HCL Domino V11 – Directory Synchronization – Part 7

Registering Active Directory users in Domino

When you use Directory Sync, you can register Active Directory users in Domino to create mail files and Notes IDs for them.

To register Active Directory users in Domino, open the Admin client and navigate to “People & Groups -> People“. Select the name of an Active Directory user to register. Right-click and select Register Selected Person.

Select the certifier and type in the password.

The Register Person dialog appears, pre-filled with …

Oops. NOTHING in there.

This is an issue I ran into during BETA testing. It took a while until we found out the cause for it. If you encounter the same in V11 GA in your environment, open the Notes Client notes.ini and search for

NewUserServer=<servername>

Most likely, servername is not the name of the registration server. Delete the entry from notes.ini and restart the Administration client.
If this does not fix the issue, check your policy settings. Chances are that the registration server in the registration policy does not match the server where you want to register the user.

This is a known issue and will hopefully be fixed in Domino V11.0.1. It’s being tracked under SPR# MOBNBHQQUH.

With the correct settings in place, you will see the following

Complete the registration dialog and register the user.

The Active Directory user is now registered in Domino.

For now, you can only register one user at a time. An enhancement request already exists to register ALL selected Active Directory users.

Renaming Domino users when their names change in Active Directory

When you use Directory Sync and the common name of a registered Domino user changes in Active Directory, follow this procedure to change the name in the Domino directory Person document, too.

The Rename Domino users upon Active Directory rename option must be enabled in the Directory Sync configuration document.

When a Domino user’s common name changes in Active Directory, a Rename Common Name administration process request is created. You must approve the request for the rename to be carried out in Domino.

I renamed the user in Active Directory.

Here is what you see on the server console during the sync.

[0290:0004-16DC] DirSync  Entry with mail address 'd.vader@darkside.org' - NoteID 33086 was found in the target directory.
[0290:0004-16DC] DirSync  
DirSync  CSyncFromAD::DoModify(dn = 'CN=Darth Vaderman,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
[0290:0004-16DC] 22.01.2020 08:34:28 LLNDirSync CSyncToAdminP::ModifyPerson: FLATFirstFuameValue: CN=Darth Vaderman/CN=Sync/DC=ad/DC=fritz/DC=box
 Status: No error.
[0290:0004-16DC] DirSync Submitted adminp request to rename user CN=Darth Vader/O=singultus to CN=Darth Vaderman/O=singultus
[0290:0004-16DC] DirSync  Modified LastName from 'Vader' to 'Vaderman'
[0290:0004-16DC] DirSync  Modified memberOf from '' to 'CN=BadGuys,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Modified uSNChanged from '234953' to '235340'
[0290:0004-16DC] DirSync  'person' Document updated, UTF8 Name = 'CN=Darth Vaderman,CN=Sync,DC=ad,DC=fritz,DC=box' 
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=Darth Vaderman,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  
[0290:0004-16DC] 22.01.2020 08:34:28   DIRSYNC From Active Directory (AD) - Summary (1.111 sec, Start=235338, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=235340)

Open admin4.nsf and navigate to “Rename Common Name Requests”.

Select the names to process and click Complete rename for selected entries. Select certifier and provide the Notes certifier password.

Select “Change common name” in the next dialog box.

A standard administration process Rename In Domino Directory request is then initiated for each name processed.

Deleting registered users 

When users or groups are deleted in Active Directory, they are also deleted in the Domino® directory, with one exception: Active Directory users who are registered as Domino users (have mail files, etc) are not deleted from Domino.

The objectGUID item will be removed from the person record on the next resync.

DirSync  Removed ObjectGUID for Registered User with Note ID 33086, user = CN=Darth Vaderman/O=singultus.
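
To review what a sync run did to identities, the console lines shown in the rename and deletion sections above can be parsed into a short report. This Python example is added here and is not the author's or HCL's code; the line patterns are inferred only from the output on this page, and the `cn_only` check and the decision to ignore `uSNChanged` are assumptions of the example.

```python
import re

# Lines copied from the console output and the deletion message shown on this page.
SAMPLE_LOG = """\
[0290:0004-16DC] DirSync Submitted adminp request to rename user CN=Darth Vader/O=singultus to CN=Darth Vaderman/O=singultus
[0290:0004-16DC] DirSync  Modified LastName from 'Vader' to 'Vaderman'
[0290:0004-16DC] DirSync  Modified memberOf from '' to 'CN=BadGuys,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Modified uSNChanged from '234953' to '235340'
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=Darth Vaderman,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] 22.01.2020 08:34:28   DIRSYNC From Active Directory (AD) - Summary (1.111 sec, Start=235338, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=235340)
DirSync  Removed ObjectGUID for Registered User with Note ID 33086, user = CN=Darth Vaderman/O=singultus.
"""

RENAME = re.compile(r"Submitted adminp request to rename user (CN=.+?) to (CN=.+?)\s*$")
MODIFIED = re.compile(r"Modified (\w+) from '(.*?)' to '(.*)'\s*$")
UNLINKED = re.compile(r"Removed ObjectGUID for Registered User with Note ID (\d+), user = (.+?)\.?\s*$")
SUMMARY = re.compile(r"DIRSYNC From Active Directory \(AD\) - Summary \((.+)\)")
BOOKKEEPING = {"uSNChanged"}  # assumption: AD update sequence number is noise for review


def org_part(name):
    """Everything after the common name, e.g. 'O=singultus'."""
    return name.split("/", 1)[1] if "/" in name else ""


def audit(lines):
    report = {"renames": [], "changes": [], "unlinked": [], "summary": {}}
    for line in lines:
        if m := RENAME.search(line):
            old, new = m.groups()
            # Assumption: a Rename Common Name request should leave the hierarchy untouched.
            report["renames"].append(
                {"old": old, "new": new, "cn_only": org_part(old) == org_part(new)})
        elif m := MODIFIED.search(line):
            attr, old, new = m.groups()
            if attr not in BOOKKEEPING:
                report["changes"].append((attr, old, new))
        elif m := UNLINKED.search(line):
            report["unlinked"].append({"note_id": int(m.group(1)), "user": m.group(2)})
        elif m := SUMMARY.search(line):
            report["summary"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(1))}
    return report


if __name__ == "__main__":
    for section, items in audit(SAMPLE_LOG.splitlines()).items():
        print(section, items)
```

Each entry under `renames` corresponds to a request waiting for approval in admin4.nsf, so the report can be compared against the “Rename Common Name Requests” view before anything is approved.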

4 thoughts on “HCL Domino V11 – Directory Synchronization – Part 7”

  1. thank you for your invaluable guidance.
    I note that this process is not at all user friendly…
    But I wonder if HCL has never thought about how to optimise the steps…
    Isn’t it possible to synchronize the password?
    Go to admin4 and approve the renaming… go to registration and register…
    Does it all seem so complicated to me?

  2. >> But I wonder if HCL has never thought about how to optimise the steps…
    they have thought about …

    >> Isn’t it possible to synchronize the password?
    will come in a later Version / FP

    >> Go to admin4 and approve the renaming… go to registration and register…
    can be done today with LS / JAVA.

    We discussed all of this in the BETA forum. HCL has a list of feature requests and enhancements, and they are working on it.

  3. Do you know why admins need to do the user registration dialog again? Pre-11 presentation seemed to sell this feature as a way to reduce the administration burden of having to register your user twice (once in AD and once in Domino). This manual process means that admins still need to register the user in Domino.
    If only DirSync could trigger an Adminp user registration that would pre-populate everything (i.e.: ID, Password and mail file). If approval to said Adminp request is needed I think it would still be acceptable compared to filling out User Registration dialog.

    • Well, if you sync users from AD to Domino, you can see them in DD and you can address them as well as see other information about them. You do not necessarily have to register AD users in Domino.
      At this point, AD will be the leading system for those users.
      If you decide to register them in Domino, then Domino will be the leading system, leaving the user in AD as well, because this user might be needed for tools and programs outside of Domino.
      To register them automatically is not a good idea IMHO. How would you know which certifier to use? How should the mail file name be built? Companies might have guidelines for that? Which policy the user has applied?
      You see, not that easy.
