Directory Sync Pro 5.1 User Guide for Domino-Active Directory Synchronization
March 2017
Binary Tree Documentation
Table of Contents
Section 1. Introduction
1.1 Purpose
1.2 Audience for Domino - Active Directory Synchronization
1.3 About Directory Sync Pro for Domino - Active Directory Synchronization
1.4 Supported Upgrade Path
Section 2. Configuring Synchronization
2.1 Applying a License
2.2 Domino to AD and AD to Domino Profile Configuration
2.3 Domino Directory to Active Directory Profile Configuration | General Tab
2.4 Domino Directory to Active Directory Profile Configuration | Domino Source Tab
2.5 Domino Directory to Active Directory Profile Configuration | AD Target Tab
2.6 Domino Directory to Active Directory Profile Configuration | AD Target Options Tab
2.7 Domino Directory to Active Directory Profile Configuration | Exchange Target Options Tab
2.8 Domino Directory to Active Directory Profile Configuration | Target DCs Tab
2.9 Domino Directory to Active Directory Profile Configuration | Matching Tab
2.10 Domino Directory to Active Directory Profile Configuration | Mapping Tab
2.11 Active Directory to Domino Directory Profile Configuration | General Tab
2.12 Active Directory to Domino Directory Profile Configuration | AD Source Tab
2.13 Active Directory to Domino Directory Profile Configuration | Source DCs Tab
2.14 Active Directory to Domino Directory Profile Configuration | Domino Target Tab
2.15 Active Directory to Domino Directory Profile Configuration | Matching Tab
2.16 Active Directory to Domino Directory Profile Configuration | Mapping Tab
2.17 Importing and Exporting a Profile
2.18 Suspending and Activating a Profile
2.19 Removing a Profile
2.20 Resetting a Profile
Section 3. Running Sync Reports
3.1 Marking Objects as Ready to Sync
Section 4. Running Directory Sync Pro
4.1 Manually Starting a Synchronization using a Sync Profile
4.2 Manually Starting a Synchronization Process using the Right-Click Menu
4.3 Manually Starting a Synchronization Process from a Command Line
Section 5. Using the Directory Sync Pro Log Viewer to View Logs and Audits
5.1 Using the Directory Sync Pro Log Viewer to View Logs and Audits
5.2 Searching Log or Audit Entries
5.3 Pausing a Log
5.4 Showing or Audit Log Entries for a Time Period
5.6 Grouping the Log or Audits by Column
5.7 Viewing Log or Audit Entry Details
5.8 Exporting Log or Audit Entries
5.9 Clearing Log or Audit Entries
Section 6. Managing Multiple Nodes
Directory Sync Pro Nodes
Node Running
Node Shutdown - Normal Termination
Node Shutdown - Unexpected Termination
Section 7. Updating the Groups to Ignore List in SQL
7.1 Updating the Groups to Ignore List in SQL for Domino - Active Directory Synchronization
7.2 Default List of Groups in the Groups to Ignore List for Domino - Active Directory Synchronization
7.3 Updating the Groups to Ignore List with the SQL Server Management Studio (SSMS)
7.4 Updating the Groups to Ignore List with the SQL Import and Export Tool
7.5 Excluding Security Groups from Synchronization with the Group Filter
Appendix A: Using the User and Group LDAP Filters
Appendix B: Additional Configuration Options
Changing the attribute used for "Created by Dirsync" or "Updated by Dirsync"
Setting msExchRecipientDisplayType and msExchRecipientTypeDetails Exchange attributes
Allow objects with remote mailboxes to be treated as mailbox-enabled objects
Disable the caching of group members
Disable the initialization of the sync report
Set the maximum number of users and groups synced simultaneously
Set the number of objects selected when the user selects all (Ctrl+A)
Setting select all limit when marking objects as Ready to Sync
Set the attribute used for the linking function
Appendix C: Default Mapping
Domino Source – AD Target Default Mapping
AD Source – Domino Target Default Mapping
Appendix D: Customizing Overrides
Example Overrides
Appendix E: Directory Sync Pro Fields with Special Processing
AD Directory Sync Pro Fields with Special Processing
Domino Directory Sync Pro Fields with Special Processing
About Binary Tree
Binary Tree Social Media Resources
Section 1. Introduction
Directory Sync Pro features a new name and logo, but is the same, trusted product previously known as Directory
Sync Pro.
1.1 Purpose
The purpose of this document is to provide information on how to use Binary Tree Directory Sync Pro to perform
synchronizations between Domino and Active Directory.
1.2 Audience for Domino - Active Directory Synchronization
It is assumed the reader has the following technical expertise:
• Advanced Domino Administration
• Advanced Active Directory & Exchange Administration
• Windows Administration
• SQL Administration
• LDAP
• SMTP Routing
• DNS
1.3 About Directory Sync Pro for Domino - Active Directory Synchronization
Directory Sync Pro allows you to synchronize objects from Domino to Active Directory or Active Directory to
Domino. It is designed to be a reliable, secure, and automated solution that synchronizes and transforms directory
data between Exchange 2003, 2007, 2010, 2013, 2016, and Domino 7.x or higher environments.
Key Features and Functions
• Sync Reports allow you to view how objects will appear in the target directory before synchronizing a profile. This allows for the remediation of any data issues without impacting the target directory.
• User Synchronization
  o Synchronize user objects between Active Directory and Domino
  o Create Active Directory objects as Contacts or Mail-Enabled Objects
  o Ability to match and update existing objects
• Customizable attribute matching logic
• Ability to mail-enable matched users in the target Active Directory
• Ability to synchronize mail-in databases, rooms and resources from Domino to Active Directory
• Ability to synchronize shared mailboxes, rooms and resources from Active Directory to Domino
• Group Synchronization
  o Synchronize groups into the target directory as member-populated groups or as contacts
  o Conflict resolution options
  o Create External Members as Contacts in AD
1.4 Supported Upgrade Path
Upgrades are supported to the latest GA (Generally Available Release) from two GA versions prior. GA releases are
listed on our website. If you are upgrading to a CSR (Customer Specific Release), please contact Binary Tree
Support for clarification on whether the upgrade is supported.
If upgrading from a release older than two releases prior to the current GA, it is highly recommended that Binary
Tree Support is contacted to discuss upgrade options for your specific environment. Some implementations which
are more complex or have custom configurations may require a dedicated resource to assist in the upgrade
process. If the upgrade goes beyond the scope of product support, this issue will be escalated to our Professional
Services to assist at a billable rate.
Upgrade instructions for both standard Directory Sync Pro installations and Single Server installations are located
in Section 3 of the Directory Sync Pro Installation Guide.
Please contact Binary Tree Support ([email protected]) if you have questions or need clarification on the
Directory Synchronization upgrade process.
Section 2. Configuring Synchronization
The Directory Sync Pro Console provides an easy to follow wizard for creating directory synchronization profiles
between Domino and Active Directory. It also allows you to quickly manage profiles and immediately start
synchronization.
To begin configuring the synchronization, start the installed Directory Sync Pro Console.
2.1 Applying a License
All Directory Sync Pro profile types are licensed for the number of objects to be synchronized. Some options are
either enabled or disabled (for example, Group migration). A license key must be added in order to synchronize
objects to a Target. To apply a license:
1. On the Directory Sync Pro Console, click the License button. The License dialog window appears.
2. Click the Apply License button.
3. Browse to and select the license (.lic) file obtained from Binary Tree, and then click Open.
4. The license details appear in the dialog window. Click Close to close the window.
2.2 Domino to AD and AD to Domino Profile Configuration
Synchronization profiles for Domino to AD and AD to Domino can be configured and reconfigured on the multi-tabbed Profile Settings screen. The different profile types are configured differently, on different sets of tabs.
Objects can only be associated to one profile. An object can start syncing from one profile and then be
"transferred" to another profile when, for example, the object goes out of scope of the first profile's LDAP filter.
2.3 Domino Directory to Active Directory Profile Configuration | General Tab
Directory Sync Pro will skip Domino objects (Person, Group, Mail-In) when reading from the Domino Directory for a sync if the Allow Foreign Directory Synchronization field is set to "No". This field is found on the Administration tab of an object in the Domino Directory.
To add or edit the General tab for profile configuration: Click Add Profile and select Domino to Active Directory, or select a previously defined profile from the list.
• Type: Displays the type of profile selected.
• Name: The name to identify the profile.
• Status: The drop-down list here lets you specify whether the profile is immediately active or not:
  o Active: The profile will synchronize manually or as scheduled as soon as the profile is saved.
  o Suspended: The profile will not be active and will not synchronize.
• Logging: Select the logging level of the profile from the drop-down list:
  o Low: Only errors are logged.
  o Medium: Errors and warnings are logged.
  o High: All messages (errors, warnings, information, etc.) are logged (should be used for troubleshooting purposes only).
• Audit Logging: When Enable is selected, object and attribute changes are recorded in the Audit Log.
• Schedule: Select a schedule option:
  o By frequency: Enter the appropriate frequency or the specific time for the synchronization process to run for your environment. Directory Sync Pro will initiate a synchronization as soon as an active profile is saved. Zero (0) is not a valid value for frequency. The minimum interval is 15 minutes.
  o At specific time(s): Enter one or more specific times or select times from the drop-down list of times. You can select this option and select a time in the future to save an active profile without it syncing right away. A selected time can be deleted by selecting the time and clicking the Delete key.
  o Manual only: The synchronization process will not run until it is manually started. You can select this option if you want to save an active profile without it syncing right away.
2.4 Domino Directory to Active Directory Profile Configuration | Domino Source Tab
To configure or edit the Domino Source tab for profile configuration: Click the Domino Source tab.
• Attribute Change Detection: Select an option from the drop-down list:
  o Enabled: Only fields changed on the source Domino directory will be synchronized.
  o Disabled: All fields on the source Domino directory will be synchronized.
• Domino Server: The Binary Tree Domino server.
• Automatically Mark Objects as Ready to Sync: The default value is "Yes". If this option is changed to "No", objects can be individually marked as ready to sync using the functionality on the Sync Report.
When the option to "Sync Accompanying User Groups" is set to "Yes" on a profile, a group
will only be synced when at least one member of that group has been synced. So, when this
option is turned on, all groups will be pushed into SQL with Ready to Sync set to No, even if
"Automatically Mark Objects as Ready to Sync" is set to "Yes". Once a member of the group
has been synced, Directory Sync Pro will switch the Ready to Sync flag of the group to Yes,
indicating that it can now be synced to the target.
However, users and groups may be synced by different profiles. Therefore, if ANY profile has
"Sync Accompanying User Groups" set to "Yes", then all other profiles will push groups with
Ready to Sync set to No, even if "Automatically Mark Objects as Ready to Sync" is set to "Yes"
on those profiles. The group will have Ready to Sync set to Yes when a member of that group
is synced, even if that member is synced by a different profile.
• Source Directories: Select or enter the Domino directories to synchronize in the following ways:
  o Click Add Directory to select Domino directories to synchronize. Select the Domino directories to synchronize, select the Synchronize Users, Synchronize Rooms/Resources, Synchronize Groups, and Synchronize MailInDBs options if you want users, groups, rooms/resources, and MailInDBs to synchronize, and then click OK. Use Ctrl+click to select more than one directory.
  o Click a row in the table to manually enter a directory file name (example: names.nsf). Any directory added must be in the data directory of the Binary Tree Domino server. The Sync Users, Sync Groups, Sync Rooms/Resources, and Sync MailInDBs options are selected by default. Uncheck options if you don’t want those object types to synchronize for the entered directory.
To deselect a Domino directory from the source, select it and then click Remove Directory. The Remove Directory
button is enabled when a directory is added.
The following source Domino directory fields are displayed:
• Title: Title of the Domino directory.
• File Name: The file name of the Domino directory.
• Sync Users: Select this option to synchronize users. Clear this option if you do not want to synchronize users.
• Sync Groups: Select this option to synchronize groups. Clear this option if you do not want to synchronize groups.
• Sync Rooms/Resources: Select this option to synchronize rooms/resources. Clear this option if you do not want to synchronize rooms/resources.
• Sync MailInDBs: Select this option to synchronize mail-in databases. Clear this option if you do not want to synchronize mail-in databases.
2.5 Domino Directory to Active Directory Profile Configuration | AD Target Tab
To configure or edit the AD Target tab for profile configuration: Click the AD Target tab.
• User Name: The name of the Active Directory user that has the required rights to the Target directory as a user principal name (for example, [email protected]).
• Password: The password of the Active Directory user. These credentials should have write access to target OU, as well as any Domains or subdomains that may contain matched users.
• Global Catalog Server: The IP Address or fully qualified domain name of the server (FQDN) of the Global Catalog Server or Domain Controller that will be used for all read operations.
• Domain Name: Displays the Domain name.
• Target OU: The target OU.
• Default Password: The default password for new users. Directory Sync Pro does not validate the password policies present within your domains. Verify that the password entered complies with the password policy of your target environment. The default password cannot exceed 128 characters in length.
The Default Password is not required when creating users as contacts.
• Preserve Objects in Target: Select from the drop-down list to control what happens to target objects when the corresponding source objects are deleted:
  o No: (default) When objects are deleted in the source, the corresponding objects will be deleted from the target. This only applies to objects created in the target by Directory Sync Pro.
  o Yes: Objects that are deleted in the source will not be deleted in the target.
• Preserve Deleted Objects in Target As Is: Select from the drop-down list to control what happens to target objects if they are deleted:
  o No: (default) If an object previously synchronized is deleted on the target, it will be recreated.
  o Yes: If an object previously synchronized is deleted on the target, it will not be recreated.
• Preserve Soft Deleted Objects in Target: Select an option from the drop-down list to control what happens to target objects when the corresponding source objects are soft deleted:
  o No: (default) Both hard and soft deleted objects in the source will be deleted in the target if they were created by Directory Sync Pro.
  o Yes: Soft deleted objects in the source will not be deleted in the target. Hard deleted objects in the source will be deleted in the target if they were created by Directory Sync Pro.
2.6 Domino Directory to Active Directory Profile Configuration | AD Target Options Tab
To configure or edit the AD Target Options tab for profile configuration: Click the AD Target Options tab.
Users Tab
• Create Users: Select an option from the drop-down list:
  o Mail-Enabled, AD Enabled: Users will be Mail-Enabled Users in the target.
  o Mail Enabled, AD Disabled: Users in the source will be Disabled Mail-Enabled Users in the target.
  o Contact: Users in the source will be Contacts in the target. This option does not have logon capabilities, but can be used for maintaining mail flow for existing users, contacts and distribution lists.
The Mail-Enabled User option creates Active Directory users with logon capabilities in the target domain and all properties from the source’s object, including mail addresses.
Directory Sync Pro will not create Mailbox-Enabled Users in the target directory.
• Rooms and Resources in Domino are created as User objects in Active Directory.
• Due to a sAMAccountName size limit of 20 characters in Active Directory, user objects with calculated sAMAccountName names greater than 20 characters in length are truncated to 20 characters. Truncated sAMAccountNames will be appended with a random number between 1 and 9999 to ensure uniqueness. This does not apply to group objects.
• Do not overwrite target Proxy Addresses: Select an option from the drop-down list:
  o Yes: Proxy Addresses will only be updated during initial sync if the target object has no proxy addresses. Proxy addresses will not be updated on subsequent syncs.
  o No: (default) Proxy Addresses on the target are overwritten.
• Sync Accompanying User Groups: By default, this option is set to "No". If "Yes" is selected, only the groups where the members have been synchronized to the target will be synchronized. The groups must be in scope of a synchronization profile. If "Yes" is selected, the Include Parent Groups option appears (checked automatically), and if a user is a direct member of a group that is a subset of a larger chain of groups, then the entire parental chain of groups will be synchronized.
All groups that a user could be a member of must exist in SQL already if the administrator wants to ensure that all groups can be migrated either through setting the “Sync accompanying user groups” option or by checking the “Include Parent Groups” option.
Essentially, a second Synchronization profile could be created that targets the forest/domain but is limited to the context of groups only. This approach would ensure that all possible groups are pushed to SQL. When the “Sync Accompanying User Groups” option or the “Include Parent Groups” option is selected, Directory Sync Pro is able to find all necessary groups in SQL to set the ready to sync flag.
This is a global switch: once the setting is turned on for a profile, all other profiles in the same Directory Sync Pro instance will honor it and will look for all groups that have been pushed into SQL across all configured synchronization profiles.
When the option to "Sync Accompanying User Groups" is set to "Yes" on a profile, a group
will only be synced when at least one member of that group has been synced. So, when this
option is turned on, all groups will be pushed into SQL with Ready to Sync set to No, even if
"Automatically Mark Objects as Ready to Sync" is set to "Yes". Once a member of the group
has been synced, Directory Sync Pro will switch the Ready to Sync flag of the group to Yes,
indicating that it can now be synced to the target.
However, users and groups may be synced by different profiles. Therefore, if ANY profile has
"Sync Accompanying User Groups" set to "Yes", then all other profiles will push groups with
Ready to Sync set to No, even if "Automatically Mark Objects as Ready to Sync" is set to "Yes"
on those profiles. The group will have Ready to Sync set to Yes when a member of that group
is synced, even if that member is synced by a different profile.
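The Ready to Sync rules described above for "Sync Accompanying User Groups" (and in the matching note on the Domino Source tab) can be modeled as follows. This Python is an added illustration, not Directory Sync Pro code: the class names and the sample profiles, groups and users are constructed, and it assumes Include Parent Groups takes effect when it is checked on any profile that has the switch turned on.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    auto_mark_ready: bool = True            # "Automatically Mark Objects as Ready to Sync"
    sync_accompanying_groups: bool = False  # "Sync Accompanying User Groups"
    include_parent_groups: bool = False     # "Include Parent Groups"


@dataclass
class Group:
    name: str
    pushed_by: str                                   # profile that pushed the group into SQL
    members: set = field(default_factory=set)        # direct user members
    member_groups: set = field(default_factory=set)  # groups nested directly inside this one


def ready_to_sync(profiles, groups, synced_users):
    """Model of the documented rules: return {group name: Ready to Sync flag}."""
    synced = set(synced_users)
    by_name = {p.name: p for p in profiles}
    switch_on = [p for p in profiles if p.sync_accompanying_groups]

    # Switch off everywhere: a group follows the auto-mark setting of the
    # profile that pushed it into SQL.
    if not switch_on:
        return {g.name: by_name[g.pushed_by].auto_mark_ready for g in groups}

    # Switch on in ANY profile: every group starts at No, whatever auto-mark
    # says, and flips to Yes once a direct member was synced by any profile.
    ready = {g.name: bool(g.members & synced) for g in groups}

    # Include Parent Groups: walk up the nesting chain from each ready group.
    # Only groups already pushed into SQL (present in `groups`) can be flagged.
    if any(p.include_parent_groups for p in switch_on):
        parents = {}
        for g in groups:
            for child in g.member_groups:
                parents.setdefault(child, set()).add(g.name)
        pending = [name for name, flag in ready.items() if flag]
        while pending:
            for parent in parents.get(pending.pop(), ()):
                if not ready[parent]:      # flag once, so nesting loops terminate
                    ready[parent] = True
                    pending.append(parent)
    return ready


def held_back(profiles, groups, synced_users):
    """Groups left at Ready to Sync = No, i.e. not yet written to the target."""
    flags = ready_to_sync(profiles, groups, synced_users)
    return sorted(name for name, flag in flags.items() if not flag)


# Constructed sample: a user profile with the switch on, plus the groups-only
# profile the guide suggests for getting every group into SQL.
SAMPLE_PROFILES = [
    Profile("Users-Sales", sync_accompanying_groups=True, include_parent_groups=True),
    Profile("Groups-Only"),
]
SAMPLE_GROUPS = [
    Group("Sales-EMEA", "Groups-Only", members={"alice", "bob"}),
    Group("Sales-All", "Groups-Only", member_groups={"Sales-EMEA"}),
    Group("Company-All", "Groups-Only", member_groups={"Sales-All"}),
    Group("Finance-ACL", "Groups-Only", members={"carol"}),
]

if __name__ == "__main__":
    flags = ready_to_sync(SAMPLE_PROFILES, SAMPLE_GROUPS, {"alice"})
    for name, flag in flags.items():
        print(f"{name:12} Ready to Sync = {'Yes' if flag else 'No'}")
```

Running the model against an export of planned profiles and group memberships shows, before any sync, which ACL or security groups would be created in the target and which stay held back.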
Groups Tab
• Create Domino Mail-only and Multipurpose Groups as: Select an option from the drop-down list:
  o Contact: Domino Mail-only and Multipurpose Groups will be contacts in the target.
  o Global Group: (default) Domino Mail-only and Multipurpose groups in the source will be Global groups in the target.
  o Universal Group: Domino Mail-only and Multipurpose groups in the source will be Universal groups in the target.
Universal groups must be used if the target group will contain members from other AD Domains, otherwise those members will not be added to the group.
• Create Domino ACL Groups as: Select an option from the drop-down list:
  o Security Group: (default) Domino ACL groups will be Security groups in the target.
  o Global Group: Domino ACL groups in the source will be Global groups in the target.
  o Universal Group: Domino ACL groups in the source will be Universal groups in the target.
Universal groups must be used if the target group will contain members from other AD Domains, otherwise those members will not be added to the group.
• Group Collisions: Select an option from the drop-down list for handling group collisions when two groups of the same name are found:
  o Merge: If a group with the same name is found in the target domain, the members of the source group will be added to the target group. Group collisions are determined based on Name first, then based on the options selected on the Matching tab of the profile.
  o Skip: (default) The group will not be synchronized into the target AD and a warning entry will be written to the log stating that the source group will not be synchronized to the target group. A group that was previously synchronized to the target will fail to sync if a manual /repushpull /resync is run. Before running the /repushpull and /resync commands, administrators should clear the target OU of any previously created objects.
  o Rename: This allows you to define a prefix or suffix to be added to the name of the group when it is written in the target directory. This option creates a new group and group email address using the existing name and the prefix or suffix to bypass the group collision when selected. Prefix is selected by default. To define a specific value for the prefix or suffix, select the Specific Value option and enter the value. To use a value from an internal field, select the Internal Field option and select a field from the drop-down list.
If selecting an internal field, a Boolean (True/False) field or an empty field should not be selected.
The Merge and Rename collision types are not available when creating groups as contacts.
All members in the source group will be synchronized to the target group if they are present in the target AD. If a group member is not synchronized into the target group, a warning message displays in the log explaining the reason why the member was not synchronized.
• Create External Members as Contacts: Select an option from the drop-down list:
  o Yes: (default) Group members that don't exist in the Domino Directory are created in AD as contact objects. If Yes is selected, the Target OU for Contacts option appears where you must select the target OU where the contacts will be created. The Contact GAL Visibility option is also available when Yes is selected.
  o No: Group members that don't exist in the Domino Directory are NOT created in AD as contact objects.
• Target OU for Contacts: For this option (displayed if Yes is selected for the Create External Members as Contacts option), click the Browse button and select the target OU where contacts for external members will be created.
External Domino Contacts that are created in Active Directory by Directory Sync Pro are not updated or deleted; they are only initially created by Directory Sync Pro.
• Contact GAL Visibility: Select an option from the drop-down list:
  o Visible: (default) Users and groups are visible in the GAL.
  o Hidden: Users and groups are hidden in the GAL.
When synching objects into Exchange 2003 (only), the option to hide from the GAL will not function if the Recipient Update Service (RUS) is enabled.
If synching to an Active Directory that does not have Exchange in the environment, select the Hidden option to avoid Active Directory constraint errors.
2.7 Domino Directory to Active Directory Profile Configuration | Exchange Target Options Tab
To configure or edit the Exchange Target Options tab for profile configuration: Click the Exchange Target Options tab.
• GAL Visibility: Select from the drop-down list:
  o Visible: (default) Users and groups are visible in the GAL.
  o Hidden: Users and groups are hidden in the GAL.
  o As Is: Users and groups that are hidden in the GAL in the source are hidden in the GAL in the target. Users and groups that are visible in the GAL in the source are visible in the GAL in the target.
When synchronizing objects into Exchange 2003 (only), the option to hide from the GAL will not function if the Recipient Update Service (RUS) is enabled.
If synchronizing to an Active Directory that does not have Exchange in the environment, select the Hidden option to avoid Active Directory constraint errors.
• Convert Contacts to Mail Enabled Users: This option is defaulted to "No". For the scope of this feature a Microsoft Exchange Mail Enabled Contact is defined as an Active Directory contact where the legacyExchangeDN attribute is not null. A contact will be promoted to a user if the primary SMTP address on the source object matches the external or target email address of the contact. Once the attributes have been stored on the new MEU on the target, the Contact object will be removed from the target. The source object in the Domino Directory needs to have an Internet Address.
This option may not be selected if the setting Create Mail Enabled Users As on the AD Target Options
Users tab is set to Contact. If the Create User As option is set to As Is, then if the source object is a
contact, this feature does not apply. If the result is the creation of a mail-enabled user, then this feature
does apply.
If converting contacts to mail enabled users, use a matching attribute that doesn’t exist on
the contact. Otherwise, if an attribute that matches is used, this process will fail.

Convert Contacts to Mail Enabled Groups: This option is defaulted to "No". For the scope of this feature a
Microsoft Exchange Mail Enabled Contact is defined as an Active Directory contact where the
legacyExchangeDN attribute is not null. A contact will be promoted to a group if the primary SMTP
address on the source object matches the external or target email address of the contact. Once the
attributes have been stored on the new Mail Enabled Group on the target, the Contact object will be
removed from the target. For groups, only an object that is mail-enabled (has an InternetAddress) in the
source is required.
This option may not be selected if the setting Create Mail Enabled Users As on the AD Target Options
Users tab is set to Contact. If the Create User As option is set to As Is, then if the source object is a
contact, this feature does not apply. If the result is the creation of a mail-enabled user, then this feature
does apply.

Only Update Mailbox Enabled Objects: If you select Yes, mailbox-enabled objects in the target directory
will be updated with values from the source object based on the mapping table settings.
CAUTION: This is not a commonly occurring preference as the authoritative object is most often where
the mailbox is located.

Email Address Policy: Mark the checkbox to select the option for Users, Contacts, and Groups.
o Unselected: (default) Directory Sync Pro will not enable the target object attribute to
‘Automatically update email addresses based on email address policy’ in Exchange.
o Selected: Directory Sync Pro will enable the target object attribute to ‘Automatically update
email addresses based on email address policy’ in Exchange.
Directory Sync Pro will only apply the attribute to ‘Automatically update email addresses based on email
address policy’ to the target object. It cannot apply the email address policy.
2.8 Domino Directory to Active Directory Profile Configuration | Target DCs Tab
To configure or edit the Target DCs tab for profile configuration: Click the Target DCs tab.
Click Add DC(s) to open the Active Directory DC Selection window. Click Refresh DCs to find all available Domain
Controllers. Select one or more Domain Controllers (use Ctrl+Click to select more than one) and click OK to add the
Domain Controllers to the list of Target DCs. To set the order in which the Domain Controllers are used, enter
a number value in the Priority column (lowest number = first).
If you selected Domain level matching in the Target tab, only select Domain Controllers for the target Domain. No
other Domains will be searched.
If you have selected Forest level matching in the Target tab, you must add at least one Domain Controller for each
Domain that should be searched for matched objects. If you do not select at least one Domain Controller for a
Domain, that Domain will not be searched during synchronization.
Select more than one Domain Controller in a Domain for failover purposes.
Defined Domain Controllers are only searched for matches if the previous Domain Controller is unavailable.
About Priority:

Domain Controllers with no priority set will be used after those with a priority.

If no priority is set for the servers in a Domain, they will be used in the order listed in the table.

A Domain Controller that is the Global Catalog Server selected on the AD Source tab is given top priority
regardless of the value in the Priority field.

No two DCs in a Domain can have the same priority.
Ping Servers
Click Ping Servers to test the availability of the selected Domain Controllers.
Test Connections
Click Test Connections to test the connection to the LDAP server.
2.9 Domino Directory to Active Directory Profile Configuration | Matching Tab
To configure or edit the Matching tab for profile configuration: Click the Matching tab.
Selecting non-indexed Active Directory attributes can result in increased processing time. A list of indexed
attributes defined by Active Directory is available at https://msdn.microsoft.com/en-us/library/ms675095(v=vs.85).aspx.
If non-indexed AD attributes are selected for matching, they can be indexed by following the procedure at
https://technet.microsoft.com/en-us/library/aa995762(v=exchg.65).aspx.


Matching Level: Select an option from the drop-down list:
o Forest: (default) Matching is done against the target Forest.
o Domain: Matching is done against the target Domain.

Matching Action: Select from the drop-down list:
o Create or Update: (default) Creates objects that do not have matching objects in the Target and
updates objects that have matching objects in the Target.
o Create only: Creates objects that do not have matching objects in the Target. Objects that have
matching objects in the Target are NOT updated, unless the object was created by Directory Sync
Pro. This means that even during an initial sync or a sync after a reset, objects previously created
by Directory Sync Pro will be updated.
o Update only: Updates objects that have matching objects in the Target. Objects that do not have
matching objects in the Target are NOT created.
During synchronization, if a source object matches to more than one target object, the source object is
skipped and a warning is generated in the log.

Source/Target: Displays what fields (Domino) and attributes (AD) Directory Sync Pro will use to match
objects in the Source to objects in the Target, as well as the order in which they will be used. The default
source to target attribute matching pairs are displayed. The below table displays the default matching
attribute pairs:
Source            Target
ShortName         sAMAccountName
InternetAddress   mail
FullName          cn
To customize the matching, select attributes from the drop-down lists under Source and/or Target or type
in the names of attributes in the fields. The matching pairs are “either/or” statements (not “and”
statements) with the first match attempted on the top row pair (Default: ShortName ->
sAMAccountName) and then proceeding in descending order to the next row pair and so on. At least one
matching pair is required for the profile to be saved.

Re-link: Select an option from the drop-down list:
o Enabled: (default) Directory Sync Pro will attempt to re-link objects in the target by first looking
for an object that has the adminDisplayName stamped with the source object's unique identifier.
If an object is found, then those two objects are linked and no other attempts at matching are
performed. If an object is not found, then the process attempts to match to an object by
searching based on the matching criteria. If a matching object is not found, then a new object is
created.
o Disabled: Directory Sync Pro will not attempt to re-link objects in the target and will always
match based on the matching criteria.
Whenever Directory Sync Pro creates a new object in the target or matches to an existing object in the
target, it stamps the adminDisplayName attribute (for Active Directory) or the $BTSourceDirectoryID
property (for Domino) of the target object with the source object's unique identifier (objectGUID for AD
objects and UNID for Domino objects). This effectively links these two objects together. This link is also
maintained between the two objects in the SQL database and future updates are based on this SQL link.
However, when a profile is reset, these SQL records are deleted.
When Re-Link is enabled, performance can be improved by indexing the adminDisplayName attribute.
Follow the procedure at https://technet.microsoft.com/en-us/library/aa995762(v=exchg.65).aspx to
index AD attributes.

Restore Ready to Sync: If the Re-Link option is enabled, select an option from the drop-down list:
o Yes: (default) The re-link process will set all re-linked objects to Ready To Sync.
o No: The re-link process will not reset the Ready To Sync setting on re-linked objects. This would
allow you to prevent changes to objects until they are prepared.
Matching Processing
Matching is defined based on the values of the Matching tab (see image below).
In the example image above, the current version of Directory Sync Pro will use the source object’s
sAMAccountName and search the target for an object with the same sAMAccountName. If it finds such an object,
then it has identified a match. This occurs without the use of overrides or any mapped values.
Directory Sync Pro will process matches in the following manner:
Directory Sync Pro will search the Mapped Values table for a Source Field/Value that matches the source object,
and whose Applicability is set to Match only or Match and Map.
If Directory Sync Pro finds a matching Source Field/Value for this object, AND the corresponding Target Field in the
Mapped Values table is the same as the Target field of the Matching Tab, then Directory Sync Pro will look for a
matching object in the target based on the Target Value from the Mapped Values table.
If Directory Sync Pro did not find a corresponding Source Field/Value in the Mapped Values table, OR the
associated Target Field of the Mapped Values is not the same as the Target field of the Matching tab, then
Directory Sync Pro will look for an Override value for the match field.
If there is an Override for the Source field of the Matching tab, then Directory Sync Pro will look for a matching
object in the target based on the Override value.
If there is not an Override for the Source field of the Matching tab, then Directory Sync Pro will look for a matching
object using the value from the source object.
Whether or not Directory Sync Pro finds a matching object in the target, processing will continue as normal.
2.10 Domino Directory to Active Directory Profile Configuration | Mapping Tab
To configure or edit the Mapping tab for profile configuration: Click the Mapping tab.
Click the Mapping tab to view the default mapping or to edit how attributes should be translated from the source
to the target Active Directory. Review the table and make the appropriate changes for your environment. Double-click
a cell in the mapping table to select a different field or type from a drop-down list. Double-click a cell in the
Comments column to enter a comment. See Domino Source – AD Target Default Mapping.
To revert to the default mappings, use CTRL+A to select all mappings, delete the mappings (Delete key), and click
Yes when prompted to remove all entries.
The default mapping for attributes will be applied unless deleted. When creating custom mapping for an attribute,
the default mapping for the attribute should be deleted.
When creating a custom mapping, use a CustomXX field (Custom01 to Custom99) that has not already been used
for other mappings or in the overrides. Do not use a BTCustom0XX field. Either review this information in the
Directory Sync Pro Mapping and Overrides user interface or in the SQL database.
There are two Target Type columns in the table. This allows you to restrict the type of object in the target directory
that can be updated. If you set both types to the same value, then this mapping will only apply to that object type.
If you set one to person and the other to group, the mapping will apply to user and group objects only. If both are set
to any, the mapping is unrestricted and will apply to all object types.
Attribute names in Domino source must contain only valid values in the Active Directory target.
Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %,
&, `, *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be
preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are
also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated
from such an alias.
When synchronizing users from Domino to Active Directory where both environments share the same SMTP
domain you must utilize the Target Address for objects written to Active Directory to facilitate mail routing. Review
Customizing BT_PersonView and BT_GroupsView for more information.
For object types that have a 20 character limit for the sAMAccountName in Active Directory (all types except
groups), Directory Sync Pro automatically truncates the sAMAccountName and appends a random number from 1
to 9999.
To conform to Active Directory’s 1024 character maximum, Directory Sync Pro truncates values from Domino to
1024 characters.
Reset Mappings
Click the Reset Mappings button to reset the mappings back to the default mappings. This feature is usually used
during the initial configuration of the profile to correct mistakes and start over. If a synchronization has already
been run and the mappings need to be reset to the default, the synchronization profile will also need to be
reset. Plan carefully before using either of these features.
Overrides
Click Overrides to open the table of mapping overrides. These represent default system mappings specifically for
the internal SQL fields, and are used to transpose values during creation and synchronization. Overrides are
customizable and apply to all profiles. See Appendix D for more information on editing Overrides.
Mapped Values
Click the Mapped Values button to open the Mapped Values dialog box. Values that can be used for either
mapping or matching can be entered manually or imported from a CSV file.
Values can be entered manually by clicking on the first row. Values can also be imported from a CSV file by clicking
the Import button.
Select a CSV file that has Source fields and values, Target fields and values, and the application of the mapping or
matching. The final value of each row can be “Match”, “Map”, or “MatchMap”. “MatchMap” applies both
matching and mapping.

New rows in the CSV file will be appended to the mapped values grid.

Existing rows in the file (rows with Source Field/Value and Target Field/Value that already match a row in
the grid) will have the Applicability column updated from the CSV file.

No rows will be deleted from the grid.

Due to the potentially large volume of data, all imported rows will be saved immediately to SQL.
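Because imported rows are saved to SQL immediately and no rows are deleted, it helps to preview a file before importing it. The following is an added example, not Directory Sync Pro code: it models the import rules listed above on an in-memory grid. The five-column order, the absence of a header row, and the rejection of malformed rows are assumptions of this sketch, and the sample rows are constructed.

```python
import csv
import io

# The three values the guide allows in the final column of each row.
VALID_APPLICABILITY = {"Match", "Map", "MatchMap"}


def preview_import(csv_text, grid):
    """Model the Mapped Values import rules without touching any database.

    grid maps (source field, source value, target field, target value)
    to its current Applicability. Returns (merged grid, report).
    """
    merged = dict(grid)  # no rows are ever deleted from the grid
    report = {"appended": [], "updated": [], "unchanged": [], "rejected": []}
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        cells = [cell.strip() for cell in row]
        if not any(cells):
            continue  # ignore blank lines
        # Pre-flight check added by this sketch: flag rows that do not have
        # five columns or whose last column is not an allowed value.
        if len(cells) != 5 or cells[4] not in VALID_APPLICABILITY:
            report["rejected"].append(line_no)
            continue
        key, applicability = tuple(cells[:4]), cells[4]
        if key not in merged:
            report["appended"].append(key)    # new row: appended to the grid
        elif merged[key] != applicability:
            report["updated"].append(key)     # existing row: Applicability updated
        else:
            report["unchanged"].append(key)
        merged[key] = applicability
    return merged, report


# Constructed sample data (not from the guide).
GRID = {
    ("Department", "Sales", "department", "Sales EMEA"): "Map",
    ("ShortName", "bjones", "sAMAccountName", "robert.jones"): "Match",
}
SAMPLE_CSV = """\
Department,Sales,department,Sales EMEA,MatchMap
ShortName,asmith,sAMAccountName,alice.s,Map
ShortName,cwhite,sAMAccountName,carol.w,Both
Location,London,l,Map
"""

if __name__ == "__main__":
    merged, report = preview_import(SAMPLE_CSV, GRID)
    for outcome, items in report.items():
        print(outcome, items)
```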
Mapping Processing
In Directory Sync Pro, matching and mapping are two separate processes, although both will make use of the
Mapped Values table. Mapping is based on the values in the Mapping tab.
Directory Sync Pro will process mapping in the following manner:

Directory Sync Pro will search the Mapped Values table for the Source Field/Value that matches the
source object, and whose Applicability is set to Map only or Match and Map.

If Directory Sync Pro finds a matching Source Field/Value for the source object, AND the corresponding
Target Field in the Mapped Values table is the same as the Target Field of the Mapping tab, then Directory
Sync Pro will use the Target Value from the Mapped Values table when creating or updating the target
object.

If Directory Sync Pro does not find a corresponding Mapped Value, OR the associated Target Field is not
the same as the Target of the Mapped tab, then Directory Sync Pro will look for an Override value to use.

If there is an Override for the Source field of the Mapping tab, then Directory Sync Pro will use the
override value when creating or updating the target object.

If there is not an Override for the Source field of the Mapping tab, then Directory Sync Pro uses the value
of the Source field directly when creating or updating the target object.

Once the values to use have been found, the object will be created or updated as normal.
Note: If Mapped Value is configured with ‘Map and Match’ or ‘Match Only’, the attribute defined in the mapped
value setting should also be part of the attribute list defined in the matching tab and this attribute should be on
the top of the list (Matched Value1).
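The Matching Processing and Mapping Processing sections describe the same value precedence (Mapped Values row, then Override, then the source value), and the Matching tab adds re-linking, row-by-row "either/or" pairs, and skipping on multiple matches. The following is an added example that models that documented order; it is not Directory Sync Pro code. Overrides modelled as functions, case-insensitive comparison, skipping at the first pair that returns several hits, and all sample objects are assumptions of this sketch.

```python
from dataclasses import dataclass

# Default matching pairs from the Matching tab, tried top row first.
DEFAULT_PAIRS = [("ShortName", "sAMAccountName"),
                 ("InternetAddress", "mail"),
                 ("FullName", "cn")]


@dataclass(frozen=True)
class MappedValue:
    source_field: str
    source_value: str
    target_field: str
    target_value: str
    applicability: str  # "Match", "Map" or "MatchMap"


def resolve_value(src, source_field, target_field, mapped_values, overrides, purpose):
    """Pick the value for one Source -> Target pair; purpose is "match" or "map"."""
    wanted = {"Match", "MatchMap"} if purpose == "match" else {"Map", "MatchMap"}
    for row in mapped_values:
        # A row applies when it matches the source object AND names the same Target field.
        if (row.applicability in wanted
                and src.get(row.source_field) == row.source_value
                and row.target_field == target_field):
            return row.target_value, "mapped value"
    if source_field in overrides:
        # Assumption: an override is modelled as a function of the source object.
        return overrides[source_field](src), "override"
    return src.get(source_field), "source"


def same(a, b):
    # Assumption: values are compared case-insensitively.
    return str(a).casefold() == str(b).casefold()


def find_match(src, target_dir, mapped_values=(), overrides=None,
               pairs=DEFAULT_PAIRS, relink=True):
    """Return (target object or None, reason)."""
    overrides = overrides or {}
    if relink:
        # Re-link: a target stamped with the source's unique identifier wins outright.
        for tgt in target_dir:
            if tgt.get("adminDisplayName") == src["UNID"]:
                return tgt, "re-linked"
    for source_field, target_field in pairs:  # either/or, in descending row order
        value, origin = resolve_value(src, source_field, target_field,
                                      mapped_values, overrides, "match")
        if not value:
            continue
        hits = [t for t in target_dir
                if target_field in t and same(t[target_field], value)]
        if len(hits) > 1:
            # More than one target object: skip the source object and warn.
            return None, f"skipped: {len(hits)} targets have {target_field}={value}"
        if hits:
            return hits[0], f"matched on {target_field} via {origin}"
    return None, "no match"


# Constructed sample data (not from the guide).
TARGET = [
    {"cn": "Alice Smith", "sAMAccountName": "alice.s", "mail": "alice.smith@example.com"},
    {"cn": "Robert Jones", "sAMAccountName": "robert.jones", "mail": "rjones@example.com"},
    {"cn": "Carol White", "sAMAccountName": "cwhite2", "mail": "carol@example.com"},
    {"cn": "Shared A", "sAMAccountName": "shared.a", "mail": "shared@example.com"},
    {"cn": "Shared B", "sAMAccountName": "shared.b", "mail": "shared@example.com"},
    {"cn": "Erin Renamed", "sAMAccountName": "erin.new", "mail": "erin.new@example.com",
     "adminDisplayName": "UNID-E5"},
]
MAPPED = [
    MappedValue("ShortName", "bjones", "sAMAccountName", "robert.jones", "MatchMap"),
    MappedValue("ShortName", "asmith", "sAMAccountName", "alice.s", "Map"),
]
OVERRIDES = {"FullName": lambda s: s["FullName"].split("/")[0]}


def person(unid, short, mail, full):
    return {"UNID": unid, "ShortName": short, "InternetAddress": mail, "FullName": full}


SOURCES = {
    "alice": person("UNID-A1", "asmith", "Alice.Smith@example.com", "Alice Smith/Acme"),
    "bob": person("UNID-B2", "bjones", "bob@example.com", "Bob Jones/Acme"),
    "carol": person("UNID-C3", "cwhite", "", "Carol White/Acme"),
    "dave": person("UNID-D4", "dave", "shared@example.com", "Dave Hall/Acme"),
    "erin": person("UNID-E5", "erin", "erin@example.com", "Erin Gray/Acme"),
    "frank": person("UNID-F6", "frank", "frank@example.com", "Frank Moore/Acme"),
}


def run_samples():
    return {name: find_match(src, TARGET, MAPPED, OVERRIDES)[1]
            for name, src in SOURCES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name}: {reason}")
```

The "Map"-only row for asmith is ignored during matching but is used when the same pair is resolved with purpose "map", which is the difference between the two processes.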
2.11 Active Directory to Domino Directory Profile Configuration | General Tab
To add or edit the General tab for profile configuration: Click Add Profile and select Active Directory to Domino
Directory, or select a previously defined profile from the list.

Type: Displays the type of profile selected.

Name: The name to identify the profile.

Status: The drop-down list here lets you specify whether the profile is immediately active or not:
o Active: The profile will synchronize manually or as scheduled as soon as the profile is saved.
o Suspended: The profile will not be active and will not synchronize.

Logging: Select the logging level of the profile from the drop-down list:
o Low: Only errors are logged.
o Medium: Errors and warnings are logged.
o High: All messages (errors, warnings, information, etc.) are logged (should be used for
troubleshooting purposes only).

Audit Logging: When Enable is selected, object and attribute changes are recorded in the Audit Log.

Schedule: Select a schedule option:
o By frequency: Enter the appropriate frequency or the specific time for the synchronization
process to run for your environment. Directory Sync Pro will initiate a synchronization as soon as
an active profile is saved. Zero (0) is not a valid value for frequency. The minimum interval is 15
minutes.
o At specific time(s): Enter one or more specific times or select times from the drop-down list of
times. You can select this option and select a time in the future to save an active profile without
it syncing right away. A selected time can be deleted by selecting the time and clicking the Delete
key.
o Manual only: The synchronization process will not run until it is manually started. You can select
this option if you want to save an active profile without it syncing right away.
2.12 Active Directory to Domino Directory Profile Configuration | AD Source Tab
To configure or edit the AD Source tab for profile configuration: Click the AD Source tab.

User Name: The Active Directory User Name as a user principal name (for example,
[email protected]). The credentials (User name and Password) must have read/write access to the
source Active Directory. The required read access must extend to the Deleted Accounts container, which
can require a privileged account.

Password: The password assigned to the Active Directory user.

Global Catalog Server: The IP Address or fully qualified domain name of the server (FQDN) for the Global
Catalog Server or a Domain Controller that will be used for all read operations. The entered credentials
and Global Catalog Server/Domain Controller must have access to all Domains and subdomains that are
required to synchronize.

Domain Name: Displays the Domain name.

Attribute Change Detection: When Enabled, only attributes changed on the source object will be
synchronized.

Automatically Mark Objects as Ready to Sync: The default value is "Yes". If this option is changed to
"No", objects can be individually marked as ready to sync using the functionality on the Sync Report.
When the option to "Sync Accompanying User Groups" is set to "Yes" on a profile, a group
will only be synced when at least one member of that group has been synced. So, when this
option is turned on, all groups will be pushed into SQL with Ready to Sync set to No, even if
"Automatically Mark Objects as Ready to Sync" is set to "Yes". Once a member of the group
has been synced, Directory Sync Pro will switch the Ready to Sync flag of the group to Yes,
indicating that it can now be synced to the target.
However, users and groups may be synced by different profiles. Therefore, if ANY profile has
"Sync Accompanying User Groups" set to "Yes", then all other profiles will push groups with
Ready to Sync set to No, even if "Automatically Mark Objects as Ready to Sync" is set to "Yes"
on those profiles. The group will have Ready to Sync set to Yes when a member of that group
is synced, even if that member is synced by a different profile.

Source OUs: Displays a list of OU(s) (organizational units) available to synchronize. Click Add OU(s) to
display a list of OU(s) (organizational units) available to synchronize. Note that a synchronization profile
that includes the OU where the computer objects reside should be created.

The Source OUs table includes:
o Source OU: Reflects the OU selected from the tree view.
o Sub OUs: Select this option to synchronize Sub-OUs. The checkbox is selected by default. Clear
this option if you do not want to synchronize sub-OUs.
o Groups: The checkbox is selected by default. Clear this option to skip groups from being
synchronized.
o Disabled Users: Select this option to synchronize a Disabled User. The checkbox is selected by
default. Clear this option to prevent Disabled Users from being synchronized.
o User Filter: This is an LDAP filter and can be used to filter synchronization to specific object types
or those objects exhibiting specific attribute properties.
o Group Filter: This is an LDAP filter and can be used to filter groups based on the entered criteria.
It is recommended that you test the LDAP filter syntax prior to saving your changes and running a
synchronization. See the Using the User, Group, and Device LDAP Filters topic for more information about
using LDAP filters.
Public Folder Active Directory objects can be synchronized from AD to a Domino Directory. To synchronize
Public Folder Active Directory objects, the Source OU must point to the Microsoft Exchange System
Objects container, and the Users Filter value must be objectClass=publicFolder
2.13 Active Directory to Domino Directory Profile Configuration | Source DCs Tab
To configure or edit the Source DCs tab for profile configuration: Click the Source DCs tab.
Click Add DC(s) to open the Active Directory DC Selection window. Click Refresh DCs to find all available Domain
Controllers. The order the domain controllers are used for each Domain can be selected by entering a number
value in the Priority column (lowest number = first). If the highest priority DC is unavailable, Directory Sync will use
the next DC.
If your Active Directory forest contains more than one domain, it may be necessary to add at least one domain
controller from each domain. When Directory Sync Pro attempts to resolve objects, such as group members or a
user's manager, that are in another Domain (than the one specified on the Source tab), it will reference the
domain controllers list to find a valid DC to use.
To ensure that group membership and manager/subordinate relationships are properly recreated, it is
recommended to add the appropriate DCs for alternate domains to the Source DCs tab.
About Priority:

Domain Controllers with no priority set will be used after those with a priority.

If no priority is set for the servers in a Domain, they will be used in the order listed in the table.

A Domain Controller that is the Global Catalog Server selected on the AD Source tab is given top priority
regardless of the value in the Priority field.

No two DCs in a Domain can have the same priority.
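The priority rules above apply to both the Target DCs tab and the Source DCs tab. The following is an added example, not Directory Sync Pro code, that checks a planned DC list against those rules and computes the order in which the DCs of each domain would be tried. The dictionary layout, host names and domain names are constructed for illustration.

```python
from collections import defaultdict


def validate_dc_list(dcs, domains_to_search):
    """Return findings for a DC table given as a list of dicts in table order."""
    findings = []
    by_domain = defaultdict(list)
    for dc in dcs:
        by_domain[dc["domain"]].append(dc)
    # A domain without at least one DC is not searched during synchronization.
    for domain in domains_to_search:
        if domain not in by_domain:
            findings.append(f"{domain}: no DC listed, domain will not be searched")
    for domain, members in by_domain.items():
        seen = {}
        for dc in members:
            prio = dc.get("priority")
            if prio is None:
                continue
            # No two DCs in a Domain can have the same priority.
            if prio in seen:
                findings.append(
                    f"{domain}: {seen[prio]} and {dc['host']} share priority {prio}")
            else:
                seen[prio] = dc["host"]
        # More than one DC per domain is needed for failover.
        if len(members) == 1:
            findings.append(f"{domain}: only {members[0]['host']} listed, no failover")
    return findings


def effective_order(dcs, gc_server=None):
    """Return {domain: [hosts in the order they would be tried]}."""
    ranked = defaultdict(list)
    for position, dc in enumerate(dcs):
        prio = dc.get("priority")
        if dc["host"] == gc_server:
            tier = 0   # Global Catalog Server from the AD Source tab: always first
        elif prio is not None:
            tier = 1   # explicit priority, lowest number first
        else:
            tier = 2   # no priority: after prioritized DCs, in table order
        ranked[dc["domain"]].append(
            (tier, prio if prio is not None else 0, position, dc["host"]))
    return {domain: [row[3] for row in sorted(rows)]
            for domain, rows in ranked.items()}


# Constructed sample table (not from the guide).
DCS = [
    {"host": "dc3.corp.example.com", "domain": "corp.example.com", "priority": None},
    {"host": "dc1.corp.example.com", "domain": "corp.example.com", "priority": 2},
    {"host": "dc2.corp.example.com", "domain": "corp.example.com", "priority": 1},
    {"host": "gc1.corp.example.com", "domain": "corp.example.com", "priority": 5},
    {"host": "dc1.emea.example.com", "domain": "emea.example.com", "priority": 1},
    {"host": "dc2.emea.example.com", "domain": "emea.example.com", "priority": 1},
    {"host": "dc1.lab.example.com", "domain": "lab.example.com", "priority": None},
]
DOMAINS = ["corp.example.com", "emea.example.com", "apac.example.com"]

if __name__ == "__main__":
    for finding in validate_dc_list(DCS, DOMAINS):
        print("finding:", finding)
    for domain, hosts in effective_order(DCS, "gc1.corp.example.com").items():
        print(domain, "->", hosts)
```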
Ping Servers
Click Ping Servers to test the availability of the selected Domain Controllers.
Test Connections
Click Test Connections to test the connection to the LDAP server.
2.14 Active Directory to Domino Directory Profile Configuration | Domino Target Tab
To configure or edit the Domino Target tab for profile configuration: Click the Domino Target tab.

Domino Server: The Binary Tree Domino server.

Domino Directory: The Domino directory into which the Active Directory objects will be written.

Foreign Domain: The Foreign Domain that matches the domain used in the Foreign Domain document
created for routing to Exchange.

Create Group As: Select an option from the drop-down list:
o Person Documents: (default) Distribution Lists will be created as Person documents (members do
not synchronize) in the target.
o Group Documents: Distribution Lists will be created as member-populated Mail Only groups in
the target directory.
Due to the manner in which Domino Rooms and Resources are managed (requiring a document in the
Domino Directory, as well as a corresponding document in the Rooms and Reservations database), rooms
and resources will be synchronized as Person documents in the Target Domino directory. All other object
types will be synchronized as follows:

Active Directory            Domino
User Objects and Contacts   Person documents
Distribution Lists          Mail Groups (unless specified as Person documents in the profile)
Shared Mailboxes            Mail-in databases
Group Collisions: Select an option for handling group collisions when two groups of the same name are
found from the drop-down list:
o Merge: If a group with the same name is found in the target domain, the members of the source
group will be added to the target group. Group collisions are determined based on the options
selected on the Matching tab of the profile.
o Skip: (default) The group will not be synchronized into the target Domino directory and a warning
will be written to the log stating that the source group will not be synchronized to
the target group. A group that was previously synchronized to the target will fail to sync if a
manual /repushpull /resync is run. Before running the /repushpull and /resync commands,
administrators should clear the target Domino Directory of any previously created objects.
o Rename: This allows you to define a prefix or suffix to be added to the name of the group when it
is written in the target directory. This option creates a new group and group email address using
the existing name and the prefix or suffix to bypass the group collision. When selected, Prefix is
selected by default.
Directory Sync Pro will attempt to add a group member to the target if it can find the member in the
source. If the member in the source is in a different Domain than the group, the member will only be
added to the group in the target if it already exists in the target. If Directory Sync Pro cannot find the
member in the source, the member will not be added to the group in the target. Log messages will explain
why a member could or could not be synchronized.
Merge and rename are only available when synching groups as member-populated Mail groups.

Sync Accompanying User Groups: By default, this option is set to "No", but if "Yes" is selected, only the
groups where the members have been synchronized to the target will be synchronized. The groups must
be in scope of a synchronization profile. If "Yes" is selected, the Include Parent Groups option appears
(checked automatically) and if a user is a direct member of a group that is a subset of a larger chain of
groups then the entire parental chain of groups will be synchronized.
All groups that a user could be a member of must exist in SQL already if the administrator wants to ensure
that all groups can be migrated either through setting the “Sync accompanying user groups” option or by
checking the “Include Parent Groups” option.
Essentially, a second Synchronization profile could be created that targets the forest/domain but is limited
to the context of groups only. This approach would ensure that all possible groups are pushed to SQL.
When the “Sync Accompanying User Groups” option or the “Include Parent Groups” option is selected,
Directory Sync Pro is able to find all necessary groups in SQL to set the ready to sync flag.
This is a global switch: once the setting is turned on for a profile, all other profiles in the same Directory
Sync Pro instance will honor it and will look for all groups that have been
pushed into SQL across all configured synchronization profiles.
When the option to "Sync Accompanying User Groups" is set to "Yes" on a profile, a group
will only be synced when at least one member of that group has been synced. So, when this
option is turned on, all groups will be pushed into SQL with Ready to Sync set to No, even if
"Automatically Mark Objects as Ready to Sync" is set to "Yes". Once a member of the group
has been synced, Directory Sync Pro will switch the Ready to Sync flag of the group to Yes,
indicating that it can now be synced to the target.
However, users and groups may be synced by different profiles. Therefore, if ANY profile has
"Sync Accompanying User Groups" set to "Yes", then all other profiles will push groups with
Ready to Sync set to No, even if "Automatically Mark Objects as Ready to Sync" is set to "Yes"
on those profiles. The group will have Ready to Sync set to Yes when a member of that group
is synced, even if that member is synced by a different profile.


Preserve Objects in Target: Select an option from the drop-down list to control what happens to target
objects when the corresponding source objects are deleted:
o No: (default) When objects are deleted in the source, the corresponding objects will be deleted
from the target. This only applies to objects created in the target by Directory Sync Pro.
o Yes: Objects that are deleted in the source will not be deleted in the target.

Preserve Deleted Objects in Target As Is: Select an option from the drop-down list to control what
happens to target objects if they are deleted:
o No: (default) If an object previously synchronized is deleted on the target, it will be recreated.
o Yes: If an object previously synchronized is deleted on the target, it will not be recreated.
2.15 Active Directory to Domino Directory Profile Configuration | Matching Tab
To configure or edit the Matching tab for profile configuration: Click the Matching tab.
Selecting non-indexed Active Directory attributes can result in increased processing time. A list of indexed
attributes defined by Active Directory is available at https://msdn.microsoft.com/en-us/library/ms675095(v=vs.85).aspx.
If non-indexed AD attributes are selected for matching, they can be indexed by following the procedure at
https://technet.microsoft.com/en-us/library/aa995762(v=exchg.65).aspx.

Matching Action: Select from the drop-down list:
o Create or Update: (default) Creates objects that do not have matching objects in the Target and
updates objects that have matching objects in the Target.
o Create only: Creates objects that do not have matching objects in the Target. Objects that have
matching objects in the Target are NOT updated, unless the object was created by Directory Sync
Pro. This means that even during an initial sync or a sync after a reset, objects previously created
by Directory Sync Pro will be updated.
o Update only: Updates objects that have matching objects in the Target. Objects that do not have
matching objects in the Target are NOT created.
During synchronization, if a source object matches to more than one target object, the source object is
skipped and a warning is generated in the log.

Source/Target: Displays what attributes (AD) and fields (Domino) Directory Sync Pro will use to match
objects in the Source to objects in the Target, as well as the order in which they will be used. The default
source to target attribute matching pairs are displayed. The below table displays the default matching
attribute pairs:
| Source | Target |
|---|---|
| sAMAccountName | ShortName |
| mail | Internet Address |
| cn | FullName |

Re-link: Select from the drop-down list:
o Enabled: (default) Directory Sync Pro will attempt to re-link objects in the target by first looking
for an object that has the $BTSourceDirectoryID stamped with the source object's unique
identifier. If an object is found, then those two objects are linked and no other attempts at
matching are performed. If an object is not found, then the process attempts to match to an
object by searching based on the matching criteria. If a matching object is not found, then a new
object is created.
o Disabled: Directory Sync Pro will not attempt to re-link objects in the target and will always
match based on the matching criteria.
Whenever Directory Sync Pro creates a new object in the target or matches to an existing object in the
target, it stamps the adminDisplayName attribute (for Active Directory) or the $BTSourceDirectoryID
property (for Domino) of the target object with the source object's unique identifier (objectGUID for AD
objects and UNID for Domino objects). This effectively links these two objects together. This link is also
maintained between the two objects in the SQL database and future updates are based on this SQL link.
However, when a profile is reset, these SQL records are deleted.

Restore Ready to Sync: If the Re-Link option is enabled, select an option from the drop-down list:
o Yes: (default) The re-link process will set all re-linked objects to Ready To Sync.
o No: The re-link process will not reset the Ready To Sync setting on re-linked objects. This would
allow you to prevent changes to objects until they are prepared.
Matching Processing
Matching is defined based on the values of the Matching tab (see image below).
In the example image above, the current version of Directory Sync Pro will use the source object’s
sAMAccountName and search the target for an object with the same sAMAccountName. If it finds such an object,
then it has identified a match. This occurs without the use of overrides or any mapped values.
Directory Sync Pro will process matches in the following manner:
Directory Sync Pro will search the Mapped Values table for a Source Field/Value that matches the source object,
and whose Applicability is set to Match only or Match and Map.
If Directory Sync Pro finds a matching Source Field/Value for this object, AND the corresponding Target Field in the
Mapped Values table is the same as the Target field of the Matching Tab, then Directory Sync Pro will look for a
matching object in the target based on the Target Value from the Mapped Values table.
If Directory Sync Pro did not find a corresponding Source Field/Value in the Mapped Values table, OR the
associated Target Field of the Mapped Values is not the same as the Target field of the Matching tab, then
Directory Sync Pro will look for an Override value for the match field.
If there is an Override for the Source field of the Matching tab, then Directory Sync Pro will look for a matching
object in the target based on the Override value.
If there is not an Override for the Source field of the Matching tab, then Directory Sync Pro will look for a matching
object using the value from the source object.
Whether or not Directory Sync Pro finds a matching object in the target, processing will continue as normal.
2.16 Active Directory to Domino Directory Profile Configuration | Mapping Tab
To configure or edit the Mapping tab for profile configuration: Click the Mapping tab.
Click the Mapping tab to view the default mapping or to edit how attributes should be translated from the source
Active Directory to the target Domino directory. Review the table and make the appropriate changes for your
environment. Double-click a cell in the mapping table to select a different field or type from a drop-down list. Double-click on a cell in the Comments column to enter a comment. See AD Source – Domino Target Default Mapping.
To revert to the default mappings, use CTRL+A to select all mappings, delete the mappings (Delete key), and click
Yes when prompted to remove all entries.
The default mapping will be applied unless deleted. When creating custom mapping for an attribute, the default
mapping for the attribute should be deleted.
There are two Target Type columns in the table. This allows you to restrict the type of object in the target directory
that can be updated. If you set both types to the same value, then this mapping will only apply to that object type.
If you set one to person and the other to group, the mapping will apply to user and group objects only. If both are set
to any, the mapping is unrestricted and will apply to all object types.
Reset Mappings
Click the Reset Mappings button to reset the mappings back to the default mappings. This feature is usually used
during the initial configuration of the profile to correct mistakes and start over. If a synchronization has been run
already, and there is the need to reset the mappings to the default, the synchronization profile will also need to be
reset. Plan carefully before using either of these features.
Overrides
Click Overrides to open the table of mapping overrides. These represent default system mappings specifically for
the internal SQL fields, and are used to transpose values during creation and synchronization. Overrides are
customizable and apply to all profiles. See Appendix D for more information on editing Overrides.
Overrides for device objects are not currently supported. This feature will be supported in a future release.
Mapped Values
Click the Mapped Values button to open the Mapped Values dialog box. Values that can be used for either
mapping or matching can be entered manually or imported from a CSV file.
Values can be entered manually by clicking on the first row. Values can also be imported from a CSV file by clicking
the Import button.
Select a CSV file that has Source fields and values, Target fields and values, and the application of the mapping or
matching. The final value of each row can be “Match”, “Map”, or “MatchMap”. “MatchMap” applies both
matching and mapping.

New rows in the CSV file will be appended to the mapped values grid.

Existing rows in the file (rows with Source Field/Value and Target Field/Value that already match a row in
the grid) will have the Applicability column updated from the CSV file.

No rows will be deleted from the grid.

Due to the potentially large volume of data, all imported rows will be saved immediately to SQL.
Mapping Processing
In Directory Sync Pro, matching and mapping are two separate processes, although both will make use of the
Mapped Values table. Mapping is based on the values in the Mapping tab.
Directory Sync Pro will process mapping in the following manner:

Directory Sync Pro will search the Mapped Values table for the Source Field/Value that matches the
source object, and whose Applicability is set to Map only or Match and Map.

If Directory Sync Pro finds a matching Source Field/Value for the source object, AND the corresponding
Target Field in the Mapped Values table is the same as the Target Field of the Mapping tab, then Directory
Sync Pro will use the Target Value from the Mapped Values table when creating or updating the target
object.

If Directory Sync Pro does not find a corresponding Mapped Value, OR the associated Target Field is not
the same as the Target Field of the Mapping tab, then Directory Sync Pro will look for an Override value to use.

If there is an Override for the Source field of the Mapping tab, then Directory Sync Pro will use the
override value when creating or updating the target object.

If there is not an Override for the Source field of the Mapping tab, then Directory Sync Pro uses the value
of the Source field directly when creating or updating the target object.

Once the values to use have been found, the object will be created or updated as normal.
Note: If Mapped Value is configured with ‘Map and Match’ or ‘Match Only’, the attribute defined in the mapped
value setting should also be part of the attribute list defined in the matching tab and this attribute should be on
the top of the list (Matched Value1).
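The value-resolution order described under Matching Processing and Mapping Processing, modeled in Python as an added example (not Binary Tree's code). The row layout, the callable form of an Override, exact string comparison, and moving on to the next Source/Target pair when a pair finds no target are assumptions; every sample object is constructed.

```python
from dataclasses import dataclass

MATCH, MAP, MATCHMAP = "Match", "Map", "MatchMap"  # Applicability values from the CSV import


@dataclass(frozen=True)
class MappedValue:  # one row of the Mapped Values table (attribute names are assumptions)
    source_field: str
    source_value: str
    target_field: str
    target_value: str
    applicability: str


def resolve_value(source_obj, source_field, target_field, mapped_values, overrides, purpose):
    """Pick the value used for one Source/Target pair; purpose is MATCH or MAP.

    Order from the page: a Mapped Values row whose Source Field/Value fits the
    object and whose Target Field equals the pair's target, then an Override
    for the pair's source field, then the raw source value.
    Returns (value, origin).
    """
    for row in mapped_values:
        if (row.applicability in (purpose, MATCHMAP)
                and source_obj.get(row.source_field) == row.source_value
                and row.target_field == target_field):
            return row.target_value, "mapped-value"
    if source_field in overrides:
        return overrides[source_field](source_obj), "override"
    return source_obj.get(source_field), "source"


def match_object(source_obj, pairs, targets, mapped_values, overrides):
    """Try each matching pair in order; return (outcome, target, detail)."""
    for source_field, target_field in pairs:
        value, origin = resolve_value(source_obj, source_field, target_field,
                                      mapped_values, overrides, MATCH)
        if value in (None, ""):
            continue  # nothing to search with for this pair
        hits = [t for t in targets if t.get(target_field) == value]
        if len(hits) > 1:
            # The page: more than one target match means skip and log a warning.
            return "skipped", None, f"{target_field}={value!r} matches {len(hits)} targets"
        if len(hits) == 1:
            return "matched", hits[0], f"{target_field}={value!r} via {origin}"
    return "no-match", None, "no pair produced a target"


# ---- constructed sample data (not from any real directory) ----
PAIRS = [("sAMAccountName", "ShortName"), ("mail", "InternetAddress"), ("cn", "FullName")]
TARGETS = [
    {"ShortName": "jdoe", "InternetAddress": "jdoe@example.com", "FullName": "John Doe"},
    {"ShortName": "jdoe2", "InternetAddress": "john.doe@example.com", "FullName": "John Doe"},
    {"ShortName": "asmith", "InternetAddress": "asmith@example.com", "FullName": "Ann Smith"},
]
MAPPED = [
    # MatchMap row: redirects the match for svc-mail to the asmith entry.
    MappedValue("sAMAccountName", "svc-mail", "ShortName", "asmith", MATCHMAP),
    # Map-only row: changes what is written, never what is matched.
    MappedValue("sAMAccountName", "jdoe", "ShortName", "jdoe2", MAP),
]
OVERRIDES = {"mail": lambda obj: (obj.get("mail") or "").lower()}  # hypothetical override
SOURCES = [
    {"sAMAccountName": "jdoe", "mail": "JDoe@Example.com", "cn": "John Doe"},
    {"sAMAccountName": "svc-mail", "mail": "svc-mail@example.com", "cn": "Mail Service"},
    {"sAMAccountName": "jd-admin", "mail": None, "cn": "John Doe"},
    {"sAMAccountName": "zed", "mail": "Zed@Example.com", "cn": "Zed"},
]


def run_demo():
    """Outcome per constructed source object, keyed by sAMAccountName."""
    return {s["sAMAccountName"]: match_object(s, PAIRS, TARGETS, MAPPED, OVERRIDES)[0]
            for s in SOURCES}


if __name__ == "__main__":
    for src in SOURCES:
        outcome, _, detail = match_object(src, PAIRS, TARGETS, MAPPED, OVERRIDES)
        print(f"{src['sAMAccountName']:10} {outcome:9} {detail}")
```

The svc-mail row shows why Mapped Values entries with Match applicability deserve review before a sync: a single row decides which target object a source account is linked to.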
2.17 Importing and Exporting a Profile
Synchronization profiles can be imported and exported. The Export Profile option exports all of the configuration
options for the selected profile and creates a DSProfile file that can be saved for backup purposes. The Import
Profile option allows a DSProfile file to be imported and all of the configuration options for a profile restored.
Imported profiles are suspended by default and must be activated before they can be synchronized.
To import a synchronization profile:
1. Click Import Profile.
2. Select an import file and click Open. The imported profile is suspended by default and must be activated
before it can be synchronized.
To export a synchronization profile:
1. When viewing a profile, click Export Profile. You can also right-click on a profile in the table and select
Export.
2. Enter a file name for the export file and click Save.
2.18 Suspending and Activating a Profile
Suspending a synchronization profile disables the profile from synchronizing. Note that you also cannot manually
run a synchronization of a suspended profile using the Sync Profile button, right-click menu, or command line
commands. Suspended profiles remain in the list of profiles and can be reactivated at any time.
Suspending a profile allows an unfinished profile to be saved.
To suspend an active synchronization profile:
1. Select a profile you wish to suspend.
2. Click Suspend Profile. The status of the profile is changed to “Suspended”.
To activate a suspended synchronization profile:
1. Select a suspended profile you wish to activate.
2. Click Activate Profile. The status of the profile is changed to “Active”.
2.19 Removing a Profile
Removing a synchronization profile will delete it from the list of profiles. All objects (except registered devices)
that are synced by the profile are deleted from SQL when the profile is removed. Registered devices synced by the
profile can also be removed by selecting the option on the Delete Profile dialog window. Removed profiles cannot
be restored.
To remove a synchronization profile:
1. Select a profile you wish to remove.
2. Click Remove Profile.
3. On the Delete Profile dialog window, check the box if you also want to delete registered devices from SQL
that are synced by the profile.
4. Click Yes to confirm. The profile is deleted from the list of profiles.
2.20 Resetting a Profile
Resetting a synchronization profile causes the database for the profile to be cleared. This clears the sync database,
not the profile properties. The device SQL tables are also cleared, except for devices that have already registered.
Registered devices remain in SQL.
If there are multiple profiles for the same AD Source and one of the profiles is reset, all data for the
AD Source is deleted in the SQL database.
To reset a synchronization profile:
1. Select a profile you wish to reset.
2. Click Reset Profile.
3. Click Yes to confirm. The profile is reset.
Section 3. Running Sync Reports
Overview
The Sync Report has two primary functions. The first is as an analytical tool used prior to synchronizing any objects
into a target directory, and the second is as a logging feature to view the details of each synchronization.
Prior to synchronizing any object into the target, the source directory(ies) must be analyzed to identify any objects
that could be problematic. This is a critical step to a successful sync and should not be overlooked.
The Sync Report reads the source directory(ies) and writes the data into SQL. This is the same action taken if you
were to initiate a Push command. The source data is analyzed to determine the result if you were to Pull the data
into the target directory. The Sync report should be run prior to the first sync, as well as prior to running a sync
after you have made a change to the profile, to confirm the intended results. The Sync Report is populated
anytime a Sync Profile is actually run. Information at the top of the Sync Report will differentiate if the Sync Report
is a result of a simulation or a synchronization.
Common issues that must be corrected prior to synchronizing Domino to Active Directory
SMTP Addresses
  Missing SMTP Addresses - These objects will be skipped with a warning that there is no InternetAddress. Any object you wish to sync must have a valid and unique SMTP Address.
  Duplicate SMTP Address - These objects will be skipped with a warning that the SMTP address is already in SQL. Any object you wish to sync must have a valid and unique SMTP Address.
  SMTP Address contains space(s) - These objects will be skipped with a warning...
  Missing Local Part - These objects will be skipped with a warning...
Unique Match Values
  Directory Sync Pro allows you to define up to 4 field/attribute pairs to match objects in the source to objects in the target. If the source value matches to more than one target object value, Directory Sync Pro will skip the object. This must be corrected if you intend for this object to synchronize to the target directory. The Sync Report allows you to see the matched object between the source and target. These should be reviewed to ensure that your match criteria are valid for your environment.
External SMTP Addresses in Groups
  While Domino will allow you to add external SMTP addresses to a mail group, Active Directory requires that all group members exist as objects in Active Directory. These external members must either be created in Domino (and synched over) or created in Active Directory if you intend for these group members to sync to Active Directory.
Running a Sync Report
To run a Sync Report:
1. Once you have created a profile, click the Sync Report button. This opens the Sync Report window. The
example in this section is a Domino to Active Directory profile.
2. Click Run Simulation and Yes to confirm. Click the Refresh button to populate the UI with the most recent
data.
A sync report performs a Push into SQL, so it is important that you reset the profile prior to running a
sync if you have made any changes to the source data or the profile settings. If you do not clear the
profile, the data that is in SQL from the Sync Report will be pulled to the target directory.
Objects tab
This contains all of the objects in the source and the action that would have been taken had the profile been
synched to the target. All of the columns can be sorted, filtered or reordered (drag and drop). Review any objects
that were skipped in the Operations column, as well as any warnings in the Status column. You can double-click on
any entry to open the details for that object. The Details window displays all of the details for the object, including
the attributes and values that would be written to Active Directory. The Internal Fields tab displays the values that
are written to SQL. The below example shows a Sync Report that is filtered to show warnings for Users (only). Here
you can see examples of the common issues listed above, as well as the warning you would see if the Domino
object had Allow Foreign Directory Sync (AFDS) set to No. These issues must be corrected in the source directory
before they will sync to the target. Once corrected, you can run another sync report to validate the changes.
Object Issues tab
The Object Issues tab is a filtered list showing all issues that would have occurred during a simulation or all issues that did
occur during a synchronization.
Members tab
The Members tab displays details for group synchronization. Here you can see each member of all of the groups that would be
synched to Active Directory. You can filter the Status column for warnings to easily view any issues that should be resolved. The
most common reason that a member of a Domino group cannot be added to the group in AD is because the member is an external
SMTP address that is not represented in the target directory. The example below illustrates this. The external SMTP address must
either be added to the Domino source directory (so it syncs to AD), or added to AD as a contact object.
Member Issues tab
The Member Issues tab is a filtered list showing all issues that would have occurred during a simulation or all issues that did
occur during a synchronization.
Object Summary tab
The Object Summary tab displays a summary of each object type, the operation performed, the status and the
object count.
Members Summary tab
The Members Summary tab displays a summary of group membership synchronization. It displays the number of
members added to groups, number of skipped members and the total number of errors or warnings.
Profile tab
The Profile tab lists all of the settings for the profile for which the Sync was run. You can copy the contents to the
clipboard to easily export as needed.
Target DCs
The Target DCs tab will display all of the Domain Controllers configured in the Target DCs tab. It also shows the
priority in which they will be used. The default will always be used unless it is unreachable.
Active Directory to Domino Sync Report
Running a Sync Report on an AD to Domino profile follows the same process as detailed above. The only
differences are the lack of a Target DCs tab and the addition of the Source DCs tab.
Source DCs tab
This tab appears on AD to Domino or AD to AD profiles only and displays the Domain Controllers listed in the
Source AD tab of the profile.
3.1 Marking Objects as Ready to Sync
You have the ability to mark any object (User, Contact, Group, Room, Resource, MailinDB, Device) in the Sync
Report as Ready to Sync. This option allows you to individually mark objects as ready to sync if the “Automatically
Mark Objects as Ready to Sync” option is set to “No” in the Directory Sync Pro profile.
Select one or multiple objects in the Sync Report, right click and choose Ready to Sync or Not Ready to Sync.
Section 4. Running Directory Sync Pro
There are four ways to run Directory Sync Pro:

Scheduling Directory Sync Pro to run programmatically by defining a schedule for the synchronization
profile to run. See Configuring Active Directory Synchronization for more info.

Manually starting synchronization by selecting a profile and clicking the Sync Profile button.

Manually starting a synchronization process by right-clicking on a profile and selecting a synchronization
option.

Manually running Directory Sync Pro commands from a command line.
4.1 Manually Starting a Synchronization using a Sync Profile
A synchronization or sync report of a profile cannot be started if a synchronization or sync report of
the profile is already running.
To manually start synchronization:
1. Select a profile to synchronize.
2. Click Sync Profile. The synchronization is started. This runs a complete sync of the profile (push/pull).
4.2 Manually Starting a Synchronization Process using the Right-Click Menu
A synchronization or sync report of a profile cannot be started if a synchronization or sync report of
the profile is already running.
To manually start a synchronization process:
1. Right-click a profile to synchronize.
2. Click one of the following options:

Push - Pushes all changed entries in the source to SQL

Pull - Pulls all changed entries from SQL to the target

Repush - Pushes all source entries regardless of modification date to SQL (the profile is reset prior to
running a Push or a full Sync)

Repull - Same as a Pull and will only pull changed objects or objects that need to be resynced (for
example, because they failed on a prior pull)

Repushpull - Combines the Repush and Repull commands into one step (the profile is reset prior to
running a Push or a full Sync)

Cancel - Cancels a Sync

Validate - Verifies that your profile settings are correct

Copy - Creates a copy of the selected profile

Export - Exports the selected profile
4.3 Manually Starting a Synchronization Process from a Command Line
A synchronization or sync report of a profile cannot be started if a synchronization or sync report of
the profile is already running.
To manually start a synchronization process from a command line:
1. Open a Command Prompt window.
2. Navigate to %Program Files%\Binary Tree\Dirsync

| Command | Description |
|---|---|
| binarytree.dirsync.exchange.exe /validate <Profile ID> | Verifies that your settings are correct |
| binarytree.dirsync.exchange.exe /push <Profile ID> | Pushes all changed entries in the source to SQL |
| binarytree.dirsync.exchange.exe /pull <Profile ID> | Pulls all changed entries from SQL to the target |
| binarytree.dirsync.exchange.exe /repush <Profile ID> | Pushes all source entries regardless of modification date to SQL |
| binarytree.dirsync.exchange.exe /repull <Profile ID> | Same as a Pull and will only pull changed objects or objects that need to be resynced |
| binarytree.dirsync.exchange.exe /repushpull <Profile ID> | Combines the /repush and /repull commands into one step |
| binarytree.dirsync.exchange.exe /pushpull <Profile ID> | Combines the /push and /pull commands into one step |
| binarytree.dirsync.exchange.exe /sync <Profile ID> | Performs the equivalent of a /pushpull on all saved profiles without prompting the user to select one |
| binarytree.dirsync.exchange.exe /resync <Profile ID> | Performs the equivalent of a /repushpull on all saved profiles without prompting the user to select one |
| binarytree.dirsync.exchange.exe /sync <Profile ID> quit | Automatically quits the sync without requiring a key press. The option must be listed last in the command. |

Binary Tree recommends that you remove existing objects from the target OU before running Repush,
Repull, or Repushpull.
If you do not include a Profile ID in the command, you will be prompted to choose one.
Section 5. Using the Directory Sync Pro Log Viewer to View Logs and Audits
5.1 Using the Directory Sync Pro Log Viewer to View Logs and Audits
The Directory Sync Pro Log Viewer allows you to view, search, export, and clear synchronization logs and audit
reports on changes to all items in the target environment.
To open and view logs and audits in the Directory Sync Pro Log Viewer:
1. In the Directory Sync Pro Console, click the View Logs and Auditing button. The Directory Sync Pro Log
Viewer opens.
2. Select the Logs tab to view the synchronization logs or the Audits tab to view the audit reports.
3. The Synchronization profile is automatically selected and log entries associated with the profile are
displayed. To change the profile, select a different profile from the Profile drop-down list. Click the
Refresh icon next to the Profile drop-down list to refresh the list of profiles and the log grid.
5.2 Searching Log or Audit Entries
To search for log or audit entries:

Enter a search term in the Search field and then click the Find icon. The table refreshes to show the search
results.
5.3 Pausing a Log
You can stop the continuous scrolling of the log to allow for easier reading. This feature pauses the display only,
not the logging function.
To pause the log:
1. Click the Pause icon.
2. To restart the log display, click the Play icon (next to “Paused”).
5.4 Showing Log or Audit Entries for a Time Period
To show all log or audit entries for a time period:

Select a “Show...” option from the drop-down list near the upper right corner of the console. The table
refreshes to show all log or audit entries for the selected time period.
To filter the log or audit:
1. Click the filter button on any column header to open the filter window.
2. Enter the filter criteria, and then click Filter. The table refreshes to the filtered log entries.
3. Use the Clear Filter button to clear the filter.
5.6 Grouping the Log or Audits by Column
To group the log or audits by a column:

Drag a column header to the bar above the table to group the log or audits by a specific column. The table
refreshes grouped by the selected column.
5.7 Viewing Log or Audit Entry Details
To view log or audit entry details:

Click the plus icon in the log or audit entry. The entry expands to display the details of the log or audit
entry.
Log entries:
Audit entries:
Audit log displaying one entry:
Audit log displaying modified attributes:
5.8 Exporting Log or Audit Entries
To export the log or audit entries of the currently selected profile:
1. Click Export All.
2. Enter a File name, location, a file type, and then click Save.
5.9 Clearing Log or Audit Entries
To clear old log or audit entries of the currently selected profile:
1. Click Clear. The Clear Log window or Clear Audits window opens.
2. Select a number and time unit (Weeks, Days, or Hours) from the drop-down list to clear the log or audits
of older entries and then click OK.
3. Also for Log entries, you have the option to clear the log entries of all profiles older than the selected time
automatically by selecting Clear log automatically. The Clear Log Automatically option is not available for
Audits.
Binary Tree recommends that the logs be set to clear automatically to prevent the accumulated data from
becoming too large.
To clear all log and audit entries of the currently selected profile:
1. Click Clear All. All log or audit entries of the currently selected profile are cleared.
If an Audit Log is cleared, the following is an example of the record that will be displayed showing that the entries
were removed (cleared).
Section 6. Managing Multiple Nodes
The Multiple Nodes feature allows two or more Directory Sync Pro services to be installed and configured to point
to the same SQL database, and ensures that only one instance is active and syncing objects. This feature is
designed for basic disaster recovery purposes. This feature only applies to the AD service
(BinaryTree.DirSync.Exchange.exe).
Each instance of the Directory Sync Pro service is referred to as a Node. Only one node can be active at any
moment and is the only node that will sync profiles. Nodes can be switched between active and passive on the
Directory Sync Pro Nodes window.
Nodes must be started and stopped manually from the server on which they are installed. Only the state of the
Node (active or passive) can be changed on the Directory Sync Pro Nodes window.
Directory Sync Pro Nodes
The list of installed Nodes can be accessed via the View Nodes button on the Directory Sync Pro Console.
The Node list has the following columns:

Name: The name of the server on which the Node is running.

Status: The status of the server, whether it is Online or Offline.

State: The state of the server, whether it is the Active Node or a Passive node.

Last Contact: The last time the Node checked in with SQL.
The Node list window has the following buttons:

Deactivate: Makes an Active Node into a Passive Node. This button is only available when the Active Node
is selected in the list. Any running sync jobs will be canceled.

Activate: Makes a Passive Node into the Active Node. Only one Node can be active at a time, so this
button is only available when all Nodes are Passive Nodes.

Remove: Removes a Node from the list. The Active Node cannot be removed, so this button is only
available for Passive Nodes.

Refresh: Refreshes the Nodes list. The list does not automatically refresh.

Close: Closes the window.
Click the [+] symbol next to the name of the Node to view additional details, such as the Node’s unique GUID.
Node Running
Periodically (every 30 seconds), a node will check in with SQL to determine if it should switch state to Active or
Passive. Any node state switches will be written to the Windows Event Log.
If the node is Active and it is switched to Passive, any running syncs will continue to run to completion. This will
allow the node to cancel any running profiles.
Removing a node from the list in the Directory Sync Pro Nodes window does not terminate or uninstall the node.
Nodes must be manually stopped and uninstalled.
The Last Contact time will be updated every time the node checks in. If a node shows as online but there have not
been any updates to the Last Contact time within the last 30 seconds, the node may have terminated
unexpectedly.
Node Shutdown - Normal Termination
When a node is shut down (the service is stopped), it will notify SQL that it is shutting down. This will change the
status of the node to Offline. The Last Contact time will also be updated. The state of the node will not change.
Node Shutdown - Unexpected Termination
If a node terminates unexpectedly, then SQL will not be notified of the shutdown. In this case, the node will still be
shown in the Directory Sync Pro Nodes window as Online, but the Last Contact time will no longer be updated.
If a passive node terminates unexpectedly, the service can be manually restarted.
If the active node terminates unexpectedly, it will still be displayed in the Directory Sync Pro Nodes window as the
active node. There are two options in this case:

The node may be manually restarted, and will resume processing as the active node.

The node may be deactivated in the Directory Sync Pro Nodes window. Running profiles will be marked
for cancellation and the currently active node will be made a passive node. Once this is done, a different
node can be made the active node.
If the crashed node will no longer be used, it can be removed from the Directory Sync Pro Nodes window.
Section 7. Updating the Groups to Ignore List in SQL
7.1 Updating the Groups to Ignore List in SQL for Domino - Active Directory Synchronization
By default, Directory Sync Pro is configured with a list of typical Active Directory (Exchange) and Domino security
groups that will not be synchronized. You can update the Groups to Ignore List in SQL by using either the SQL
Server Management Studio (SSMS) or the SQL Import and Export Data tool.
For an AD Source, you may also choose to not synchronize any Security groups via the Group Filter, which will
prevent all groups matching the criteria from being entered into SQL. This must be configured before the initial
synchronization, or you will have to remove all the security groups from SQL and AD prior to using this option.
7.2 Default List of Groups in the Groups to Ignore List for Domino - Active Directory Synchronization
The default list of groups in the AD Source Groups to Ignore List includes:

Account Operators

Administrator

Administrators

Anonymous

Authenticated Users

Backup Operators

Batch

By default, Directory

Cert Publishers

Delegated Setup

Dialup

Digest Authentication

Discovery Management

Domain Admins

Domain Computers

Domain Guests

Domain Users

Enterprise Admins

Enterprise Domain Controllers

Exchange All Hosted Organizations

Exchange Organization Administrators

Exchange Public Folder Administrators

Exchange Recipient Administrators

Exchange Servers

Exchange Trusted Subsystem

Exchange View-Only Administrators

Exchange Windows Permissions

ExchangeLegacyInterop

Group Policy Creator Owners

Guest

Guests

Hygiene Management

Interactive

KRBTGT

Local System

Logon Session

Network

NT Authority

NT Authority

NT Service

NTLM Authentication

Organization Management

Power Users

Principal Self

Print Operators

Proxy

Public Folder Management

RAS and IAS Servers

Recipient Management

Records Management

Remote Interactive Logon

Replicators

Restricted Code

SChannel Authentication

Schema Admins

Server Management

Server Operators

Service

Terminal Server Users

This Organization

UM Management

Untrusted Mandatory Level

Updating Groups to Ignore List in SQL

Users

View-Only Organization Management
The default list of groups in the Domino Source Groups to Ignore List Members includes:

LocalDomainServers

OtherDomainServers

LocalDomainAdmins

OtherDomainAdmins
7.3 Updating the Groups to Ignore List with the SQL Server Management Studio (SSMS)
Perform the following steps from SSMS to add or remove groups from the Groups to Ignore List in SQL. This
process is preferred if you have a small number of changes to make. Refer to Updating the Groups to Ignore List via
the SQL Import and Export Data Tool for larger updates.
To add or remove groups from the Groups to Ignore List in SQL:
1. Launch the SQL Server Management Studio.
2. Navigate to the BTCodex server and database, expand Tables, and then right-click on dbo.Dirsync_GroupsToIgnore.
3. Select Edit Top 200 Rows from the list.
4. Add new entries at the bottom.
5. If you have more than 200 groups to ignore, you can increase the number of rows shown:
   a. Run the SQL Server Management Studio.
   b. Click Tools -> Options.
   c. Select SQL Server Object Explorer. Now you should be able to see the Table and View options:
      • Value for Edit Top Rows Command
      • Value for Select Top Rows Command
   d. Set the Values to 0 to edit and select all the records.
6. The table displays the Select All Rows and Edit All Rows options.
7.4 Updating the Groups to Ignore List with the SQL Import and Export Tool
To use the SQL Import and Export Data tool to update the Groups to Ignore List in SQL:
1. Expand the Microsoft SQL Server 2008 R2 folder and select Import and Export Data (32-bit).
2. Select the data source from which you want to copy data, and then click Next.
3. Select the destination where data is to be copied.
4. Select Copy data from one or more tables or views, and then click Next to continue.
5. Choose one or more tables and views to copy, and then click Edit Mappings.
6. Select Append rows to the destination table and fill in the values in the Destination column, then click OK.
7. Select Run immediately and then click Finish.
7.5 Excluding Security Groups from Synchronization with the Group Filter
Select the appropriate Profile and Source OU in the Directory Sync Pro UI and double-click on Group Filter on the
AD Source tab.
Replace (objectClass=Group) with (objectClass=Group)(!groupType:=-2147483646) and click Save.
Binary Tree recommends that you use the Active Directory Users and Computers management
console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.
Appendix A: Using the User and Group LDAP Filters
Active Directory provides a powerful way of retrieving data through the use of LDAP filters. Directory Synchronization
exposes two filters during the creation of a synchronization profile: User OU Filter and Group OU Filter whose
defaults are:

Users: (&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))

Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))
These filters are per organizational unit and apply to sub-OUs when the Sync Sub-OUs option is selected.
Modifying these filters requires a basic understanding of the attributes, their value representations, and their data
types. LDAP filters support any number of options including filtering by date ranges, wildcards, and the use of
bitmasks as in the userAccountControl property.
The use of the objectClass and objectCategory properties can greatly reduce the number of records retrieved
resulting in improved performance. You may use other attributes to further restrict your results.
The following are common examples of queries and their LDAP query syntax.

Selecting users that are part of the ‘Accounting’ department:
o (&(objectClass=User)(objectCategory=Person)(department=Accounting))

Selecting mailbox-enabled users:
o (&(objectClass=User)(objectCategory=Person)(homeMDB=*))

Selecting users created after January 1, 2011:
o (&(objectClass=User)(objectCategory=Person)(whenCreated>=20110101000000.0Z))

Selecting mail-enabled users and contacts:
o (|(&(objectClass=User)(objectCategory=Person)(!homeMDB=*))(objectClass=Contact))

Selecting distribution lists:
o (&(objectClass=Group)(groupType=2))
Binary Tree recommends that you use the Active Directory Users and Computers management console to test your
filters to prevent Directory Synchronization from failing due to an invalid filter.
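The Group Filter change in section 7.5 and the filters in this appendix can also be checked offline before they are saved into a profile. The following Python is an added example, not part of Directory Sync Pro or the original guide: it parses a filter, rejects malformed ones, and evaluates it against constructed sample groups. The sample entries, the function names and the bitwise variant are assumptions of this example, and it assumes the `:=` term from section 7.5 is evaluated as plain equality on groupType.

```python
import fnmatch
import re

BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule
ITEM = re.compile(r"([A-Za-z][\w;.-]*)(?::([\d.]+))?(:=|>=|<=|=)(.*)", re.S)


def _item(s, i):
    """Parse 'attr[:rule]<op>value' up to the next ')' (escaped parentheses unsupported)."""
    j = s.find(")", i)
    m = ITEM.fullmatch(s[i:j]) if j > i else None
    if not m:
        raise ValueError(f"malformed filter item at offset {i}")
    attr, rule, op, value = m.groups()
    return ("item", attr.lower(), rule, op, value), j


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next offset)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    head = s[i:i + 1]
    if head in ("&", "|"):
        kids, i = [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError(f"'{head}' with no operands at offset {i}")
        node = (head, kids)
    elif head == "!":
        # Accept both (!(a=b)) and the shorter (!a=b) form used in the guide.
        kid, i = _parse(s, i + 1) if s[i + 1:i + 2] == "(" else _item(s, i + 1)
        node = ("!", kid)
    else:
        node, i = _item(s, i)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse(text):
    """Return the filter as a nested tuple tree; ValueError if it is malformed."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after offset {end}")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lower-case attr -> list of str)."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, op, want = node
    have = entry.get(attr, [])
    if rule == BIT_AND:
        return any((int(v) & int(want)) == int(want) for v in have)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if op == ">=":
        return any(v >= want for v in have)  # adequate for same-format time strings
    if op == "<=":
        return any(v <= want for v in have)
    if want == "*":
        return bool(have)  # presence test
    if "*" in want:
        return any(fnmatch.fnmatchcase(v.lower(), want.lower()) for v in have)
    return any(v.lower() == want.lower() for v in have)


# Constructed sample groups; groupType is the signed 32-bit value AD stores.
GROUPS = [
    ("Global security", {"objectclass": ["top", "group"], "grouptype": ["-2147483646"]}),
    ("Domain local security", {"objectclass": ["top", "group"], "grouptype": ["-2147483644"]}),
    ("Universal security", {"objectclass": ["top", "group"], "grouptype": ["-2147483640"]}),
    ("Global distribution", {"objectclass": ["top", "group"], "grouptype": ["2"]}),
    ("Stamped by a previous sync", {"objectclass": ["top", "group"], "grouptype": ["2"],
                                    "admindescription": ["Created By DirSync"]}),
]
STAMP = "(!(adminDescription=Created By DirSync))"
DEFAULT_GROUP_FILTER = f"(&{STAMP}(objectClass=Group))"
SECTION_7_5_FILTER = f"(&{STAMP}(objectClass=Group)(!groupType:=-2147483646))"
# Added variant (not from the guide): test the security-enabled bit 0x80000000.
BITWISE_FILTER = f"(&{STAMP}(objectClass=Group)(!(groupType:{BIT_AND}:=2147483648)))"


def selected(filter_text, entries=GROUPS):
    """Names of the entries the filter would select for synchronization."""
    tree = parse(filter_text)
    return [name for name, attrs in entries if matches(tree, attrs)]


if __name__ == "__main__":
    for flt in (DEFAULT_GROUP_FILTER, SECTION_7_5_FILTER, BITWISE_FILTER):
        print(flt, "->", selected(flt))
```

With these constructed entries, the section 7.5 filter drops only the group whose groupType is exactly -2147483646 (global security); domain local and universal security groups still pass, while the bitwise variant drops every group with the security bit set.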
Appendix B: Additional Configuration Options
Changing the attribute used for "Created by Dirsync" or "Updated by Dirsync"
By default, the adminDescription attribute (for Active Directory) or $BTAction (for Domino) is stamped on objects
on the Target that are created or updated by Directory Sync Pro with "Created by Dirsync" or "Updated by Dirsync"
to define which objects can be safely deleted from the Target. An app setting is available in the config file to allow
you to define a different attribute/field for this purpose.
To use an attribute other than adminDescription or $BTAction, define a new DirSyncAttribute setting in the
<appSettings> section of the config file. For example, the below setting will use adminDisplayName instead of
adminDescription:
Warning: This must be configured before the initial sync.
<appSettings>
<add key="DirSyncAttribute" value="adminDisplayName"/>
</appSettings>
Setting msExchRecipientDisplayType and msExchRecipientTypeDetails Exchange attributes
A configuration option is available that lets you set the msExchRecipientDisplayType and msExchRecipientTypeDetails Exchange
attributes based on the value of a configurable attribute. This option is only applied to target objects
not created by Directory Sync Pro.
The configuration option must be defined in the <appSettings> section of the config file, as shown below. The value
attribute (“value=”) should contain the attribute to be used (proxyAddresses is shown below). If the value of the target attribute is
null, msExchRecipientDisplayType and msExchRecipientTypeDetails will be populated. See the list below for the
values that will be populated.
<appSettings>
<add key="RecipientType_MailEnabledAttribute" value="proxyAddresses"/>
</appSettings>
Mail Enabled Users in the source:

msExchRecipientDisplayType = 6

msExchRecipientTypeDetails = 128
Room Mailbox in the source:

msExchRecipientDisplayType = 7

msExchRecipientTypeDetails = 16
Resource Mailbox in the source:

msExchRecipientDisplayType = 8

msExchRecipientTypeDetails = 32
Shared Mailbox in the source:

msExchRecipientDisplayType = 0

msExchRecipientTypeDetails = 4
Allow objects with remote mailboxes to be treated as mailbox-enabled objects
A setting that allows objects with connected O365 remote mailboxes to be treated as mailbox-enabled objects is
available. To enable this feature, add the RemoteMailboxAsMailboxEnabled option to the <appSettings> section of
the BinaryTree.DirSync.Exchange.exe.config file as displayed below.
<appSettings>
<add key="RemoteMailboxAsMailboxEnabled" value="True"/>
</appSettings>
If this setting is set to any value other than True or if omitted from the file, objects with remote mailboxes will be
treated as non-mailbox-enabled. If set to True, objects with remote mailboxes will be treated as mailbox-enabled.
Disable the caching of group members
A configuration option can be used in the appSettings section of the config file to disable the caching of group
members.
This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.
<appSettings>
<add key="OptimizeGroupSyncMemoryUsage" value="true"/>
</appSettings>
Valid values are true and false. If this setting is omitted, or set to an invalid value, the value defaults to false. If set
to false, group members will be cached during push and pull. If set to true, group members will not be cached
during push and pull.
Disable the initialization of the sync report
A configuration option can be used in the appSettings section of the config file to disable the initialization of the
sync report. If disabled, a sync report will still be recorded, but it will not be initialized between syncs. The result
will be that an object will show data from the last time it was processed by Directory Sync Pro, rather than just the
most recent time it was processed. In other words, if an object is inserted during a sync, it will show in the sync
report as Inserted. Assuming a second sync does not touch this object, then if the sync report is initialized, a
second sync will show this object as No Change, but if the sync report is not initialized, the object will still show as
Inserted.
This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.
<appSettings>
<add key="DisableSyncReportInitialization" value="true"/>
</appSettings>
Valid values are true and false. If this setting is omitted, or set to an invalid value, the value defaults to false. If set
to false, the sync report will be initialized. If set to true, the sync report will not be initialized.
Set the maximum number of users and groups synced simultaneously
During pull processing, Directory Sync Pro will sync multiple Active Directory user and group objects
simultaneously into the target AD. The maximum number of users and groups synced simultaneously can be
changed using the ThreadCount setting in the config file. If this configuration option is not specified, the
ThreadCount will be set to the same number of logical processor cores of the server on which Directory Sync Pro is
running.
The configuration option is not included by default. To add, modify the BinaryTree.DirSync.Exchange.exe.config file
located at C:\Program Files\Binary Tree\DirSync and add a new key to the <appSettings> section as follows:
<appSettings>
<add key="ThreadCount" value="4"/>
</appSettings>
This option should never be set to a number greater than the number of processor cores on the server. However,
you may need to specify a lower number if other applications also running on the server require a specific number
of cores set aside for processing. Best practice is to leave the setting at the default value and lower it only if
additional processing power is needed for other applications on the server.
Multiple passes will be needed to make sure all data is synchronized to the target when multi-threading is used. An
example scenario is:

User B is the Manager of User A.

User A is synchronized first.

Then, User B is synchronized.

Another sync is needed for User B to be the Manager on User A.
Set the number of objects selected when the user selects all (Ctrl+A)
A configuration option can be added to control how many objects are selected when the user selects all (Ctrl+A):
<appSettings>
<add key="SelectAllLimit" value="1000"/>
</appSettings>
If this configuration option is omitted, the default value is 1000. Setting this option to a high number may cause
performance issues when selecting and marking objects.
Setting select all limit when marking objects as Ready to Sync
Selecting objects to mark as Ready to Sync can be done from the Objects tab within the Sync Report, which
contains all object types.
A configuration option can be used in the appSettings section of the config file to control how many objects are
selected when the user selects all (Ctrl+A):
This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.
<appSettings>
<add key="SelectAllLimit" value="1000"/>
</appSettings>
If this configuration option is omitted, the default value is 1000. Setting this to a high number may cause
performance issues when selecting and marking objects.
This option does not apply to Windows Server Migration profiles.
Set the attribute used for the linking function
A configuration option can be added to change the attribute used for the linking functionality.
This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.
<appSettings>
<add key="LinkedIDAttribute" value="adminDisplayName"/>
</appSettings>
If this configuration option is omitted, adminDisplayName is used.
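The Appendix B settings can be checked together against the rules stated above. The following Python is an added example, not part of Directory Sync Pro or the original guide; the function name, finding codes and sample files are constructed for illustration, and the collision check is an inference from the two defaults the guide states (adminDescription for DirSyncAttribute, adminDisplayName for LinkedIDAttribute).

```python
import os
import xml.etree.ElementTree as ET

# Values the guide documents for each switch; anything else is treated as not enabled.
DOCUMENTED_VALUES = {
    "RemoteMailboxAsMailboxEnabled": ("True",),
    "OptimizeGroupSyncMemoryUsage": ("true", "false"),
    "DisableSyncReportInitialization": ("true", "false"),
}
# Defaults the guide states for an Active Directory target.
ATTRIBUTE_DEFAULTS = {"DirSyncAttribute": "adminDescription",
                      "LinkedIDAttribute": "adminDisplayName"}


def lint(config_xml, cores=None):
    """Return (code, message) findings for the appSettings keys described in Appendix B."""
    cores = cores or os.cpu_count() or 1
    root = ET.fromstring(config_xml.strip())
    sections = ([root] if root.tag == "appSettings" else []) + root.findall(".//appSettings")
    findings, seen = [], {}
    if len(sections) > 1:
        # Each snippet in the guide is wrapped in <appSettings>; the keys belong in one section.
        findings.append(("multiple-sections",
                         f"{len(sections)} <appSettings> elements; merge the keys into one section"))
    for section in sections:
        for add in section.findall("add"):
            key, value = add.get("key", ""), add.get("value", "")
            if key in seen:
                findings.append(("duplicate-key", f"{key} is defined more than once"))
            seen[key] = value
            if key == "ThreadCount":
                if not value.isdigit() or int(value) < 1:
                    findings.append(("thread-count",
                                     f"ThreadCount={value!r} is not a positive integer"))
                elif int(value) > cores:
                    findings.append(("thread-count",
                                     f"ThreadCount={value} exceeds the {cores} logical cores"))
            elif key in DOCUMENTED_VALUES and value not in DOCUMENTED_VALUES[key]:
                allowed = "/".join(DOCUMENTED_VALUES[key])
                findings.append(("undocumented-value",
                                 f"{key}={value!r} is not a documented value ({allowed}); "
                                 "the setting is then treated as not enabled"))
    stamp = seen.get("DirSyncAttribute", ATTRIBUTE_DEFAULTS["DirSyncAttribute"])
    link = seen.get("LinkedIDAttribute", ATTRIBUTE_DEFAULTS["LinkedIDAttribute"])
    if stamp.lower() == link.lower():
        findings.append(("attribute-collision",
                         f"DirSyncAttribute and LinkedIDAttribute both resolve to {stamp}"))
    return findings


# Constructed sample: the guide's snippets pasted one after another without merging.
SAMPLE_CONFIG = """
<configuration>
  <appSettings>
    <add key="DirSyncAttribute" value="adminDisplayName"/>
    <add key="ThreadCount" value="16"/>
    <add key="RemoteMailboxAsMailboxEnabled" value="yes"/>
  </appSettings>
  <appSettings>
    <add key="OptimizeGroupSyncMemoryUsage" value="true"/>
    <add key="ThreadCount" value="4"/>
  </appSettings>
</configuration>
"""

# Constructed sample: one section, documented values only.
CLEAN_CONFIG = """
<configuration>
  <appSettings>
    <add key="ThreadCount" value="4"/>
    <add key="RemoteMailboxAsMailboxEnabled" value="True"/>
    <add key="OptimizeGroupSyncMemoryUsage" value="true"/>
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONFIG, cores=8):
        print(f"{code}: {message}")
```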
Appendix C: Default Mapping
Domino Source – AD Target Default Mapping
The below table displays the default values of the Domino Source to AD Target mapping table.
Source Field
Internal Field
Target Field
Source Field
Target
Type 1
InternetAddress
InternetAddress
mail
any
any
CompanyName
Company
any
any
LegacyExchangeDN legacyExchangeDN any
any
GroupType
GroupType
groupType
group
group
ListDescription
Comment
info
group
group
contact
ListName
DisplayName
displayName
group
group
contact
ListName must be empty in Notes
or it will be treated as a group by
the router.
ListName
PrimaryAlias
mailNickname
group
group
contact
ListName must be empty in Notes
or it will be treated as a group by
the router.
ProxyAddresses
proxyAddresses
group
group
contact
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
policies from the target (if
enabled).
SAMAccountName
sAMAccountName group
group
TargetAddress
targetAddress
group
Comments
Comment
comment
sharedMail
sharedMail
contact
Description
Info
info
sharedMail
sharedMail
contact
FullName
CommonName
cn
sharedMail
sharedMail
contact
FullName
PrimaryAlias
mailNickname
sharedMail
sharedMail
contact
FullName
DisplayName
displayName
sharedMail
sharedMail
contact
FullName
ProxyAddresses
proxyAddresses
sharedMail
sharedMail
contact
ListName
Target
Type 2
Comments
Created using the source object's
Notes ID as the CN.
ListName must be empty in Notes
or it will be treated as a group by
the router.
contact
TargetAddress is set to the source
object's primary SMTP in the
ProxyAddresses, the
InternetAddress, or the
UserPrincipleName of the source
object.
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
Source Field
Internal Field
Target Field
Source Field
Target
Type 1
Target
Type 2
Comments
policies from the target (if
enabled).
FullName
SAMAccountName
sAMAccountName sharedMail
sharedMail
TargetAddress
targetAddress
sharedMail
sharedMail
contact
Comments
Comment
comment
resource
resource contact
Description
Info
info
resource
resource contact
FullName
CommonName
cn
resource
resource contact
FullName
PrimaryAlias
mailNickname
resource
resource contact
FullName
CommonName
displayName
resource
resource contact
FullName
ProxyAddresses
proxyAddresses
resource
resource contact
FullName
SAMAccountName
sAMAccountName resource
ResourceCapacity
msExchResourceCapacity
msExchResourceCapacity
resource
resource contact
TargetAddress
targetAddress
resource
resource contact
Description
Info
info
room
room
contact
FullName
CommonName
cn
room
room
contact
FullName
PrimaryAlias
mailNickname
room
room
contact
FullName
CommonName
displayName
room
room
contact
FullName
ProxyAddresses
proxyAddresses
room
room
contact
TargetAddress is set to the source
object's primary SMTP in the
ProxyAddresses, the
InternetAddress, or the
UserPrincipleName of the source
object.
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
policies from the target (if
enabled).
resource
TargetAddress is set to the source
object's primary SMTP in the
ProxyAddresses, the
InternetAddress, or the
UserPrincipleName of the source
object.
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
policies from the target (if
enabled).
Target
Type 2
Internal Field
Target Field
FullName
SAMAccountName
sAMAccountName room
room
ResourceCapacity
msExchResourceCapacity
msExchResourceCapacity
room
room
contact
TargetAddress
room
room
contact
targetAddress
Source Field
Target
Type 1
Source Field
Comments
TargetAddress is set to the source
object's primary SMTP in the
ProxyAddresses, the
InternetAddress, or the
UserPrincipleName of the source
object.
CellPhoneNumber
CellPhoneNumber
user
user
contact
Comment
Comment
user
user
contact
Department
Department
user
user
contact
EmployeeID
EmployeeID
user
user
contact
FirstName
FirstName
user
user
contact
FullName
CommonName
user
user
contact
FullName
DisplayName
user
user
contact
FullName
ProxyAddresses
user
user
contact
JobTitle
JobTitle
user
user
contact
LastName
LastName
user
user
contact
Sometimes used as a surname.
Location
Location
user
user
contact
Important, particularly for
printers.
MiddleInitial
Initials
user
user
contact
OfficeCity
OfficeCity
user
user
contact
OfficeFAXPhoneNumber OfficeFAXNumber
user
user
contact
OfficePhoneNumber
OfficePhoneNumber
user
user
contact
OfficeState
OfficeState
user
user
contact
OfficeStreetAddress
OfficeStreetAddress
user
user
contact
cn
proxyAddresses
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
policies from the target (if
enabled).
Source Field
Target
Type 1
Target
Type 2
user
user
contact
mailNickname
user
user
contact
proxyAddresses
user
user
contact
ProxyAddresses contains the
InternetAddress as the primary
SMTP, the legacyExchangeDN of
both the source and target as
X500 addresses, and any email
policies from the target (if
enabled).
user
user
user
user
contact
TargetAddress is set to the source
object's primary SMTP in the
ProxyAddresses, the
InternetAddress, or the
UserPrincipleName of the source
object.
BTCustom032
resource
resource contact
BTCustom033
msExchRecipientDisplayType
resource
resource contact
BTCustom034
msExchResourceSearchProperties
resource
resource contact
BTCustom034
msExchResourceDisplay
resource
resource contact
BTCustom035
msExchResourceMetaData
resource
resource contact
Source Field
Internal Field
OfficeZip
OfficeZip
ShortName
PrimaryAlias
ShortName
ProxyAddresses
ShortName
SAMAccountName
TargetAddress
Resource Type
Resource Type
Target Field
targetAddress
BTCustom032
room
room
contact
BTCustom033
msExchRecipientDisplayType
room
room
contact
BTCustom034
msExchResourceSearchProperties
room
room
contact
BTCustom034
msExchResourceDisplay
room
room
contact
BTCustom035
msExchResourceMetaData
room
room
contact
Comments
AD Source – Domino Target Default Mapping
The below table displays the default values of the AD Source to Domino Target mapping table.
Source Field
Internal Field
Target Field
Source Type
Target
Type 1
mail
InternetAddress
InternetAddress
any
any
company
Company
CompanyName
any
any
c
OfficeCountry
OfficeCountry
contact
user
department
Department
Department
contact
user
displayName
DisplayName
FullName
contact
user
employeeID
EmployeeID
EmployeeID
contact
user
facsimileTelephoneNumber
OfficeFAXNumber
OfficeFAXPhoneNumber
contact
user
givenName
FirstName
FirstName
contact
user
initials
Initials
MiddleInitial
contact
user
l
OfficeCity
OfficeCity
contact
user
mailNickname
PrimaryAlias
ShortName
contact
user
mobile
CellPhoneNumber
CellPhoneNumber contact
user
physicalDeliveryOfficeName
Location
Location
contact
user
postalCode
OfficeZip
OfficeZip
contact
user
proxyAddresses
FullName
FullName
contact
user
sn
LastName
LastName
contact
user
st
OfficeState
OfficeState
contact
user
streetAddress
OfficeStreetAddress
OfficeStreetAddress
contact
user
telephoneNumber
OfficePhoneNumber
OfficePhoneNumber
contact
user
title
JobTitle
JobTitle
contact
user
BTCustom001
FullName
contact
user
Target
Type 2
Comments
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
Important, particularly for
printers.
Sometimes used as surname.
Target
Type 1
Target
Type 2
Source Field
Internal Field
Target Field
Source Type
c
OfficeCountry
OfficeCountry
group
user
department
Department
Department
group
user
displayName
DisplayName
ListName
group
employeeID
EmployeeID
EmployeeID
group
user
facsimileTelephoneNumber
OfficeFAXNumber
OfficeFAXPhoneNumber
group
user
givenName
FirstName
FirstName
group
user
info
Comment
ListDescription
group
info
Comment
Comment
group
user
initials
Initials
MiddleInitial
group
user
l
OfficeCity
OfficeCity
group
user
mailNickname
PrimaryAlias
ShortName
group
user
mobile
CellPhoneNumber
CellPhoneNumber group
user
physicalDeliveryOfficeName
Location
Location
group
user
postalCode
OfficeZip
OfficeZip
group
user
proxyAddresses
FullName
FullName
group
user
sAMAccountName
SAMAccountName
ShortName
group
user
The following restricted chars will
be replaced with underscores: +
@ [ ]" / : |? \> ; = *< ,
sn
LastName
LastName
group
user
Sometimes used as surname.
st
OfficeState
OfficeState
group
user
streetAddress
OfficeStreetAddress
OfficeStreetAddress
group
user
telephoneNumber
OfficePhoneNumber
OfficePhoneNumber
group
user
title
JobTitle
JobTitle
group
user
BTCustom001
FullName
group
user
Comments
group
group
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
Important, particularly for
printers.
To represent group as person.
Source Field
Internal Field
Target Field
Source Type
Target
Type 1
cn
CommonName
FullName
resource
user
displayName
DisplayName
FullName
resource
user
name
LastName
LastName
resource
user
mailNickname
PrimaryAlias
FullName
resource
user
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
mailNickname
ShortName
ShortName
resource
user
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
proxyAddresses
FullName
FullName
resource
user
sAMAccountName
SAMAccountName
FullName
resource
user
cn
CommonName
FullName
room
user
displayName
DisplayName
FullName
room
user
name
LastName
LastName
room
user
mailNickname
PrimaryAlias
FullName
room
user
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
mailNickname
ShortName
ShortName
room
user
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
proxyAddresses
FullName
FullName
room
user
sAMAccountName
SAMAccountName
FullName
room
user
cn
CommonName
FullName
sharedMail
user
displayName
DisplayName
FullName
sharedMail
user
mailNickname
PrimaryAlias
FullName
sharedMail
user
mailNickname
ShortName
ShortName
sharedMail
user
proxyAddresses
FullName
FullName
sharedMail
user
sAMAccountName
SAMAccountName
FullName
sharedMail
user
The following restricted chars will
be replaced with underscores: +
@ [ ]" / : |? \> ; = *< ,
c
OfficeCountry
OfficeCountry
user
user
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
Target
Type 2
Comments
The following restricted chars will
be replaced with underscores: +
@ [ ]" / : |? \> ; = *< ,
The following restricted chars will
be replaced with underscores: +
@ [ ]" / : |? \> ; = *< ,
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
Source Field
Internal Field
Target Field
Source Type
Target
Type 1
cn
CommonName
FullName
user
user
department
Department
Department
user
user
displayName
DisplayName
FullName
user
user
employeeID
EmployeeID
EmployeeID
user
user
facsimileTelephoneNumber
OfficeFAXNumber
OfficeFAXPhoneNumber
user
user
givenName
FirstName
FirstName
user
user
initials
Initials
MiddleInitial
user
user
l
OfficeCity
OfficeCity
user
user
mailNickname
PrimaryAlias
ShortName
user
user
mobile
CellPhoneNumber
CellPhoneNumber user
user
physicalDeliveryOfficeName
Location
Location
user
user
postalCode
OfficeZip
OfficeZip
user
user
proxyAddresses
FullName
FullName
user
user
sAMAccountName
SAMAccountName
ShortName
user
user
The following restricted chars will
be replaced with underscores: +
@ [ ]" / : |? \> ; = *< ,
sn
LastName
LastName
user
user
Sometimes used as surname.
st
OfficeState
OfficeState
user
user
streetAddress
OfficeStreetAddress
OfficeStreetAddress
user
user
telephoneNumber
OfficePhoneNumber
OfficePhoneNumber
user
user
title
JobTitle
JobTitle
user
user
BTCustom001
FullName
user
user
Target
Type 2
Comments
The following restricted chars will
be replaced with underscores: ( )
@ [ ] " space : \ > ; <
Important, particularly for
printers.
Appendix D: Customizing Overrides
In Directory Sync Pro, an override is used to transform values in the target directory based upon a formula.
The formula language used is T-SQL, used in Microsoft’s SQL Server product line. A valid select statement in T-SQL
would be Select (FirstName + LastName) from BT_Person. When adding an override you do not need to include a
full SQL select statement as portions of the SQL statement are generated for you. Specifically, you are not required
to use the select or from commands in the override. It is only required to enter the columns that should be
selected. To continue the example above, a valid override would only need to contain the value of FirstName +
LastName.
To add a View Override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Click Add. The Override dialog appears.
3. Select Person or Groups from the View drop-down list.
4. Enter a Field Name for the new override. This must be a valid internal field name in SQL.
5. Enter a Field Value for the new override. This must be a correctly formatted SQL statement.
6. Enter Comments for the new override.
7. Click Save.
8. Click Yes for the confirmation message.
When you save an override, Directory Sync Pro re-generates the Person or Groups view. It does this by
dynamically generating a single SQL statement using the snippet of SQL code that is part of all
overrides. The maximum size for this SQL statement is 8000 total characters. If many new overrides are
added, this limit could be exceeded and an error will occur when adding the overrides. In addition to
the default overrides, approximately 15-20 more Person and 20-25 Group overrides can be added
before hitting the size limit.
To edit a mapping override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Select an Override and click Edit. The Override dialog appears.
3. Edit the Field Value for the override. The View and Field Name cannot be edited.
4. Edit Comments for the override.
5. Click Save.
6. Click Yes for the confirmation message.
To delete a mapping override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Select an Override and click Delete.
3. Click Yes for the confirmation message.
To export all mapping overrides:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Click Export All.
3. Select a location, enter a file name, and click Save.
Controlling actions with Overrides
Directory Sync Pro uses the TypeOfTransaction column from the BT_Person table, or the Operation column from
the BT_Groups table to determine what action to perform on the target object. These may have overrides applied
to them, to control what actions Directory Sync Pro will take for an object. The below image shows an example of
this kind of override.
Matching user accounts with Overrides
The values used for matching can have overrides applied to them. This is accomplished by setting up a new
override using the field names MatchValue1, MatchValue2, MatchValue3 and MatchValue4. Each of MatchValue1
through MatchValue4 corresponds to the respective Source and Target pair on the Matching tab.
These values are used for matching only. Values that get written to the target are based on the mappings, not the
matching.
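A match formula that yields the same key for more than one source object, or an empty key, is worth catching before the override is entered. The following is an added example, not from the Binary Tree guide: the @SamplePerson table variable and its rows are constructed, and using the local part of InternetAddress as the candidate MatchValue1 formula is an assumption chosen for illustration.

```sql
-- Constructed sample rows (not from a real BT_Person table).
DECLARE @SamplePerson TABLE (
    SourceDirectoryID varchar(32),
    InternetAddress   nvarchar(256)
);

INSERT INTO @SamplePerson (SourceDirectoryID, InternetAddress)
VALUES
    ('A001', N'j.smith@contoso.com'),
    ('A002', N'j.smith@domino.contoso.com'),  -- same local part, other domain
    ('A003', N'a.jones@contoso.com'),
    ('A004', NULL),                           -- no address at all
    ('A005', N'');                            -- empty address

WITH Candidate AS (
    -- Candidate MatchValue1 formula (assumption): local part of the address.
    SELECT SourceDirectoryID,
           CASE WHEN CHARINDEX('@', InternetAddress) > 0
                THEN LEFT(InternetAddress, CHARINDEX('@', InternetAddress) - 1)
                ELSE InternetAddress
           END AS MatchValue1
    FROM @SamplePerson
),
Counted AS (
    -- How many source objects share each computed key.
    SELECT SourceDirectoryID,
           MatchValue1,
           COUNT(*) OVER (PARTITION BY MatchValue1) AS ObjectsWithKey
    FROM Candidate
)
-- Report only the rows that need review before the formula is used.
SELECT SourceDirectoryID,
       MatchValue1,
       ObjectsWithKey,
       CASE WHEN MatchValue1 IS NULL OR MatchValue1 = N''
            THEN 'empty key'
            ELSE 'duplicate key'
       END AS Finding
FROM Counted
WHERE ObjectsWithKey > 1
   OR MatchValue1 IS NULL
   OR MatchValue1 = N''
ORDER BY MatchValue1, SourceDirectoryID;
```

Only the CASE ... END expression inside the Candidate query is what would be entered as the override's Field Value.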
Example Overrides

Field Name: TargetAddress
Field Value:
CASE EntryType WHEN 'user' THEN 'SMTP:' + P.Custom20 +
'@domino.contoso.com' ELSE 'SMTP:' +
dbo.ReplaceDomain(InternetAddress,'domino.contoso.com') END
Description: This formula will dynamically set the TargetAddress value based on the EntryType.

Field Name: TargetAddress
Field Value:
'SMTP:' + dbo.UpdateInternetAddress(InternetAddress,'domino.')
Description: This formula will set the TargetAddress value based on the InternetAddress and prefix the
domain with the value specified, in this case "domino.".

Field Name: TargetAddress
Field Value:
'SMTP:' + dbo.ReplaceDomain(InternetAddress,'domino.contoso.com')
Description: This formula will set the TargetAddress value based on the InternetAddress and replace the
domain with the value specified, in this case "domino.contoso.com".

Field Name: TargetAddress
Field Value:
CASE WHEN InternetAddress LIKE '%@kodak.com' THEN 'smtp:' +
dbo.UpdateInternetAddress(P.InternetAddress, 'domino.') WHEN
InternetAddress LIKE '%@knotes.contoso.com' THEN 'smtp:' +
dbo.ReplaceDomain(P.InternetAddress, 'domino.contoso.com') ELSE
P.InternetAddress END
Description: This formula will dynamically set the TargetAddress value based on the existing
InternetAddress domain name value. If the first domain is found, the TargetAddress will be set to one
value; if the second domain is found, another value will be used; and if neither domain is found, the
TargetAddress will be set to the current InternetAddress value.

Field Name: CommonName
Field Value:
CASE EntryType WHEN 'user' THEN 'do$$' + SourceDirectoryID WHEN
'sharedmail' THEN 'do$$' + SourceDirectoryID ELSE CommonName END
Description: This formula will dynamically set the CommonName value based on the EntryType.

Field Name: CommonName
Field Value:
CASE WHEN LEN(CommonName) > 64 THEN
LTRIM(RTRIM(LEFT(CommonName,64))) ELSE CommonName END
Description: This formula will limit the CommonName value to 64 characters if it exceeds that limit.

Field Name: ProxyAddresses
Field Value:
CASE ProxyAddresses WHEN '' THEN 'smtp:' +
dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:')
+ dbo.UpdateInternetAddress(InternetAddress,'domino.') ELSE
ProxyAddresses + ';smtp:' +
dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:')
+ dbo.UpdateInternetAddress(InternetAddress,'domino.') END
Description: This formula will set, or append to the list of ProxyAddresses values, the coexistence
routing addresses. This example is specifically designed for Office 365.

Field Name: Company
Field Value:
LTRIM(RTRIM(LEFT(company, 50)))
Description: This formula will trim, then limit the string value to 50 characters.

Field Name: Custom001
Field Value:
'this is a string'
Description: This formula will set any SQL field to a literal string value.

Field Name: Custom001
Field Value:
REPLACE(InternetAddress,'@','.')
Description: This formula will replace the '@' symbol with a period '.' to create a string such as
first.last.contoso.com.

Field Name: Custom001
Field Value:
LEFT(InternetAddress,CHARINDEX('@',InternetAddress)-1)
Description: This formula will extract the local part of InternetAddress.
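The local-part and CommonName formulas from the table above can be tried against edge-case rows before they are entered as overrides; a row whose InternetAddress has no '@' makes the local-part formula raise an error, and the guarded form avoids it. This is an added example, not from the Binary Tree guide: the @SamplePerson table variable and its rows are constructed, and only the column names come from the page.

```sql
-- Constructed sample rows (not from a real BT_Person table).
DECLARE @SamplePerson TABLE (
    SourceDirectoryID varchar(32),
    CommonName        nvarchar(256),
    InternetAddress   nvarchar(256)
);

INSERT INTO @SamplePerson (SourceDirectoryID, CommonName, InternetAddress)
VALUES
    ('A001', N'Ada Example',                 N'ada.example@contoso.com'),
    ('A002', N'No Mail Address',             N'nomail'),  -- no '@'
    ('A003', N'Null Mail Address',           NULL),
    ('A004', REPLICATE(N'x', 63) + N' tail', N'long.name@contoso.com');

-- 1. Local-part formula as listed in the table. For row A002 CHARINDEX
--    returns 0, LEFT is asked for a length of -1, and the statement fails
--    with an "Invalid length parameter" error, captured here by CATCH.
BEGIN TRY
    SELECT SourceDirectoryID,
           LEFT(InternetAddress, CHARINDEX('@', InternetAddress) - 1) AS Custom001
    FROM @SamplePerson;
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS UnguardedFormulaError;
END CATCH;

-- 2. Guarded local-part formula next to the CommonName length limit.
--    Rows without '@' (or with NULL) pass through unchanged instead of
--    raising an error; row A004 is cut at 64 characters and then trimmed.
SELECT SourceDirectoryID,
       CASE WHEN CHARINDEX('@', InternetAddress) > 0
            THEN LEFT(InternetAddress, CHARINDEX('@', InternetAddress) - 1)
            ELSE InternetAddress
       END AS Custom001,
       CASE WHEN LEN(CommonName) > 64
            THEN LTRIM(RTRIM(LEFT(CommonName, 64)))
            ELSE CommonName
       END AS CommonName
FROM @SamplePerson;
```

Only the CASE ... END expression is what goes into the override's Field Value; the surrounding SELECT and table variable exist only to exercise it.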
Appendix E: Directory Sync Pro Fields with Special Processing
AD Directory Sync Pro Fields with Special Processing
The below tables include fields with some kind of special processing in Directory Sync Pro. Fields can have the
following characteristics:
• Cannot be mapped
• Can be mapped and have an override
• May be explicitly ignored or changed by Directory Sync Pro if the object meets certain conditions, even if
mapping and override exist
• Actual attribute may be set via config file
Additional notes are available below for fields marked with a *.
Writing Users to AD
Attributes that may be set by Directory Sync Pro regardless of mapping:
Field
Cannot be
mapped
distinguishedName
•
objectClass
•
Can be mapped /
have override
May be explicitly
ignored
userPassword
•
unicodePwd
•
userAccountControl
•
msExchRecipientDisplayType
•
•
msExchRecipientTypeDetails
•
•
msExchResourceDisplay
•
msExchResourceSearchProperties
•
msExchResourceMetaData
•
showInAddressBook*
•
msExchMasterAccountSid
msExchPoliciesExcluded
•
•
•
msExchPoliciesIncluded
•
pwdLastSet
•
adminDescription
•
•
•
•
userAccountControl
May be set with
config file
•
•
•
Special processing if mapped:
Field
Cannot be
mapped
Can be mapped / have
override
May be explicitly
ignored
mail
•
•
assistant*
•
manager*
•
managedBy*
•
altRecipient*
•
authOrig
•
unauthOrig
•
dLMemSubmitPerms
•
dLMemRejectPerms
•
sAMAccountName
•
•
legacyExchangeDN*
•
•
mailNickname
•
•
May be set with
config file
Never set:
Field
Cannot be
mapped
objectGUID
•
objectSid
•
whenCreated
•
whenChanged
•
uSNChanged
•
name
•
cn
•
Can be mapped / have
override
May be explicitly
ignored
May be set with config
file
Writing Groups to AD
Attributes that may be set by Directory Sync Pro regardless of mapping:
Field
Can be mapped / have
override
May be explicitly
ignored
msExchRecipientDisplayType
•
•
msExchVersion
•
objectClass
Cannot be
mapped
May be set with
config file
•
Field
Cannot be
mapped
Can be mapped / have
override
May be explicitly
ignored
showInAddressBook*
•
•
msExchPoliciesExcluded
•
•
msExchPoliciesIncluded
May be set with
config file
•
adminDescription
•
•
Special processing if mapped:
Field
Cannot be
mapped
Can be mapped / have
override
May be explicitly
ignored
mail
•
•
assistant*
•
manager*
•
managedBy*
•
altRecipient*
•
authOrig
•
unauthOrig
•
dLMemSubmitPerms
•
dLMemRejectPerms
•
sAMAccountName
•
legacyExchangeDN*
•
groupType
•
•
mailNickname
•
•
May be set with
config file
•
Never set:
Field
Cannot be
mapped
objectGUID
•
objectSid
•
whenCreated
•
whenChanged
•
uSNChanged
•
name
•
Can be mapped / have
override
May be explicitly
ignored
May be set with config
file
Field
Cannot be
mapped
cn
Can be mapped / have
override
May be explicitly
ignored
May be set with config
file
•
Special processing by Internal Field Name:
Field
Cannot be
mapped
Can be
mapped /
have override
May be
explicitly
ignored
May be set
with config
file
If this internal field name is
mapped and value is empty,
actual value comes from
different internal field
DisplayName
•
•
PrimaryAlias
•
•
SAMAccountName
•
•
InternetAddress
•
•
Name
•
•
CommonName
•
•
Additional Notes
1. TargetDN – this column contains the distinguishedName of the target object to be created or the existing
distinguishedName of a matched target object. If the object is created, the following values are used:
   a. Non-group objects from Domino sources use the following columns (or override values if specified) in
   order until a non-NULL value is found:
      i. CommonName
      ii. DisplayName
      iii. PrimaryAlias
      iv. FullName
      v. PrimaryFullName
   b. Groups from Domino sources use the following columns (or override values if specified) in order until
   a non-NULL value is found:
      i. DisplayName
      ii. Name
      iii. CommonName
      iv. PrimaryAlias
   c. Non-group objects from AD sources use the DN column (or override value if specified) to compute a
   target object DN. This preserves the sub-OU hierarchy the object may be in from the source.
   d. Groups from AD sources use the OU column (or override value if specified) to compute a target
   object DN. This preserves the sub-OU hierarchy the object may be in from the source.
2. LegacyExchangeDN – the legacyExchangeDN of the target object is computed by constructing a value
relative to the target Exchange organization.
3. ShowInAddressBook – unless hiding from GAL is enabled. No override column is available for this field.
   a. Rooms are added to the All Rooms address book, except for Exchange 2003 which doesn't have
   rooms or the All Rooms address book.
   b. Users are added to the All Users address book.
   c. Groups are added to the All Groups address book.
   d. All objects are added to the All Global Address Lists (GAL) address book.
4. Manager – all objects except Groups
   a. Uses the Manager column (or override value if specified) for the source object.
   b. Locates the referenced Manager in the target.
   c. If not found and a pending sync is available for the Manager, Directory Sync Pro will immediately sync
   it to the target.
   d. If the referenced Manager is a reference to itself, the Manager on the target object will be set on the
   next sync.
5. ManagedBy – group objects only
   a. Uses the ManagedBy column (or override value if specified) for the source object.
   b. Follows the same process as Manager above.
6. Assistant – all objects
   a. Uses the Assistant column (or override value if specified) for the source object.
   b. Follows the same process as Manager above.
7. AltRecipient – This is not automatically reconciled by Directory Sync Pro.
Domino Directory Sync Pro Fields with Special Processing
The below tables include Domino fields with some kind of special processing in Directory Sync Pro. Fields can have
the following characteristic:
• On the “reserved” list, meaning any mappings for them will be ignored and overrides cannot be used.
Explicitly set, even without mapping:
Field
On the Reserved List
$BTAction
•
$BTSourceDirectoryID
•
Form - when Directory Sync Pro created
•
Type - when Directory Sync Pro created
•
AvailableForDirSync - explicitly set to 0, when Directory Sync Pro created
•
MailSystem - explicitly set to 3
•
MailDomain - set to Foreign Domain given in profile, when Directory Sync Pro created
•
CalendarDomain - groups only, set to Foreign Domain given in profile, when Directory
Sync Pro created
GroupType - groups only, explicitly set to 1, set for Directory Sync Pro created
•
$Grouptype_Help - groups only, explicitly set to 1, set for Directory Sync Pro created
GroupTitle - groups only, explicitly set to 1, set for Directory Sync Pro created
Never set:
Field
On the Reserved List
ResourceType
•
Can be mapped, but will use the given values if they exist (and ignores overrides in that case):
Field
On the Reserved List
DisplayName – groups only, set to TargetDisplayName if it has a value
PrimaryAlias – groups only, set to TargetPrimaryAlias if it has a value
SAMAccountName – groups only, set to TargetSAMAccountName if it has a value
InternetAddress – groups only, set to TargetInternetAddress if it has a value
Name – groups only, set to TargetName if it has a value
CommonName – groups only, set to TargetCommonName if it has a value
About Binary Tree
At Binary Tree, we power enterprise transformations. Our award-winning software and services help Enterprise
businesses modernize their Microsoft email, directories and applications by moving and integrating them to the
cloud. Binary Tree mitigates the risk of delays, downtime, and budget overruns for complex transformation
projects for large organizations. We understand Enterprise migration requirements that go well beyond the needs
of small companies. Since 1993, we’ve transformed more than 7,000 global clients and 40 million users, including
6 million to Office 365. Our business first approach helps plan, move and manage the transformation process from
end-to-end. So, clients stay focused on their core business while our experts deliver a low-risk, successful IT
transformation.
Binary Tree is a Microsoft Gold Partner and a globally preferred vendor for Office 365. Our headquarters are
located outside of New York City with global offices in the United Kingdom, France, Germany, Sweden and
Singapore. For more, visit us at www.binarytree.com.
© Copyright 2017, Binary Tree, Inc. All rights reserved.
Binary Tree, the Binary Tree logo, and any references to Binary Tree’s products and services, are trademarks of Binary Tree, Inc. All other
trademarks are the trademarks or registered trademarks of their respective rights holders.