Import user profile from another domain active directory


  • Friday, September 3, 2010 17:12
     
     

    Hi,

    I have SharePoint 2010 running on DomainB and we have corporate users on DomainA. I need to import users from both DomainA and DomainB. I am able to import users from DomainB and not able to import users from DomainA. I made a successful connection to both the DomainA AD and the DomainB AD in the SharePoint 2010 user profile synchronization connections. I am able to sync users only from DomainB (SharePoint 2010 running on DomainB) and not able to synchronize profiles from DomainA (outside domain). Is there any additional configuration I need to do? Please help me on this issue.

    Thanks,

    Ratna

All replies

  • Saturday, September 4, 2010 00:07
     
     

    Hi Ratna,

    There are two ways to go about this.
    You can either set up a two-way trust between the two domains,
    or you can set up sync connections for resource and login domains. This is an option in the drop-down on the create sync connections page.

    Hope that helps.


    Mirjam
    Microsoft Certified Master | SharePoint 2007
    sharepointchick.com
  • Wednesday, September 8, 2010 15:11
     
     

    Hi Mirjam,

    Thanks for the reply. I did try the sync connection by selecting the Active Directory resource and am still getting the same problem. Does it need a domain trust between the two Active Directories?

    If I go to the FIMsync tool I am getting a "replication access was denied" error message.

    Any idea on the above error message?

     

    Thanks,

    Ratna

     

  • Sunday, September 12, 2010 03:45
    Moderator
     
     Answered

    Does the directory sync account also have Replicate Directory Changes permission for domain A?

    Please read http://blogs.msdn.com/b/russmax/archive/2010/03/20/sharepoint-2010-provisioning-user-profile-synchronization.aspx for more.

  • Sunday, September 12, 2010 21:14
     
     Answered

    Yes, you must set the replicating directory changes permission on the source domain for the sync account. In this case, this is because the domain is different.

    Please don't use Russmax's beta instructions, which include a few errors/out-of-date details - please follow the guidance on TechNet or the guide on my site.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
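
To confirm the permission discussed in the two answers above, the ACL on the source domain's root can be checked for the Replicating Directory Changes extended right. This is an added example, not code from the thread or from SharePoint; the function name, account names and sample ACEs are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Account names and ACEs below are constructed.
# Control access right GUID for DS-Replication-Get-Changes ("Replicating Directory Changes").
$GetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicatingDirectoryChanges {
    param(
        [Parameter(Mandatory)] [object[]] $Aces,        # .Access entries of the domain root ACL
        [Parameter(Mandatory)] [string[]] $Identities   # sync account plus any groups it is in
    )
    # Keep ACEs for these identities that cover the right: either the specific
    # GUID, or the all-zero GUID, which stands for every extended right.
    $hits = @($Aces | Where-Object {
        $Identities -contains [string]$_.IdentityReference -and
        [string]$_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
        ([guid]$_.ObjectType -eq $GetChanges -or [guid]$_.ObjectType -eq [guid]::Empty)
    })
    $allow = @($hits | Where-Object { [string]$_.AccessControlType -eq 'Allow' })
    $deny  = @($hits | Where-Object { [string]$_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Granted   = ($allow.Count -gt 0 -and $deny.Count -eq 0)  # an explicit Deny wins
        AllowAces = $allow
        DenyAces  = $deny
    }
}

# Constructed sample shaped like (Get-Acl 'AD:\<domain DN>').Access output.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'DOMAINA\Domain Admins'; ActiveDirectoryRights = 'GenericAll'
                       ObjectType = [guid]::Empty; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'DOMAINA\spsync'; ActiveDirectoryRights = 'ExtendedRight'
                       ObjectType = $GetChanges; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'DOMAINA\helpdesk'; ActiveDirectoryRights = 'ReadProperty'
                       ObjectType = [guid]::Empty; AccessControlType = 'Allow' }
)

foreach ($account in 'DOMAINA\spsync', 'DOMAINA\helpdesk') {
    $result = Test-ReplicatingDirectoryChanges -Aces $sample -Identities $account
    '{0}: Replicating Directory Changes granted = {1}' -f $account, $result.Granted
}

# Against a real directory (assumes the ActiveDirectory module and an AD: drive
# connected to the source domain; <domain DN> is a placeholder):
#   $aces = (Get-Acl 'AD:\<domain DN>').Access
#   Test-ReplicatingDirectoryChanges -Aces $aces -Identities 'DOMAINA\spsync'
```

Running the same function over every identity in the ACL also shows which other principals hold this right on the domain, which is worth reviewing whenever it is granted to a service account.
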
  • Wednesday, February 2, 2011 04:42
     
     

    Yes, you must set the replicating directory changes permission on the source domain for the sync account. In this case, this is because the domain is different.

    Please don't use Russmax's beta instructions, which include a few errors/out-of-date details - please follow the guidance on TechNet or the guide on my site.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007

    Hi Spence,

    Can we achieve this kind of functionality by using ADFS 2.0 settings also? If yes, please let me know how we can do that.


    Thanks n Regards, RB. Twit me @ranjeetbhargava Follow me @Bhargavablog.wordpress.com, www.assigncorp.com, www.assigninfo.com, Assign Lab India
  • Monday, August 6, 2012 22:53
     
     

    Hi all,

    I have had an ongoing call open with MS now for about 5 months trying to achieve just this. I am sure I achieved this in a lab but in a live environment I am having problems.

    I have a SharePoint 2010 resource forest (DomainA) and a user forest (DomainB), I have ADFS2.0 federation working perfectly to allow users from DomainB to authenticate to the SharePoint farm in DomainA. I pass across the sAMAccountName as my ADFS claim.

    I am at the point now where I want to synchronise user profile data from DomainB and map this against my ADFS claim. I have configured the mapping and have successfully created a User Profile Sync connection using an account (DomainB\mySyncAccount) with Replicating Directory Changes permissions. The sync connection pulls through the OU structure of my external domain, allows me to pick my OU and then creates the connection.

    Problem is the sync connection does not sync, and I see failed authentication in the FIM client.

    Has anybody been able to successfully get this working in an environment where there is no AD trust between the domains?

    PLEASE HELP!!! :)

    Chris