Active Directory Group Synchronization across domains

  • Question

  • I've been struggling with this for quite some time now.

    We host Project Server for another company on a different domain. When we first deployed the solution, we recreated all of the (other) company's users in our Active Directory. Recently, though, we established a one-way trust between our domains so that we will be able to simplify user management and minimize duplication. The trust runs one-way from our domain to theirs (i.e., we have an outgoing forest trust to the other company's domain).

    This has presented a rather sizeable problem for our Project Server deployment. In our Active Directory we have groups that contain users from the external (trusted) domain that we want to synchronize with Project Server. (Side note: we also host TFS for this company and are using the same methodology to manage their users in that program, and things work flawlessly there.) The problem is that the groups that contain these external users will not synchronize.

    We drilled down and found out that the Project Server service account tries to authenticate on the external domain controller but can't, thus resulting in a "Partial Fail" synchronization. What's more, no users from the foreign trusted domain can be individually added to the user list either. Interestingly, these two operations generate different logs in Event Viewer. Directory Synchronization generates Event ID 7721 with source Project Server under the Application log category ("Active Directory Synchronization cannot resolve reference to a foreign security principal in a remote forest or external domain. This could be because the object does not exist, the user does not have permission or because of a communication problem between the project server application server and Active Directory"), whereas a failed user addition generates Event ID 40961 from LsaSrv under the System category ("The Security System could not establish a secured connection with the server <dc info> No authentication protocol was available").

    Last night I came across a post that suggested using PowerShell to set the property of the PeoplePicker to allow it to authenticate on different domains. It references this TechNet page:

    So now I have the ability to add individual users but the AD sync still fails.

    I understand that a two-way trust is the recommended configuration, but for certain reasons that is not possible at this time. I had the notion of giving the service account Read permissions on the external domain but, again, due to the nature of our setup, that can't be achieved. Before coming across the above solution, my workaround was to change the SA to an account that can authenticate on the external domain (I created an AppPool in IIS and gave it the identity of the foreign account we have on the trusted domain, then moved just the Project Server application to it). This was less than ideal, as I had to also add the external user to SQL. Also, this being a foreign account, it doesn't have the required permissions on our servers. Has anyone had any success with a similar configuration? Are there any suggestions? Thanks in advance.

    • Edited by Reza Etezal Friday, October 21, 2011 11:03 PM
    Friday, October 21, 2011 10:55 PM
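The two checks the question describes (the 7721 and 40961 events) and the People Picker change it refers to, written out as an added PowerShell example; this is not code from the original post or from the TechNet page it links. The web application URL, the trusted forest name and the lookup account are placeholders, and the cmdlets and the `SPPeoplePickerSearchActiveDirectoryDomain` type are the SharePoint 2010 ones (Project Server 2010 runs on that farm).

```powershell
# Added example (not from the original post). Placeholder values: the web
# application URL, the trusted forest name and the lookup account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Pull the two symptoms named in the question out of the event logs.
#    7721 (source Project Server, Application log): AD sync could not resolve a
#    foreign security principal. 40961 (source LsaSrv, System log): no
#    authentication protocol was available when contacting the remote DC.
$syncFailures = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Project Server'; Id = 7721 } `
                    -MaxEvents 20 -ErrorAction SilentlyContinue
$authFailures = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40961 } `
                    -MaxEvents 20 -ErrorAction SilentlyContinue
$syncFailures, $authFailures | Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# 2. Let the People Picker query the trusted forest with an account that can
#    authenticate there (with a one-way outgoing trust, our own service account
#    cannot). The stored credential is encrypted with a farm-wide key, so that
#    key must be set once on every web front end before this runs:
#      stsadm -o setapppassword -password "<encryption key placeholder>"
$webApp     = Get-SPWebApplication 'http://projectserver.example.local'  # placeholder URL
$forestName = 'partner.example'                                           # placeholder trusted forest
$lookupUser = 'PARTNER\svc-pwa-lookup'                                    # placeholder read-only lookup account
$lookupPass = Read-Host -Prompt "Password for $lookupUser" -AsSecureString

$domain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$domain.DomainName = $forestName
$domain.IsForest   = $true          # search the whole trusted forest, not a single domain
$domain.LoginName  = $lookupUser
$domain.SetPassword($lookupPass)    # stored encrypted with the farm's app password key

$webApp.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($domain)
$webApp.Update()

# 3. Verify what the People Picker is now configured to search.
$webApp.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName
```

Two points worth keeping in mind when applying this. The lookup account only needs to read the directory in the trusted forest, so it should be a dedicated account with no other rights rather than the Project Server service account or anyone's personal account. And, as the question itself notes, this change only fixes adding individual users through the People Picker; Project Server's Active Directory group synchronization runs under the service account and still fails with event 7721 when that account cannot authenticate to the remote forest.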

All replies

  • Hi Reza,

    Interestingly enough, I had to deal with what sounds to be exactly the same problem a couple of months ago. We actually confirmed (using a support call to Microsoft Product Support) that this configuration is not supported with Project Server. SharePoint on its own seems to be fine with it, however.

    Sorry I cannot be of more help...

    Monday, October 24, 2011 4:11 PM