Lotus Domino Active Directory Integration – Possible and Practical

active-directory ibm-domino lotus-notes single-sign-on

So about 3 months ago I "inherited" a Lotus Domino setup, and quite frankly, it's a mess. Historically, it's had 10 years of the primary focus being on development rather than on management and housekeeping (none of the latter was actually done, I had guys who'd left the place 11 years back still in admin groups), with a predictable end result.

Now, I know how to clean up a mess, but while I'm doing that I'm also keeping one eye on the future, and something that I'm interested in investigating is the possibility of Active Directory integration. It doesn't make sense to me – in 2009 – to have yet another bunch of systems that require yet another username and password, inviting people down the route of yellow-sticky-note-syndrome (not to mention doubling our user/password management overhead).

With clients being a mixture of browser-based and trad-client-based, I'm wondering how practical this is. Has anyone done it, and how well does it work? Do we get completely transparent authentication without even having to re-enter network credentials, do we still have to fool around with ID files (gack), can we add AD users to Domino groups, that kinda stuff.

The server is 8.0.2 (on 2003 Server), clients mostly 8.0.1 and IE6, database applications but not Notes Mail are used. What little info I've seen on IBM is incredibly vague on the whole topic.

Best Answer

I personally don't have experience with the Domino / AD integration, but I've long thought about it and hope to try implementing it this year. What I do know is that IBM has a service built to synchronize Domino and AD user/group info in both directions, and that there is a company called PistolStar that appears to specialize in this area.

I would definitely start with the IBM integration service first and see where that gets you. In fact, I'm going to check it out today too.

http://www.ibm.com/developerworks/lotus/library/domino-adsync/index.html
