Resolve accounts across multiple forests (SharePoint Server 2010)


Applies to: SharePoint Server 2010

Microsoft SharePoint Server 2010 can be deployed in various Active Directory Domain Services configurations, including single-forest and multiple-forest environments.

When planning to deploy SharePoint Server 2010 across multiple forests, there are two primary configurations:

  • Resource forest deployments, where two or more forests are configured with a single logon forest that contains the user accounts, and those accounts are trusted by one or more resource domains that contain the file and application servers.

  • Multi-logon forest deployments, where two or more forests contain user accounts, and users access resources in the other forests through two-way trusts.

Note

There must be at least a one-way trust between the forests for the procedures that are described in this article to work correctly.

For more information about how to resolve accounts across multiple forests and an illustration that shows the relationship between the forests, see the Microsoft SharePoint Team Blog (https://go.microsoft.com/fwlink/?LinkId=186152).

Resource forest deployment

In a resource forest configuration, all user accounts exist in one or more top-level account forests, and all users log on with credentials from those forests. The resource servers, such as Microsoft Exchange Server and SharePoint Server 2010, are installed in a separate resource forest, which maintains a one-way trust to each account forest. The resource forest contains shadowed, non-logon accounts for each user who accesses the resource forest; these accounts contain metadata about the user that is derived from the ms-ds-Source-Object property of the user account.

In this kind of deployment, SharePoint Server 2010 draws Active Directory information from a container in the resource forest’s directory, and bases the user profiles and My Sites creation on that information.

Multi-logon forest deployments

In a multi-logon forest deployment, user accounts are distributed across two or more forests. There are typically two-way trusts between all of the forests. This scenario is often the result of a merger between organizations where the decision was made to maintain the existing forests and provide users access to resources in each forest. Because many existing applications depend on the forest structure in which they are deployed, some users are granted an account in each forest to which they need access.

In this kind of deployment, SharePoint Server 2010 is deployed in one of the forests, with a Directory Connection to each forest in which user accounts reside. You then use the distinguished name attribute (ms-ds-Source-Object-DN) of the user object to create an association between the user's accounts. In this relationship between the multiple accounts that belong to a single user, one account is considered the primary account, and all other accounts are considered alternates of the primary. You can use Microsoft Forefront Identity Manager to create this relationship between user account objects.

The expected user experiences for various features are listed in the following table:

Feature: Profile page and object model
User experience: SharePoint Server 2010 maintains the list of alternate accounts by which the profile is identified. When you use any of these accounts to find the profile of a user, SharePoint Server 2010 returns the primary account profile.

Feature: My Sites
User experience: When SharePoint Server 2010 creates a My Site, it uses the primary account of the user to create the site. All of the user's alternate accounts are automatically added to the site as administrators.

Feature: People Search
User experience: Searching for people returns the primary account information for the user.

Feature: Audiences
User experience: Audiences in SharePoint Server 2010 only use primary accounts. Any rule that contains an alternate account for a user internally uses the primary account for that user. Because the primary and alternate accounts are reconciled, the management hierarchy is the same for both primary and alternate accounts.

Feature: Import from Business Data Catalog
User experience: Because SharePoint Server 2010 depends on the primary account information for each user, only data that can be identified by the primary user account is imported. When you create a list of users in the Business Data Catalog, use the primary account for each user.

Feature: Memberships synchronization
User experience: SharePoint Server 2010 treats the sites that a user belongs to with primary and alternate accounts as if they all belong to the same user account. To produce an accurate list of site memberships, SharePoint Server 2010 must use a query equivalent to "SELECT docs FROM member site WHERE author = domain1\user OR author = domain2\user", so that the list contains every site where the user is a member with any of the user's accounts.

Feature: Profile synchronization
User experience: Any changes that are made to the user profile are replicated to all user accounts that are associated with the user. This ensures that changes such as adding a picture to the profile in a My Site are synchronized to all SharePoint Server 2010 sites, regardless of the account the user uses to log on.
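The following Python model illustrates the primary/alternate account reconciliation described for multi-logon forest deployments and in the table above: any logon name resolves to the primary account (profile page, People Search), alternates are enumerated (My Sites administrators), and site memberships are unioned across all of the user's accounts (the OR query in the memberships synchronization row). It is an added example and not code from the TechNet page or from Microsoft; the directory records, logon names and site URLs are constructed sample data, and the only directory attribute taken from the page is ms-ds-Source-Object-DN, which links an alternate account to its primary. Unlike the page's description, the example also handles two failure modes a real directory can contain: a pointer to an object that no longer exists and a cycle of pointers, both of which are reported as errors rather than silently treated as primary accounts.

```python
# Added example: primary/alternate account resolution across forests.
# Not from the TechNet page or Microsoft; all records below are constructed sample data.
from typing import Any, Dict, List, Set

Account = Dict[str, Any]

# Constructed directory: contoso.com and fabrikam.com merged and kept both forests.
# Jane Doe has an account in each; FABRIKAM\jdoe points at CONTOSO\jdoe through
# ms-ds-Source-Object-DN, so CONTOSO\jdoe is her primary account.
SAMPLE_DIRECTORY: List[Account] = [
    {
        "dn": "CN=jdoe,OU=Users,DC=contoso,DC=com",
        "sam": r"CONTOSO\jdoe",
        "source_object_dn": None,  # no pointer: this is a primary account
        "sites": {"http://my/personal/jdoe", "http://teams/finance"},
    },
    {
        "dn": "CN=jdoe,OU=Users,DC=fabrikam,DC=com",
        "sam": r"FABRIKAM\jdoe",
        "source_object_dn": "CN=jdoe,OU=Users,DC=contoso,DC=com",  # alternate of CONTOSO\jdoe
        "sites": {"http://teams/legacy-fabrikam"},
    },
    {
        "dn": "CN=bsmith,OU=Users,DC=fabrikam,DC=com",
        "sam": r"FABRIKAM\bsmith",
        "source_object_dn": None,
        "sites": {"http://teams/legacy-fabrikam"},
    },
]


def build_primary_map(directory: List[Account]) -> Dict[str, str]:
    """Map every account DN to the DN of its primary account.

    Follows ms-ds-Source-Object-DN chains. A pointer to a missing object raises
    LookupError and a cycle raises ValueError, so a broken association is surfaced
    instead of an alternate account being mistaken for a primary one.
    """
    by_dn = {str(acct["dn"]): acct for acct in directory}
    primary_of: Dict[str, str] = {}
    for acct in directory:
        start = str(acct["dn"])
        current = start
        visited: Set[str] = set()
        while by_dn[current]["source_object_dn"] is not None:
            if current in visited:
                raise ValueError(f"ms-ds-Source-Object-DN cycle at {current}")
            visited.add(current)
            target = str(by_dn[current]["source_object_dn"])
            if target not in by_dn:
                raise LookupError(f"{current} points at missing object {target}")
            current = target
        primary_of[start] = current
    return primary_of


def resolve_primary(directory: List[Account], logon_name: str) -> Account:
    """Return the primary account for any logon name (case-insensitive), primary or alternate."""
    by_dn = {str(acct["dn"]): acct for acct in directory}
    by_sam = {str(acct["sam"]).lower(): acct for acct in directory}
    account = by_sam.get(logon_name.lower())
    if account is None:
        raise KeyError(f"no account with logon name {logon_name}")
    return by_dn[build_primary_map(directory)[str(account["dn"])]]


def alternate_accounts(directory: List[Account], logon_name: str) -> Set[str]:
    """Logon names of every alternate account that shares this user's primary account."""
    primary_dn = str(resolve_primary(directory, logon_name)["dn"])
    by_dn = {str(acct["dn"]): acct for acct in directory}
    return {
        str(by_dn[dn]["sam"])
        for dn, primary in build_primary_map(directory).items()
        if primary == primary_dn and dn != primary_dn
    }


def site_memberships(directory: List[Account], logon_name: str) -> Set[str]:
    """Union of site memberships over the primary and all alternate accounts,
    the equivalent of "author = domain1\\user OR author = domain2\\user"."""
    primary_dn = str(resolve_primary(directory, logon_name)["dn"])
    by_dn = {str(acct["dn"]): acct for acct in directory}
    sites: Set[str] = set()
    for dn, primary in build_primary_map(directory).items():
        if primary == primary_dn:
            sites |= set(by_dn[dn]["sites"])
    return sites


if __name__ == "__main__":
    print(resolve_primary(SAMPLE_DIRECTORY, r"FABRIKAM\jdoe")["sam"])
    print(sorted(alternate_accounts(SAMPLE_DIRECTORY, r"CONTOSO\jdoe")))
    print(sorted(site_memberships(SAMPLE_DIRECTORY, r"FABRIKAM\jdoe")))
```

Resolving FABRIKAM\jdoe returns the CONTOSO\jdoe record, and the membership union for either of Jane's logon names covers the three sites spread across both forests, while FABRIKAM\bsmith, who has no alternate, only sees his own site. Validating the whole map up front means one dangling or circular ms-ds-Source-Object-DN anywhere in the container stops resolution for everyone; in practice that is the desired behaviour, because a bad association is a data problem to fix before profiles and My Sites are built on it.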

Prepare the Web front-end servers

The People Picker automatically queries all two-way trusted domains, using the application pool account to search for users and groups. When you select an alternate account in the People Picker, the primary account information is returned.

For one-way trusts you must provide the following information:

  • Logon credentials with permission to query the forest

  • An encryption key that will be used when the People Picker is performing a query

Use the following procedure on each SharePoint Server 2010 Web front-end server to set the encryption key that the People Picker uses with this account.

Note

Procedures in this task require using the Stsadm command-line tool. The Stsadm command-line tool was deprecated for this release, but is included to support compatibility with previous product versions.

To prepare the Web front-end servers

  1. Click Start, right-click Command Prompt, and then click Run as Administrator.

  2. Type the following command:

    stsadm.exe -o setapppassword -password <key>

    Where <key> is the encryption key to set for the web application.

Register credentials across forests

SharePoint Server 2010 can keep track of an association between user accounts from multiple forests in order to provide a seamless user experience. You use the stsadm command-line tool to establish this account relationship as shown in the following procedure.

To perform the following steps you must be a member of the Farm Administrators group on the server that is running SharePoint Server 2010.

To register credentials across forests

  1. Click Start, right-click Command Prompt, and then click Run as Administrator.

  2. Type the following command:

    stsadm.exe -o setproperty -url <http://server:port> -pn "peoplepicker-searchadforests" -pv "<forest:contoso.com;domain:corp.contoso.com>", <LoginName>,<Password>, <Key>

    Where:

    • <http://server:port> is the URL to the web application to which you will be granting access.

    • <forest:contoso.com;domain:corp.contoso.com> is the qualified name of the forest and the domain to search for the user account.

    • <LoginName> is the user’s account name.

    • <Password> is the user’s password.

    • <Key> is the encryption key that was set for the web application.

See Also

Concepts

User Profile Service administration (SharePoint Server 2010)
Managing personal and social features (SharePoint Server 2010)

Other Resources

Resource Center: Social Computing in SharePoint Server 2010