Tuesday, 25 February 2014

SharePoint 2010 - Multiple Domains - People picker

The other day I had to configure a SharePoint 2010 server to support two Active Directory domains connected by a one-way trust: the AD the server itself resides in and a customer AD. I found out that you need to tell SharePoint to search the other domains too. Fortunately this is quite simple.

You need to run two stsadm commands.

stsadm -o setapppassword -password <yourkey>

Replace <yourkey> with your own key. This key is used to encrypt things (I'll explain what later on). This command should be run on each server in the farm with the exact same key.

Next you register all the domains you want searched (except the one your server is in). You'll need to do this for each web application, not for each server.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:domainA.local,domainA\account,password -url http://webapplication

Running this command overwrites the previous entry. Fortunately the command supports adding multiple domains in one go. You do that like this:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:domainB.local,domainB\account,password;domain:domainA.local,domainA\account,password -url http://webapplication

<domain:domainA.local> - this is how you specify which domains SharePoint should search. You separate different domains with a ";".

<domainA\account,password> - gives SharePoint an account with which to traverse a domain and look for accounts; the people picker needs this to find people. The user account needs read rights and rights to traverse the AD tree. This is where the key set in the first stsadm command comes into play: it is used as an encryption key to encrypt the password during communication between the SharePoint server and the AD.

It is also possible to add a Forest instead of a domain. You do that like this:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:domainA.local,domainA\account,password -url http://webapplication

You could combine forests and domains like this:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:domainA.local,domainA\account,password;domain:domainB.local,domainB\account,password -url http://webapplication

If the domains or forests are trusted, it is not necessary to pass in the login name or password (if you don't mind not finding people from the trusted domain in the people picker). You could then skip that part and your command would look something like this:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:domainA.local;domain:domainB.local -url http://webapplication
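Because the whole list is passed as one string and each run overwrites the previous value, it is easy to lose a domain to a mistyped ";" or ",". As an added example (not from the original post, and not a SharePoint API), here is a small Python helper that builds the peoplepicker-searchadforests value in the format shown above, parses one read back with stsadm -o getproperty, and produces a copy with passwords masked for logging. The domain and account names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

SCOPE_TYPES = ("domain", "forest")
DELIMS = ";,:"   # characters the delimiter-based format cannot carry


@dataclass
class SearchScope:
    kind: str                        # "domain" or "forest"
    name: str                        # FQDN, e.g. domainA.local (constructed)
    account: Optional[str] = None    # DOMAIN\user; needed for one-way trusts
    password: Optional[str] = None

    def validate(self) -> None:
        if self.kind not in SCOPE_TYPES:
            raise ValueError(f"unknown scope type {self.kind!r}")
        if not self.name or any(c in self.name for c in DELIMS):
            raise ValueError(f"bad scope name {self.name!r}")
        # credentials are given as a pair or not at all
        if (self.account is None) != (self.password is None):
            raise ValueError(f"{self.name}: account and password must both be set")
        if self.password is not None and any(c in self.password for c in DELIMS):
            raise ValueError(f"{self.name}: password contains ; , or :")

    def to_entry(self, redact: bool = False) -> str:
        self.validate()
        entry = f"{self.kind}:{self.name}"
        if self.account is not None:
            entry += f",{self.account},{'********' if redact else self.password}"
        return entry


def build_property_value(scopes: List[SearchScope], redact: bool = False) -> str:
    """Join entries with ';' as 'stsadm -o setproperty -pv' expects; redact=True gives a log-safe copy."""
    if not scopes:
        raise ValueError("at least one scope is required")
    return ";".join(s.to_entry(redact) for s in scopes)


def parse_property_value(value: str) -> List[SearchScope]:
    """Parse a value read back with 'stsadm -o getproperty -pn peoplepicker-searchadforests'."""
    scopes = []
    for entry in filter(None, value.split(";")):
        head, *creds = entry.split(",")       # 0 or 2 credential fields
        kind, _, name = head.partition(":")
        if len(creds) not in (0, 2):
            raise ValueError(f"malformed entry {entry!r}")
        scopes.append(SearchScope(kind, name, *creds))
        scopes[-1].validate()
    return scopes
```

Reading the current value back with getproperty and parsing it before adding a scope lets you re-emit the full list instead of overwriting it.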
