Processing heterogeneous systems is a common topic in most organizations, but different systems may become a problem when maintaining enterprise directories. Common scenarios include Microsoft Active Directory and IBM Lotus Domino in the company's IT infrastructure. Lotus Domino is usually used for enterprise message transmission, while active directory processes network users. To simplify system management, it is very convenient to maintain two directories at the same time from a single point. IBM recognized this requirement and included the Lotus Domino active directory synchronization tool or adsync (first in Lotus Domino V6 ). This tool can run on Microsoft Windows 2000 and later versions.
Adsync allows administrators to synchronize Domino Directory and Active Directory users and groups. Administrators can register and synchronize attributes and passwords, and perform the same operation in Domino Directory when renaming and deleting users and groups in Active Directory, and vice versa. Its features include container ing and property ing between two directories, as well as the policies used when registering users. It is easy to set and use, but there are still issues to consider.
The following products are used in this article:
Microsoft Windows Server 2003
Lotus Domino v7.0.1
Lotus Domino administrator v7.0.1
Installation and setting
Adsync is included as an installation option in the IBM Lotus Domino Administrator client. Adsync is not installed by default, but can be used as an optionalProgramFile, so you must select it during installation (see figure 1 ). In the custom Setup window of the IBM Lotus Notes Installation Wizard, select the domino administrator option and the Domino Directory W2000 sync services sub-option.
Figure 1. Select the adsync option during the installation of the domino Administrator client
After installation, adsync consists of a DLL file (nadsync. dll) and a help file (adsynch. CHM. When installing adsync on Windows, you must use the followingCodeComplete installation:
Regsvr32 nadsync. dll
This registers adsync as a Microsoft Management Console (MMC) snap-in and can be used in the Active Directory users and computers tool. Another installation problem involves creating appropriate security for Lotus Domino administrators and Active Directory administrators.
Establish security
The key issue when using adsync is
Security. The Active Directory administrator needs to manage and access the appropriate Domino Directory, And the domino administrator needs to access the appropriate Active Directory. The Active Directory administrator must have the correctly authenticated Notes ID and necessary access permissions to use the Domino Directory. In addition, policies must be created for all Domino authenticators (where users are created. Similarly, the domino administrator must have the necessary rights in Active Directory to perform all functions, such as adding users and groups. IBM recommends that you copy the CERT. ID file from the Domino server to the domino administrator data directory.
The final installation step involves initializing the adsync tool in the Active Directory users and computers tool. Double-click the domino directory synchronization object to start the process (see figure 2 ). After you are prompted to enter the administrator password (Admin. ID in the Domino server data directory), the Domino server is required. A dialog box is displayed to confirm the installation is successful.
Figure 2. initialize the adsync Tool
Lotus adsync Options dialog box
After initialization, the Lotus adsync Options dialog box opens. (To access this window after initialization, double-click the domino directory synchronization option in Figure 2 .) The Lotus adsync Options dialog box contains the following four tabs:
Notes synchronization options.You can use this tab to enable or disable all synchronization options, as well as the optional enable/disable options. In addition, you can specify when to display the prompt (for all operations, deletions only or no operations) and whether to use certificate authority for authentication (see figure 3 ).
Figure 3. Notes synchronization options Tab
Notes settings.On this tab, you can identify the Domino server used for all operations or specific servers used for individual operations (such as registration, synchronization, and deletion. In addition, you can specify the domino settings, including the Management ID, events that occur during user deletion, default authenticator names, and Domino group policies (see figure 4 ).
Figure 4. Notes settings Tab
Field mappings.Use this tab to map the Active Directory field to the Domino Directory field. Select a line (Active Directory field) and select the domino field to map the line (see Figure 5 ).
Figure 5. Field mappings attachment
Container mappings.Use this tab to map the Active Directory container to a specific Domino authenticator and/or policy (see figure 6 ). By default, the authenticator and policy selected during the setup process are used for all operations.
