Password synchronization components

The process of password synchronization involves components on the Active Directory domain controller and components on servers in the Domino domain.

Components on the Active Directory domain controller

  • Domino password library When the Active Directory domain controller starts, its Local Security Authority (LSA) service loads this library (DLL), which performs these general tasks:
    1. Captures password change information sent to it by the LSA and uses that information to create password change request documents in its local Password Change Request database.
    2. Copies the documents to the Password Change Request databases on an available Request Processor server in the Domino domain.
    3. Deletes the request documents from its local database.
  • Request Creator This is the Domino password filter identity, registered in the Domino domain as a server and identified by its server ID file. The server ID file is an encrypted ID file that is not password-protected, so the password filter can use it unattended; it is installed on the Active Directory domain controller during Domino Active Directory Password Sync setup. Because nothing but file-system permissions protects it, restrict access to the file to the accounts that need it. The server ID is designated as a Request Creator through its Server document in the Domino directory.
  • Password Change Request database When a Windows user who is dirsynced to the Domino directory changes their password, the Domino password filter detects the change and creates a password change document in this database. The document contains the user's objectGUID attribute and the new password information, securely stored. This database is created when the Active Directory domain controller starts for the first time after installation of Domino Active Directory Password Sync. By default, the database is created in the root data directory of the Domino Active Directory Password Sync install, with the file name adpwsync.nsf. You can customize this during Request Creator configuration in the Domino directory. Access to this database is controlled through a Configuration Settings document used by the Request Creator.
  • Domino Configuration Directory This directory is created during setup of Domino Active Directory Password Sync. It is a replica of the Domino domain directory that contains only the documents related to server configuration.
  • Directory assistance database This database is replicated from the Domino domain during setup of Domino Active Directory Password Sync. It includes a document that enables the Domino password filter to access the Domino directory on the Domino Request Processor servers.
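Because the Domino password library runs inside LSA as a Windows password filter, it, like every other DLL listed under the LSA "Notification Packages" registry value, receives each password change in cleartext. A practitioner hardening a domain controller therefore wants to confirm exactly which filters LSA will load. The following PowerShell script is an added example, not part of this documentation or the Domino product: it reads the registered notification packages, resolves each to its DLL under System32, checks that the file exists and carries a valid Authenticode signature, and flags anything not on an expected list. The Domino library's DLL name is not given on this page, so the $ExpectedPackages list is an assumption that you must adjust for your installation (scecli is the package Windows registers by default; some servers also carry rassfm).

```powershell
# Added example: audit the password filter DLLs that LSA loads on a domain controller.
# Any DLL registered under "Notification Packages" sees every password change in
# cleartext, so the list should contain only packages you can account for.
# Run on the domain controller; reading the key and checking signatures do not
# require elevation.

function Get-LsaPasswordFilterStatus {
    param(
        # Assumption: Windows defaults only. Add the Domino password library's DLL name
        # (without the .dll extension) once you know it from your installation.
        [string[]]$ExpectedPackages = @('scecli', 'rassfm')
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ comes back as a string array, one entry per registered filter.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

        # Entries are stored without an extension and are loaded from System32.
        $dllPath  = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $findings = New-Object System.Collections.Generic.List[string]
        $signer   = $null
        $sigState = 'NotChecked'

        if (-not (Test-Path -LiteralPath $dllPath)) {
            $findings.Add('DLL missing: LSA cannot load this filter')
        } else {
            $sig      = Get-AuthenticodeSignature -FilePath $dllPath
            $sigState = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Signature status is '$($sig.Status)'; verify the file's origin")
            }
        }

        if ($ExpectedPackages -notcontains $pkg) {
            $findings.Add('Not in the expected list: confirm who registered it and why')
        }

        [pscustomobject]@{
            Package         = $pkg
            Path            = $dllPath
            Signer          = $signer
            SignatureStatus = $sigState
            Findings        = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage: list every registered filter with its findings.
Get-LsaPasswordFilterStatus | Format-Table -AutoSize

# Usage: fail a compliance check if anything other than the expected packages is present.
$unexpected = Get-LsaPasswordFilterStatus | Where-Object { $_.Findings -ne 'OK' }
if ($unexpected) { Write-Warning "Review these LSA notification packages:`n$($unexpected | Out-String)" }
```

Run the check on each domain controller that runs the Domino password library, since the registry value is per host and a filter registered on one DC is not visible from another. A changed or unsigned entry here is worth treating as an incident lead, not just a configuration drift.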

Components on Domino domain servers

  • Request Processor A Domino server in the domain that processes new password change requests received from the Request Creator on the Active Directory domain controller.
  • Password Change Request database This database is created on a Request Processor automatically. The database contains password change documents received from a Request Creator. Each Request Processor has its own instance of this database; the database doesn't replicate. By default, the database is created in the root data directory with the file name adpwsync.nsf but you can customize this during Request Processor configuration. Access to this database is controlled through the Configuration Settings document used by the Request Processor.
  • Domino directory The following Domino directory documents are used to configure password synchronization. These documents replicate to the Domino Configuration Directory on the Active Directory domain controller.
    • The Server document defines a server as a Request Creator or a Request Processor and controls the path and file name of the Password Change Request database.
    • A Configuration Settings document defines the types of passwords to sync (HTTP, Notes ID, or both), the time to allow for password change processing before requests expire, and who is allowed to access the Password Change Request database. Request Creator and Request Processor servers can use the same Configuration Settings document or different ones.
  • Directory assistance database Created on the Domino domain administration server and replicated to the Active Directory domain controller during Domino Active Directory Password Sync setup. It includes a document that enables the Domino Active Directory Password Sync components on an Active Directory domain controller to access the full Domino directory, including Person documents, on Domino servers in the domain.
  • ID vault To sync Notes ID passwords, the IDs must be in the ID vault. No special ID vault configuration is required.