Two Trust & AD sync


Richard Lovelace

I am trying to allow users from a remote domain (B) to connect to a
Project Server in our local domain (A). I have created an AD global
group (A Project Users) and can successfully synchronize that group
with the Project Server. What I would like to do is create a local
domain group (Project Users) with my global group (A Project Users) as
a member. I want domain B to create their own global group (B Project
Users) and then add that group to the Project Users group as a member,
and get Project to sync with the Project Users group. There is a two-way
trust in place and working between the domains. I have tried this
setup, and while Project will report a successful sync of the Project
Users group, none of the remote domain's users will get into Project;
in fact, no changes made to either child group make it in. Project does
not, however, deactivate any current users when I try to sync the Project
Users group. Is there anyone who can help with this or have a
suggestion on a better way to do it? The remote users need to have the
same functionality as the local ones.

Thanks,
Richard
 

Aaron Tamblyn

Have you had a look at this KB article? It provides some detail on your
question: http://support.microsoft.com/kb/887025/en-us

It describes the behaviour of the sync as:

The Active Directory synchronization component in Project Server 2003 does
the following things, in this order:
1. Contacts a global catalog in a specific Active Directory forest.
2. Performs a Lightweight Directory Access Protocol (LDAP) query by using
ActiveX Data Objects (ADO) to search for a specified Active Directory group
or organizational unit (OU).
3. Uses Active Directory Service Interfaces (ADSI) to obtain a reference to
the group or to the OU to iterate through the members of the group or the
members of the OU. This includes nested groups and organizational units.

It goes on to say:

When you synchronize Active Directory to a group cross forest, do the
following things:
• Use the full Fully Qualified Domain Name (FQDN) to specify the group. For
example, use the following FQDN to specify the group: (e-mail address removed)
• Make sure that the target domain in the remote forest contains a copy of
the global catalog for that forest.

I would assume that if you are running Active Directory in Windows 2003
native mode then you can add both groups to a container global group
and use that for the sync, can't you?
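The following script is an added diagnostic for the setup described in this thread; it is not code from the KB article, from Project Server, or from either poster. It walks a group the way the KB text quoted above says the Project Server 2003 sync does (bind through a global catalog, iterate the members, recurse into nested groups) and reports what each member object is and whether it resolves, so you can see which of the nested entries from the remote domain actually come back as user objects. Every name in it is an assumption: domain A is taken to be a.example.com with a global catalog on dc1.a.example.com, and the group DN is a placeholder for your own Project Users group.

```powershell
# Added diagnostic for the thread above, not code from KB 887025 or from Project Server.
# Walks a group through the global catalog, iterates its members and recurses into nested
# groups (the order the KB describes), reporting what each member resolves to.
# All names below are assumptions / placeholders for the poster's environment.
$GroupDn  = 'CN=Project Users,OU=Groups,DC=a,DC=example,DC=com'   # assumed container group in domain A
$GcServer = 'dc1.a.example.com'                                    # assumed global catalog in domain A

function Get-GroupMembersViaGc {
    param(
        [Parameter(Mandatory=$true)] [string]$Dn,
        [Parameter(Mandatory=$true)] [string]$Gc,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Dn)) { return }   # guard against circular nesting
    $Seen[$Dn] = $true

    # Bind to the group through the global catalog and read its member DNs.
    $group = [ADSI]"GC://$Gc/$Dn"
    foreach ($memberDn in @($group.member)) {
        # Bind to the member object itself to find out what it is; ADSI binds lazily,
        # so force the bind here and treat a failure as "unreachable from domain A".
        $obj = [ADSI]"LDAP://$memberDn"
        try { $obj.psbase.RefreshCache() } catch { $obj = $null }
        if (-not $obj) {
            [pscustomobject]@{ Member = $memberDn; Kind = 'unreachable'; ResolvesTo = '' }
            continue
        }
        # objectClass is multi-valued (top, person, organizationalPerson, user);
        # the last value is the most specific class.
        $class = @($obj.objectClass)[-1]
        switch ($class) {
            'group' {
                [pscustomobject]@{ Member = $memberDn; Kind = 'nested group'; ResolvesTo = $memberDn }
                Get-GroupMembersViaGc -Dn $memberDn -Gc $Gc -Seen $Seen
            }
            'user' {
                [pscustomobject]@{ Member = $memberDn; Kind = 'user'; ResolvesTo = [string]$obj.sAMAccountName }
            }
            'foreignSecurityPrincipal' {
                # A member from a trusted forest is stored in the local domain as a foreign
                # security principal whose name is the member's SID. Translating that SID
                # through the trust shows whether domain A can still see the account behind it.
                $sidText = ([string]$obj.name) -replace '^CN=', ''
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = 'SID not translatable over the trust'
                }
                [pscustomobject]@{ Member = $memberDn; Kind = 'foreign security principal'; ResolvesTo = $account }
            }
            default {
                [pscustomobject]@{ Member = $memberDn; Kind = $class; ResolvesTo = '' }
            }
        }
    }
}

Get-GroupMembersViaGc -Dn $GroupDn -Gc $GcServer | Format-Table -AutoSize
```

Run it on a domain A member under an account that can read both domains. Members of the Project Users group that show up as foreign security principals rather than as user objects, or whose SID the trust cannot translate, are the first place to look when remote users fail to arrive; whether the Project Server 2003 sync component follows foreign security principals at all is not something the KB text quoted above states, so treat that as a question to confirm rather than a conclusion.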
 
