Sharepoint using People Picker in a Resource Forest Model
Hi, We have a standard resource domain model with SharePoint in one forest and user accounts in another & all has been working fine :) We now have an issue where our fine network security chaps want to limit the communcations that are possible from the forest that has sharepoint in to the forest that has the user accounts in. The outcome of this is that simplistically our Active Directory Servers are still allowed to talk accross the network boundry, but our sharepoint servers are not :( So to mitigate this issue we are going to implement a RODC for the forest that has our user accounts in in the same physical site as the SharePonint resource forest & servers. The problem I have is that the SharePoint server will righly query for GC's when it tries to do a directory lookup and it is going to be a one in four (we have 3 GCs in the account forest plus the RODC we will implement) chance of hitting the right GC - our network peeps are not happy with this 'chance' attempt of communicating over the network boundry (plus firewalls are going to be configured to block the request). So, is there any way of forcing SharePoint/People Picker to utilise the RODC for when we are trying to query for attributes in the account forest? Cheers David.
June 12th, 2010 11:06pm
Hello David, Below is a an article which talks about RODC and SharePoint. http://support.microsoft.com/kb/970612 : SharePoint supportability of Read only Domain controllers However we can point SharePoint explicitly to a particular GC that is located in the site locally where the SharePoint box is located. This can be done through the following commandline: Stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:GCSERVER.DOMAIN.INTRANET" -url http://URLofWebApplication This would ensure that we don't keep bouncing between different DCs/GCs for individual lookups of different forests but go directly to the only GC which responds back with list of users. ------------------------------------------------------------ Manas-MSFT
June 16th, 2010 6:49pm
HI Manas, Thanks for the answer - apologies for the delay in my reply the notifications were not working for some reason. That really looks good, I will definately give it a go, just to check, can you add multiple entries, so: "forest:GCSERVER.DOMAIN1.INTRANET1, forest:GCSERVER.DOMAIN2.INTRANET2" etc? Kind Regards David.
June 18th, 2010 2:50pm
Hello David, Thank you for the update. Since you are pointing it to a GC and The Global Catalog contains a partial replica of every object in the enterprise so really not sure if you would want to point it to multiple GC . If server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. Check out 1> http://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx Global Catalog 2> http://technet.microsoft.com/en-us/magazine/ff679947.aspx Windows Server 2008 R2 Domain Controllers: Plan Carefully for RODCs Also people picker can exhibit delay in responses when it has to do a lookup within multiple servers , reason we point it to a GC. But to answer your question , yes you can still append people picker control and have it do a lookup from one way trusted sources stsadm.exe -o setproperty -url http://server:port -pn "peoplepicker-searchadforests" -pv "forest:foo.corp.com;domain:bar.foo.corp.com", LoginName, P@ssword Check out http://blogs.msdn.com/b/joelo/archive/2007/01/18/multi-forest-cross-forest-people-picker-peoplepicker-searchadcustomquery.aspx Regards, Manas
June 18th, 2010 6:18pm
Thanks again - all looks good, am testing currently and everything seems to work :) Regards David.
June 24th, 2010 10:21am