6. Installing Active Directory Password Sync on a domain controller

To install Domino Active Directory Password Sync, use the Domino Windows 64-bit server installer on the Active Directory domain controller.

About this task

You install Active Directory Password Sync to load the Domino password library to the domain controller through the Local Security Authority (LSA) on the controller. The following components, which are required by the password library, are installed on the domain controller:
  • A Configuration Directory in the domain, that omits Person and Group documents.
  • The directory assistance database and document configured for password synchronization that the password library library uses to access the full Domino directory for the domain.
  • A Domino server ID that the Domino password library uses to access other servers and databases in the domain. The ID has no password and is encrypted.
  • Password Change Request database, by default, adpwsync.nsf. This database is encrypted with the request creator Domino server ID that you created.


  1. Install Active Directory Password Sync using the Domino Windows 64-bit server installer on the Active Directory domain controller. You must select the Active Directory Password Sync install type.
  2. Click the HCL AD Password Sync desktop link to begin Active Directory Password Sync setup.
  3. When prompted, enter the Domino directory administration server for the Domino domain as the server from which to retrieve the directory.
  4. Respond to any other prompts to complete setup.
  5. After setup is complete, run regedit and confirm that the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages key contains the following entry as its last entry. This is the entry that allows LSA to load the Domino password library .
    <Domino program directory>\npwsync.dll
  6. Restart the domain controller to load the Domino password library.


Look at the Windows System log in Windows Event Viewer. Filter by Event source "Directory-Services-SAM" with Event Level "Error" and look for any errors that might indicate an error loading the Domino password library. If there are none, the library has loaded and begins to capture password changes for Domino users.

Additional information on status of the password library can be seen in the console.log located in the IBM_TECHNICAL_SUPPORT subdirectory of the Domino data directory on the domain controller.