Figure 6. iner Mappings tab
The Help button is available in all the tabs in the Lotus adsync Options dialog box. It provides the help of MMC and the topic specific to adsync.
Use the domino Administrator client
Adsync adds the advanced option to the Register person dialog box (see figure 8 ). After this option is selected, access the Active Directory option through the Windows user button in the other tab in the register person dialog box.
Figure 8. Register person dialog box in Lotus Domino
Figure 9 shows the window opened after you click the Windows user Options button. You can specify whether to create an active directory user, which Active Directory to use, and the following active directory options: full name, logon name, and group.
Figure 9. Active Directory options for new domino users
The Lotus Domino aspect of this process ends with user maintenance. Next, perform operations in Active Directory.
Use Active Directory
Select Administrative Tools-Active Directory users and computers to use the Active Directory users and computers tool of Administrative Tools in windows. After adsync is initialized and set, Domino Directory becomes an option when an Active Directory object (person or group) is added. The new object dialog box includes the "register in Domino Directory" option. Select this option to create an object in Lotus Domino using the information entered in the field.
In addition, right-click an object in Active Directory and select appropriate options to add or synchronize existing users in Lotus Domino. When you select the register in Domino option for the existing Active Directory, the dialog box shown in Figure 10 is displayed. You can use the default value to complete user registration without prompting or providing the name and password of each selected user. One option is used to select whether to try registration later when an error occurs. After specifying these options, you can choose to register now, register later, or stop this process.
Figure 10. Registry options for Windows users and groups
In addition to operations on individual users, you can also create groups from Active Directory. To do this, select from group list
Adsync considerations
One of the most difficult problems when using adsync is to fully understand which side can perform what operations; that is, which operations can be performed by Active Directory and which operations can be performed by the domino Administrator client. However, if the information in table 1 is used, the above content is easy to understand. The first column in the table contains tasks, and the last two columns indicate whether the tasks are operated on the original platform.
Table 1. adsync operations initiated from Active Directory and Lotus Domino
You can quickly browse the table above and find that you can create and delete users from either side, but user registration depends on the location where the users are created. In Active Directory, user data can be easily synchronized between systems, but not on Lotus Domino. Finally, creating a group is only an Active Directory task. Therefore, you must be familiar with this table when using adsync in your environment. Another
| Operation | From Active Directory Platform | From the Lotus Domino Platform |
|---|---|---|
| Registered User | Yes | Yes |
| Rename the user created in Active Directory | Only Active Directory users can be renamed. | Only Active Directory users can be renamed. |
| Rename the user created in Lotus Domino | Yes | Yes |
| Synchronize user data | Yes | No |
| Delete a user | Yes | Yes |
| Create Group | Yes | No |
| Rename a group | Yes | No |
| Synchronize group data | Use the member relationships defined in Active Directory to override the Domino Directory members Field | No |
| Delete Group | No | Yes |
Programming
A common problem with adsync is programming support: Can I use adsync to create Domino users using scripts? The answer is simple: No. Adsync is an MMC management unit designed to simplify the work of system administrators. However, it does not provide any programming options to simplify the creation and/or synchronization of users or groups.
You can use adsync to register Domino users when or after creating Active Directory users, and vice versa. At least, you can create Active Directory users in Lotus Notes, but this capability is not disclosed to developers through any available APIs (written in C, Java, or Lotus script. You may think that you can achieve Active Directory interaction through the Microsoft. NET platform, but it does not provide support for the adsync function. You must use active directory or Domino Directory Interface to use adsync.
Conclusion
Any system administrator will tell you that managing enterprise users and groups is a time-consuming process. When an enterprise uses multiple fully heterogeneous systems, the problem becomes more serious. It is convenient to use a single interface to handle administrative matters (such as creating, deleting, and configuring users and groups. Adsync solves this problem by simplifying the process of synchronizing Active Directory and Domino Directory users and groups. However, you need to pay attention to the two aspects in the adsync process. Therefore, you should be prepared when using this tool to ensure that the results meet your expectations.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
