Issue with AD synch across domains (2010)

  • Question

  • Hi all

    I'm again having some issues with one of our Project Server 2010 installations (incl. 02-2011 CU) where I'm trying to synchronize Project Server groups with Active Directory groups.

    We have a rather complicated structure of various user domains. All of the users I'm trying to sync belong to domains that either have a forest trust or a domain trust with the domain that Project Server resides in. It seems that syncing users from domains with a forest trust works just fine. However, users from a domain with a domain trust never show up in the Project Server security groups. Establishing a forest trust for these domains as well is not possible for organizational/political reasons.

    Interestingly enough, SharePoint seems to be able to "see" these users when checking their permissions from within the PWA site > Site Actions > Site Permissions > Check Permissions.

    Does anyone have any ideas on what might be wrong here? Is there any way I can monitor or even manipulate the way Project Server handles the AD synchronization?

    Thanks for your help!

    Marc

    Thursday, August 4, 2011 6:33 PM

Answers

  • Project Server relies on Display name, so the Global Catalog should provide the complete information when it's trying to fetch the data. Apart from that, it requires a two-way trust for successful synchronization.

    Try to modify the People Picker and check the status.

    Using People Picker with multiple forests or domains

    ---------------------------------------------------------------

    By default, People Picker will only return users, groups, and claims from the domain on which SharePoint Server 2010 is installed. If you want People Picker to return query results from more than one forest or domain, you must either have a two-way trust between the forests or domains, or you must configure People Picker to use an encrypted account and password for a one-way trust between forests and domains. For more information about trusts, see Managing Trusts (http://go.microsoft.com/fwlink/?LinkId=207573).

     

    To configure People Picker for a one-way trust, you must first use the Stsadm setapppassword operation to set the password for use on the trusted forest or domain, and then use the Peoplepicker-searchadforests property for the setproperty operation to specify the forest or domain to search. Remember that the settings for People Picker are configured per zone for a Web application, so if you have more than one forest or domain in your farm, you must combine the accounts and passwords into a single command for the setproperty operation. For more information, see Peoplepicker-searchadforests: Stsadm property (Office SharePoint Server).

    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Contoso.com,Contoso\User1,Password1; domain:Fabrikam.com,Fabrikam\User2,Password2" -url http://ServerName

     

    Additional Info:

     

    http://technet.microsoft.com/en-us/library/cc263460(office.12).aspx

    http://technet.microsoft.com/en-us/library/gg602068.aspx

    http://technet.microsoft.com/en-us/library/dd279546.aspx

    http://msdn.microsoft.com/en-us/library/dd303522(PROT.13).aspx


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
    Friday, August 5, 2011 10:34 PM
    Moderator
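
The two steps described in the answer above (setapppassword first, then the peoplepicker-searchadforests property), run in order with a read-back at the end. This is an added PowerShell example, not part of the original post or of Microsoft's documentation. The stsadm.exe path is the assumed default for a SharePoint 2010 install, and http://ServerName and Fabrikam.com are the placeholders from the quoted command.

```powershell
# Added example. Assumed: default SharePoint 2010 stsadm.exe location; URL and
# domain are the placeholders from the command quoted above. Run elevated.
# setapppassword has to be run on every front-end web server with the same key.
$stsadm   = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
$zoneUrls = @('http://ServerName')     # one URL per zone of the web application
$target   = 'domain:Fabrikam.com'      # the domain reached over the one-way trust

# Prompt for both secrets so they are not saved in the script file.
# They are still handed to stsadm.exe as process arguments.
$keySecure = Read-Host 'Application password (encryption key)' -AsSecureString
$key  = (New-Object System.Management.Automation.PSCredential 'key', $keySecure).GetNetworkCredential().Password
$cred = Get-Credential                 # enter the lookup account as DOMAIN\user

function Invoke-Stsadm([string[]]$StsArgs) {
    # Run stsadm and stop at the first failure; only the operation name is
    # echoed in the error, never the argument values.
    & $stsadm $StsArgs
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o $($StsArgs[1]) failed (exit code $LASTEXITCODE)" }
}

# Step 1: set the key used to encrypt the account password stored in step 2.
Invoke-Stsadm '-o', 'setapppassword', '-password', $key

# Step 2: register the domain and lookup account for each zone, then read the
# property back. Further forests or domains are appended to the same value,
# separated by ';' as in the quoted command.
$pv = '{0},{1},{2}' -f $target, $cred.UserName, $cred.GetNetworkCredential().Password
foreach ($url in $zoneUrls) {
    Invoke-Stsadm '-o', 'setproperty', '-pn', 'peoplepicker-searchadforests', '-pv', $pv, '-url', $url
    Invoke-Stsadm '-o', 'getproperty', '-pn', 'peoplepicker-searchadforests', '-url', $url
}

# Drop the plaintext copies from the session.
Remove-Variable key, pv
```

A read-only domain account with no other rights is enough for the lookup account, which keeps the stored credential low in value if the farm is compromised.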

All replies

  • Thanks for the pointer, Sriram!

    We're currently investigating in this direction and have also opened an Advisory Call with MSFT to ensure we'll find a solution!

    I will post any relevant findings.

    Marc

    Thursday, August 18, 2011 10:31 AM
  • Marc,

    Did you get any feedback on this? Thanks

    Allan

    Wednesday, September 21, 2011 6:39 PM