Establishing a co-existence environment between Lotus Domino and Exchange 2000/3, based on SMTP and Microsoft Identity Integration Server

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Hang on, what about the Lotus Notes Connector? Microsoft ships the Lotus Notes Connector with Exchange Server 2000/3. It provides a high level of interoperability with Lotus Notes, including directory synchronization, mail flow and free-busy updates between the two systems. Furthermore, Microsoft has published very detailed prescriptive guidance on co-existence with Lotus Notes using the Lotus Notes Connector as the interoperability mechanism. Therefore the Lotus Notes Connector should always be the preferred way of establishing a co-existence environment between Lotus Domino and Exchange. At the same time, some customers have expressed an interest in using the native SMTP capabilities of both systems for establishing a co-existence environment. In their view, using a native industry-standard protocol like SMTP would simplify interoperability and reduce support cost, even at the expense of losing some features provided by the Lotus Notes Connector (e.g. free-busy update and directory synchronization).

Objective of this blog: This blog explores the possibility of using Microsoft Identity Integration Server (MIIS) to provide bi-directional directory synchronization between Exchange 2000/3 and Domino, while mail flow is handled through SMTP. It should be viewed strictly as a proof of concept, not as prescriptive guidance.

Establishing mail-flow between Exchange 2000/3 and Lotus Domino through SMTP

This blog assumes that Exchange and Domino are sharing the same SMTP address space, since this is the most common scenario.

Both systems would need to be modified to allow for sharing of SMTP space.

Configuring Exchange

I recommend familiarizing yourself with this article: Authoritative and nonauthoritative domains in Exchange 2000 Server and in Exchange Server 2003, since it provides the necessary conceptual background on how Exchange handles processing of incoming mail.

The step-by-step instructions for configuring Exchange to share an SMTP address space with a foreign mail system can be found here:

How to Configure Exchange to Forward Messages to a Foreign Messaging System That Shares the Same SMTP Domain Name Space

Configuring Domino

Assuming that Domino is already configured for SMTP, all we need to do is configure a local smart host. In other words, if Domino cannot find a recipient within its database, the message will be forwarded to the smart host. In this configuration the smart host is the fully qualified domain name of an Exchange server.

You may have to restart Domino for changes to take effect.

At this point you should be able to route mail between Exchange and Domino, but your users will not be able to select destination addresses from the respective directories. The remaining portion of this blog concentrates on establishing bi-directional synchronization between Active Directory and Domino using MIIS.

Establishing bi-directional directory synchronization between Active Directory and Domino using MIIS

Note: This blog only deals with synchronization of e-mail addresses; distribution lists are not currently handled. The solution could be extended to provide bi-directional synchronization for distribution lists if required.

Logical Overview of the solution

Main Design Objectives

Processes Flow

New Mailbox Added in Domino

  1. On the next scheduled run MIIS will detect a change and import the new Notes Mailbox into the Metaverse as a Domino User Object.

Note: To make the solution more intuitive I created a new object within MIIS schema for Domino Users, which is based on default MIIS Person object. The same was done for the Exchange Users. Such separation allows for easier rule processing and object deletion rules.

  2. Following the import MIIS will export the new Domino User into Active Directory as a mail-enabled contact.

New Mailbox-Enabled User Added in Active Directory

  1. On the next scheduled run MIIS will detect a change and import the new Mailbox-Enabled User into the Metaverse as an Exchange User Object.

  2. Following the import MIIS will export the new Exchange User into Domino as a contact.

Solution Implementation Walkthrough

Extending MIIS Schema to accommodate for the two new objects (Domino User and Exchange User)

  1. Within MIIS Administrator switch to Metaverse Designer
  2. Click on Create Object Type
  3. In object type name type DominoUser (this name is arbitrary, but if you want to use code samples from this blog then you need to stick to this naming convention).
  4. Select the following attributes for this object:

        cn, displayName, givenName, mail, mailNickname, sn

        Note: You can add additional attributes if required, this is simply the minimum required set

  5. Repeat steps 2 - 4, substituting ExchangeUser for DominoUser in step 3.

Installing Provisioning and Management Agent Rule Extension DLL

  1. Download this file and unzip it into C:\Program Files\Microsoft Identity Integration Server\Extensions on your MIIS server. Now you should have the following 2 files in your extensions folder:

        If you would like to examine or modify these files then download the sources from here.

  2. In MIIS Administrator click on Tools->Options. Under the rule extension name specify DominoExchangeSharedSMTP.dll and select Enable Metaverse rule extension and Enable Provisioning Rule Extension.

Importing Management Agents

A total of 4 management agents are required to make this scenario work:

  1. Download this file and unzip it on your MIIS server. This file contains exports of the management agents required for this scenario.
  2. Prior to importing the management agents for Domino you must install a Lotus Notes client. The officially supported version of the Lotus Notes client is 5.0. You will also need a Notes ID file with administrative privileges on Domino, since MIIS needs a security context on Domino in order to create new contacts. I suggest that you validate the ability to connect to Domino from the MIIS server prior to proceeding to step 3.
  3. In MIIS Administrator click on Actions->Import Management Agent and navigate to the location where you unzipped the files in step 1. Choose LotusInternetMailMA.xml.
  4. Click on Next to accept the pre-configured MA name.
  5. In this step you need to specify the name of a Domino server that holds a replica of the Domino directory. Also provide the location of the Notes ID file and the password for a user with sufficient privileges to read the Domino directory.
  6. Since this particular management agent will be creating contact objects in the Domino directory, we need to provide the Notes ID file and password for a user that has permissions to create new objects (certifier). Click on Add and provide the information appropriate for your environment.
  7. After this point simply complete the wizard by choosing the pre-configured values.
  8. Repeat steps 2 - 7 for LotusNotesMailMA.xml. Skip step 6, since this management agent does not need to create any new objects in Domino: simply leave the form in step 6 blank and press Next.
  9. Next we need to import the AD-related management agents. In MIIS Administrator click on Actions->Import Management Agent and locate ADMailEnabledUsersMA.xml.
  10. Click on Next to accept the pre-configured management agent name.
  11. Provide security information for a user account with sufficient privileges to enumerate AD user objects.
  12. In this step we need to specify the OUs which MIIS will search for mailbox-enabled users. In this scenario I assumed that the exchange OU is the place where all mailbox-enabled users will be created. Of course you can select multiple OUs.

Important: Create a dedicated OU for contacts that represent Domino users, and do not place any other objects into that OU.

  13. Complete the rest of the wizard by accepting the pre-configured values.
  14. Repeat steps 9 - 13 for ADContactsMA.xml. In step 12 select the OU dedicated to Domino contacts.


Configuring object deletion rules

  1. In Metaverse Designer select DominoUser and click on Configure Object Deletion Rule. Specify to delete the object when the LotusNotesMailMA connector disconnects.
  2. Select ExchangeUser and click on Configure Object Deletion Rule. Specify to delete the object when the ADMailBoxEnabledUsersMA connector disconnects.


Executing run profiles

  1. For each imported management agent execute the Full Import Stage Only profile. This will populate MIIS with placeholders for OU, Domain and Organization objects.
  2. Since both systems support delta import, create run profiles for delta import and delta synchronization.
  3. I recommend running the profiles in the following order:

        LotusMailMA (delta import and delta sync)->ExchangeContactMA (export and delta import stage only) - this will provide the synchronization from Domino to Exchange

        ExchangeMailBoxEnabledUsersMA (delta import and delta sync)->LotusInternetMailMA (export and delta import stage only) - this will provide the synchronization from Exchange to Domino


Test the solution

  1. Create a new Notes mailbox. Ensure that MIIS creates a corresponding contact for this user in AD.
  2. Create a new mailbox-enabled user in AD. Ensure that MIIS creates a corresponding contact for this user in Domino.
  3. Delete a Notes mailbox. Ensure that MIIS deletes the corresponding contact in AD.
  4. Delete a mailbox-enabled user in AD. Ensure that MIIS deletes the corresponding contact in Domino.
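
The checks above can also be run against directory exports instead of by eye. The following is an added example, not part of the original post or its downloads: it covers the Domino-to-AD direction (steps 1 and 3) and the dedicated-OU rule, and assumes LDIF exports of the Domino mailboxes (with a mail attribute) and of the AD contacts OU (contacts carrying targetAddress). The function names and sample records are constructed for illustration.

```python
import base64
import re

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} records."""
    text = re.sub(r"\r?\n ", "", text)               # unfold continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text):         # blank line separates records
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):                # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def smtp_address(rec):
    """Lower-cased SMTP address from targetAddress or mail, else None."""
    for value in rec.get("targetaddress", []) + rec.get("mail", []):
        addr = value[5:] if value.upper().startswith("SMTP:") else value
        if "@" in addr:
            return addr.strip().lower()
    return None

def reconcile(domino_mailboxes_ldif, ad_contacts_ou_ldif):
    """Compare Domino mailboxes with the objects in the dedicated AD contacts OU."""
    mailboxes = {a for a in map(smtp_address, parse_ldif(domino_mailboxes_ldif)) if a}
    contacts, foreign = set(), []
    for rec in parse_ldif(ad_contacts_ou_ldif):
        addr = smtp_address(rec)
        if addr and "contact" in (c.lower() for c in rec.get("objectclass", [])):
            contacts.add(addr)
        else:
            foreign.append(rec.get("dn", ["?"])[0])  # not a mail-enabled contact
    return {"missing": sorted(mailboxes - contacts),   # test step 1 would fail
            "orphaned": sorted(contacts - mailboxes),  # test step 3 would fail
            "foreign": foreign}                        # breaks the dedicated-OU rule

# Constructed sample exports (not real directory data).
DOMINO = ("dn: CN=Ann Lee,O=Example\nmail: Ann.Lee@example.com\n\n"
          "dn: CN=Bo Chen,O=Example\nmail: bo.chen@example.com\n")
AD_OU = ("dn: CN=Ann Lee,OU=DominoContacts,DC=example,DC=com\nobjectClass: contact\n"
         "targetAddress: SMTP:ann.lee@example.com\n\n"
         "dn: CN=Old User,OU=DominoContacts,DC=example,DC=com\nobjectClass: contact\n"
         "targetAddress: SMTP:old.user@\n example.com\n\n"
         "dn: CN=Printers,OU=DominoContacts,DC=example,DC=com\nobjectClass: group\n")
```

An "orphaned" entry is a contact whose Domino mailbox no longer exists, which means the object deletion rule or the export run did not take effect for it.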