Getting started configuring the latest Microsoft Identity Manager IBM Notes Management Agent with Domino v9.x

Lotus Notes. My old nemesis as both a user and as an Administrator is back to haunt me again.

There’s a reasonable amount written by others on the trials and tribulations of getting the FIM/MIM Notes / Domino Management Agent configured and working. However they are all referencing older versions of the Domino Management Agent and older versions of Domino. (If you are looking details on the previous versions checkout Michael’s great post here). The info on permissions is still valid, so make sure you’re on top of that.

The latest Notes / Domino Management Agent (March 2017) is available from here and supports v9.x of Domino and v9.x of the Notes Client.

Here’s a couple of the differences straight up;

The v9 Lotus Notes Client does not require the v8 client requirements of setting up the MA using x86 architecture. Use “Process” as MA Architecture as per the documentation
I managed to get the v9.0.0 and v9.0.1 FP4 clients to work. The latest is v9.0.1 FP8 available from here
There are two technical references from Microsoft for the Notes MA. This is the old version. After some hunting I located the documentation for the latest release here. Yes the new version of the MA and the associated documentation only become available mid-March 2017

Here’s a couple of quick tips for getting up and running with the latest MIM Notes MA;

Install the v9.x Lotus Notes Client on the MIM Sync Server
- Select Single User Install
Open the names.nsf and schema.nsf databases using the Notes ID you will be supplying to the Notes MA configuration

Enable Logging

Like anything, knowing what is going on, helps diagnose issues. This is how I enabled event log logging for the latest IBM Notes Management Agent

Edit the miiserver.exe.config file in the BIN folder. More than likely that will be in this path C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin
Add the following lines as shown in the graphic below

<source name="ConnectorsLog" switchValue="Information">
   <listeners>
     <add name="ConnectorsLogListener" 
     type="System.Diagnostics.EventLogTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
     initializeData="ForefrontIdentityManager.ManagementAgent"
     traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, Callstack" />
  </listeners>
</source>

Restart the Forefront Identity Manager Synchronization Service in services and when you run the Notes MA you will then see output in the Event Log under Forefront Identity Manager Management Agent.

Change the following line substituting Error, Warning, Information or Verbose for what you want logged.

<source name="ConnectorsLog" switchValue="Information">

If you want it to log to the Application Log then change the initializeData value to whatever you want. I used IBM Domino MA;

<source name="ConnectorsLog" switchValue="Information">
  <listeners>
    <add name="ConnectorsLogListener" 
    type="System.Diagnostics.EventLogTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    initializeData="IBM Domino MA"
    traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, Callstack" />
  </listeners>
</source>

… restart the Forefront Identity Manager Synchronization Service in services and when you run the Notes MA the logged data will land in the Application Log.

If you’ve used the Notes MA before, this should get you up and running with the latest.

Darren Robinson

Bespoke learnings from a Microsoft Identity and Access Management Architect using lots of Microsoft Identity Manager, Azure Active Directory, PowerShell, SailPoint IdentityNow and Lithnet products and services.