The problem with the People Picker is this: SharePoint does not resolve account names from the other (trusted) domain. It simply cannot find them. You can open the firewall any way you like; it's not going to happen. It won't even try to contact a domain controller in the other domain. We need to tell SharePoint that it should search in other domains too. As of today, there doesn't seem to be a PowerShell command to do this, so we're going old school with stsadm.
First, we set an encryption key (execute this on each server in the farm):
stsadm -o setapppassword -password ******
Second, we register all the domains that need to be searched for account names (this is done per Web Application, not per server):
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainB.local;domain:domainA.local,domainA\account,password" -url http://webapplication
That should be all! Remember that at least firewall ports 88, 139 and 445 should be open.
This particular problem is not SharePoint 2010 specific; SharePoint 2007 has the same issue. It is strange, however, that there is no PowerShell replacement for this. The need for cross-domain name resolution is just as present today as it was 3 years ago, if not greater.
Hi,
I tried these settings, but still there aren't results when trying to select a user from the other domain. All mentioned ports are open, there is a two way trust, so eventually the searchadforests command isn't necessary. According to Microsoft you only have to use this when you are using a one-way trust.
Anyway, I just configured like you said, but still users from the other domain are not showing in people picker.
Are there any other things involved like e.g. AD profiles / SSP?
When People Picker does not resolve names even with the extra property set through stsadm, I'd check network traffic. There is not much more to configure on the SharePoint side. Monitor the traffic between the SharePoint (WFE) server and the Domain servers (all of them).
I figured out DNS was not configured correctly. There were no forwarders to the trusted domain on the domain controllers at our site.
This is a strange combination of ports: "Remember that at least firewall ports 88, 139 and 445 should be open"
LDAP queries use ports 389 (LDAP) and 3268 (Global Catalog). Refer to this link: http://technet.microsoft.com/en-us/library/cc755809(WS.10).aspx
Is this applicable if your AD structure has child domains?
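The two failure causes that came up in this thread, DNS not forwarding to the trusted domain and firewall ports (the post's 88/139/445 versus the LDAP/GC ports 389/3268 raised in the comments), can be checked from the WFE before touching stsadm. The script below is an added diagnostic, not part of the original post; it assumes the placeholder domain name domainB.local from the post and uses only nslookup and .NET sockets so it runs on the Windows versions SharePoint 2007/2010 ship on.

```powershell
# Added diagnostic (not from the post): from a SharePoint WFE, verify that the
# trusted domain's DCs can be located via DNS and reached on the ports People
# Picker lookups depend on. $TrustedDomain is a placeholder; replace it.
param(
    [string]$TrustedDomain = 'domainB.local'   # placeholder from the post's example
)

# 1. DNS: the WFE must resolve the trusted domain's DC locator SRV records.
#    Missing forwarders (the cause one commenter found) show up here first.
$srv = "_ldap._tcp.dc._msdcs.$TrustedDomain"
$dcs = @()
$out = & nslookup.exe -type=SRV $srv 2>&1
foreach ($line in $out) {
    if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $dcs += $Matches[1] }
}
if ($dcs.Count -eq 0) {
    Write-Warning "No DC SRV records for $TrustedDomain. Check forwarders or conditional forwarding on this site's DNS servers."
    return
}
"Domain controllers for ${TrustedDomain}: $($dcs -join ', ')"

# 2. TCP reachability from this WFE to every DC on the ports the post and the
#    comments mention: Kerberos (88), NetBIOS session (139), SMB (445),
#    LDAP (389) and Global Catalog (3268). A 3 s timeout counts as blocked.
$ports = @{ 88 = 'Kerberos'; 139 = 'NetBIOS'; 445 = 'SMB'; 389 = 'LDAP'; 3268 = 'GC' }
foreach ($dc in $dcs) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            $async = $client.BeginConnect($dc, [int]$p, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        '{0,-40} {1,5} {2,-9} {3}' -f $dc, $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it on each WFE; a BLOCKED row on 88/389/3268 or an empty DC list explains a silent People Picker far more often than the stsadm property itself, which you can confirm afterwards with stsadm -o getproperty -pn peoplepicker-searchadforests -url http://webapplication.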