Running SharePoint Server 2007 in a multi domain environment?

  • Question

  • Can anybody suggest a good resource or answer this problem?

    I'm running MOSS 2007 in a multi-authentication, multi-domain (separate forests) environment and cannot find any documentation that clearly explains the overall configuration when running within the same MOSS farm.

    Before anybody asks, the reason for this configuration is that one HR department and upper management team overlooks a number of companies in the same building and at other locations around the world. 

    We have managed to set up multiple authentication providers using both AD and SQL/ASP.NET forms authentication, using the standard method of extending web applications, as well as configuring a custom profile connector on the SSP admin site.  This works fine and imports the new AD accounts, but they will not display in the People Picker when adding these accounts to any web applications.  The ASP.NET forms-authenticated users stored in SQL show up as expected.

    We have tried running the stsadm.exe peoplepicker command to add a new forest, but it just errors every time we try with MOSS 2007.  stsadm.exe desperately needs a GUI interface and much better documentation; the argument that it is a powerful way to manage SharePoint would be great if the documentation explained exactly what the commands were and how to type them!

    What are we missing to get this to work?

    Wednesday, January 17, 2007 9:57 AM

All replies

  • 1. The farm (all servers) needs to be entirely within 1 domain.

    2. Users in the forest that the server is in will automatically show up.  Forests that have at least a one way trust to that forest can be "searched" for adding users using the stsadm command in the blog post from venky. 

    If it is not a two way trust then you will need to specify an account.  The "peoplepicker-searchadforests" property allows you to search.  You can add multiple forests, domains, and accounts.

    stsadm.exe -o setproperty -url http://server:port -pn "peoplepicker-searchadforests" -pv "forest:foo.corp.com;domain:bar.foo.corp.com", LoginName, P@ssword

    I just posted a more thorough cross forest explanation on my blog.


    Thursday, January 18, 2007 4:10 PM
  • Thanks Joel for your very helpful response.

    It so happens that a few of the domains are using Small Business Server 2003.  As far as we are concerned, a cross-domain share is not an option for security reasons.  Could you shed some light on any alternative solutions for adding users to MOSS 2007 from an SBS 2003 domain?


    Tuesday, January 23, 2007 5:20 PM
  • This is an old thread, but it still shows up in searches, so I thought I might add my experience. The only way I could get the command to actually take effect (the command line was always accepted, but the value never changed) was to type it with this syntax:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:mydomain.com,user,password"

    The following things, which are usually included in the syntax on different websites, prevented MOSS from actually enforcing my input value:

    It would not work if I had spaces after the commas that are placed after the domain and user. It would not work if I had the closing quotation mark after the domain name (which of course makes sense; it's just that a TechNet article misleads about this). It would not work if I supplied the "-url" parameter anywhere on the command line.

    I hope this helps someone out there!
    • Edited by Blue Shield Thursday, August 28, 2008 8:40 AM Corrected spelling.
    Thursday, August 28, 2008 8:38 AM
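The two posters above disagree on the exact shape of the peoplepicker-searchadforests value, and the last one lists the formatting mistakes that make stsadm silently ignore it. As an added example (not code from either poster or from SharePoint), the parser below checks a candidate value for those mistakes before it is typed into stsadm, and rebuilds it in the spacing-free form. It assumes the value shape described by the thread: entries separated by ';', each 'forest:<fqdn>' or 'domain:<fqdn>', optionally followed by ',user,password' for the account used to search that forest.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed value shape for peoplepicker-searchadforests (inferred from the thread):
# entries separated by ';', each "forest:<fqdn>" or "domain:<fqdn>", optionally
# followed by ",<user>,<password>" for the account used to search that forest/domain.
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

@dataclass
class ForestEntry:
    kind: str                 # "forest" or "domain"
    name: str                 # fully qualified forest/domain name
    user: Optional[str] = None
    password: Optional[str] = None

def parse_searchadforests(value: str) -> Tuple[List[ForestEntry], List[str]]:
    """Split a property value into entries; return (entries, list of problems found)."""
    entries, problems = [], []
    if '"' in value:
        problems.append("literal quotation mark inside the value; quote the whole -pv argument only")
    for raw in value.replace('"', "").split(";"):
        if not raw:
            problems.append("empty entry (stray or trailing ';')")
            continue
        # Spaces after the commas are the pitfall reported above: the value is accepted but never applied.
        if raw != raw.strip() or ", " in raw:
            problems.append(f"whitespace next to a separator in {raw!r}; stsadm will not apply the value")
        parts = [p.strip() for p in raw.split(",")]
        kind, sep, name = parts[0].partition(":")
        if sep != ":" or kind not in ("forest", "domain"):
            problems.append(f"{parts[0]!r} must start with 'forest:' or 'domain:'")
            continue
        if not FQDN_RE.match(name):
            problems.append(f"{name!r} is not a fully qualified forest/domain name")
        if len(parts) == 3:
            entries.append(ForestEntry(kind, name, parts[1], parts[2]))
        elif len(parts) == 1:
            entries.append(ForestEntry(kind, name))
        else:
            problems.append(f"{raw!r} must be 'type:name' or 'type:name,user,password'")
    return entries, problems

def format_searchadforests(entries: List[ForestEntry]) -> str:
    """Join entries with no spaces after separators, the form stsadm actually applies."""
    return ";".join(
        f"{e.kind}:{e.name}" + (f",{e.user},{e.password}" if e.user is not None else "")
        for e in entries
    )
```

Running the first reply's value through parse_searchadforests reports the misplaced quote and the spaces after the commas, while the last reply's value passes with no problems.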