Supporting Multiple Active Directory Domains

In many environments there is more than one Active Directory forest with users that need access to the SharePoint farm. Setting up support for users on multiple domains is pretty easy and can provide new collaborative features for users throughout the extended organization.

Trust Relationship
The only prerequisite is that there has to be a trust relationship between the forests. Users from the other domain(s) will need to be able to authenticate and access resources on the host domain.

If that trust is not in place, here is a good resource: Support for Cross-forest deployments
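Before touching the profile import or People Picker settings it is worth confirming what the trust actually looks like, since a one-way trust is the case where the farm account cannot read the other directory on its own. The following is an added example (not part of the original post) that lists the trusts of the domain the SharePoint server belongs to and flags any that are not two-way; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine it runs from.

```powershell
# Added example: enumerate AD trusts and flag one-way trusts.
# Assumes the ActiveDirectory module (RSAT) is available; run from the
# domain the SharePoint servers are joined to.
Import-Module ActiveDirectory

# Direction is relative to the local domain: BiDirectional, Inbound or Outbound.
# SelectiveAuthentication = True means remote users also need "Allowed to
# Authenticate" on the SharePoint servers before they can log in.
$trusts = Get-ADTrust -Filter *
$trusts |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# Any trust that is only Inbound or Outbound will need a dedicated read-only
# account supplied to the profile import connection and the People Picker.
$oneWay = $trusts | Where-Object { $_.Direction -ne "BiDirectional" }
if ($oneWay) {
    Write-Warning ("One-way trust(s) found: " + (($oneWay | ForEach-Object Name) -join ", "))
} else {
    Write-Host "All trusts are two-way; the farm account can normally read the remote directories."
}

# Without RSAT the built-in tooling gives the same list:
#   nltest /domain_trusts /all_trusts
```

The direction and selective-authentication columns are the two values that decide whether the default settings in the sections below will work or whether a separate account must be supplied.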

Setting up the Import
The Profile import settings are in the Shared Service Provider’s User Profile section. Setting up the primary domain (the domain the server is joined to) is straightforward, and the default settings should be fine.

To set up an import for additional domains, click the “View import connections” link on the main User Profiles and Properties page, then click Add Connection in the toolbar. Fill in the domain information and click the Auto Fill Root Search Base button. If the SharePoint Administration account does not have permission to read from the target domain, you will need to supply an account that can read that directory.

People Picker Control
If there is a one-way trust, or there are duplicate accounts (display names) across domains, it may be a good idea to set some additional properties. The article Select user from multiple forest domains provides a way to specify which forests to search, and allows credentials to be passed if the SharePoint Administration account does not have the required privileges.
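For a concrete illustration of that property, here is an added example (not code from the original post or the linked article) that restricts a web application's People Picker to named forests and domains and supplies a dedicated read-only account for a one-way-trusted domain. It uses the SharePoint 2007 stsadm property peoplepicker-searchadforests; the domain names, account, passwords and web application URL are placeholders, and the stsadm path assumes the default 12 hive location.

```powershell
# Added example: scope the People Picker to specific forests/domains and store
# a read-only credential for a one-way-trusted domain (SharePoint 2007 stsadm).
# All names, passwords and the URL below are placeholders.
$stsadm = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$webApp = "http://intranet.contoso.local"   # placeholder web application URL

# 1. Credentials stored for the People Picker are encrypted with an application
#    password. It has to be set to the same value on every server in the farm
#    before the search-forest property is configured.
& $stsadm -o setapppassword -password "<replace-with-a-long-random-passphrase>"

# 2. Entries are forest:<dns name> or domain:<dns name>, separated by semicolons.
#    A two-way-trusted forest needs no credentials. The one-way-trusted domain
#    gets a dedicated account that can only read the directory; do not reuse the
#    farm or SharePoint Administration account here.
$searchList = "forest:contoso.local;" +
              "domain:partner.fabrikam.local,FABRIKAM\svc-pp-read,<read-only-account-password>"

& $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $searchList -url $webApp

# 3. Read the property back to confirm it applied to the intended web application.
& $stsadm -o getproperty -pn peoplepicker-searchadforests -url $webApp
```

Listing only the forests that actually need to be searched also addresses the duplicate display-name problem mentioned above, because the picker no longer resolves names from domains you never intended it to query. Treat the read-only account like any other service credential: rotate its password on the same schedule as the others and repeat the setproperty step when you do.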

The platform does a good job of supporting cross-domain collaboration, and it is a lot easier to set up than in many enterprise systems. In one environment I had to support over thirty domains, so the information included above really came in handy.

One Reply to “Supporting Multiple Active Directory Domains”

  1. Hi Mike

    Thanks for the article. I have a quick question. I have an ADFS server and federated domains. There is a publicly available SharePoint site, where users come in and provide domain login credentials that belong to one domain. The complexity is that there are users who come from outside organizations to log in to the site and use the domain credentials. The account they use to log in is from the same AD. However, the external users will be using machines that are home/office systems, i.e., they will be workgroup machines or domain-joined machines from domains that are not part of the federation. How can I implement an SSO solution for this? Should I use forms-based authentication or use a redirect for the external user to get redirected to the ADFS proxy? Please help!!! Any documentation will be equally appreciated.
