Resolve accounts across multiple forests

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2016-11-14

Microsoft Office SharePoint Server 2007 can be deployed in various configurations, including single forest and multiple forest environments, of Active Directory Domain Services. Previous versions of Office SharePoint Server expected to be installed in a single Active Directory forest. The result was that users who had accounts in two forests that had a two-way trust found themselves with duplicate MySite pages and profiles. Office SharePoint Server 2007 reduces these issues by addressing cross forest deployments in new ways.

When planning to deploy Office SharePoint Server across multiple forests, there are two primary configurations to consider:

  • Resource forest deployment where there are two or more forests configured with a single logon forest that contains user accounts that are trusted by one or more resource domains that contain file and application servers.

  • Multi-logon forest deployments where there are two or more forests that contain user accounts that access resources through two-way trusts.

Note

There must be at least a one-way trust between the forests for these procedures to work.

For more information about how to resolve accounts across multiple forests and an illustration that depicts the relationship between the forests, see the Microsoft SharePoint Team Blog (https://go.microsoft.com/fwlink/?LinkId=186152).

Resource forest deployment

A resource forest configuration exists where all user accounts exist in one or more top-level forests. All users use credentials from these forests to log on. The resource servers, such as Microsoft Exchange Server 2007 and Office SharePoint Server, are installed in a separate resource forest, which then maintains a one-way trust to each account forest. The resource forest contains shadowed, non-logon accounts for each user who accesses the resource forest, which contains metadata about the user based on the ms-ds-Source-Object property of the user account.

In this kind of deployment, Office SharePoint Server draws Active Directory information from a container in the resource forest’s directory, and bases the user profiles and MySite creation on that information.

Multi-logon forest deployments

In a multi-logon forest deployment, user accounts are distributed across two or more forests. There are typically two-way trusts between all of the forests. This scenario is often the result of a merger between organizations where the decision was made to maintain the existing forests and provide users access to resources in each forest. Because many existing applications depend on the forest structure in which they are deployed, some users are granted an account in each forest to which they need access.

In this kind of deployment, Office SharePoint Server is deployed in one of the forests with Directory Connections to each forest where user accounts reside. Then you have to use the distinguished name (ms-ds-Source-Object-DN) attribute in the user object to create an association between the user’s accounts. In this relationship between multiple accounts that belong to a single user, one account is considered the primary account, and all other accounts are considered alternates of the primary. You can use a tool such as Microsoft Identity Lifecycle Manager 2007 to create this relationship between user account objects.

The expected user experiences for various features of Office SharePoint Server are listed in the following table.

Feature User experience

Profile page and object model

Office SharePoint Server maintains the list of alternate accounts by which the profile is identified. When you use either account to find the profile of a user, Office SharePoint Server returns the primary account profile.

MySite

When you create a MySite, Office SharePoint Server uses the primary account of the user to create the site. All of your alternate accounts are automatically added to the site as administrators.

People Search

Searching for people returns the primary account information for the user.

Audiences

Audiences in Office SharePoint Server only use primary accounts. Any rule that contains an alternate account for a user will use the primary account for that user internally. Because the primary and alternate accounts are reconciled, the management hierarchy will be the same for both primary and alternate accounts.

Import from Business Data Catalog

Because Office SharePoint Server depends on the primary account information for each user, only data that can be identified by primary user account is imported. When creating a list of users in the Business Data Catalog, use the primary account for each user.

Windows SharePoint Services Synchronization - Memberships

Office SharePoint Server treats sites that a user belongs to with both primary and alternate accounts as if they all belong to the same user account. In order to produce a more accurate list of site memberships, Office SharePoint Server must use a query equivalent to "SELECT docs FROM member site WHERE author = domain1\user OR author = domain2\user" in order to produce a list that contains the sites where the user is a member with any of the user’s accounts.

Windows SharePoint Services Synchronization - Profile properties

Any changes that are made to the user profile are replicated to all user accounts that are associated with the user. This ensures that changes such as adding a picture to the profile in MySite will be synchronized to all Windows SharePoint Services sites regardless of the account the user logs on with.

Prepare the Web front-end servers

The People Picker automatically issues queries to all two-way trusted domains when it uses the application pool account to search for users and groups. When you select a secondary account in the People Picker, the primary account information will be returned.

For one-way trusts you must provide the following information:

  • Logon credentials with permission to query the forest

  • An encryption key that will be used when the People Picker is performing a query

Use the following procedure to prepare the encryption key for each Office SharePoint Server Web front-end server to use this account.

To prepare the Web front-end servers

  1. Click Start, right-click Command Prompt, and then click Run as Administrator.

  2. Type the following command:

    stsadm.exe -o setapppassword -password <key>
    

    Where <key> is the encryption key to set for the Web application.

Register credentials across forests

Office SharePoint Server can keep track of an association between user accounts from multiple forests in order to provide a seamless user experience. You use the stsadm command-line tool to establish this account relationship as shown in the following procedure.

To perform the following steps you must be a member of the Farm Administrators group on the server that is running Office SharePoint Server.

To register credentials across forests

  1. Click Start, right-click Command Prompt, and then click Run as Administrator.

  2. Type the following command:

    stsadm.exe -o setproperty -url <http://server:port> -pn "peoplepicker-searchadforests" -pv "<forest:contoso.com;domain:corp.contoso.com>", <LoginName>, <Password>
    

    Where:

    • <http://server:port> is the URL to the Web application to which you will be granting access.

    • <forest:contoso.com;domain:corp.contoso.com> is the qualified name of the forest and the domain to search for the user account.

    • <LoginName> is the user’s account name.

    • <Password> is the user’s password.