The user could not be created

[Conrad Santiago]

We are having difficulties adding new users to PWA. We set new users up
with Windows Authentication. The error we get is:

<The user could not be created.

Check the spelling of the user name, verify that a valid domain name was
included, and check that duplicate domain was not used.>

The spelling is correct. Our IS Manager double-checked the spelling and
domain name.

The IS Manager is using new Windows accounts to create new users. (Before,
he was reusing old accounts which was causing problems in PWA.) Now, he is
creating new accounts. When I go to add the users to PWA, I get the error
above. If they are new user Windows accounts, it seems logical we wouldn't
be getting duplicate domain errors on that account.

Any suggestions on how to proceed from here?

 

[Rolly Perreaux]

Hi Conrad,

That sounds like a problem accessing the domain controller to verify the
Active Directory User Names.

Run the DSQUERY commands from the Project Server
Open a command line (Start --> Run --> type CMD)
and type the following:

DSQUERY server
(finds all domain controllers in the directory)

DSQUERY user
(finds all users in the directory)
Run this command if you don't have too many users in the domain

DSQUERY user -samid <UserLogonName>
(finds a specific user's logon name, such as jsmith)


Do you get any results running these commands?
Let us know when you have a chance.

Good Luck

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com

 

[Wegz]

Hi Rolly,

Sorry to Jump in on your post Conrad but i am having a similar issue.
Basically our Project Server cant sync with AD. I have tried those
querys and i get a failure: The specfied domain either does not exist
or could not be contacted.

Whats happened is our EPM is on our old domains (we were two orgs
combined so we still had two domains loosley connected). In a
'uniformication' process were are moving to a new single domain, single
forrest for AD. Once you move to AD, you cant be recognised on EPM
anymore. I believe it relies on this Active Directory Connector but for
the life of me dont understand it.

As i said i just lost now so if you have any suggestions/info about
this domain controller/ADC that would be great.
Matt

 

[Rolly Perreaux]

Hi Matt,

In your situation you might need to create a Shortcut Trust between
either the two domains within the AD Forest, OR a Forest Trust between
two AD Forests.

Here's a great article showing you how to create the various trusts:

Creating Domain and Forest Trusts
http://technet2.microsoft.com/WindowsServer/en/library/f82e82fc-0700-
4278-a166-4b8ab47b36db1033.mspx

Also...
You are correct when you say, "Once you move to AD (another AD forest),
you cant be recognized on EPM anymore". This makes sense since Active
Directory is essentially a security database. Once you move your server
to be joined into the New Forest/Domain all the previous AD security
objects are no longer valid.

However, that doesn't mean you can't fix it. You would just need to
change the Project Server Users and Groups to point to the new AD
Security Objects (Users and Groups) from the new Forest/Domain.

For example, previous to moving the server, you have the PWA Project
Managers Group configured for AD Sync to point to an Active Directory
Group called CONTOSO\PrjMgrs. All works well. Once you move the server
from the CONTOSO Forest/Domain to the new Forest/Domain called
NWTRADERS, then your synchronization will not work.

You will need to have the NWTRADERS Active Directory Administrator
create a new Global Group called NWTRADERS\PrjMgrs. Add all the AD Users
into the group. Then change the PWA Project Managers Group configured
for AD Sync to point to NWTRADERS\PrjMgrs.

IMPORTANT NOTE
==============
Prior to doing any of these steps you will need to modify the Project
Server User accounts that have moved to the new Forest/Domain. If you do
not, there is a very good chance that you might have 2 Project Server
User accounts for the same person. In using our example
One for CONTOSO\<UserName>
One for NWTRADERS\<UserName>
Same person, two accounts

Now the REAL DANGER here is if you do an AD Sync with the Enterprise
Resource Pool, there is a REAL POTENTIAL to essentially doubling your
resources.

So you will need to plan your Project Server AD migration very
carefully.

If you have any additional questions, post them here and we help you get
through it

Cheers,

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com

 

[Conrad Santiago]

Rolly,
Thanks for the response.

Our IS guy ran the command you suggested below. He says, "All three
commands work accordingly. No issues found."

As far as I know, we are not using any of the Active Directory features in
PWA. At least, we are not using the AD options where they show up in the
PWA Admin.

Thanks for any advice moving foward from here.

--Conrad Santiago

 

[Wegz]

Thanks Again Rolly for your help.

I checked it out, there is a two way trust set up between our new AD
Forrest and our Previous Domains where the Server holding Project
Server resides. I have the groups set up in the AD forrest (i.e. a Team
Members Group) but when i try to sync the group to the Resource Pool, i
still get a failure. It seems that the server CAN see the AD
information but PROJECT SERVER cant (if that makes sense).

Mental Meltdown 1234

Matt