6. Installing Active Directory Password Sync on a domain controller

To install Domino Active Directory Password Sync on a domain controller, you must install and set up a Domino Utility Server on the Active Directory domain controller.

About this task

You install a Domino Utility Server to load the Domino password library onto the domain controller through the Local Security Authority (LSA) on the controller. The Utility Server is an additional server in the Domino domain. The following components which are required by the password library are installed on the Utility Server:
  • A Configuration Directory in the domain, that omits Person and Group documents.
  • The directory assistance database and document configured for password synchronization that the password library library uses to access the full Domino directory for the domain.
  • A Domino server ID that the Domino password library uses to access other servers and databases in the domain. The ID has no password and is encrypted.
  • Password Change Request database, by default, adpwsync.nsf. This database is encrypted with the Utility Server server ID.


  1. Install a Domino Windows 64-bit Utility server on the Active Directory domain controller. You must select the Utility Server install type.
  2. Start the Domino server to start server setup
  3. When prompted, enter the Domino directory administration server for the Domino domain as the server from which to retrieve the directory.
  4. Respond to any other prompts to complete setup.
  5. After setup is complete, run regedit and confirm that the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages key contains the following entry as its last entry. This is the entry that allows LSA to load the Domino password library .
    <Domino program directory>\npwsync.dll
  6. Restart the domain controller to load the Domino password library.


Look at the Windows System log in Windows Event Viewer. Filter by Event source "Directory-Services-SAM" with Event Level "Error" and look for any errors that might indicate an error loading the Domino password library. If there are none, the library has loaded and begins to capture password changes for Domino users.

Additional information on status of the password library can be seen in the console.log located in the IBM_TECHNICAL_SUPPORT subdirectory of the Domino data directory on the Domino Utility server on the domain controller.