Password synchronization components
The process of password synchronization involves components on the Active Directory domain controller and components on servers in the Domino domain.
Components on the Active Directory domain controller
- Domino Utility Server You register this server in the Domino domain but install it on the Active Directory domain controller. Installing the server installs the Domino password library that contains the password synchronization code. The server doesn't run after installation.
- Domino password library When the Active Directory domain controller
starts, its Local Security Authority (LSA) service loads this library (DLL),
which performs these general tasks:
- Captures password change information send to it by the LSA and uses that information to create password change request documents in its local Password Change Request database.
- Copies the documents to the Password Change Request databases on an available Request Processor server in the Domino domain.
- Deletes the request documents from its local database.
- Request Creator This is the Domino password library identity registered in the Domino domain as a server and identified by its server ID file. The server ID file is a non-password protected, encrypted ID file that is installed with the Domino Utility Server. A server is designated as a Request Creator through its Server document in the Domino directory.
- Password Change Request database When the Domino password library detects new passwords in Active Directory, it creates password change documents in this database. The documents contain users' objectGUID attributes and new password information, securely stored. This database is created when the Active Directory domain controllers starts for the first time after installation of the Domino Utility Server. By default, the database is created in the Domino Utility Server root data directory with the file name adpwsync.nsf but you can customize this during Request Creator configuration in the Domino directory. Access to this database is controlled through a Configuration Settings document used by the Request Creator.
- Domino Configuration Directory This directory is installed with the Domino Utility Server. It's a replica of the Domino domain directory but contains only documents related to server configuration.
- Directory assistance database This database is replicated from the Domino domain during installation of the Domino Utility Server. It includes a document that enables the Domino password library to access the Domino directory on the Domino Request Processor servers.
Components on Domino domain servers
- Request Processor A Domino server in the Domain that processes new password requests received from the Request Creator on the Active Directory domain controller.
- Password Change Request database This database is created on a Request Processor automatically. The database contains password change documents received from a Request Creator. Each Request Processor has its own instance of this database; the database doesn't replicate. By default, the database is created in the root data directory with the file name adpwsync.nsf but you can customize this during Request Processor configuration. Access to this database is controlled through the Configuration Settings document used by the Request Processor.
- Domino directory The following Domino directory documents are used to
configure password synchronization. These documents replicate to the Domino
Configuration Directory on the Active Directory domain controller.
- The Server document defines a server as a Request Creator or a Request Processor and controls the path and file name of the Password Change Request database.
- A Configuration Settings document defines the types of passwords to sync (HTTP, Notes ID, or both), the time to allow for password change processing before requests expire, and who is allowed to access the Password Change Request database. Request Creator and Request Processor servers can use the same Configuration Settings document or different ones.
- Directory assistance database Created on the Domino domain administration server and replicated to the Domino Utility Server when it's installed. It includes a document that enables the Domino password library to access the full Domino directory on Domino servers in the domain.
- ID vault To sync Notes ID passwords, IDs must be in the ID vault. There is no special ID vault configuration required, though.