Connector for Lotus Notes Directory Synchronization- Part 3- Frequently Asked Questions

Article
08/11/2006

This is a FAQ is third blog about Directory Synchronization and completes the three part series

Q: How does the Connector for Lotus Notes know which objects it created?

A: The "ImportedFrom" attribute will be set to the GUID of the Connector for Lotus Notes that created it. If this attribute has been modified or does not exist, no updates or reloads will affect that object and no new object will be created if the current object has the TargetAddress matching the object you're trying to Dirsync.

Q: What would prevent a user from being processed during directory synchronization ?

A: There are several things that could do it.

1. The targetaddress must be a unique attribute on each user. If you already have an object in Active Directory that has the target address that will be generated by your mapping rules for a new user, that new user will not be created in Active Directory.

2. If the Person Document in the Domino Directory Source Name and Address book, typically names.nsf, is not configured to allow foreign synchronization. You can check this by going to the Administration Tab on the person document and checking the "Foreign Directory Sync Allowed:" attribute. It has to be set to "Yes" for the Connector for Lotus Notes to be able to pull the object into Active Directory.

Q: Why aren’t some fields replicating from the Active Directory to Domino?

A: Check to see if the attribute isAMemberOfPartialAttributeSet is set to true. For instance EmployeeID is set to <Not Set> by default and would need to be modified to True. This support article will show you the default list. Of what is set to True. https://support.microsoft.com/kb/230663/EN-US/

Then to edit this specific attribute, this article provides different methods on how to accomplish that task, https://support.microsoft.com/kb/248717/en-us.

Q: If I delete the contact representation of a Domino object from the Active Directory, Will the Domino user get synchronized back to Active Directory ev

er?

A: Depends- On an Immediate update.... No....UNLESS the user's person document was changed since the last update. This would cause LSDXA to recognize that this user needs to be updated (the modified date on the Person Document is newer (more recent) than the "Lastextract=" entry in the pcta.tbl. Then we would export this Person Doc to the dxamex.txt file (based on the mapping rules of course), where we would then add the new object back into Active Directory properly.

Q: What is the second proxy address EXAMPLE- (NOTES:UID=71a19cf-a786cca4-88256c85-43910f) on the Active Directory contact representing a Domino user for?

A: This is created by the DirSync process, and helps to ensure we can match Notes users to the Active Directory. The UID value represents the Person Document's UNID (Unique Identifier) in Domino.

This ID comes from the ID on the Person document. To find this go to properties of the person document and click on icon tab. In there, you will see 4 sets of numbers on the very top. In the sample above, the person document had this:

OF071A19CF:A786CCA4

ON88256C85:0043910F

As you can see there are essentially 4 sets of data separated by colons. The OF in the first set is dropped and the ON in the 3rd set is dropped. In addition, all LEADING zero's are dropped FROM EACH set of data. Also, the colons are not valid address types, so they are changed to dashes (-). This gives us the following proxy address in Active Directory based on the UID from Domino

NOTES:UID=71a19cf-a786cca4-88256c85-43910f

Q: Is there any reason that dirsync would delete a user from Active Directory?

A: Two ways:

1. If the user was deleted in Domino, we delete their object (usually a Contact) in Active Directory.

2. If an object matching the type of objects that the Notes Connector creates exists in the Active Directory that has the importedfrom attribute on it matching the GUID of the connector (objectguid attribute: Looks similar to this:

{16109bf6-16b8-42ff-b8b4-3c1f4e7682dc}). A contact with the importedfrom attribute set to the Connector performing the dirsync will be deleted.

Q: What happens if another user in the Active Directory has the same Target address as the user I'm trying to dirsync?

A: If the proposed user to be added from DXAMEX.txt has a Target address ( the "TA =" field) that matches a Targetaddress attribute on any user, then the user will NOT be created in Active Directory and you will see the following message in the Connectivity Controller logs (exchsrvr\conndata\logs\[data].txt):

-63192 Duplicate Entry found for NotesUser/NotesCert@ dxamexpt (834)

- Where NotesUser/NotesCert@ matches the first portion of the TA of someone in the Active Directory.

Q: What's the difference between a Full Reload and an Immediate Update on the Connector for Lotus Notes?

A: On a full reload, the objects in Active Directory are not deleted, they are simply updated as well (this can verified because the user's "CreatedTimeStamp" on the object does not change upon doing a Full Reload). The only difference between a full reload and an update is that in a full reload we look for all changes since "01/01/1980

12:00:00 AM" and for an update we only look since the last dirsync, which is saved in the conndata\DXANOTES\PCTA.TBL. The LastExtract={date} shows when the last updates were extracted from the Notes (names.nsf by default) to Exchange. To see this in the Connectivity controller Logs, you simply look for a 41121 logged which will say "Looking for changes since <data and time>". We then check the "Modified" attribute on the Person documents in the Domino NAB. If the modified date is newer, this user is extracted to the dxamex.txt file and imported into Active Directory.

Q: If I wanted to associate a specific contact in Active Directory with a specific user (person document) in Notes/Domino, could I?

A: Yes. This is quite a popular request since you could have dirsync'd a user from a different connector or you could have done imported the user via CSVDE and now want him associated with the Domino user in their directory. To do this, you MUST have two attributes set.

1. IMPORTEDFROM- This is what lets the connector know that it created the object

What do I set it to? - Set this to the GUID of you Notes Connector Object (see the objectguid attribute on the connector). Example: {16109bf6-16b8-42ff-b8b4-3c1f4e7682dc} How do I set it ? ADSI Edit or LDP are two options.

2. NOTES SECONDARY proxy address- This is what lets the connector know that an OBJECT in the Domino Directory is associated with this Active Directory object. How do I set it ? ADSI Edit or LDP are two options.

This field needs to have the address type (notes) as well as "UID=" (minus the quotes) in from of it making this our final text that we need to add. notes:UID=71a19cf-a786cca4-88256c85-43910f IMPORTANT: the "notes" above must be in lowercase because uppercase indicates a PRIMARY proxy address and lowercase indicates a secondary proxy which is what we want.

Q: Can I Troubleshooting Directory Synchronization by manually running the dirsynch process ?

A: Yes. All of these commands below are run from the command line and from the directory [Installed Drive]\Program Files\exchsrvr\bin (or the custom directory you installed Exchange into)

Each piece is one step in the two step directory synch process.

From the Active Directory to Domino

Read from Active Directory and write to DXANotes.Txt in Program Files\exchsrvr\conndata\temp

lsdxa -n lme-notes-dxa /w0 /l

Write from DXANotes.Txt to target NAB

lsdxa -n lme-notes-dxa /R1

From Domino to the Active Directory.

Read from Source NAB and write into DXAMEX.txt in Program Files\exchsrvr\Conndata\temp

lsdxa -n lme-notes-dxa /w1 /l

Write from DXAMEX.txt into the Active Directory

lsdxa -n lme-notes-dxa /R0

Reference material: