Creating a Directory Sync Configuration document

After you create a Directory Assistance document that is enabled for Directory Sync, create a Directory Sync Configuration document in the Domino® directory. You use this document to select Directory Sync configuration options and then to enable Directory Sync.

Procedure

  1. Open the Domino® directory.
  2. Select Configuration > Directory > Directory Sync.
  3. Click Add Directory Sync.
  4. Complete the following fields in the Basics tab:
    Table 1. Fields in the Basics tab of a Directory Sync Configuration document
    Field Description
    Directory Assistance domain
    Select the domain specified in the Domain name field in the LDAP tab of the Directory Assistance document that is enabled for Directory Sync. For example, Renovations AD.
    Note: To be able to select a domain, there must be a directory assistance document enabled for Directory Sync that specifies this domain.
    Dirsync status
    After you complete the other configuration options in this document, select Enabled to enable Directory Sync. You see the following prompt:
    Begin sync now or run in test mode?
    Choose one of the following options:
    • Synchronize data
    • Run in test mode (log to console, don't update data)

    Select Run in test mode to simulate the actions that Directory Sync would take but without changing any Domino® data. Make any adjustments needed to the Directory Sync configuration. When you are ready to enable synchronization for real, select Synchronize data.

    Sync all Active Directory users
    • Select Yes to sync Active Directory users regardless of whether they are registered in Domino.
    • Select No (default) to sync only Active Directory users who are registered in Domino. If previously set to Yes, any unregistered Active Directory users synced previously are removed from the Domino directory.

    Changing the value of this field causes a full resync.

    For an Active Directory record to sync with Domino, the Active Directory mail field must match the Internet address field in the Domino directory Person document.

    Domino® directory file name
    The file name for the Domino® directory, typically names.nsf.
    Direction
    The direction of synchronization. Currently only Active Directory to Domino® is available.
    Rename Domino® users upon Active Directory rename
    • Select Yes to change the common name of a registered Domino® user in Domino® when the user's common name changes in Active Directory. For more information, see Renaming Domino users when their names change in Active Directory.
    • Select No (default) to prevent users' common names from changing in Domino® when they change in Active Directory.
    Note: If the name of an Active Directory user who is not registered in Domino® changes, the name is automatically updated in the Domino® directory Person document during sync, regardless of this option.
    Sync frequency
    How frequently the Dirsync task checks for Active Directory changes to synchronize. Default is once a minute.
    Resync frequency

    How often to resync all data from Active Directory, in minutes. Default is 10,000 minutes or approximately once a week. If you don't want to regularly resync all data, specify 0.

    Resync synchronizes the following changes, which are not otherwise synced:
    • Deleted users and groups.
    • Name changes within groups.

    Consider increasing the default value if many users and groups are regularly deleted in Active Directory, or if there are frequent name changes and you synchronize Active Directory groups.

    Resync runs in the background on the Domino administration and does not have a big impact on performance.

    Table 2. Fields in Synchronization tab of a Directory Sync Configuration document
    Field Description
    Fields to sync to Domino®

    Use this field to specify which Active Directory person fields to sync to Domino®. A standard list of fields from Active Directory is shown by default. You can add or remove fields from the list. When Active Directory and Domino® use different names for a field, the Domino® field name is shown in parentheses after the Active Directory field name. For example: mail (Email address).

    Modifying this field causes a full resync.

    Note:
    • When syncing multi-valued attributes, only the first value is synced.
    • Removing an attribute that was previously synced does not remove it from Person documents.
    LDAP Filter

    When you don't specify a filter, the following default search filter is used: (|(objectClass=Group)(objectClass=Person)). This filter syncs all users and groups in Active Directory.

    Optionally, use a standard LDAP search filter to sync a subset of users and groups based on attribute. Be sure to include the default filter in your custom search filter; that way, only user and group records are synced and not other types of records that are not relevant for the Directory Sync feature.

    For example, to sync only user and group records that contain the department hr AND the state MN, use the following filter: (&(|(objectClass=Group)(objectClass=Person))(&(department=hr)(st=MN)))
    Tip:
    To verify a custom search filter, you can use an open source LDAP browser such as Apache Directory Studio.

    Modifying this field causes a full resync.

    LDAP Groups
    • If you want to synchronize groups, select the types of groups to synchronize. If you don't want to synchronize groups, do not select either option.
      • Security groups, to be able to use Active Directory security groups in Notes® access lists.
      • Distribution groups, to be able to use Active Directory distribution groups in Notes® mail addressing.
    • Select No to synchronize person information only.

    Modifying this field causes a full resync.

  5. Click Save & Close.
  6. Restart the Domino server:
    Restart server
  7. The Dirsync task begins to run when it detects the configuration document.
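
The LDAP Filter field in step 4 asks that a custom filter keep the default filter so that only user and group records are synced. The following Python is an added example, not part of the Domino documentation or product: it parses a filter, checks that the default clause is still a direct operand of the top-level AND, and shows on constructed entries what a filter without it would select. The function names and sample entries are assumptions made for illustration.

```python
# Added example, not product code: equality tests joined by &, | and ! only; case-insensitive (assumption).
DEFAULT = "(|(objectClass=Group)(objectClass=Person))"  # default filter from the page

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, tuple(sorted(kids)))  # sorted: operand order does not matter
    else:
        end = s.find(")", i)
        attr, eq, value = s[i:max(end, i)].partition("=")
        if end < 0 or not eq or not attr or "(" in value:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = ("=", attr.lower(), value.lower()), end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse(text):  # returns nested tuples; raises ValueError if malformed
    node, pos = _parse(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError("unexpected text after filter")
    return node

def keeps_default(custom):
    """True if the filter is the default, or an AND with the default as a direct operand."""
    node, default = parse(custom), parse(DEFAULT)
    return node == default or (node[0] == "&" and default in node[1])

def matches(node, entry):
    """Evaluate a parsed filter against an entry of {lowercase attribute: [values]}."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

ENTRIES = {  # constructed sample entries, not real directory data
    "hr user MN": {"objectclass": ["top", "person", "user"], "department": ["HR"], "st": ["MN"]},
    "hr printer MN": {"objectclass": ["top", "printQueue"], "department": ["HR"], "st": ["MN"]},
}

def would_sync(custom):  # names of the sample entries the filter selects
    return sorted(n for n, e in ENTRIES.items() if matches(parse(custom), e))
```

`keeps_default` is deliberately conservative: it accepts only filters where the default clause is visibly present at the top level, and it does not replace testing the filter against the real directory with an LDAP browser.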