Set Up SharePoint People Picker for Cross-Forest Active Directory
Recently I installed a new SharePoint 2013 environment that connects to three different domains and three different Active Directory forests. There is a one-way trust set up between the environments. Let’s call the domains/AD forests A, B and C. I had installed the SharePoint farm into domain A.
After the install, an issue surfaced where users who logged in as “domainA\<UserID>” could not grant access to, or even see, users in domains B or C using the People Picker. This was happening because the People Picker had not been set up to use domain accounts from the other domains. I was using a specific ID that existed in Active Directory in domain A to run the profile sync; let’s say the ID was domainA\ID1. I determined the best approach was to have this same ID copied to the Active Directories in domains B and C. I now had the following IDs set up:
- domainA\ID1
- domainB\ID1
- domainC\ID1
It is important to note that each of these IDs needs to have read rights in Active Directory in its respective domain. These IDs then need to be configured so that the People Picker searches each forest with the account from that forest, using the following STSADM commands/steps:
- Open PowerShell from a server within the farm.
- Set an app password for the farm:
  - stsadm -o setapppassword -password yourpassword
- Set the IDs for each of the 3 domains (one forest: entry per forest, separated by semicolons; the angle brackets mark the values you replace):
  - stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:<domainA.com>,<domainA\ID1>,<ID1password>; forest:<domainB.com>,<domainB\ID1>,<ID1password>; forest:<domainC.com>,<domainC\ID1>,<ID1password>" -url http://yourhostheader.domainA.com
- If you need to change the IDs or add/modify the domains in the future, you will need to clear the property with the following command before re-running the previous one:
  - stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url http://yourhostheader.domainA.com
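The same procedure as a PowerShell script, added here as an example rather than taken from the original post: it builds the peoplepicker-searchadforests value for any number of forests, prompts for each password instead of keeping it in the script, validates that no value contains the , or ; separators, and runs the clear-then-set sequence. It assumes you run it from the SharePoint Management Shell with stsadm on the PATH, and the web application URL, forest names and accounts are placeholders for your own.

```powershell
# Added example, not the original post's code. Placeholders: replace with your values.
$WebAppUrl = "http://yourhostheader.domainA.com"

# One entry per forest: its FQDN and the read-only account that lives in that forest.
$Forests = @(
    @{ Fqdn = "domainA.com"; Account = "domainA\ID1" },
    @{ Fqdn = "domainB.com"; Account = "domainB\ID1" },
    @{ Fqdn = "domainC.com"; Account = "domainC\ID1" }
)

# Convert the SecureString from Read-Host to plain text only for the stsadm call,
# and free the unmanaged copy afterwards.
function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

# Build "forest:fqdn,domain\user,password;forest:..." with no spaces or angle brackets.
# The format uses , and ; as separators, so none of the values may contain them.
$entries = foreach ($f in $Forests) {
    foreach ($field in "Fqdn", "Account") {
        if ($f[$field] -match '[,;]') { throw "$field '$($f[$field])' contains , or ;" }
    }
    $pw = ConvertTo-PlainText (Read-Host -AsSecureString "Password for $($f.Account)")
    if ($pw -match '[,;]') { throw "Password for $($f.Account) contains , or ; and cannot be used here" }
    "forest:$($f.Fqdn),$($f.Account),$pw"
}
$value = $entries -join ";"

# The passwords in this property are encrypted with the key set by
# "stsadm -o setapppassword"; run that on every server in the farm first.
#
# Clear the old value before setting the new one. Windows PowerShell drops an
# empty-string argument to a native exe, so pass a literal pair of quotes instead of "".
& stsadm -o setproperty -pn peoplepicker-searchadforests -pv '""' -url $WebAppUrl
& stsadm -o setproperty -pn peoplepicker-searchadforests -pv $value -url $WebAppUrl

# Read the property back to confirm the new value was applied.
& stsadm -o getproperty -pn peoplepicker-searchadforests -url $WebAppUrl
```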
For more information on configuring cross-farm deployments, check out the following TechNet article: