Handling Cross-forest deployments

In many corporate or external-facing SharePoint deployments, it becomes necessary to deploy multiple forests or domains to serve different groups of users. A good explanation of this concept can be found in the SharePoint Team's blog post on Support for Cross-forest deployments.
The basic idea is that you have two domains, e.g. DomainA and DomainB. DomainA hosts your SharePoint servers, and you want to be able to add users from DomainB so they can access your site. For example, you open the People-Picker on your SharePoint site and want to add DomainB\User1. This works if there is a two-way trust between the two domains. In many environments, however, there is only a one-way trust: DomainA trusts DomainB, but DomainB does not trust DomainA. In that scenario, when you use the People-Picker on your DomainA SharePoint server to add DomainB\User1, DomainB will not resolve the user because it does not trust a request coming from DomainA.
To work around this, you need to use the peoplepicker-searchadforests property with the stsadm.exe tool. A good reference for using it correctly is Joel Oleson's blog post on Cross Forest, Multi Forest Configuration and Additional Info. The gist is that you need to run the following two commands:
    stsadm.exe -o setapppassword -password <some key>
    stsadm.exe -o setproperty -url http://server:port -pn "peoplepicker-searchadforests" -pv "domain:DNSName,Login,Password"
The first command sets the application credential key: a password that protects (encrypts) the credentials stored by the second command. The second command stores a trusted DomainB account (e.g. DomainB\User2) and its password, so that whenever the People-Picker is used it can query DomainB with that account and resolve users there. Because this account is only ever used for directory lookups, it should be an ordinary low-privilege domain user rather than an administrator.
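As an added example (not code from the original post), the script below wraps the two stsadm.exe commands above in PowerShell so that the lookup account's password is prompted for with Get-Credential instead of being typed on the command line, and so that the property value is assembled and validated before it is written. It assumes the MOSS 2007 / WSS 3.0 "12 hive" location of stsadm.exe; the web application URL, the domain name domainb.example, and the account name DOMAINB\sp_peoplepicker are placeholders. The value format "domain:DNSName,Login,Password", with several entries joined by semicolons and "forest:" as the alternative to "domain:", is the documented syntax of this property.

```powershell
# Added example, not from the original post. Assumes the 12-hive path below (MOSS 2007 / WSS 3.0);
# adjust it for other SharePoint versions.
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

function New-SearchAdForestsValue {
    # Builds "kind:dnsname,login,password;kind:dnsname,login,password" from a list of entries.
    # Each entry: @{ Kind = 'domain' or 'forest'; DnsName = 'domainb.example'; Credential = <PSCredential> }
    param([Parameter(Mandatory=$true)][hashtable[]] $Entries)

    $parts = foreach ($e in $Entries) {
        if ('domain', 'forest' -notcontains $e.Kind) {
            throw "Kind must be 'domain' or 'forest', got '$($e.Kind)'"
        }
        # GetNetworkCredential() splits "DOMAINB\user" into Domain and UserName.
        $net   = $e.Credential.GetNetworkCredential()
        $login = if ($net.Domain) { "$($net.Domain)\$($net.UserName)" } else { $net.UserName }

        # Commas and semicolons are the separators of this value, so a field containing
        # one would silently corrupt the stored configuration; refuse it up front.
        foreach ($field in @($e.DnsName, $login, $net.Password)) {
            if ($field -match '[,;]') { throw "Field '$field' contains a separator character" }
        }
        '{0}:{1},{2},{3}' -f $e.Kind, $e.DnsName, $login, $net.Password
    }
    return ($parts -join ';')
}

function Set-PeoplePickerForests {
    param(
        [Parameter(Mandatory=$true)][string]       $WebAppUrl,
        [Parameter(Mandatory=$true)][hashtable[]]  $Entries,
        [Parameter(Mandatory=$true)][System.Security.SecureString] $AppPassword
    )
    # stsadm needs the key in clear text; convert the SecureString only at the moment of use.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AppPassword)
    try {
        $key = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # The application credential key encrypts the stored lookup credentials. It must be set
        # to the same value on every front-end server before setproperty is run.
        & $stsadm -o setapppassword -password $key
        if ($LASTEXITCODE -ne 0) { throw "setapppassword failed with exit code $LASTEXITCODE" }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    $value = New-SearchAdForestsValue -Entries $Entries
    & $stsadm -o setproperty -url $WebAppUrl -pn 'peoplepicker-searchadforests' -pv $value
    if ($LASTEXITCODE -ne 0) { throw "setproperty failed with exit code $LASTEXITCODE" }
}

# Usage with placeholder names: prompt for the low-privilege DomainB lookup account, then apply.
$lookup  = Get-Credential -Credential 'DOMAINB\sp_peoplepicker'   # hypothetical account name
$entries = @(
    @{ Kind = 'domain'; DnsName = 'domainb.example'; Credential = $lookup }
)
$appKey  = Read-Host -AsSecureString 'Application credential key'
Set-PeoplePickerForests -WebAppUrl 'http://server:port' -Entries $entries -AppPassword $appKey
```

Run the script in an elevated PowerShell session on each web front-end server, giving the same application credential key each time; the stored credentials cannot be decrypted on a server whose key differs. The lookup account only needs to read the directory, so an ordinary domain user in DomainB is sufficient.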
