ID107: Getting Started With Active Directory Integration
Josh Burchard
Ken Lin
Lotus Software, IBM Software Group
Agenda and Goals
- Clarify and correct common misconceptions
- Clarify and correct common mistakes
- Clarify relevant deployment scenarios
Examine ADSync and Directory Assistance for integrating IBM Lotus Domino directory services and Microsoft Active Directory
ADSync & Domino
- Why this presentation section?
  - There have been many questions in the IBM Notes and Domino forums about the Domino administration feature, ADSync
  - There is a lot of confusion about what ADSync is capable of, and what it isn't
- What I hope to give you:
  - A high-level overview of what ADSync is and is not
  - What ADSync is capable of doing for you
  - Things to think about when deploying ADSync
Terminology
- A couple of terms I'll use throughout this section:
  - Object-Level
    - For the scope of this presentation, "object" refers to Domino records (e.g., the Josh Burchard person document) or LDAP entries of type person or group
  - Field-Level
    - The Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise person and group objects
What ADSync Isn’t
Surprise! Despite the name, it’s not a full synchronization tool
So What is it Then?
- It's a Microsoft Management Console (MMC) Snap-In that extends and expands on our Notes NT User Manager Add-In
- It's a Domino Administrator client install option
- It's a tool that allows for some synchronization by linking Domino and Active Directory objects
- It's a way to do general Domino field-level administration from the MMC
- It's a way to do basic Domino object-level administration from the MMC
- It's more useful than simply migrating entries back and forth between a Domino Directory and Active Directory
So What is it? (cont.)
- It's only part of the Active Directory administration picture:
  - ADSync, along with the Domino Administrator client, can work together to perform limited, manual synchronization of objects
[Diagram: Domino and Active Directory side by side. The Admin client works on Active Directory objects only; ADSync works on objects & fields.]
Where does ADSync Live?
[Screenshot: the MMC "Users and Computers" window, with callouts marking the ADSync buttons and the container for the ADSync popup menu]
- ADSync is a Snap-In to the Microsoft Management Console's "Users and Computers" dialog that provides embedded Domino functionality
What can you do with these tools?
- Add people to Active Directory or NT via the "Person Registration Advanced Pane" and link them to their respective Domino object
- Import people and groups from Active Directory or NT via "Person Registration Migrate" (Domino Upgrade Service) and link them to their respective Domino object
- You can add, delete, and rename people in NT or Active Directory via the Domino Administrator client
- You can migrate people and groups to Domino from NT or Active Directory via the Domino Administrator client
What can you do with these tools? (cont.)
- You can create new people and groups in Active Directory and at the same time (or later, if you wish) register the people, or add the groups, to Domino via ADSync
- You can link people and groups that already exist in Active Directory and Domino via ADSync
- You can delete groups in NT or Active Directory via the Domino Administrator client
- You can synchronize changes made to an Active Directory object with the object it's linked to in Domino
Be Aware! (Prereqs and Planning Needed)
- Prerequisites:
  - Install the Domino Administrator client with the W2000 Sync Services option
  - The preferred way of running ADSync is from Windows 2000 Professional or Windows XP Professional with the Microsoft AdminPak
- Planning:
  - You can perform ADSync operations on more than one Domino server, but it is not recommended
  - Domino registration operations are limited to the primary Domino Directory, no secondary directories
  - To perform Active Directory object-level operations (like delete and rename) from the Domino Admin client, the objects must have been previously linked
  - You must have created a Domino policy when adding people in Active Directory and then registering them in Domino. This provides a way for Domino to specify default values for the fields that aren't mapped from AD (e.g., Roaming user)
Some Common Misconceptions
- We never do field-level manipulation from Domino to Active Directory, only from Active Directory to Domino
- During Domino person registration, ADSync can set a common password for Active Directory, Domino HTTP and the Notes ID
- If you reset the common password via ADSync, the AD and Domino HTTP password will be made the same but the Notes ID password will not be modified. Even using Notes Single Logon will require a manual Notes ID password change
- Since Domino field values never get applied to AD fields, the AD e-mail address needs to be manually set to the Domino e-mail address
- ADSync configuration settings are not shared across Administrator client machines
Some Common Misconceptions (cont.)
- ADSync only synchronizes Active Directory changes made via the MMC. In general, these are manual changes made by administrators. Programmatic changes are not recognized
- Changing a field in Active Directory prompts an automatic synchronization to occur which overwrites the corresponding Domino field
- No scheduling of synchronizations
- Synchronizing an Active Directory group will not register its members as people in Domino. It is only a field-level synchronization operation that translates group member names
- Renaming a group via ADSync does not create all of the necessary Administration Process requests, e.g. replacing the old name with the new in Domino database ACLs
Points to Take Away
- ADSync requires careful planning beforehand, and careful management once in use, because:
  - It can't provide a perfect password-sync solution, even when used with Notes Single Logon
  - Only manual MMC changes (not programmatic ones) kick off an auto-sync, which may leave orphaned objects or other directory anomalies
  - There exists only one-way field-level synchronization: from Active Directory to Domino
  - AdminP will not propagate Active Directory name changes to ACLs
- There are other alternatives that IBM provides!
Directory Assistance
- What is it?
- How is it used by Notes and Web clients?
- How is it set up?
- What additional background information is useful?
- What are the common problems and solutions?
What is Directory Assistance?
Directory of secondary directories
Domino server feature enabling customers to use secondary Domino or LDAP (e.g., Active Directory) directories for:
- Internet Authentication
- Notes and Internet Group Membership Lookups for Database Authorization
- Notes Mail Address Resolution
  - Type ahead (type/pause/complete)
  - Select Addresses dialog
  - F9 / Comma Address completion
- Lookup User Attributes
  - Email address
  - MailFile
  - Etc.
Notes Client Database Access

Function                  Name in LDAP secondary (e.g., AD)   Name in secondary Domino directory
Authentication            Not applicable                      Yes
Authorization             Not applicable                      Yes
Type ahead                No                                  Yes
Select Addresses dialog   No                                  Yes
F9 name completion        Yes                                 Yes
NAMELookup                Yes                                 Yes

Web Client Database Access (non-DWA)

Function                  Name in LDAP secondary (e.g., AD)   Name in secondary Domino directory
Authentication            Yes                                 Yes
Authorization             Yes                                 Yes
Type ahead                No                                  No
Select Addresses dialog   No                                  Yes
F9 name completion        Not applicable                      Not applicable
NAMELookup                Yes                                 Yes
DA Backgrounder: Directory Interfaces
[Diagram: directory data flow between applications, the Domino server (klin0) and Active Directory (bk2000)]
- NSF applications use the NSF/NIF API (e.g., NSFDbOpen, NIFFindByName) and read names.nsf and names2.nsf on the Domino server over NSF/NIF/FT
- NAMELookup applications use the NAME API (e.g., NAMELookup) over NRPC; the Domino server's LDAP gateway (LDAP Gwy) relays the lookup to Active Directory over LDAP
- LDAP applications use the Domino LDAP Server; a chased LDAP referral (LDAP Ref) to Active Directory's Directory Services is the alternative path, XOR with the referral, and is not used in our examples
DA Setup: Modify Server Document
[Screenshot callout] 1. Enter the name of the DA database that we will create next
DA Setup: Create DA.nsf Database
[Screenshot callouts] 1. Use the Directory Assistance template da50.ntf (Show advanced ...); 2. da.nsf matches the Server document setting
DA Setup: Basics Tab
[Screenshot callouts]
1. Change Domain type from Notes (default) to LDAP
2. Any unique admin-friendly name
3. Select types of directory applications
4. Change Group Authorization from No (default) to Yes to allow Active Directory ...
5. Leave nested group expansion Yes to recognize ...
6. Leave Enabled set to Yes
(Not covered - see ...)
Backgrounder: Database Authorization
- DA permits only one secondary directory where Group Authorization is set to Yes
  - If you have both a secondary Active Directory and other Domino secondaries, make the primary an Extended Directory Catalog
- Use fully qualified Notes names (slashes) in database ACLs – not abbreviated names – not LDAP names!
  - cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
  - cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
- Review the setting for File / Database / Access Control / Advanced / Maximum Internet name and password
Backgrounder: Notes & AD Directory Organization
[Diagram: the two trees, with a legend distinguishing person, group and container entries; note the possible use of DCs]
Active Directory:
  dc=bk,dc=notesdev,dc=ibm,dc=com
    cn=Builtin
      cn=Administrators
      cn=Users
    cn=Computers
    cn=Users
      cn=Beth Keach
      cn=MDN Admin
      cn=Enterprise Admins
Notes/Domino:
  (root)
    LocalDomainAdmins
    o=IBM LDAP Server Dev
      ou=Westford
        cn=Josh Burchard
        cn=Ken Lin
DA Setup: Naming Contexts Tab
[Screenshot callouts] Leave N.C. 1 with all asterisks (because ...); change Trusted for Credentials ...
DA Setup: LDAP Tab
[Screenshot callouts] hostnames; LDAP bind DN for searches; password; LDAP base DN for search; SSL (not covered in ...); change ... to ...
DA Setup: Hostname
- DNS name or IP address (v6 also) of one or more replicated Active Directory servers
  - Obtain by asking your AD administrator
  - Alternate discovery methods:
    - Query DNS SRV for _ldap._tcp.domainname using nslookup.exe (registered by Windows 2003-based domain controllers)
    - Run an auto-discovery tool on your subnet
DA Setup: Optional Authentication Credential
- Use the LDAP "Bind" distinguished name of a single AD user who can search the desired AD entries
- Use LDAP naming (attribute = value and commas)
- Optionally protect clear-text passwords using the normal "Encrypting documents using secret keys" procedure
DA Setup: Base DN for Search
[Diagram: the AD tree dc=bk,dc=notesdev,dc=ibm,dc=com with cn=Builtin, cn=Computers and cn=Users beneath it (cn=Administrators, cn=Users, cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins below those); a callout "Probably what you ..." points at the domain root]
- LDAP searches require filter, base, and scope
- Locate the top of the desired tree (e.g., the root DSE's defaultNamingContext)
DA Setup: Authentication Filter
[Sequence diagram: Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username; the Domino LDAP gateway (LDAP Gwy) exchanges the following with AD]
1. Name resolution (search)
   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
   Filter: (|(cn=bkeach) ...)
   Result DN: cn=Beth Keach,cn=Users, . . .
2. Authentication (bind)
   bindDN: cn=Beth Keach,cn=Users, . . . Password: (Beth's)
   Result: success
Version note: 6.5.6 / 7.0.1 use more name variations in the filter (lower security)
Backgrounder: NamesList
NamesList (Effective Access) is composed of
- Names and aliases
- Groups
[Diagram: cn=Beth Keach,cn=Users, ... is a member of cn=Enterprise Admins,cn=Users, ...; cn=Administrators,cn=Builtin, ...; cn=Domain Administrators,cn=Builtin, ... Goal: grant AD admins (including Beth) access to http://klin0/mail/]
DA Setup: 6.5.4 Authorization Filter
[Diagram: the LDAP gateway issues one subtree search per group level against AD]
Search 1
  Base: dc=bk,dc=notesdev,dc=ibm,dc=com
  Filter: (&(objectclass=group)(member=cn=Beth Keach,cn=Users, . . .))
  Result: DN: cn=Domain Administrators,cn=Builtin, . . . and DN: cn=Enterprise Admins,cn=Users, . . .
Search 2
  Base: dc=bk,dc=notesdev,dc=ibm,dc=com
  Filter: (&(objectclass=group)(member=cn=Domain Administrators,cn=Builtin, . . .))
  Result: (no such object)
Search 3
  Base: dc=bk,dc=notesdev,dc=ibm,dc=com
  Filter: (&(objectclass=group)(member=cn=Enterprise Admins,cn=Users, . . .))
  Result: DN: cn=Administrators,cn=Builtin, . . .
DA Setup: 6.5.5 Authorization Filter
[Diagram: the LDAP gateway reads the memberOf attribute of each entry with a base-scope search – a big performance improvement]
Read 1
  Base: cn=Beth Keach,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  Result: DN: cn=Beth Keach,cn=Users, . . .
    memberOf: cn=Domain Administrators,cn=Builtin, . . .
    memberOf: cn=Enterprise Admins,cn=Users, . . .
Read 2
  Base: cn=Domain Administrators,cn=Builtin, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  Result: DN: cn=Domain Administrators,cn=Builtin, . . .
Read 3
  Base: cn=Enterprise Admins,cn=Users, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
  Result: DN: cn=Enterprise Admins,cn=Users, . . .
    memberOf: cn=Administrators,cn=Builtin, . . .
Read 4
  Base: cn=Administrators,cn=Builtin, . . .  Filter: (objectClass=*)  Scope: Base  Attr: memberOf
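The authentication filter, the two authorization strategies (6.5.4 reverse member searches versus 6.5.5 memberOf reads) and the slash-form Notes names the Database Authorization backgrounder asks for in ACLs, modelled in one place. This is an added example, not code from the deck or from Domino: the directory is an in-memory dictionary constructed to mirror the dc=bk,dc=notesdev,dc=ibm,dc=com tree on the slides, the password and mail value are made up, and the `userpassword` check stands in for the LDAP bind a real server performs. The RFC 4515 escaping is included because a login name is interpolated straight into the search filter, so an unescaped `*` would turn the lookup into a match-all.

```python
# Added example, not from the ID107 deck: an in-memory model of the Directory
# Assistance web-authentication path traced on the slides (name resolution,
# bind, NamesList), plus the RFC 4515 escaping a DA-style lookup needs.
import re

BASE_DN = "dc=bk,dc=notesdev,dc=ibm,dc=com"
BETH = "cn=Beth Keach,cn=Users," + BASE_DN
DOM_ADMINS = "cn=Domain Administrators,cn=Builtin," + BASE_DN
ENT_ADMINS = "cn=Enterprise Admins,cn=Users," + BASE_DN
ADMINS = "cn=Administrators,cn=Builtin," + BASE_DN
# Constructed sample AD mirroring the deck's tree; attribute names are lower-cased so
# lookups are case-insensitive as in LDAP. "userpassword" only stands in for the bind.
SAMPLE_AD = {
    BETH: {"objectclass": ["user"], "cn": ["Beth Keach"], "samaccountname": ["bkeach"],
           "mail": ["bkeach@bk.notesdev.ibm.com"], "userpassword": ["correct-horse"],
           "memberof": [DOM_ADMINS, ENT_ADMINS]},
    DOM_ADMINS: {"objectclass": ["group"], "cn": ["Domain Administrators"], "member": [BETH]},
    ENT_ADMINS: {"objectclass": ["group"], "cn": ["Enterprise Admins"], "member": [BETH],
                 "memberof": [ADMINS]},
    ADMINS: {"objectclass": ["group"], "cn": ["Administrators"], "member": [ENT_ADMINS]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: without it a login of '*' turns (cn=*) into a match-all."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def auth_filter(login):
    """The name-resolution filter shown in the WebAuth trace, built from an escaped login."""
    v = escape_filter_value(login)
    return "(|(cn=%s)(sAMAccountName=%s)(uid=%s)(mail=%s))" % (v, v, v, v)

def group_filter_654(member_dn):
    """6.5.4-style reverse lookup: which groups list this DN as a member?"""
    return "(&(objectclass=group)(member=%s))" % escape_filter_value(member_dn)

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _value_regex(raw):
    # A bare '*' is a wildcard; an escaped '\2a' is a literal star.
    return re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$", re.I)

def _parse(f, i=0):
    """Tiny parser for the filter shapes used here: (attr=value), (|...), (&...)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)  # a ')' inside a value is always escaped as \29
    attr, _, val = f[i + 1:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def _matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(_matches(k, entry) for k in node[1])
    rx = _value_regex(node[2])
    return any(rx.match(v) for v in entry.get(node[1], []))

def search(directory, base, scope, filt):
    """Scope 2 = subtree, 0 = base, matching the 'Scope:' lines in the trace."""
    node, _ = _parse(filt)
    base = base.lower()
    return [dn for dn, e in directory.items()
            if (dn.lower() == base or (scope == 2 and dn.lower().endswith("," + base)))
            and _matches(node, e)]

def to_notes_name(dn):
    """Render a DN as the trace and ACLs do: CN=Beth Keach/CN=Users/DC=bk/...
    (assumes no escaped commas inside RDN values)."""
    return "/".join(t.upper() + "=" + v for t, _, v in (r.partition("=") for r in dn.split(",")))

def resolve_name(directory, login):
    """The single DN the login resolves to, or None when nothing or more than one entry matches."""
    hits = search(directory, BASE_DN, 2, auth_filter(login))
    return hits[0] if len(hits) == 1 else None

def _expand(user_dn, parents_of):
    """Breadth-first nested-group expansion; returns Notes-form names, user first."""
    seen, queue = [user_dn], [user_dn]
    while queue:
        for g in parents_of(queue.pop(0)):
            if g not in seen:
                seen.append(g)
                queue.append(g)
    return [to_notes_name(d) for d in seen]

def names_list_655(directory, user_dn):
    """6.5.5 style: base-scope reads of memberOf, one per group (the trace's Scope: 0 searches)."""
    return _expand(user_dn, lambda dn: directory.get(dn, {}).get("memberof", []))

def names_list_654(directory, user_dn):
    """6.5.4 style: a subtree search per level asking which groups list the DN as member."""
    return _expand(user_dn, lambda dn: search(directory, BASE_DN, 2, group_filter_654(dn)))

def authenticate(directory, login, password):
    """Resolve, 'bind' with the stand-in password check, then build the NamesList."""
    dn = resolve_name(directory, login)
    if dn is None or password not in directory[dn].get("userpassword", []):
        return None
    return names_list_655(directory, dn)
```

`authenticate(SAMPLE_AD, "bkeach", "correct-horse")` returns Beth's DN followed by Domain Administrators, Enterprise Admins and (via nesting) Administrators, all in the slash form that belongs in a database ACL; `names_list_654` reaches the same list with one subtree search per level instead of one base read per entry, which is the cost difference the 6.5.5 slide calls a big performance improvement. A login of `*` resolves to nothing because the escaped filter matches only a literal star, while an unescaped `(cn=*)` passed to `search` matches every entry.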
[C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
Test DA: LDAP Connection
- Test the DA LDAP configuration settings using the ldapsearch tool; the options map onto the LDAP tab fields:
  - -h: hostname
  - -p: port
  - -D: LDAP bind DN
  - -w: password
  - -b: LDAP base DN for search
  - the filter: find an entry
Test DA: Verify Startup
Success:
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- -------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
2 BK2000 Secondary-LDAP Notes & LDAP [bk2000.notesdev.ibm.com]:389
Port or Bind DN / Password failure:
01/05/2006 07:12:54 PM Error attempting to access the Directory
*[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is
LDAP Server is NOT available.
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- ------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
Monitor DA: WebAuth_Verbose_Trace=1
Successful name resolution:
WebAuth> LOOKUP in view $Users (user='bkeach' org='')
NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP
server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)
(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
. . .
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach
/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
Successful authentication:
NAMELookup::<NAMEVerifyLDAPPassword>>
BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach
/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
WebAuth> VERIFY password
Monitor DA: WebAuth_Verbose_Trace=1 (cont.)
Successful 6.5.5 NamesList generation:
NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users
/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server=
'[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,
DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
. . .
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise
Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain
Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
Etc.
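The SHOW XDIR output and the WebAuth_Verbose_Trace lines above are what an administrator has to read by eye after every DA change; the script below turns both into something a monitoring job can assert on. It is an added example, not an IBM tool and not from the deck: the console and trace text is constructed from the lines shown on the slides (with the wrapped DNs re-joined), the function names are my own, and the only things it recognises are the column layout and message strings visible on these slides.

```python
# Added example, not from the ID107 deck: parse SHOW XDIR console output and
# WebAuth_Verbose_Trace=1 lines to confirm the LDAP secondary loaded and to
# pull each LDAP search (base, scope, filter, attrs, matched DNs) out of a trace.
import re

# Sample text constructed from the slides' console and trace lines (not live captures).
XDIR_OK = """> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- -------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
2 BK2000 Secondary-LDAP Notes & LDAP [bk2000.notesdev.ibm.com]:389
"""
XDIR_FAIL = """01/05/2006 07:12:54 PM Error attempting to access the Directory
*[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is
LDAP Server is NOT available.
> SHOW XDIR
DomainName DirectoryType ClientProtocol Replica/LDAP Server
---------- ------------- -------------- -------------------
1 KLIN0 Primary-Notes Notes & LDAP names.nsf
"""
TRACE = """NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
NAMELookup::<LDAP GW> Scope: 2
NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
NAMELookup::<LDAP GW> Scope: 0
NAMELookup::<LDAP GW> Filter: (objectClass=*)
NAMELookup::<LDAP GW> Attrs: memberOf
NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
"""

# One SHOW XDIR row: number, domain, type, protocol (may contain spaces), server.
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")
_KV = re.compile(r"<LDAP GW> (Base|Scope|Filter|Attrs): (.*)$")
_DN = re.compile(r"matched DN='([^']*)'")
_ERRORS = ("Error attempting to access the Directory", "LDAP Server is NOT available")

def parse_show_xdir(output):
    """Return the directories SHOW XDIR lists, one dict per row."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({"domain": m.group(2), "type": m.group(3),
                         "protocol": m.group(4), "server": m.group(5)})
    return rows

def missing_secondaries(output, expected):
    """Expected secondary domains that SHOW XDIR did not list (i.e. DA failed to load them)."""
    loaded = {r["domain"] for r in parse_show_xdir(output) if r["type"].startswith("Secondary")}
    return sorted(set(expected) - loaded)

def directory_errors(output):
    """Console messages meaning DA could not reach a secondary; the text wraps, so re-join it."""
    text = " ".join(output.split())
    return [msg for msg in _ERRORS if msg in text]

def parse_trace(text):
    """Group trace lines into one record per LDAP search, starting at each 'Base:' line."""
    searches, cur = [], None
    for line in text.splitlines():
        kv = _KV.search(line)
        if kv:
            key, val = kv.groups()
            if key == "Base":
                cur = {"base": val, "matched": []}
                searches.append(cur)
            elif cur is not None:
                cur[key.lower()] = int(val) if key == "Scope" else val
            continue
        dn = _DN.search(line)
        if dn and cur is not None:
            cur["matched"].append(dn.group(1))
    return searches
```

Run against the failing console capture, `missing_secondaries` reports `BK2000` and `directory_errors` returns both message strings, which is the condition to alert on after a server restart; on the successful trace, `parse_trace` yields the subtree name-resolution search (scope 2, one matched DN) followed by the base-scope memberOf read (scope 0, two matched DNs), so a check can confirm the name resolved to exactly one entry before the bind.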
DA: Points to Take Away
- Allows AD users to access Domino databases with web clients
- Setup:
  - Specify AD users or groups in Domino database ACLs as Notes names
  - Group Authorization – Yes
  - Trusted for Credentials – Yes
  - Optional Authentication Credential – Must supply an LDAP name
  - Base DN for Search – Must supply an LDAP name
  - Type of Search Filter to use – Active Directory
- Testing and Monitoring:
  - ldapsearch command line tool
  - Show XDIR server console command
  - WebAuth_Verbose_Trace=1 Notes.ini setting
IBM Tivoli Directory Integrator
- General purpose data synchronization toolkit / engine
- Change Propagation
  - Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
  - Built-in event handlers wait for and react to specific events (e.g., AD change, LDAP changelog detection)
  - Administrators code assembly lines using connectors and/or event handlers to transform and propagate information
- Password Change Propagation
  - Separately installable plug-in entities capture AD password and Domino HTTP password changes, and update other directories with the new password
- ITDI Compared with ADSync
  - ITDI change-triggered or batch execution vs. ADSync is manual only
  - ITDI is flexible (you provide programming) vs. ADSync is limited
  - ITDI assembly lines are coded using JavaScript or Java
Summary
- Use ADSync when
  - You want to allow Active Directory users to access Domino databases using the Notes or Web clients
  - You want Active Directory administrators to handle most people and group administration for your Domino domain
  - You don't mind not having the most up-to-date directory entries
- Use Directory Assistance when
  - You want to allow Active Directory users to access Domino databases using Web clients
  - You do not want to continually maintain and sync directory content
- Consider IBM Tivoli Directory Integrator when
  - Your synchronization requirements are more advanced
References
- IBM Redbooks | Using LDAP for Directory Integration
- ADSync
  - IBM Redbooks | Active Directory Synchronization with Lotus ADSync, http://www.redbooks.ibm.com
  - Administering the Domino System – Using Domino with Windows Synchronization Tools
- Directory Assistance
  - Administering the Domino System – Setting Up Directory Assistance
  - Single sign-on in a Multi-directory World, http://www-128.ibm.com/developerworks/lotus/library/sso1/
  - Google "Domino Directory FAQ"
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Getting Started with Active Directory Integration

  • 1. ID107: Getting Started With Active Directory Integration
    Josh Burchard
    Ken Lin
    Lotus Software, IBM Software Group
  • 2. Agenda and Goals
     Clarify and correct common misconceptions
     Clarify and correct common mistakes
     Clarify relevant deployment scenarios
    Examine ADSync and Directory Assistance for integrating IBM Lotus Domino directory services and Microsoft Active Directory
  • 3. ADSync & Domino
     Why this presentation section?
       There have been many questions in the IBM Notes and Domino forums about the Domino administration feature, ADSync
       There is a lot of confusion about what ADSync is capable of, and what it isn’t
     What I hope to give you:
       A high-level overview of what ADSync is and is not
       What ADSync is capable of doing for you
       Things to think on when deploying ADSync
  • 4. Terminology
     A couple of terms I’ll use throughout this section:
       Object-Level
         For the scope of this presentation, “object” refers to Domino records (e.g., the Josh Burchard person document) or LDAP entries of type person or group
       Field-Level
         The Domino fields (e.g., HTTPPassword) / LDAP attributes that comprise person and group objects
  • 5. What ADSync Isn’t
    Surprise! Despite the name, it’s not a full synchronization tool
  • 6. So What is it Then?
     It’s a Microsoft Management Console (MMC) Snap-In that extends and expands on our Notes NT User Manager Add-In
     It’s a Domino Administrator client install option
     It’s a tool that allows for some synchronization by linking Domino and Active Directory objects
     It’s a way to do general Domino field-level administration from the MMC
     It’s a way to do basic Domino object-level administration from the MMC
     It’s more useful than simply migrating entries back and forth between a Domino Directory and Active Directory
  • 7. So What is it? (cont.)
     It’s only part of the Active Directory administration picture:
       ADSync, along with the Domino Administrator client, can work together to perform limited, manual synchronization of objects
    [Diagram: Domino and Active Directory connected by the Admin Client (objects only) and by ADSync (objects & fields)]
  • 8. Where does ADSync Live?
    [Screenshot: MMC “Users and Computers” showing the ADSync buttons and the container for the ADSync popup menu]
     ADSync is a Snap-In to the Microsoft Management Console’s “Users and Computers” dialog that provides embedded Domino functionality
  • 9. What can you do with these tools?
     Adds people to Active Directory or NT via the “Person Registration Advanced Pane” and links them to their respective Domino object
     Imports people and groups from Active Directory or NT via “Person Registration Migrate” (Domino Upgrade Service) and links them to their respective Domino object
     You can add, delete, rename people in NT or Active Directory via the Domino Administrator client
     You can migrate people and groups to Domino from NT or Active Directory via the Domino Administrator client
  • 10. What can you do with these tools?
     You can create new people and groups in Active Directory and at the same time (or later, if you wish) register the people, or add the groups to Domino via ADSync
     You can link people and groups that already exist in Active Directory and Domino via ADSync
     You can delete groups in NT or Active Directory via the Domino Administrator client
     You can synchronize changes made to an Active Directory object with the object it’s linked to in Domino
  • 11. Be Aware! (Prereqs and Planning Needed)
     Prerequisites:
       Install the Domino Administrator client with the W2000 Sync Services option
       The preferred way of running ADSync is from Windows 2000 Professional or Windows XP Professional with the Microsoft AdminPak
     Planning:
       You can perform ADSync operations on more than one Domino server, but it is not recommended
       Domino registration operations are limited to the primary Domino Directory, no secondary directories
       To perform Active Directory object level operations (like delete and rename) from the Domino Admin client, the objects must have been previously linked
       You must have created a Domino policy when adding people in Active Directory and then registering them in Domino. This provides a way for Domino to specify default values for the fields that aren’t mapped from AD (e.g. Roaming user)
  • 12. Some Common Misconceptions
     We never do field-level manipulation from Domino to Active Directory, only from Active Directory to Domino
     During Domino person registration, ADSync can set a common password for Active Directory, Domino HTTP and the Notes ID
       If you reset the common password via ADSync, the AD and Domino HTTP password will be made the same but the Notes ID password will not be modified. Even using Notes Single Logon will require a manual Notes ID password change
     Since Domino field values never get applied to AD fields, the AD e-mail address needs to be manually set to the Domino e-mail address
     ADSync configuration settings are not shared across Administrator client machines
  • 13. Some Common Misconceptions (cont.)
     ADSync only synchronizes Active Directory changes made via the MMC. In general, these are manual changes made by administrators. Programmatic changes are not recognized
     Changing a field in Active Directory prompts an automatic synchronization to occur which overwrites the corresponding Domino field
     No scheduling of synchronizations
     Synchronizing an Active Directory group will not register its members as people in Domino. It is only a field level synchronization operation that translates group members’ names
     Renaming a group via ADSync does not create all of the necessary Administration Process requests, e.g. replacing the old name with the new in Domino database ACLs
  • 14. Points to Take Away
     ADSync requires careful planning beforehand, and careful management once in use because:
       It can’t provide a perfect password-sync solution, even when used with Notes Single Logon
       Only manual MMC changes (not programmatic ones) kick off an auto-sync, which may leave orphaned objects or other directory anomalies
       There exists only one-way field-level synchronization: from Active Directory to Domino
       AdminP will not propagate Active Directory name changes to ACLs
     There are other alternatives that IBM provides!
  • 15. Directory Assistance
     What is it?
     How is it used by Notes and Web clients?
     How is it set up?
     What additional background information is useful?
     What are the common problems and solutions?
  • 16. What is Directory Assistance?
    Directory of secondary directories
    Domino server feature enabling customers to use secondary Domino or LDAP (e.g., Active Directory) directories for:
     Internet Authentication
     Notes and Internet Group Membership Lookups for Database Authorization
     Notes Mail Address Resolution
       Type ahead (type/pause/complete)
       Select Addresses dialog
       F9 / Comma Address completion
     Lookup User Attributes
       Email address
       MailFile
       Etc.
  • 17. Notes Client Database Access
    Feature                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
    Authentication           Yes                                  Not applicable
    Authorization            Yes                                  Not applicable
    Type ahead               Yes                                  No
    Select Addresses dialog  Yes                                  No
    F9 name completion       Yes                                  Yes
    NAMELookup               Yes                                  Yes
  • 18. Web Client Database Access (non-DWA)
    Feature                  Name in secondary Domino directory   Name in LDAP secondary (e.g., AD)
    Authentication           Yes                                  Yes
    Authorization            Yes                                  Yes
    Type ahead               No                                   No
    Select Addresses dialog  Yes                                  No
    F9 name completion       Not applicable                       Not applicable
    NAMELookup               Yes                                  Yes
  • 19. DA Backgrounder: Directory Interfaces
    [Diagram: three directory interfaces and the applications that use them: the NSF/NIF API (e.g., NSFDbOpen, NIFFindByName) used by an NSF App over NSF/NIF/FT; the NAME API (e.g., NAMELookup) used by a NAMELookup App over NRPC; and the LDAP Server used by an LDAP App over LDAP. The Domino server (klin0) holds names.nsf and names2.nsf and reaches Active Directory (bk2000) through the LDAP Gateway (directory data flow). The alternative path, a chased LDAP referral via Referral Directory Services (XOR with the gateway), is not used in our examples]
  • 20. DA Setup: Modify Server Document
    [Screenshot of the Server document; callout 1: Enter name of DA database that we will create next]
  • 21. DA Setup: Create DA.nsf Database
    [Screenshot of the New Database dialog; callout 1: Use Directory Assistance da50.ntf (Show advanced …); callout 2: da.nsf matches Server doc setting]
  • 22. DA Setup: Basics Tab
    [Screenshot of the Directory Assistance document, Basics tab, with callouts:]
    1. Change Domain type from Notes (default) to LDAP
    2. Any unique admin-friendly name
    3. Select types of directory applications
    4. Change Group Authorization from No (default) to Yes to allow Active Directory …
    5. Leave nested group expansion Yes to recognize …
    6. Leave Enabled set to Yes
    Not covered - see …
  • 23. Backgrounder: Database Authorization
     DA permits only one secondary directory where Group Authorization is set to Yes
     If you have both a secondary Active Directory and other Domino secondaries, make the primary an Extended Directory Catalog
     Use fully qualified Notes names (slashes) in database ACLs – not abbreviated names – not LDAP names!
       cn=MDN Admin/cn=Users/dc=bk/dc=notesdev/dc=ibm/dc=com
       cn=Administrators/cn=Builtin/dc=bk/dc=notesdev/dc=ibm/dc=com
     Review setting for File / Database / Access Control / Advanced / Maximum Internet name and password
  • 24. Backgrounder: Notes & AD Directory Organization
    [Diagram of the two trees. Active Directory: dc=bk,dc=notesdev,dc=ibm,dc=com (note possible use of DCs) with containers cn=Builtin (groups cn=Administrators, cn=Users), cn=Computers and cn=Users (persons cn=Beth Keach and cn=MDN Admin, group cn=Enterprise Admins). Notes/Domino: (root) with group LocalDomainAdmins and o=IBM / ou=Westford containing persons cn=Josh Burchard and cn=Ken Lin. Legend: person, group, container]
  • 25. DA Setup: Naming Contexts Tab
    [Screenshot of the Naming Contexts tab; callouts: Leave N.C. 1 with all asterisks (because …); Change Trusted for Credentials …]
  • 26. DA Setup: LDAP Tab
    [Screenshot of the LDAP tab; callouts: hostnames; LDAP bind DN for searches; password; LDAP base DN for search; SSL not covered in …; Change to …]
  • 27. DA Setup: Hostname
     DNS name or IP address (v6 also) of one or more replicated Active Directory servers
     Obtain by asking your AD administrator
     Alternate discovery methods:
       Query DNS SRV for _ldap._tcp.domainname using nslookup.exe (registered by Windows 2003-based domain controllers)
       Run an auto-discovery tool on your subnet
  • 28. DA Setup: Optional Authentication Credential
     Use LDAP “Bind” distinguished name of a single AD user who can search desired AD entries
     Use LDAP naming (attribute = value and commas)
     Optionally protect clear text Passwords using normal “Encrypting documents using secret keys” procedure
  • 29. DA Setup: Base DN for Search
    [Diagram: Active Directory tree dc=bk,dc=notesdev,dc=ibm,dc=com with cn=Builtin (cn=Administrators, cn=Users), cn=Computers and cn=Users (cn=Beth Keach, cn=MDN Admin, cn=Enterprise Admins); callout on the root: Probably what you …]
     LDAP searches require filter, base, and scope
     Locate top of desired tree (e.g., root DSE’s defaultNamingContext)
  • 30. DA Setup: Authentication
    [Diagram: Beth authenticates while opening http://klin0/mail/klin.nsf using her Windows username; the LDAP Gateway talks to AD in two steps]
    Name resolution:
      search   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
               Filter: (|(cn=bkeach) …)
      result   DN: cn=Beth Keach,cn=Users, . . .
    Authentication:
      bind     bindDN: cn=Beth Keach,cn=Users, . . .
               Password: …
      result   success
    Callout (6.5.6, 7.0.1): More name variations, lower security
  • 31. Backgrounder: NamesList
    NamesList (Effective Access) is composed of
     Names and aliases
     Groups
    [Diagram: cn=Beth Keach,cn=Users, … is a member of cn=Enterprise Admins,cn=Users, … and cn=Domain Administrators,cn=Builtin, …; cn=Enterprise Admins is in turn a member of cn=Administrators,cn=Builtin, …]
    Grant AD admins (including Beth) access to http://klin0/mail/
  • 32. DA Setup: 6.5.4 Authorization
    [Diagram: LDAP Gateway to AD, one subtree search per level of group nesting]
    Search 1   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
               Filter: (&(objectclass=group)(member=cn=Beth Keach,cn=Users, . . .))
               Result: DN: cn=Domain Administrators,cn=Builtin, . . .
                       DN: cn=Enterprise Admins,cn=Users, . . .
    Search 2   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
               Filter: (&(objectclass=group)(member=cn=Domain Administrators,cn=Builtin, . . .))
               Result: (no such object)
    Search 3   Base: dc=bk,dc=notesdev,dc=ibm,dc=com
               Filter: (&(objectclass=group)(member=cn=Enterprise Admins,cn=Users, . . .))
               Result: DN: cn=Administrators,cn=Builtin, . . .
  • 33. DA Setup: 6.5.5 Authorization
    [Diagram: LDAP Gateway to AD, one base-scope read of memberOf per entry; callout: Big Performance Improvement]
    Read 1   Base: cn=Beth Keach,cn=Users, . . .   Filter: (objectClass=*)   Scope: Base   Attr: memberOf
             Result: DN: cn=Beth Keach,cn=Users, . . .
                     memberOf: cn=Domain Administrators,cn=Builtin, . . .
                     memberOf: cn=Enterprise Admins,cn=Users, . . .
    Read 2   Base: cn=Domain Administrators,cn=Builtin, . . .   Filter: (objectClass=*)   Scope: Base   Attr: memberOf
             Result: DN: cn=Domain Administrators,cn=Builtin, . . .
    Read 3   Base: cn=Enterprise Admins,cn=Users, . . .   Filter: (objectClass=*)   Scope: Base   Attr: memberOf
             Result: DN: cn=Enterprise Admins,cn=Users, . . .
                     memberOf: cn=Administrators,cn=Builtin, . . .
    Read 4   Base: cn=Administrators, . . .
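The two authorization strategies above (slides 32 and 33) and the slide 23 rule that database ACLs hold Notes-style names, worked through as an added example that is not part of the presentation: it runs against a constructed in-memory stand-in for the AD tree on slide 24, and its cost model (one unit per directory entry for a subtree search, one unit per base-scope read) is my simplification for illustration, not a measurement of Active Directory.

```python
BASE = "dc=bk,dc=notesdev,dc=ibm,dc=com"
BETH = f"cn=Beth Keach,cn=Users,{BASE}"
DOMAIN_ADMINS = f"cn=Domain Administrators,cn=Builtin,{BASE}"
ENTERPRISE_ADMINS = f"cn=Enterprise Admins,cn=Users,{BASE}"
ADMINISTRATORS = f"cn=Administrators,cn=Builtin,{BASE}"

# Constructed sample directory keyed by DN: the entries named on the slides,
# with memberOf kept consistent with member as AD maintains it.
DIRECTORY = {
    BETH: {"objectClass": ["user"], "member": [], "memberOf": [DOMAIN_ADMINS, ENTERPRISE_ADMINS]},
    DOMAIN_ADMINS: {"objectClass": ["group"], "member": [BETH], "memberOf": []},
    ENTERPRISE_ADMINS: {"objectClass": ["group"], "member": [BETH], "memberOf": [ADMINISTRATORS]},
    ADMINISTRATORS: {"objectClass": ["group"], "member": [ENTERPRISE_ADMINS], "memberOf": []},
}


def split_dn(dn):
    """Split a DN on unescaped commas; a '\\,' inside a value is kept."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch not in ",\\":
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        else:
            parts.append(cur.strip())
            cur = ""
    parts.append(cur.strip())
    return parts


def ldap_to_notes_name(dn):
    """LDAP DN -> fully qualified Notes name for an ACL: RDNs joined by slashes."""
    return "/".join(split_dn(dn))


def groups_via_member_search(directory, dn):
    """6.5.4 style: subtree search (&(objectclass=group)(member=<dn>)) for the
    user, then for each group found. Cost: one unit per entry per search."""
    found, pending, seen, cost = [], [dn], {dn.lower()}, 0
    while pending:
        target = pending.pop(0).lower()
        cost += len(directory)
        for gdn, entry in directory.items():
            is_group = "group" in entry["objectClass"]
            if is_group and target in (m.lower() for m in entry["member"]):
                if gdn.lower() not in seen:
                    seen.add(gdn.lower())
                    found.append(gdn)
                    pending.append(gdn)
    return found, cost


def groups_via_memberof(directory, dn):
    """6.5.5 style: base-scope read of memberOf for the user, then for each
    group found (one unit each). The seen-set also stops cyclic nesting."""
    by_lower = {k.lower(): v for k, v in directory.items()}
    found, pending, seen, cost = [], [dn], {dn.lower()}, 0
    while pending:
        entry = by_lower.get(pending.pop(0).lower(), {})
        cost += 1
        for gdn in entry.get("memberOf", []):
            if gdn.lower() not in seen:
                seen.add(gdn.lower())
                found.append(gdn)
                pending.append(gdn)
    return found, cost


def names_list(directory, user_dn, strategy):
    """NamesList (effective access): the user's own name followed by every
    nested group, all as Notes names ready to compare against an ACL."""
    groups, cost = strategy(directory, user_dn)
    notes_groups = sorted(map(ldap_to_notes_name, groups))
    return [ldap_to_notes_name(user_dn)] + notes_groups, cost


if __name__ == "__main__":
    for strategy in (groups_via_member_search, groups_via_memberof):
        names, cost = names_list(DIRECTORY, BETH, strategy)
        print(f"{strategy.__name__}: cost {cost}, NamesList {names}")
```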
  • 34. Test DA: LDAP Connection
     Test DA LDAP Configuration settings using ldapsearch tool
    [C:\Notes] ldapsearch.exe -h bk2000.notesdev.ibm.com -p 389 -D "cn=mdn admin,cn=users,dc=bk,dc=notesdev,dc=ibm,dc=com" -w "rosebud" -b "dc=bk,dc=notesdev,dc=ibm,dc=com" -s subtree "(cn=Administrators)"
    Callouts: -h hostname; -p port; -D LDAP bind DN; -w password; -b LDAP base DN for search; -s subtree "(cn=Administrators)" to find an entry
  • 35. Test DA: Verify Startup
    Success:
    > SHOW XDIR
    DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
    ----------  --------------  --------------  -------------------
    1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
    2 BK2000    Secondary-LDAP  Notes & LDAP    [bk2000.notesdev.ibm.com]:389
    Port or Bind DN / Password Failure:
    01/05/2006 07:12:54 PM Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
    > SHOW XDIR
    DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
    ----------  --------------  --------------  -------------------
    1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
  • 36. Monitor DA: WebAuth_Verbose_Trace=1
    Successful Name Resolution:
    WebAuth> LOOKUP in view $Users (user='bkeach' org='')
    NAMELookup::<LDAP GW> Searching for name='bkeach' in LDAP server='[bk2000.notesdev.ibm.com]'
    NAMELookup::<LDAP GW> Base: dc=bk,dc=notesdev,dc=ibm,dc=com
    NAMELookup::<LDAP GW> Scope: 2
    NAMELookup::<LDAP GW> Filter: (|(cn=bkeach)(sAMAccountName=bkeach)(uid=bkeach)(mail=bkeach))
    . . .
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    Successful Authentication:
    NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='[bk2000.notesdev.ibm.com]:389' w/ user='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    WebAuth> VERIFY password
  • 37. Monitor DA: WebAuth_Verbose_Trace=1
    Successful 6.5.5 NamesList Generation:
    NAMELookup::<LDAP GW> Searching for name='CN=Beth Keach/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com' in LDAP server='[bk2000.notesdev.ibm.com]'
    NAMELookup::<LDAP GW> Base: CN=Beth Keach,CN=Users,DC=bk,DC=notesdev,DC=ibm,DC=com
    NAMELookup::<LDAP GW> Scope: 0
    NAMELookup::<LDAP GW> Filter: (objectClass=*)
    NAMELookup::<LDAP GW> Attrs: memberOf
    . . .
    NAMELookup::<LDAP GW> SEARCH returned '2' match(es).
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Enterprise Admins/CN=Users/DC=bk/DC=notesdev/DC=ibm/DC=com'
    NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Domain Administrators/CN=Builtin/DC=bk/DC=notesdev/DC=ibm/DC=com'
    Etc.
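An added example, not from the presentation: a small check over console output shaped like the slide 35 SHOW XDIR captures (the sample text below is constructed to match that layout) that confirms the configured secondary LDAP directory actually loaded and, when it did not, pulls the server and reason out of the Directory Assistance error line.

```python
import re

# Constructed console captures, shaped like the SHOW XDIR output on the slide:
# one healthy start-up and one where the port or bind DN / password failed.
XDIR_OK = """\
> SHOW XDIR
DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
----------  --------------  --------------  -------------------
1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
2 BK2000    Secondary-LDAP  Notes & LDAP    [bk2000.notesdev.ibm.com]:389
"""

XDIR_FAILED = """\
01/05/2006 07:12:54 PM Error attempting to access the Directory *[bk2000.notesdev.ibm.com]:389 (no available alternatives), error is LDAP Server is NOT available.
> SHOW XDIR
DomainName  DirectoryType   ClientProtocol  Replica/LDAP Server
----------  --------------  --------------  -------------------
1 KLIN0     Primary-Notes   Notes & LDAP    names.nsf
"""

# Table rows: index, domain, type, protocol (may contain single spaces), server.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s{2,}(\S.*)$")
# DA start-up error: the unreachable server and the reason Domino reports.
ERR_RE = re.compile(
    r"Error attempting to access the Directory \*?(\S+) .*?error is (.+?)\.?$")


def parse_show_xdir(console):
    """Return the directories listed by SHOW XDIR as dicts."""
    rows = []
    for line in console.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"domain": m.group(2), "type": m.group(3),
                         "protocol": m.group(4), "server": m.group(5)})
    return rows


def directory_errors(console):
    """Extract (server, reason) from every 'Error attempting to access the Directory' line."""
    return [m.groups() for m in map(ERR_RE.search, console.splitlines()) if m]


def check_secondary_ldap(console, domain):
    """Confirm that the secondary LDAP directory `domain` loaded; otherwise say why not."""
    loaded = {r["domain"] for r in parse_show_xdir(console) if r["type"] == "Secondary-LDAP"}
    if domain in loaded:
        return True, "ok"
    errors = directory_errors(console)
    if errors:
        server, reason = errors[0]
        return False, f"{domain} missing: {server}: {reason}"
    return False, f"{domain} missing: no error logged (check the DA document and server document)"


if __name__ == "__main__":
    for capture in (XDIR_OK, XDIR_FAILED):
        print(check_secondary_ldap(capture, "BK2000"))
```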
  • 38. DA: Points to Take Away
     Allows AD users to access Domino databases with web clients
     Setup:
       Specify AD users or groups in Domino database ACLs as Notes names
       Group Authorization – Yes
       Trusted for Credentials – Yes
       Optional Authentication Credential – Must supply an LDAP name
       Base DN for Search – Must supply an LDAP name
       Type of Search Filter to use – Active Directory
     Testing and Monitoring:
       ldapsearch command line tool
       Show XDIR server console command
       WebAuth_Verbose_Trace=1 Notes.ini setting
  • 39. IBM Tivoli Directory Integrator
     General purpose data synchronization toolkit / engine
     Change Propagation
       Built-in connectors perform I/O with popular data sources (e.g., LDAP, NSF)
       Built-in event handlers wait for and react to specific events (e.g., AD change, LDAP changelog detection)
       Administrators code assembly lines using connectors and/or event handlers to transform and propagate information
     Password Change Propagation
       Separately installable plug-in entities capture AD password and Domino HTTP password changes and update other directories with the new password
     ITDI Compared with ADSync
       ITDI change-triggered or batch execution vs. ADSync is manual only
       ITDI is flexible (you provide programming) vs. ADSync is limited
       ITDI assembly lines coded using JavaScript or Java
  • 40. Summary
     Use ADSync when
       You want to allow Active Directory users to access Domino databases using the Notes or Web clients
       You want Active Directory administrators to handle most people and group administration for your Domino domain
       You don’t mind not having the most up-to-date directory entries
     Use Directory Assistance when
       You want to allow Active Directory users to access Domino databases using Web clients
       You do not want to continually maintain and sync directory content
     Consider IBM Tivoli Directory Integrator when
       Your synchronization requirements are more advanced
  • 41. References
     IBM Redbooks | Using LDAP for Directory Integration
     ADSync
       IBM Redbooks | Active Directory Synchronization with Lotus ADSync http://www.redbooks.ibm.com
       Administering the Domino System – Using Domino with Windows Synchronization Tools
     Directory Assistance
       Administering the Domino System – Setting Up Directory Assistance
       Single sign-on in a Multi-directory World http://www-128.ibm.com/developerworks/lotus/library/sso1/
     Google “Domino Directory FAQ”

Editor's Notes

  1. Assume some audience has heard of DA. Balance of presentation is based upon our monitoring of ND and BP forums – more DA than ADSync questions
  2. If half the functionality is in the Domino Admin client then…………….. (Ask question on title.)
  3. They’ll see it later on, but explicitly point out that Domino registration can only create PEOPLE in AD, but AD can create people or groups in Domino.
  4. Target audience: Somewhat familiar with DA and LDAP My value: common problems / inner workings
  5. Not interesting for Active Directory deployment scenario. Not applicable because running a Notes client requires an ID, and therefore a Domino directory infrastructure. Not to be confused with (mention) LDAP connection docs
  6. Star = Points to pay attention to DA-AD used mainly for Web authentication/authorization
  7. Magic Hat = Details for geeks
  8. (Don’t attempt to explain on this slide) Mention next 2 slides are Side notes
  9. http://www.awprofessional.com/articles/article.asp?p=26918&rl=1 Investigate migration hierarchies vs. brand new hierarchies
  10. Need a sentence defining Name Rule. “Just use all asterisks”
  11. Go through these quickly (will be covered in depth later) SSL Warning – see lab (red lotus security handbook)
  12. http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/fe24903970b82d3585256c1d00394173?OpenDocument
  13. sAMAccountName is a new feature in 6.5.6 and 7.0.1 (NOT in 7.0)
  14. This slide illustrates how groups (in this case from AD) are used in Names Lists
  15. In subsequent releases, we’ll consider embedding configuration validation/wizards
  16. Mention SHOW XDIR DEBUG
  17. XOR