Setting up Domino® Active Directory synchronization (Deprecated)

When the Domino® server is installed on a Microsoft Windows 2003 server, you, as an administrator, typically need to maintain two separate directories for the same set of people and groups. Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.

About this task

Note: This feature is deprecated in favor of Directory Sync.

Domino® includes a set of tools that simplify synchronization between Domino® and Active Directory. The Active Directory Domino® Upgrade Service (AD DUS) is a tool that you can use with Active Directory synchronization (ADSync) when you have data in your Active Directory and you have just installed Domino®. You can optionally use AD DUS to migrate all, or a set, of your Active Directory users. After the migration, you can start using ADSync to maintain those users in Active Directory and in Domino®.

User options are available to register Notes® users in Active Directory. In the Domino® Administrator's user registration interface, there is a Windows User Options button on the Other panel of the Register Person - New Entry dialog box. You can select options to register a user in Active Directory at the same time that the user is registered in Domino®. This is essentially the opposite of what ADSync does. Regardless of the tool with which you register a new user in both directories, you can use ADSync to synchronize and delete users from both directories. You can also use ADSync to rename users in both directories.

You can synchronize Person and Group documents in the Domino® Directory, and user and group accounts in Active Directory. When you register or delete a Notes® user or delete a Notes® group, you can automatically update the Active Directory. Use the Notes® synchronization options to enable the synchronization of all operations.

Conversely, special menu options and dialog boxes added to the Users and Computers snap-in of the Microsoft Management Console (MMC) enable you to specify that additions, deletions, and name changes made to Active Directory user or group accounts be reflected in the Domino® Directory. You can also add existing Active Directory user or group accounts to the Domino® Directory, and synchronize Active Directory and Domino® Directory entries.

These directory synchronization features let you keep both the Domino® Directory and Active Directory current without having to update both when either changes. Also, you can manage user and group information in the Domino® Directory and the Active Directory through a single interface of your choice, either Domino® or Windows 2003.

To make any changes to a Domino® Directory from Notes® or Windows 2003, you must have a properly certified Notes® ID and appropriate access. If you are going to use the Domino® server-defined certification authority (CA) to certify users on Domino®, you must also have the appropriate rights. Use a Notes® 6 or later client, and a Domino® 6 or later server as your registration server. You must create policies that contain registration settings documents, either implicit or explicit, for all Domino® certifiers with which you are going to certify new users. You must also have appropriate rights in Active Directory that allow you to add user accounts and synchronize passwords.