Solved

Synchronizing password changes in Lotus Domino and Active Directory

Posted on 2005-03-28
Last Modified: 2013-11-15
Hi

I was wondering if there is a way to synchronize the password changes between Lotus Domino and Active Directory, i.e. when a user changes his e-mail password it automatically gets updated in the Active Directory.

Any help or suggestions are appreciated.

Thanks
Question by:Tom_Cat
6 Comments
 
LVL 2

Expert Comment

by:JackOfAll1
ID: 13645987
You can use Microsoft's metadirectory to synchronize all of your passwords.  We keep a user's PC, Active Directory, internet (LDAP), RACF, and Lotus passwords the same.  Of course the passwords must all meet the minimum requirements for all the different packages.

Hth.
0
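The constraint in the comment above (one password has to satisfy every synchronized system) can be checked before a sync is rolled out. This is an added example, not part of the original thread; the three policies and their values are constructed for illustration and are not the products' real rules.

```python
import string
from dataclasses import dataclass
@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    allowed: frozenset          # characters the system accepts
    classes_required: int = 0   # of upper / lower / digit / symbol

# Constructed sample policies for illustration, NOT the products' real rules.
FULL = frozenset(string.ascii_letters + string.digits + "!@#$%^&*-_=+")
LEGACY = frozenset(string.ascii_uppercase + string.digits + "@#$")
POLICIES = [
    Policy("ActiveDirectory", 7, 127, FULL, classes_required=3),
    Policy("Domino", 8, 63, FULL),
    Policy("Mainframe", 6, 8, LEGACY),
]

def char_classes(chars):
    """Count how many of upper/lower/digit/symbol occur in chars."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for t in tests if any(t(c) for c in chars))

def effective(policies):
    """Intersect the policies: the strictest bound wins on every axis."""
    return Policy("effective", max(p.min_len for p in policies),
                  min(p.max_len for p in policies),
                  frozenset.intersection(*(p.allowed for p in policies)),
                  max(p.classes_required for p in policies))

def satisfiable(p):
    """False when no password at all can pass every system."""
    return p.min_len <= p.max_len and char_classes(p.allowed) >= p.classes_required

def rejects(p, password):
    """Reason policy p refuses password, or None if it is accepted."""
    if not p.min_len <= len(password) <= p.max_len:
        return "length"
    if not set(password) <= p.allowed:
        return "charset"
    if char_classes(password) < p.classes_required:
        return "complexity"
    return None

def rejecting_systems(password, policies=POLICIES):
    """Map each system that would break the sync to its reason."""
    return {p.name: r for p in policies if (r := rejects(p, password))}
```

With these constructed values the effective policy is exactly 8 characters drawn from uppercase letters, digits and `@#$`, so the synchronized password can be no stronger than the most restrictive system allows.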
 
LVL 3

Expert Comment

by:royalcanin
ID: 13646784
We use Lotus's ADSync utility and LDAP.

Go to the Domino Help file and go to the topic: Setting up Domino Active Directory synchronization

Here is a link to a Redbook on how it's done as well:
 http://publib-b.boulder.ibm.com/Redbooks.nsf/RedpaperAbstracts/redp0605.html?Open


From the Domino Help File:

To set up Domino Active Directory synchronization

Install the Active Directory domain controller, the Domino server, and the Domino Administrator on separate machines to improve performance and enhance security.  However, if necessary you may install any two or all three of these on the same machine.

  1. From a Windows 2000 Professional workstation, log into the Windows domain using a user account with administrative rights.
  2. From the Windows 2000 Server CD, install the Windows 2000 Administration Tools Package.  From the CD, run \i386\adminpak.msi.
     Note: This file is not on the Windows 2000 Professional workstation CD.  You must install the file from the Windows 2000 Server CD.  Microsoft licensing permits you to install this administrative package on Windows 2000 Professional workstations.
  3. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers, and verify that the workstation has connected to the domain controller.
  4. Install, but do not run, the Domino Administrator.
  5. Open a command prompt.  From your Notes install directory, type:
         regsvr32 nadsync.dll
     A message box appears indicating that registration is complete.  This can take up to one minute.
  6. Run the Domino Administrator and complete the configuration process.
  7. From the Domino Administrator, create an organizational policy or an explicit policy and a Registration policy settings document. You must have at least one policy to use with ADSync.
     For more information about policies, see Using policies.
  8. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers. Click the Lotus Domino Options folder.
  9. Right-click Domino Directory synchronization and then choose Options.
 10. Enter your Notes password.
 11. Click the Notes Settings tab.
 12. Click the Notes Server for Registration button and specify a registration server.  This is typically the administration server of the Domino Directory.
 13. Click OK.
 14. Close and restart Active Directory Users and Computers to allow these changes to take effect.
0
 

Author Comment

by:Tom_Cat
ID: 13646993
Can we update AD from the Domino Directory using ADSync? I.e. if a user changes his email password, can we propagate this change to the Active Directory from the Domino Directory using ADSync? If I am not wrong, ADSync needs manual intervention every time we want to synchronize the user information, and this can be done only from the Active Directory to the Domino Directory and not the other way around. I was looking at a procedure where we can get this to happen without any manual intervention on the net admin's part and from the Domino Directory to the Active Directory.
Can we do this by setting up a Kerberos realm, and if so can you let me know how to go about this?

Thanks in advance.
0

 
LVL 3

Expert Comment

by:royalcanin
ID: 13647223
The policy you create in Domino is what takes care of the automated part.  We explained to all our users that they must change the password through the Windows interface (AD) and NOT to change the password using the Lotus Notes/Domino software.

As far as I know you're correct in that all changes must be made in the AD as your centralized LDAP store and Domino "syncs" those changes.  You have to use it "one way", that is AD -> Domino.

It makes more sense to me to use AD as your central LDAP anyway. If a user is logged onto their XP workstation and changes the password through the Notes client, then when they tried to get on a network share they would be denied access until they re-logon with the new password through the Windows interface.  This way, users are forced to use the AD to store the credentials, and to my mind this makes things easier on you if you ever decide to move to something like RADIUS.

HTH
0
 

Author Comment

by:Tom_Cat
ID: 13653470
Hi royalcanin,

I am setting up a test bed to see if ADSync can solve my problem and I will get back to you with the results ASAP. Also, are there any precautions that should be observed if I am trying to set up AD, Lotus Domino server and the Lotus Administrative client on the same Windows 2003 server?

Thanks in advance
0
 
LVL 3

Accepted Solution

by:
royalcanin earned 2000 total points
ID: 13654501
The only thing I can think of would be to make certain that when you install the Notes Admin client you specify a diff. directory than the Domino install folders (a sep. HD is even better to separate the IO).

Good luck
0
