Synchronizing password changes in Lotus Domino and Active Directory

Posted on 2005-03-28
Medium Priority
Last Modified: 2013-11-15

I was wondering if there is a way to synchronize password changes between Lotus Domino and Active Directory, i.e. when a user changes his e-mail password it automatically gets updated in Active Directory.

Any help or suggestions are appreciated.

Question by: Tom_Cat

Expert Comment

ID: 13645987
You can use Microsoft's metadirectory to synchronize all of your passwords.  We keep a user's PC, Active Directory, internet (LDAP), RACF, and Lotus passwords the same.  Of course the passwords must all meet the minimum requirements for all the different packages.
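
The constraint mentioned in the comment above, that one synchronized password has to satisfy every system's rules at once, worked through as an added example (not part of the original thread). The three policies and their values are constructed placeholders, not the defaults of any product named here; the code derives the combined policy and reports why a candidate password would be rejected.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    allowed: frozenset   # characters the system accepts
    required: tuple = () # character classes; at least one char from each

ALNUM = frozenset(string.ascii_letters + string.digits)
DIGITS = frozenset(string.digits)
UPPER = frozenset(string.ascii_uppercase)

# Constructed sample policies (hypothetical values, not product defaults).
POLICIES = [
    Policy("directory-a", 8, 64, ALNUM | frozenset("!@#$%"), (DIGITS, UPPER)),
    Policy("mail-b", 6, 32, ALNUM | frozenset("!@#$%"), (DIGITS,)),
    Policy("mainframe-c", 6, 8, ALNUM | frozenset("@#$")),
]

def combine(policies):
    """Return the one policy a synchronized password must satisfy."""
    min_len = max(p.min_len for p in policies)
    max_len = min(p.max_len for p in policies)
    if min_len > max_len:
        raise ValueError(f"no common length: min {min_len} > max {max_len}")
    allowed = frozenset.intersection(*(p.allowed for p in policies))
    required = []
    for p in policies:
        for cls in p.required:
            usable = cls & allowed  # a class is only satisfiable via shared chars
            if not usable:
                raise ValueError(f"{p.name}: required class not allowed elsewhere")
            if usable not in required:
                required.append(usable)
    return Policy("combined", min_len, max_len, allowed, tuple(required))

def violations(password, policy):
    """List the reasons a candidate password fails the given policy."""
    problems = []
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append("length")
    if set(password) - policy.allowed:
        problems.append("charset")
    if any(not (set(password) & cls) for cls in policy.required):
        problems.append("required-class")
    return problems
```

With these sample values the combined policy allows exactly eight characters, so the most restrictive system caps the strength of the password used everywhere.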


Expert Comment

ID: 13646784
We use Lotus's ADsync utility and LDAP.

Go to the Domino Help file and go to topic: Setting up Domino Active Directory synchronization

Here is a link to a Redbook on how it's done as well:

From the Domino Help File:

To set up Domino Active Directory synchronization

Install the Active Directory domain controller, the Domino server, and the Domino Administrator on separate machines to improve performance and enhance security.  However, if necessary you may install any two or all three of these on the same machine.

  1. From a Windows 2000 Professional workstation, log into the Windows domain using a user account with administrative rights.
  2. From the Windows 2000 Server CD, install the Windows 2000 Administration Tools Package.  From the CD, run \i386\adminpak.msi.
     Note: This file is not on the Windows 2000 Professional workstation CD.  You must install the file from the Windows 2000 Server CD.  Microsoft licensing permits you to install this administrative package on Windows 2000 Professional workstations.
  3. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers, and verify that the workstation has connected to the domain controller.
  4. Install, but do not run, the Domino Administrator.
  5. Open a command prompt.  From your Notes install directory, type:
         regsvr32 nadsync.dll
     A message box appears indicating that registration is complete.  This can take up to one minute.
  6. Run the Domino Administrator and complete the configuration process.
  7. From the Domino Administrator, create an organizational policy or an explicit policy and a Registration policy settings document. You must have at least one policy to use with ADSync.
     For more information about policies, see Using policies.
  8. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers. Click the Lotus Domino Options folder.
  9. Right-click Domino Directory synchronization and then choose Options.
 10. Enter your Notes password.
 11. Click the Notes Settings tab.
 12. Click the Notes Server for Registration button and specify a registration server.  This is typically the administration server of the Domino Directory.
 13. Click OK.
 14. Close and restart Active Directory Users and Computers to allow these changes to take effect.

Author Comment

ID: 13646993
Can we update AD from the Domino Directory using ADSync? I.e., if a user changes his email password, can we propagate this change to the Active Directory from the Domino Directory using ADSync? If I am not wrong, ADSync needs manual intervention every time we want to synchronize the user information, and this can be done only from the Active Directory to the Domino Directory and not the other way around. I was looking for a procedure where we can get this to happen without any manual intervention on the net admin's part, and from the Domino Directory to the Active Directory.
Can we do this by setting up a Kerberos realm, and if so, can you let me know how to go about this?

Thanx in advance.

Expert Comment

ID: 13647223
The policy you create in Domino is what takes care of the automated part.  We explained to all our users that they must change the password thru the Windows interface (AD) and NOT to change the password using the Lotus Notes/Domino software.

As far as I know you're correct in that all changes must be made in the AD as your centralized LDAP store and Domino "sync's" those changes.  You have to use it "one way", that is AD -> Domino.

It makes more sense to me to use AD as your central LDAP anyway. If a user is logged onto their XP workstation and changes the password thru the Notes client, then when they tried to get on a network share they would be denied access until they re-logon with the new password thru the Windows interface.  This way, users are forced to use the AD to store the credentials, and to my mind this makes things easier on you if you ever decide to move to something like RADIUS.


Author Comment

ID: 13653470
Hi royalcanin,

I am setting up a test bed to see if ADSync can solve my problem and I will get back to you with the results ASAP. Also, are there any precautions that should be observed if I am trying to set up AD, the Lotus Domino server and the Lotus Administrative client on the same Windows 2003 server?

Thanx in advance

Accepted Solution

royalcanin earned 2000 total points
ID: 13654501
The only thing I can think of would be to make certain, when you install the Notes Admin client, to specify a different directory than the Domino install folders (a separate HD is even better to separate the IO).

Good luck
