Active Directory Import with a two way trusted forest SharePoint 2016

    Question

  • Hi,

    I'm trying to avoid setting up MIM as we don't have a specific requirement for it. Whilst configuring ADI I'm struggling to import from a domain on a two-way trusted forest though. I can set up the synchronisation connection, but no profiles are imported when I run the sync.

    I receive a cryptic error in the ULS logs along the lines of:

    UserProfileADImportJob.ImportDC: exception: System.ComponentModel.Win32Exception (0x80004005): The operation completed successfully

    Has anyone had similar problems and can confirm whether ADI supports syncing with a two-way trust? The official documentation says trusts aren't supported with ADI, but it doesn't refer to whether this is one or two-way.

    Thanks
    Matt

    Monday 11 June 2018 10:51

Answers

  • Note that ADI does support multiple synchronization connects to forests, it just does not support a single connection to multiple forests. This does look like it might boil down to a permissions issue on the target forest with the sync account as Allen indicated.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Matt041987 Thursday 14 June 2018 08:17
    Tuesday 12 June 2018 15:05
    Moderator

All replies

  • Hi Matt,

    Trusts aren't supported with ADI, no matter whether it is one- or two-way.

    Active Directory Import allows you to import users from active directory into your SharePoint environment. The AD import option does not support multi-Forest scenarios such as:

    1. If you have a trust between two forests, the trusted forest objects will not be imported.

    2. If you need to import users from multiple domains, you must create multiple synchronization connections. If you have multiple domains to manage, use MIM.

    Refer to below article about how to configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server:

    https://docs.microsoft.com/en-us/sharepoint/administration/configure-profile-synchronization-by-using-sharepoint-active-directory-import 

    Besides, pay attention below things when you Enable Active Directory Import:

    1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

    2. Verify that the synchronization account for a connection to Active Directory Domain Services (AD DS) has the "Replicate Directory Changes" permission on the domain.

    3. If you are mapping the attributes using ADI, you need to type the attributes in the textbox.

    Best regards,

    Allen Bai


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday 12 June 2018 09:17
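The "Replicate Directory Changes" prerequisite from the reply above can be checked rather than assumed. The following is an added example (not code from the thread or from Microsoft) that reads the security descriptor of a domain naming context and reports whether a given sync account holds that control access right; the domain, account and DC names are hypothetical placeholders.

```powershell
# Added example, not from the thread: verify that a synchronization account holds the
# "Replicating Directory Changes" control access right on a domain naming context.
# Hypothetical values: domain 'trusted.example', account 'CONTOSO\svc-sync', DC 'dc01.trusted.example'.
# Needs the ActiveDirectory RSAT module and read access to the domain object's security descriptor.
Import-Module ActiveDirectory

# rightsGuid of the "Replicating Directory Changes" control access right
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicateChangesRight {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the domain to check
        [Parameter(Mandatory)][string]$Account,  # NTAccount form, e.g. 'CONTOSO\svc-sync'
        [string]$Server                          # optional: a specific DC of that domain
    )
    $common = @{ Server = if ($Server) { $Server } else { $Domain } }

    # Resolve the account to a SID so the comparison does not depend on name formatting
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Read the security descriptor of the domain naming context (what ADI/MIM replicate from)
    $domainDn = (Get-ADDomain @common).DistinguishedName
    $sd = (Get-ADObject -Identity $domainDn -Properties nTSecurityDescriptor @common).nTSecurityDescriptor

    # Keep only Allow ACEs that carry the ExtendedRight bit for this specific control access right
    $matching = $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $ReplicateChangesGuid
    }

    # Compare trustees by SID; an IdentityReference may already be a raw SID (orphaned ACE)
    $direct = $matching | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
        catch { $false }
    }

    [pscustomobject]@{
        Domain          = $Domain
        Account         = $Account
        AccountSid      = $sid.Value
        GrantedDirectly = [bool]$direct
        # Every trustee holding the right: useful when it is granted through a group instead
        Trustees        = @($matching | ForEach-Object { $_.IdentityReference.Value })
    }
}

Test-ReplicateChangesRight -Domain 'trusted.example' -Account 'CONTOSO\svc-sync' -Server 'dc01.trusted.example'
```

If GrantedDirectly is false but the account is a member of one of the listed Trustees, the right is still effective; only direct ACEs are matched by SID here.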
  • Thank you for your replies.

    Trevor, I thought that it should work. I've switched to MIM anyway now though as the profile picture import will be useful.

    I'm having problems with that regarding the trusted domain again though. It may be the same reason that the ADI import was failing. I've created the second ADMA for the trusted domain and can connect to the forest. I get an error when running the import or clicking the 'Containers' button under 'Partitions' though: "the connection was forcibly closed by the remote host".

    I'm assured that the account has 'replicate directory changes' on the second forest. 

    Do you have any idea what might be causing this or how I could debug it?

    Thanks,
    Matt

    Wednesday 13 June 2018 12:42
  • Forcibly closed typically means firewall (or other network access) issue. If using tcp/389, validate access. If using tcp/636, there must be a valid, trusted certificate on the Domain Controller.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday 13 June 2018 16:01
    Moderator
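The two checks Trevor lists (reachability on the LDAP port, and a certificate the client trusts on tcp/636) can be run from the MIM server in one go. This is an added example, not code from the thread; the domain controller name is a hypothetical placeholder.

```powershell
# Added example, not from the thread: test a trusted-forest DC on tcp/389 and tcp/636 and,
# for LDAPS, report whether the certificate it presents chains to a root this machine trusts.
# Hypothetical DC name: 'dc01.trusted.example'.
function Test-DcLdapEndpoint {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int[]]$Ports = @(389, 636),
        [int]$TimeoutMs = 5000
    )
    foreach ($port in $Ports) {
        $r = [ordered]@{ Server = $DomainController; Port = $port; TcpOpen = $false;
                         CertSubject = $null; ChainStatus = $null; Error = $null }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # A filtered port times out; a reset ("forcibly closed") fails immediately
            if (-not $client.ConnectAsync($DomainController, $port).Wait($TimeoutMs)) {
                throw "connect timed out after $TimeoutMs ms"
            }
            $r.TcpOpen = $client.Connected
            if ($port -eq 636) {
                # Accept any certificate during the handshake so it can be inspected, then
                # judge trust with the local machine's own chain-building rules
                $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
                $ssl.AuthenticateAsClient($DomainController)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust and validity only, no CRL fetch
                $null = $chain.Build($cert)
                $r.CertSubject = $cert.Subject
                # Note: chain building does not verify that the name matches $DomainController
                $r.ChainStatus = if ($chain.ChainStatus.Count -eq 0) { 'Trusted' }
                                 else { ($chain.ChainStatus.Status -join ',') }
                $ssl.Dispose()
            }
        } catch {
            $r.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject]$r
    }
}

Test-DcLdapEndpoint -DomainController 'dc01.trusted.example'
```

A ChainStatus such as UntrustedRoot or PartialChain on 636 points at the certificate rather than the network, while TcpOpen = $false with a socket error points at a firewall or at the wrong DC being reached.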
  • Thanks Trevor. I checked port 389 and it was open though.

    I have now solved this issue if anyone else is having the same problem - turned out I just needed to specify the IP of a domain controller on the trusted domain in MIM (under preferred domain controllers).

    Wednesday 20 June 2018 13:43