Tallan Blog


Setting up an External Domain Trust in a simple SharePoint 2010 Extranet with separate AD Domains – and completing a profile sync.

Background

Whether a domain trust is needed depends on how the SharePoint farm is deployed: the farm may reside entirely in a perimeter network (or a hosted environment), or it may be split between a perimeter network and the internal network.

Scenario

In this post we assume a simple SharePoint extranet where the SharePoint farm and an Active Directory domain are in a hosted environment, and resources from the local corporate domain (domain.local) are needed in the hosted domain (domain.ext).

 

Extranet Topology

As you can see in the figure above, Active Directory 2 needs to trust Active Directory 1 and access its resources.

After the trust is successfully established, we will configure User Profile Synchronization in the hosted environment.

Assumptions

  • DNS or NetBIOS name resolution between the two domains.

Before a trust can be established, each domain must be able to resolve the domain controllers of the other domain, so that the New Trust Wizard can locate a DC in the target domain.

  • Domain functional level on both domains.

Both domains must be at a domain functional level that supports the trust type being created; for an external trust the two levels do not have to be identical. To raise a level, go to Administrative Tools > Active Directory Domains and Trusts, right click the domain and select Raise Domain Functional Level (raising a level is generally not reversible, so confirm that every domain controller supports the target level first).

Both prerequisites are out of the scope of this post, so I won't discuss them in detail; refer to the following TechNet articles for more information:

http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc787290(v=WS.10).aspx
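Before running the wizard it is worth proving both prerequisites from the side that will create the outgoing trust. The script below is an added example, not code from the original post: run on a domain.ext domain controller, it checks that the DC locator SRV record for domain.local resolves, that nltest can actually find a domain controller there, and reports the functional level of both domains. The domain name, the credential (needed because no trust exists yet) and the account name are assumptions.

```powershell
# Added example, not from the original post. Run on a domain.ext DC before
# creating the trust. $TargetDomain and the credential are assumptions.
param(
    [string]$TargetDomain = "domain.local",
    [System.Management.Automation.PSCredential]$TargetCred = (Get-Credential "LOCAL\administrator")
)
Add-Type -AssemblyName System.DirectoryServices

function Test-TrustNameResolution {
    param([string]$Domain)
    # The trust wizard finds a DC through the _ldap._tcp.dc._msdcs SRV record;
    # that record, not just the bare domain name, must resolve from this side.
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
    # nltest exercises the DC locator end to end (DNS, or NetBIOS/WINS fallback).
    $dc  = nltest "/dsgetdc:$Domain" 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0)
    New-Object PSObject -Property @{
        Domain    = $Domain
        SrvRecord = [bool]($srv -match "svr hostname")
        DcLocated = $ok
        Detail    = $dc.Trim()
    }
}

function Get-DomainMode {
    param([string]$Domain, [System.Management.Automation.PSCredential]$Cred)
    # With no trust in place yet, the other domain has to be queried with
    # explicit credentials rather than the logged-on identity.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain,
        $Domain, $Cred.UserName, $Cred.GetNetworkCredential().Password)
    ([System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)).DomainMode
}

# 1) Name resolution: both SrvRecord and DcLocated must be True.
Test-TrustNameResolution -Domain $TargetDomain | Format-List Domain, SrvRecord, DcLocated, Detail

# 2) Functional level on both sides. The levels need not match for an external
#    trust, but you want to see them before raising anything.
$local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"{0,-20} {1}" -f $local.Name, $local.DomainMode
"{0,-20} {1}" -f $TargetDomain, (Get-DomainMode -Domain $TargetDomain -Cred $TargetCred)
```

If SrvRecord is False but DcLocated is True, the locator fell back to NetBIOS; that works for creating the trust, but fix DNS anyway, since Kerberos across the trust depends on it.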

Setting up the Trust

The Incoming Trust

1. On the Domain.local domain controller, go to Administrative Tools > Active Directory Domains and Trusts.

2. Right click the domain (Domain.local) then select Properties, then go to the Trusts tab.

3. You will be presented with this screen:

[screenshot: Trusts tab of the domain Properties dialog]

4. Click the New Trust button, this will start the New Trust Wizard

5. Click Next, In the Trust Name screen, type the external domain domain.ext then click Next.

6. On the Trust Type screen, select External Trust, click Next.

7. On the Direction of Trust screen, select One-way: incoming, then click Next.

8. On the Sides of Trust screen, select This domain only, click Next.

9. On the Trust Password screen, enter and confirm the trust password twice, click Next.

This password is shared with the administrator of the other domain; the same password must be entered when the other side of the trust is created.

10. On the Trust Selections Complete screen, you can review your input and selections, click Next.

11. Finally, on the Confirm Incoming Trust screen, choose whether or not to confirm the incoming trust now (confirmation only succeeds once the other side of the trust has been created).

12. Click Finish.

The Outgoing Trust

1. On the Domain.ext domain controller, go to Administrative Tools > Active Directory Domains and Trusts.

2. Right click the domain (domain.ext) then select Properties, then go to the Trusts tab.

3. Again You will be presented with this screen:

[screenshot: Trusts tab of the domain Properties dialog]

4. Click the New Trust button, this will start the New Trust Wizard

5. Click Next, In the Trust Name screen, type the external domain domain.local then click Next.

6. On the Trust Type screen, select External Trust, click Next.

7. On the Direction of Trust screen, select One-way: outgoing, then click Next.

8. On the Sides of Trust screen, select This domain only, click Next.

9. On the Outgoing Trust Authentication Level screen, select Domain-wide authentication, then click Next. Domain-wide authentication lets every user in domain.local be authenticated by every computer in domain.ext (they become members of Authenticated Users there); Selective authentication instead requires the Allowed to Authenticate permission on each domain.ext server the domain.local users need, which is the tighter choice for an extranet once you know which servers those users actually need. This post uses domain-wide authentication for simplicity.

10. On the Trust Password screen, enter and confirm the trust password twice, click Next.

This password must match the one entered when the incoming trust was created on domain.local.

11. On the Trust Selections Complete screen, you can review your input and selections, click Next.

12. Finally, on the Confirm Outgoing Trust screen, choose whether or not to confirm the outgoing trust now.

13. Click Finish.

The Trust is now completed.

With the incoming trust on domain.local and the outgoing trust on domain.ext, domain.ext trusts domain.local. The result is:

Users in the domain.local domain can authenticate in the domain.ext domain, but
users in the domain.ext domain cannot authenticate in the domain.local domain.
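The same two wizard runs can be scripted, which also makes it easy to re-check the trust later. The script below is an added example, not code from the original post. It uses the .NET System.DirectoryServices.ActiveDirectory API that the Domains and Trusts console sits on: run it with -Side Incoming on a domain.local domain controller and with -Side Outgoing on a domain.ext domain controller, as a domain administrator of that domain. It then reads the trust back, checks that SID filtering is still on, and verifies the trust once both sides exist. The domain names, the trust password and the parameter names are assumptions.

```powershell
# Added example, not from the original post. Creates one side of the external
# trust described above, then checks it. Domain names are assumptions.
param(
    [Parameter(Mandatory=$true)][ValidateSet("Incoming","Outgoing")][string]$Side,
    [string]$LocalDomain    = "domain.local",
    [string]$ExternalDomain = "domain.ext",
    [Parameter(Mandatory=$true)][string]$TrustPassword,
    [switch]$SelectiveAuthentication
)
Add-Type -AssemblyName System.DirectoryServices
$here = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# An external trust is created one side at a time, each side locally with the
# shared trust password. The direction is relative to the domain you run on.
if ($Side -eq "Incoming") {
    # domain.local, the trusted side: accepts authentication requests from domain.ext.
    $target    = $ExternalDomain
    $direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
} else {
    # domain.ext, the trusting side: forwards domain.local users' logons to domain.local.
    $target    = $LocalDomain
    $direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
}
$here.CreateLocalSideOfTrustRelationship($target, $direction, $TrustPassword)

# Read the trust object back (works as soon as the local side exists).
$info = $here.GetTrustRelationship($target)
New-Object PSObject -Property @{
    Source    = $info.SourceName
    Target    = $info.TargetName
    Type      = $info.TrustType
    Direction = $info.TrustDirection
}

if ($Side -eq "Outgoing") {
    # Wizard step 9: domain-wide (default, $false) or selective authentication.
    $here.SetSelectiveAuthenticationStatus($target, [bool]$SelectiveAuthentication)

    # SID filtering ("quarantine") is on by default for an external trust. It
    # stops SIDs from domain.ext being honoured if they show up in a token
    # issued by domain.local (SID history abuse). It must stay on; fail if not.
    if (-not $here.GetSidFilteringStatus($target)) {
        throw "SID filtering is disabled on the trust to $target; re-enable it with netdom trust /quarantine:yes"
    }
    "Selective authentication: " + $here.GetSelectiveAuthenticationStatus($target)
}

# Verification only succeeds once BOTH sides exist, so this is expected to
# fail on whichever side is created first. Re-run after the other domain's
# administrator has created their side.
try {
    $here.VerifyTrustRelationship($target, $direction)
    "Trust to $target verified ($direction)."
} catch {
    "Trust to $target not verifiable yet: " + $_.Exception.Message
}
```

The order matters: create the incoming side on domain.local first, then the outgoing side on domain.ext, and only then expect VerifyTrustRelationship to succeed on either domain controller.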

Completing a Profile Sync in SharePoint 2010

Before going to Central Administration and configuring the User Profile Service Application, make sure that the users from the corporate domain (domain.local) that you want to sync are in an OU (organizational unit) in the domain.ext domain.

Also confirm that you have all your SharePoint domain accounts created and configured, those accounts are:

  • User Profile Service Content Access Account (ex: EXT\SP_UserProfile)
  • User Profile Synchronization Service Account(ex: EXT\SP_UserProfileService)
  • User Profile Synchronization Account (ex: EXT\SP_ProfileSync)

Domain Controller Configurations

1) In the Domain.ext domain controller, open the Active Directory Users and Computers console, right click on the domain > Delegate Control

[screenshot: Delegate Control on the domain in Active Directory Users and Computers]

2) Add the EXT\SP_ProfileSync user, click Next, select Create a custom task to delegate, click Next, then Next again.

3) Check Replicating Directory Changes, click Next, then click Finish.

SharePoint Server Configurations

Set Log on Locally rights for Farm Account

1. Start > Administrative Tools > Local Security Policy.

2. Expand Local Policies > User Rights Assignments.

3. On the right Pane, Double click Allow log on locally to open it.

4. Click Add User or Group and add EXT\SP_Farm, click Apply, then click OK to close the window.

5. From the Start Menu go to Run then Type gpupdate (this will refresh the changes made).

Temporarily Grant the Farm Account Local Admin Rights

Add the EXT\SP_Farm account to the local Administrators group on the SharePoint server. The farm account only needs this while the User Profile Synchronization Service is provisioned, so remember to remove it from the local Administrators group at the end of the tutorial.
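The three rights above (Replicating Directory Changes on the domain, Allow log on locally, temporary local admin) are the ones that are most often granted too broadly or never revoked, so it helps to script both the grant and a check. The script below is an added example, not code from the original post. Step 1 runs on a domain.ext domain controller, steps 2 and 3 on the SharePoint server, all from an elevated prompt. The account names and the domain DN are assumptions.

```powershell
# Added example, not from the original post. Account names and DN are assumptions.
$SyncAccount = "EXT\SP_ProfileSync"
$FarmAccount = "EXT\SP_Farm"
$DomainDN    = "DC=domain,DC=ext"

# 1) Replicating Directory Changes on the domain naming context (what the
#    Delegate Control wizard above grants). "CA" = control access right. This
#    is read-only: the sync account can pull changes, not modify objects.
#    Do NOT grant "Replicating Directory Changes All", which also exposes
#    password hashes and is not needed for profile sync.
dsacls $DomainDN /G "${SyncAccount}:CA;Replicating Directory Changes" | Out-Null

function Test-ReplicationRight {
    param([string]$Dn, [string]$Account)
    $acl = dsacls $Dn | Out-String
    # dsacls prints "Allow EXT\SP_ProfileSync   Replicating Directory Changes"
    # on one line; anchoring at end-of-line excludes the "... Changes All" right.
    $pattern = "(?m)Allow\s+" + [regex]::Escape($Account) + "\s+Replicating Directory Changes\s*$"
    return [bool]($acl -match $pattern)
}
if (-not (Test-ReplicationRight -Dn $DomainDN -Account $SyncAccount)) {
    throw "$SyncAccount does not hold Replicating Directory Changes on $DomainDN"
}

# 2) "Allow log on locally" (SeInteractiveLogonRight) for the farm account.
#    Local Security Policy stores principals as *SID, so compare by SID.
function Test-LogonLocallyRight {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP "user-rights.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like "SeInteractiveLogonRight*" }
    Remove-Item $inf
    return [bool]($line -and ($line -match [regex]::Escape("*$sid")))
}
if (-not (Test-LogonLocallyRight -Account $FarmAccount)) {
    Write-Warning "$FarmAccount lacks 'Allow log on locally'; add it in Local Security Policy, then run gpupdate /force"
}

# 3) Temporary local Administrators membership, needed only while the User
#    Profile Synchronization Service is started. Remove it afterwards.
net localgroup Administrators $FarmAccount /add
# ... start the User Profile Synchronization Service (next section) ...
# net localgroup Administrators $FarmAccount /delete
```

Keep the removal line from step 3 in the same change ticket as the grant; a farm account that stays in local Administrators is the usual way this procedure leaves a standing privilege behind.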

Setting up the Profile Sync

Create the User Profile Sync Service Application:

In Central Admin (login as SP_Farm):

1. Under Application Management click Manage Service Applications.

2. From the Ribbon, Click New > User Profile Service Application.

  • Name: SharePoint User Profile Service Application
  • Application Pool:
    • Name: UserProfileSvcAppPool.
    • Account (Configurable): EXT\SP_UserProfileService
  • My Site Host URL.
  • Everything else (including databases) stays the same.
  • Click Create.

Start the User Profile Sync Related SP Services:

Back to Central Admin:

1. System Settings > Manage service on Server.

2. Start the following Services:

  • User Profile Service.
  • User Profile Synchronization Service (select the service application created in the previous steps and type in the password for the farm account).

3. Wait till the status changes to Started. (Approx. 10 mins).

4. Perform an iisreset.

Configure Connections and Perform a Sync (Import)

In Central Admin:

1. Under Application Management, click Manage Service Applications.

2. Select SharePoint User Profile Service Application then Click on Manage from the ribbon.

3. Click on Configure Synchronization Connections under Synchronization.

[screenshot: Synchronization Connections page of the User Profile Service Application]

4. Click Create New Connection

  • Connection Name: SP AD Sync
  • Type: Active Directory
  • Forest Name: Domain.ext
  • Account Name: EXT\SP_ProfileSync
  • Password: Type the password.
  • Click Populate Containers and check the required OUs (including the one holding the Domain.local users).
  • Click Ok.
  • Go back to The SharePoint User Profile Service Application management page.
  • Under Synchronization click Start Profile Synchronization and start a Full Synchronization.
  • You can monitor the Synchronization status by clicking on Synchronizing on the right hand side. (Wait for the sync to complete before going to the next step).

[screenshot: Profile Synchronization Status page]

To confirm that profiles are syncing, under People click Manage User Profiles and type a user name from domain.local in the Find profiles field; if results are returned, the sync is configured correctly.
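The sync start and the final check above can also be done from the SharePoint 2010 Management Shell, which is handy for re-running the check after each change to the connection. The script below is an added example, not code from the original post. It uses the SharePoint 2010 server object model (UserProfileConfigManager and UserProfileManager): it lists the configured synchronization connections, starts a full synchronization if none is running, waits for it, and then checks that a domain.local account came across. Run it on the SharePoint server as the farm account. The My Site host URL and the test account LOCAL\jdoe are assumptions. One caveat that follows from the trust direction above: if you ever add a second connection that points at domain.local directly, domain.local does not authenticate EXT\ accounts under this one-way trust, so that connection needs an account from domain.local holding Replicating Directory Changes on domain.local.

```powershell
# Added example, not from the original post. URL and test account are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$site = Get-SPSite "http://mysites.domain.ext"
$ctx  = Get-SPServiceContext -Site $site
$cfg  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)

# The connections behind "Configure Synchronization Connections".
"Synchronization connections:"
$cfg.ConnectionManager | Select-Object DisplayName, Type | Format-Table -AutoSize

# Start a full synchronization ($false would be incremental) unless one is
# already running, then wait; the UI's "Synchronizing" status maps to this.
if (-not $cfg.IsSynchronizationRunning()) {
    $cfg.StartSynchronization($true)
}
while ($cfg.IsSynchronizationRunning()) {
    Start-Sleep -Seconds 30
}

# The check from the text: does a domain.local user now have a profile?
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
$acct = "LOCAL\jdoe"
"Profiles in store: " + $upm.Count
if ($upm.UserExists($acct)) {
    $p = $upm.GetUserProfile($acct)
    "Imported: " + $p["AccountName"].Value + " (" + $p["PreferredName"].Value + ")"
} else {
    Write-Warning "$acct was not imported; check the selected OUs, the trust, and name resolution"
}
$site.Dispose()
```

Profiles in store counts every profile, including those of domain.ext users, so the UserExists check on a known domain.local account is the meaningful one.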


8 Comments

Reddy Kadasani
April 30, 2013 4:44 pm

Ashraf,
Can you use the same setup to create an extranet zone on an existing farm that is being used for intranet?

Ashraf Hameed
April 30, 2013 9:17 pm

Yes, after extending the existing intranet web application to an Extranet zone, the farm could be split between the perimeter network and the internal network, then one or more WFEs could be setup in the perimeter network along with an AD, and the SQL database with App server(s) all remain in the local network.
You can then apply the trust between the AD in the perimeter network and the local AD in the internal network.

Craig Shrimpton
August 29, 2013 4:52 pm

In the instructions you have: “Before going to Central Administration and configuring the User Profile Service Application, make sure that you have your users from the corporate domain (domain.local) in an OU (organization unit) in the domain.ext domain controller.”

On my external domain there doesn’t appear to be anyway to add internal users to an OU. However, I can add internal users to a member server of the external domain.

Thanks,

Craig

Ashraf Hameed
August 30, 2013 9:44 am

Craig,
Are you trying to add the internal user to an internal OU or an external one ?

Thanks,
Ashraf

Craig Shrimpton
August 30, 2013 1:31 pm

External OU. I am unable to enumerate any internal accounts (for permission purposes) on the extranet SP server if the app pool is running under an external domain service account. However, I can enumerate the internal accounts for sites running under the built-in service account.
You stated to make sure your internal users are in an OU on the external DC. I don’t see any way to do that. I can add groups, but not users.

Thanks,

Craig

Hi Ashraf,

I am running into the issue as Craig. Could you please elaborate a bit on what you meant with:
“Before going to Central Administration and configuring the User Profile Service Application, make sure that you have your users from the corporate domain (domain.local) in an OU (organization unit) in the domain.ext domain controller.”?

Thanks in advance, Michael

Ashraf Hameed
October 16, 2013 2:38 pm

Michael, by that I mean importing your users to the external domain from the local one, have you tried that? Also check to see if you can resolve users in the people picker in SharePoint. If you are still running into problems then there could be other issues in the way (DNS, name resolution, etc.).

If you aren’t sure what’s the issues, I suggest setting a two-way trust, import your users, then set the trust back to one-way.

Hi Ashraf,
Thanks a lot for this great user’s guide! I think I’ll need it very soon!
Anyway, at some point you say:
“The results of configurations made both in the Incoming Trust and Outgoing trust are:
Users in the domain.local domain can authenticate in the domain.ext domain but
users in the domain.ext domain cannot authentication in the domain.local domain.”
Now I’m wondering: isn’t it the opposite way around?
Maybe I just misinterpreted what you wrote but, if I have a SharePoint farm (domain.ext) that needs to access a DB in another domain (domain.local), it means that accounts of domain.ext need to be authenticated in domain.local's AD, am I right?
