Solved

SharePoint People Picker over External Two Way Trust

Posted on 2012-03-29
7
1,879 Views
Last Modified: 2012-06-27
Experts:

Here is the situation: I have Domain A and Domain B.  The two have a two way, domain wide trust relationship.  I have a SharePoint server in each domain, we'll call them SP Server A in Domain A and SP Server B in Domain B.

SP Server A is running SP 2010 on Win 2K8 R2 in a Win 2K8 R2 AD environment (Domain A).

SP Server B us running SP 2007 on Win 2K3 in a Win2K3 AD environment (Domain B).

I can add users from Domain A or B to SP Server A with no issues.  I can add users from Domain A or B to *files and folders* on SP Server B with no issues.  But, I *cannot* add users from Domain A to any of the SharePoint permissions groups on any web applications on SP Server B.

The Server B people picker simply doesn't see anyone from Domain A.  I have tried multiple times to run:

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn “peoplepicker-searchadforests” -pv “domain:domain1.example.com,domain1\LoginName, P@ssword; domain:domain2.example.com,domain2\LoginName, P@ssword; domain:domain3.example.com,domain3\LoginName, P@ssword“

And it always reports back succesful, but no matter what I put in those fields, it has no effect on what the names that the people picker pulls (it always only sees people from Domain B).

I have been able to add users from Domain A to a security group in Domain B, then add that security group to SP Server B.  It takes the group, but am I still unable to access any sites on SP Server B using credentials from users in Domain A.

What am I doing wrong?  It seems like every little thing is in its place and yet my older SP web application won't recognize that the other domain exists, even though the server itself (that is, Windows) sees it just fine.

Thanks,
Matt
0
Comment
Question by:mhentrich
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785203
Since you have a two way trust, you shouldn't have to set the AppPassword.  So my advice would be to go ahead and specify the Forest names as well.  Also, you don't need to specify a user/password for the local forest and domain names.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:remoteforest.int,remote\user,password;forest:localforest.int;domain:remotedomain.int,remote\user,password;domain:localdomain.int -url http://sharepointurl
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785209
i'm curious.....when you deployed SharePoint server B....did you run that stsadm command right away?  Or did you try to add people before running it?  SharePoint should be able to see all two way trusts by default.  Wondering if running the command threw it off.
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785218
The more I think about this.....even my script isn't right.  You shouldn't have to designate user/passwords for the remote domain since there is a two way trust.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:mhentrich
ID: 37785368
Achilles,

Thanks, I agree that I shouldn't have to.  It's odd, I can put username/passwords in or leave them out, the command still completes succesfully, but has no impact on the people picker.

I ran the getproperty command against SP Server A (the one that sees both domains) and it returns "Property Exist=No".  So, I didn't even have to run this command or set any such properties on that server and it works fine.  Server B, however, doesn't work no matter what I do.  Any ideas?

Matt
0
 

Author Comment

by:mhentrich
ID: 37785389
Quick note though: the first time I ran this command on Server B, it DID make me set an app password.  I have no idea why, because the trust it two-way and each SP server is standalone (i.e. not part of a larger farm).
0
 

Accepted Solution

by:
mhentrich earned 0 total points
ID: 37789893
Folks,

Since I got no solid answers here, I resorted to calling MS themselves.  A gentleman there instructed me to set up a Forest Trust instead of an External Trust.  That did not solve the People Picker issue but it did allow me to add users from the one domain to the other.

Thanks anyways,
Matt
0
 

Author Closing Comment

by:mhentrich
ID: 37805224
Nobody else answered it.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now