AD synchronization with external trusted domain


Erik Hastens

I have installed an application (MS Project Server 2007) in our AD in domain
abc.com. For granting rights now, I'm using local domain groups in the
abc.com domain.

Furthermore, in the local domain groups, I have included nested global
security groups from other external domains, to which my domain abc.com has
an external two-way trust.

However, when I start Active Directory synchronization from Project Web
Access server settings, this partially fails because the nested groups from
the trusted external domain def.com cannot be resolved or access isn't
sufficient. In eventlog, I get the message:

---
Standard Information:pSI Entry Point:
Project User: ABC\projectadmin
Correlation Id: f596dbdc-c3bf-4902-9b96-fd3c657bb6b6
PWA Site URL: http://projects.abc.com/main
SSP Name: SharedServices1
PSError: Success (0)
Active Directory Synchronization cannot resolve reference to a foreign
security principal in a remote forest or external domain. This could be
because the object does not exist, the user does not have permission or
because of a communication problem between the project server application
server and Active Directory. Distinguished Name :
LDAP://abc.com/CN=S-1-5-21-3977916586-269920929-2514719504-2232,CN=ForeignSecurityPrincipals,DC=abc,DC=com
---

I don't really understand whether this is caused by insufficient access or
DNS problems. The MS Project admin user who runs the AD sync is a domain
administrator in the abc.com domain, but does he also need access in the
external trusted def.com domain?

Any hints would be appreciated.

Regards
Erik
 

Paul Conroy

Open AD Users & Computers from the Project Server whilst logged on with the
SSP admin account.

Can you expand the security groups to see the nested group members ?

Is the AD server you're logged onto a Global Catalogue server ? If not, try
connecting to one that is.

Can you browse the other domain objects ?

If not, then you need to elevate the permissions of the SSP Admin account
across other domains so it can read all user objects.

HTH

Paul
--
Did this post help you? Consider passing on the goodwill by making a
donation to this great charity.
http://www.fundraiseonline.co.nz/TheProjectServerGuru/

http://theprojectserverguru.spaces.live.com
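The check Paul describes (log on as the account that runs the sync, open the domain local group, see whether its nested members from the trusted domain can be read) can be scripted so the result is per member rather than a single event-log line. The following PowerShell (2.0 or later) is an added example, not code from the thread or from Project Server: it walks one domain local group in abc.com, finds every foreignSecurityPrincipal member (the S-1-5-21-... objects under CN=ForeignSecurityPrincipals that represent def.com groups and users), and asks the local LSA to translate each SID back to a DOMAIN\name through the trust. The group name 'ProjectUsers' is a placeholder; the domain name comes from the thread.

```powershell
# Added example (not from the thread): resolve each foreign security principal
# member of a domain local group to an account in the trusted domain.
# Run this while logged on as the account that performs the Project Server AD
# sync, so the outcome reflects that account's access, not an administrator's.
param(
    [string]$GroupName = 'ProjectUsers',   # placeholder: the domain local group used for Project Server rights
    [string]$Domain    = 'abc.com'         # domain holding the group (from the thread)
)

function Resolve-Sid {
    # Translate a SID to DOMAIN\name via LsaLookupSids on the local machine; for a
    # def.com SID the lookup is forwarded across the external trust.
    # IdentityNotMappedException: object gone, or the caller may not look it up.
    # Any other exception (RPC/network): points at connectivity or DNS instead.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return 'UNRESOLVED (identity not mapped)'
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
}

# Locate the group with a plain LDAP search; no ActiveDirectory module needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Domain"
$searcher.Filter = "(&(objectClass=group)(cn=$GroupName))"
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found in $Domain" }

foreach ($memberDn in $group.Properties['member']) {
    # Bind to each member; nested def.com groups show up as foreignSecurityPrincipal.
    $member = [ADSI]"LDAP://$Domain/$memberDn"
    $sidBytes = $member.Properties['objectSid'].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    New-Object PSObject -Property @{
        Member   = $memberDn
        Class    = $member.SchemaClassName        # user, group or foreignSecurityPrincipal
        SID      = $sid.Value
        Resolves = Resolve-Sid $sid
    }
}
```

A foreignSecurityPrincipal row that comes back as "identity not mapped" while the same SID resolves when you run the script as a def.com administrator narrows the problem to the sync account's read access in def.com; an RPC or network error on every def.com row instead suggests the trust path itself, which `nltest /sc_query:def.com` run on the Project Server box will confirm or rule out.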
 

Erik Hastens

Hi Paul, thanks for your hints.

Paul said:
Open AD Users & Computers from the Project Server whilst logged on with the
SSP admin account.

Can you expand the security groups to see the nested group members ?

Ok, I have logged on with the SSP admin account, opened AD Users & Computers
and connected to domain controller which is global catalog for my domain. I
can successfully connect to the external trusted domain and browse groups
and users - so from this point of view, it seems for me that I have
sufficient access.
Next I opened one of my domainlocal groups and tried to insert objects from
the external domains. This works well, too, I can insert global groups or
users. This seems ok for me.

I am not the AD guru, but I want to try to investigate this as far as
possible. But I don't really know what I can check anymore - the message in
the eventlog (see basic posting) is the only information I have.

Regards
Erik
 