People Picker problem in a 2-way domain trust
-
2 August 2012, 4:00 PM
We have SharePoint 2010 in domain A and a 2-way trust between domains A and B. The two domains are in two different forests. When we try to assign a site collection administrator in CA, People Picker will display results from BOTH domains (so it seemingly recognizes and searches users from domain A and domain B), but it won't allow us to apply the selected user and save. The same thing happens in WFE sites themselves, not just in CA. More specifically, here's what happens:
- In People Picker, searching for John Smith (who is in domain B) returns search results including users from domains A and B.
- Selecting the user and closing the search results pop-up window correctly places the identified user into the Primary or Secondary Site Collection admin field.
- Mousing-over the recognized user in the field displays a tooltip such as "DomainB\jsmith". Everything seems peachy so far.
- But, clicking on the OK/SAVE button results in an error that the user cannot be found. This is not an issue with users from domain A (same domain where SharePoint is located).
- Here's the weirdest part... If I go to any file system folder on the server and on the security tab I give some permission to ANY user from DOMAIN B, apply/save, and go back to SharePoint CA, I can then repeat steps 1-4 above WITHOUT getting any errors in step 4. The Site collection admin is assigned without any problems. Why??????
At this point, I can assign site collection admins without any problems, repeatedly, even if I remove the file-system ACL from before. It lasts for some period of time (a day or less) and the problem returns again eventually. Somehow, "priming" of ACLs through the file system makes SharePoint "open up" the communication channels to the trusted domain B.
Why is this?
I found a bunch of posts talking about SP 2007 and the peoplepicker-searchadforests property in one-way trusts, and even sometimes in 2-way trusts, but not much in 2010, and nothing that describes the intermittent sort of problem that we have.
Any thoughts?
All replies
-
2 August 2012, 5:10 PM (Moderator)
Do the SharePoint servers have full network access to the other domain's domain controller(s)?
http://sharepoint.nauplius.net
-
6 August 2012, 4:30 PM
I'll try to look into that, but how would that explain the intermittent nature of this issue--the fact that SharePoint starts to work after you make an update to a file-system-level ACL?
Also, what type of network communication between SP and domain controllers would I need to check? Specific port numbers?
-
6 August 2012, 4:47 PM (Moderator)
Take a look at:
http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx
Also remember that SharePoint will try to access any domain controller within that specific domain, so it is possible that it is doing a round-robin query.
http://sharepoint.nauplius.net
- Marked as answer by Rock Wang – MSFT, 10 August 2012, 7:41 AM
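As an added illustration of the moderator's suggestion (this is not code from the thread or from Microsoft), the following PowerShell script, run on a SharePoint 2010 WFE, enumerates the domain controllers of the trusted domain through the .NET AD locator and tests TCP reachability to each of them on a handful of ports that directory lookups commonly use. The domain name `domainb.example` and the port list are assumptions; the authoritative port/protocol list is the TechNet post linked above, so adjust the list to match it.

```powershell
# Added example (not from the thread): check that every DC of the trusted domain
# is reachable from this SharePoint server on the ports People Picker relies on.
# Assumptions: 'domainb.example' stands in for domain B; the port list is a common
# subset (Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, Global Catalog) and
# should be reconciled with the linked port/protocol requirements post.
param(
    [string]$TrustedDomain = "domainb.example",
    [int[]]$Ports = @(88, 135, 389, 445, 636, 3268, 3269),
    [int]$TimeoutMs = 3000
)

Add-Type -AssemblyName System.DirectoryServices

function Get-TrustedDomainControllers {
    param([string]$DomainName)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    # More than one DC is normal; SharePoint may query any of them, so test all.
    $domain.DomainControllers | ForEach-Object { $_.Name }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout, not a refusal.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in (Get-TrustedDomainControllers -DomainName $TrustedDomain)) {
    foreach ($port in $Ports) {
        New-Object PSObject -Property @{
            DomainController = $dc
            Port             = $port
            Open             = (Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs)
        }
    }
}

$results | Sort-Object DomainController, Port | Format-Table DomainController, Port, Open -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    # One DC reachable and another not would match the round-robin, intermittent symptom.
    Write-Warning ("{0} DC/port combinations are unreachable from this server." -f $blocked.Count)
}
```

If one DC passes and another fails, that is consistent with the round-robin behaviour the moderator describes: whether a given People Picker resolution succeeds then depends on which DC the locator handed out. `nltest /dsgetdc:<domain>` on the same server shows which DC the Windows locator currently prefers, which is useful for correlating a failed save with a specific controller.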
-
6 August 2012, 5:30 PM
I have experienced the same issue you are having. I found the issue happened when the user isn't in the site collection user information list. So rather than open ports to our secure domain, the workaround for us is to add the user to a SharePoint group (i.e. Viewers) then remove them. They are then in the site collection user information list and it resolves them just fine from the People Picker at that point. I don't know why it can't use the UPSA... otherwise what's the point of me synchronizing the information in the first place.
- Marked as answer by Rock Wang – MSFT, 10 August 2012, 7:41 AM
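The workaround in the answer above can be scripted rather than clicked through, which also makes it easy to verify the claim that the user is absent from the site collection's User Information List before priming and present afterwards. The script below is an added example, not code from the thread; the site URL, login and group name are placeholders, it assumes the SharePoint 2010 snap-in is available on the server, and it finishes by making the secondary site collection admin assignment that the original question was attempting.

```powershell
# Added example (not from the thread): script the "add to a group, then remove
# from the group" workaround and confirm the user lands in the User Information List.
# Assumptions: $SiteUrl, $UserAlias and $GroupName are placeholders; the script runs
# on a SharePoint 2010 server with the Microsoft.SharePoint.PowerShell snap-in.
param(
    [string]$SiteUrl   = "http://sharepoint.example/sites/teamsite",
    [string]$UserAlias = "DomainB\jsmith",
    [string]$GroupName = "Viewers"
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Test-SiteUserKnown {
    # True when the login already appears among the site users, i.e. in the
    # site collection's User Information List. The -like match covers both
    # classic logins (DomainB\jsmith) and Windows claims logins (i:0#.w|domainb\jsmith).
    param([string]$Url, [string]$Alias)
    $known = Get-SPUser -Web $Url | Where-Object { $_.UserLogin -like "*$Alias" }
    return [bool]$known
}

if (Test-SiteUserKnown -Url $SiteUrl -Alias $UserAlias) {
    Write-Host "$UserAlias is already in the user information list; nothing to prime."
} else {
    # Adding the user to a group creates the user entry in the site collection...
    New-SPUser -UserAlias $UserAlias -Web $SiteUrl -Group $GroupName | Out-Null
    # ...then remove only the group membership. Without -Group, Remove-SPUser removes
    # the user from the web itself, which would undo the point of the exercise.
    Remove-SPUser -Identity $UserAlias -Web $SiteUrl -Group $GroupName -Confirm:$false
    $primed = Test-SiteUserKnown -Url $SiteUrl -Alias $UserAlias
    Write-Host "$UserAlias present in user information list after priming: $primed"
}

# The user now resolves, so the site collection admin assignment from the
# original question can be made here as well instead of through the UI.
Set-SPSite -Identity $SiteUrl -SecondaryOwnerAlias $UserAlias
```

Running the script on a site where the user has never been granted anything shows the before/after state directly, which is a quicker way to confirm the answer's explanation than waiting for the problem to recur. It works around the symptom only; the trusted-domain DC reachability the moderator raised is still worth checking, since the People Picker still has to resolve logins that are not yet in the list.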

