUS) is a tool that you can use with Active Directory synchronization (ADSync) when you have data in your Active Directory and you have just installed Domino®. AD DUS can optionally be used to migrate all or a set of your Active Directory users. After you've done that, you can start using ADSync to maintain those users in Active Directory and in Domino®.

User options are available to register Notes® users in Active Directory. In the Domino® Administrator's user registration interface, there is a Windows User Options button on the Other panel of the Register Person - New Entry dialog box. You can select options to register a user in Active Directory at the same time that the user is registered in Domino®. This is essentially the opposite of what ADSync does. Regardless of the tool with which you register a new user in both directories, you can use ADSync to synchronize and delete users from both directories. You can also use ADSync to rename users in both directories.

You can synchronize Person and Group documents in the Domino® Directory, and user and group accounts in Active Directory. When you register or delete a Notes® user or delete a Notes® group, you can automatically update the Active Directory. Use the Notes® synchronization options to enable the synchronization of all operations.

Conversely, special menu options and dialog boxes added to the Users and Computers snap-in of the Microsoft Management Console (MMC) enable you to specify that additions, deletions, and name changes made to Active Directory user or group accounts be reflected in the Domino® Directory. You can also add existing Active Directory user or group accounts to the Domino® Directory, and synchronize Active Directory and Domino® Directory entries.

These directory synchronization features let you keep both the Domino® Directory and Active Directory current without having to update both when either changes. Also, you can manage user and group information in the Domino® Directory and the Active Directory through a single interface of your choice, either Domino® or Windows 2003.

You must have a properly certified Notes® ID and appropriate access to make any changes to a Domino® Directory from Notes® or Windows 2003, and have the appropriate rights if you are going to use the Domino® server-defined certification authority (CA) to certify users on Domino®. Use a Notes® 6 or later client, and a Domino® 6 or later server as your registration server. You must create policies that contain registration settings documents, either implicit or explicit, for all Domino® certifiers with which you are going to certify new users. Also, you must have appropriate rights in the Active Directory that allow you to add user accounts and synchronize passwords.

To set up Domino® Active Directory synchronization

About this task

Install the Active Directory domain controller, the Domino® server, and the Domino® Administrator on separate computers to improve performance and enhance security. However, if necessary you may install the Domino® server on the same computer as the Active Directory domain controller.

Procedure

  1. Log into the Windows domain using a user account with administrative rights.
  2. From the Windows 2003 Server CD, install the Windows 2003 Administration Tools Pack (adminpak.msi).
    Note: This file is not on the Windows XP Professional or Vista CD. You must install the file from the Windows 2003 Server CD or download the file from the Microsoft Web site. Microsoft licensing permits you to install this administrative package on workstations.
  3. From the Start menu, click Programs > Administrative Tools > Active Directory Users and Computers, and verify that the workstation has connected to the domain controller.
  4. Install, but do not run, the Domino® Administrator.
  5. Open a command prompt. From your Notes® install directory, type:
    regsvr32 nadsync.dll

    A message box appears indicating that registration is complete. This can take up to one minute.

  6. Run the Domino® Administrator and complete the configuration process.
  7. From the Domino® Administrator, create an organizational policy or an explicit policy and a Registration Policy Settings document. You must have at least one policy to use with ADSync.
  8. From the Start menu, click Programs > Administrative Tools > Active Directory Users and Computers. Click the Domino Options folder.
  9. Right-click Domino Directory synchronization, and then choose Options.
  10. Enter your Notes® password.
  11. Click the Notes Settings tab.
  12. Click the Notes Server for Registration button and specify a registration server. This is typically the administration server of the Domino® Directory.
  13. Click OK.
  14. Close and restart Active Directory Users and Computers to allow these changes to take effect.
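The following pre-flight script covers steps 1 through 5 of the procedure above. It is an added example, not part of the original documentation or the Domino® product; it assumes PowerShell is available on the workstation and that Notes® is installed under the path given in $NotesDir (adjust to your own install directory).

```powershell
# Pre-flight check for ADSync setup (steps 1-5): confirm administrative rights,
# domain membership, the ADUC snap-in, then register nadsync.dll from the Notes directory.
param(
    # Assumption: default Notes install path; change to your Notes install directory.
    [string]$NotesDir = 'C:\Program Files\IBM\Notes'
)

function Test-IsAdministrator {
    # Step 1: the logged-in account must hold administrative rights on the workstation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DomainMembership {
    # Step 1/3: the workstation must be joined to the Windows domain and have
    # authenticated against a domain controller (LOGONSERVER is set at logon).
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return $false }
    Write-Host "Domain: $($cs.Domain)  Logon server: $env:LOGONSERVER"
    return $true
}

function Test-AducSnapIn {
    # Step 2: Active Directory Users and Computers ships as dsa.msc with adminpak.msi.
    $dsa = Join-Path $env:SystemRoot 'System32\dsa.msc'
    return (Test-Path $dsa)
}

function Register-NadSync {
    # Step 5: regsvr32 nadsync.dll from the Notes install directory. /s suppresses the
    # message box; a non-zero exit code means the COM registration did not succeed.
    $dll = Join-Path $NotesDir 'nadsync.dll'
    if (-not (Test-Path $dll)) { throw "nadsync.dll not found in $NotesDir" }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$dll`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }
    Write-Host "Registered $dll"
}

if (-not (Test-IsAdministrator)) { throw 'Run from an elevated prompt with administrative rights (step 1).' }
if (-not (Test-DomainMembership)) { throw 'Workstation is not joined to the Windows domain (step 1).' }
if (-not (Test-AducSnapIn)) { throw 'dsa.msc not found; install adminpak.msi from the Windows 2003 Server CD (step 2).' }
Register-NadSync
```

Run the script before installing the Domino® Administrator so that a missing admin pack or an unjoined workstation is caught before the COM registration in step 5.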