Problem synchronizing users from a forest other than the one Project Server 2010 is installed on - "No groups were found matching that description"

  • Question

  • Hi,

    I'm brand new to Project Server and need some assistance on being able to give AD users permission to the Project Web App I've created on a new installation of PS 2010.

    I have one PS 2010 farm with the databases connected to a SQL server.  The server is on our development domain.  I used the TechNet how-to videos to run through the configuration.  I was able to get to the point where I successfully installed SharePoint 2010 and PS 2010.  I created the Project Web App successfully.  When I got to the point where I wanted to add users for permissions to the site, I noticed that they were still getting access denied, even if I made them site collection administrator.  The only account I could use to gain access to the site was the account I used to configure the initial installation.  I discovered that you need to synchronize with Active Directory so you can add users into the various permissions groups within Project Server.

    On the PWA site, I went to Server settings - Active Directory Resource Pool synchronization - Find group.. and discovered that I could only add groups that were in my development domain. (It says: "Search is restricted to the Project Server's Active Directory forest. This forest is: devdomain.com")  I want to be able to add users from the production domain.  Under Synchronization status I get the message "The synchronization failed because the Active Directory group was not found.  If the Active Directory group no longer exists, click Clear Group to clear Active Directory information for the group."  I'm trying to add the domain admins group in this case.  I get an error in the application log.  Event ID 7709 "Active Directory ERP synchronization cannot resolve reference to group."  The local firewalls are off and there is no firewall between the PS server and the domain controllers.

    In doing some research, I found the following article:

    http://social.technet.microsoft.com/Forums/en/projectserver2010general/thread/75f175e1-efc1-4db0-9dcd-8c840c69de33

    It says that I can add the group from another forest if there is a 2-way trust.  For example, I could add domainadmins@proddomain.com or user@proddomain.com.  However, when I try to do this, the error message says "No groups were found matching that description".  There is a trust between the 2 forests.

    Perhaps I don't completely understand how this is supposed to work and I'm missing a step or 2.  Would somebody be able to explain to me what I need to do to give users permission to this site?

    Monday, November 29, 2010 6:28 PM

Answers

  • I'm not sure what happened, but I ended up just reinstalling SharePoint and Project Server from scratch.  Then followed the same steps to configure the PWA.  Everything works now.
    Tuesday, November 30, 2010 8:08 PM

All replies

  • Use the full Fully Qualified Domain Name (FQDN) to specify the group. For example, use the following FQDN to specify the group:
    groupname@childdomain.rootdomain.com
  • Make sure that the target domain in the remote forest contains a copy of the global catalog for that forest
  • Make sure the required ports are opened for communication between App Server and DC
  • Make sure your service account can read through all domains

    Hope this helps

  • Thanks Sunil Kr Singh http://epmxperts.wordpress.com/
  • Proposed as answer by epmXperts Wednesday, December 1, 2010 8:33 AM
    Monday, November 29, 2010 7:38 PM
  • Thank you for your reply. I have been using the fully qualified domain name (domainadmins@devdomain.com, domainadmins@proddomain.com). All DCs are global catalogs (there are only 2 for each forest). There is no firewall between the app server and DCs. (Is there a list of the ports that need to be open?) "Make sure your service account can read through all domains": what does this mean and how would I verify this? Thanks.
    Monday, November 29, 2010 7:49 PM
  • I think a simple test to make sure the trust relationship is working is to try and add a user from the remote forest to one of the local Windows groups on the project server machine (for instance the Users group).  This will simply tell you if the trust is functioning properly and if all necessary DNS configs are in place to ensure the DCs can find each other. Obviously if this is working then there is probably a problem in how Project Server\SharePoint handles authentication to remote forests... :)
    Tuesday, November 30, 2010 9:40 AM
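
The checks suggested in the replies above (a reachable global catalog in the remote forest, open ports, an account that can read the remote forest, a working trust) can be run from the Project Server machine as shown here. This is an added example, not part of any post in the thread: `proddomain.com` comes from the question, the group name is a constructed sample value, and the port list is the standard set of Active Directory service ports rather than a list given in the thread.

```powershell
# Added example (not from the thread). Run on the Project Server machine in a
# session started as the service account whose access is being checked.
$RemoteForest = 'proddomain.com'   # remote forest named in the question
$GroupName    = 'Domain Admins'    # constructed sample value (sAMAccountName)

# 1. Can the DC locator find a global catalog in the remote forest? (DNS + trust path)
nltest "/dsgetdc:$RemoteForest" /gc

# 2. Which trusts does this machine's domain report?
nltest /domain_trusts

# 3. TCP reachability of the standard AD service ports (assumed list, not from the
#    thread). Connects to whatever the forest DNS name resolves to, normally a DC.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper';
            389 = 'LDAP'; 445 = 'SMB'; 3268 = 'Global catalog' }
foreach ($port in ($ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($RemoteForest, $port, $null, $null)
        $open = $pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch {
        $open = $false
    } finally {
        $client.Close()
    }
    $state = if ($open) { 'open' } else { 'blocked or unreachable' }
    '{0,5}  {1,-20} {2}' -f $port, $ports[$port], $state
}

# 4. Can the current account read the group from the remote forest's global catalog?
Add-Type -AssemblyName System.DirectoryServices
$root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$RemoteForest")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
try {
    $hit = $searcher.FindOne()
    if ($hit) { "Found: $($hit.Properties['distinguishedname'][0])" }
    else      { "Bind succeeded, but no group named '$GroupName' was returned." }
} catch {
    "Global catalog query failed: $($_.Exception.Message)"
}
```

If step 4 succeeds under an administrator account but fails under the service account, the difference is in that account's read access rather than in the network path or the trust.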