Decommission Binary Tree DirSync and Coexistence – Part 2


Decommission DirSync

New Users

Depending on how your new joiner process is structured, you are most likely initiating user creation in Active Directory, or in an HR system that populates Active Directory and other systems. A new joiner request is therefore most likely already being sent to the Notes Admin team or to an automation process, and that process would remain. It is unlikely that DirSync is creating Notes Person Documents in the reverse direction.

New Notes Mail-In Databases

It would be unusual now for new Notes Mail-In Databases to be created given how far along you would be in your transition to Microsoft.  Almost certainly you will be using Shared Mailboxes, or probably Microsoft 365 Groups / Microsoft Teams.

If for any reason new Notes Mail-In Databases are still being created, then the corresponding Active Directory object would need to be created manually with all the correct attributes, such as targetAddress and proxyAddresses. This would require a process to be created or updated.

New Groups

Much like Mail-In Databases, net new Groups are most likely no longer being created in Domino, but Groups created in Exchange are potentially being added to Domino to ensure consistency across the platforms. Again, a process for creating the Group in both may be required, one that sets the mail attribute and proxyAddresses.

Updating Group Memberships

This is almost certainly the number one reason for retaining Directory Synchronisation.

The ambition here should be to switch the authoritative membership away from Domino and instead perform all updates only in Active Directory, ultimately even having Groups mastered in Exchange Online or Entra.

So, how best to achieve this without the need to perform dual updates?

Remediation of Group Memberships

Mail Groups

Ignoring ACL Only Groups and Multi-Purpose Groups for now, the short answer is to have a single member in a Domino Group, and that member should be the SMTP address of at least one of the proxyAddresses on the Group object in Exchange Online. For example, if I have a Distribution Group called “Notes Engineering” with a primary SMTP address of notes.engineering@contoso.com and 5 members:

First, I need to make sure that the corresponding AD Group is up to date, mark it out of scope of DirSync, and ensure that no deletion of that out-of-scope object flows during a DirSync operation.

Then update the Domino Group membership to a single member of: notes.engineering@contoso.mail.onmicrosoft.com

Thus, when an email is sent from within the Domino mail system, it will hit that Group and route to Exchange Online. EXO will resolve that address to the proxyAddress of the Group, and the message will then be bifurcated to all the members.
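A pre-flight check for the Mail Group remediation above, written as an added PowerShell example (it is not from the original post or from Binary Tree). It assumes the ActiveDirectory module is available and takes the tenant routing domain as a parameter; the contoso values are the post's placeholders.

```powershell
# Added example: confirm an AD Mail Group is ready to become the single
# forwarding member of its Domino Group, and report that member.
# Assumes the ActiveDirectory module; RoutingDomain is the tenant's
# *.mail.onmicrosoft.com domain (e.g. contoso.mail.onmicrosoft.com, placeholder).
function Get-DominoForwardingMember {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $RoutingDomain
    )

    # Pull the attributes the routing depends on, plus the membership that
    # must be confirmed current before the object leaves DirSync scope.
    $group = Get-ADGroup -Identity $GroupName -Properties mail, proxyAddresses, member

    if (-not $group.mail) {
        throw "Group '$GroupName' has no mail attribute; it will not resolve in Exchange Online."
    }

    # proxyAddresses entries look like 'SMTP:primary@contoso.com' (uppercase = primary)
    # or 'smtp:alias@contoso.mail.onmicrosoft.com' (lowercase = secondary).
    # -match is case-insensitive, so either form on the routing domain is accepted.
    $pattern = "^smtp:[^@]+@$([regex]::Escape($RoutingDomain))$"
    $routing = @($group.proxyAddresses | Where-Object { $_ -match $pattern }) |
        ForEach-Object { $_.Substring(5) } |
        Select-Object -First 1

    if (-not $routing) {
        throw "Group '$GroupName' has no proxyAddress in $RoutingDomain; add one before changing the Domino Group."
    }

    $primary = @($group.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) | Select-Object -First 1

    # What the operator needs: the single member to set in Domino, the primary
    # address it should fan out from, and the AD member count to verify against Domino.
    [pscustomobject]@{
        GroupName          = $group.Name
        PrimarySmtp        = if ($primary) { $primary.Substring(5) } else { $null }
        DominoSingleMember = $routing
        ADMemberCount      = @($group.member).Count
    }
}

# Usage with the post's example values (constructed):
# Get-DominoForwardingMember -GroupName 'Notes Engineering' -RoutingDomain 'contoso.mail.onmicrosoft.com'
```

Compare ADMemberCount with the current Domino membership before collapsing it, since that is the last point at which a discrepancy is cheap to fix.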

Access Control List only Groups

For Access Control List (“ACL”) only groups, if these have been synchronised at all, they will have been sync’d as AD Security Groups.

In my experience ACL-only groups are generally not synchronised, or if they are, they have typically been one-offs, as they are generally not fit for purpose in Active Directory: they are designed for Notes applications, with names like _READERS, _EDITORS and _MANAGERS, which often don’t make sense for non-Notes applications.

If new ACL Groups are being created and they are genuinely needed in AD, then that process will have to be manually managed through process documentation.

Multi-purpose Groups

This is where the real challenge is. Often these are the majority of Groups in a Domino environment because this is the default group type when creating groups.

You will need to conduct an audit of Notes Application ACLs. The Domino Domain Catalog can help here. It won’t show you whether a group is Multi-purpose or ACL Only, but you should be able to add a column to the view that looks up the Domino Directory to retrieve the Group Type.

Remediation of Multi-purpose Groups

Where you see a multi-purpose group is on an ACL you should duplicate it.  Convert the original Group to an ACL-only group and remove the group email address.  Then make the group you duplicated a Mail Only group and follow the guidance for Mail-only groups.

The ACL can remain untouched and continue to work.

Update the new Group’s name by appending “Mail Only” and give it the single forwarding member.
