Active Directory mode

  • Question

  • Is the requirement around Active Directory mode just for the AD that the servers are members of?  My tfssetup account is in a trusted AD and I'm wondering if that could have an impact on our testing.

    In general, our test servers are in a semi-isolated AD and user accounts (developers, testers, etc.) are in the trusted AD.  Has this (or a similar configuration) been tested?
    Tuesday, October 4, 2005 5:11 PM


All replies

  • I am working with TFS in a similar environment and am able to connect to the server from the other domain. When connecting to the server you get a nice logon box where you can provide the credentials that you need in the trusted domain.

    Up until now (working now for 3 days on this) I did not experience problems.

    I work with two fully separated domains with accounts that are also different in username.

    It's great to see that this support is added in BETA 3.

    Thursday, October 6, 2005 8:35 AM
  • Tomf,

    Can you tell me a little more about your AD environment please?
    What domain functional level and forest functional level are you running with?
    What trust relationships do you have between your "Test" domain and your "User" domain?

    Thursday, October 6, 2005 11:04 PM
  •  Dan Kershaw wrote:
    What domain functional level and forest functional level are you running with?
    We're running Windows Server 2003 functional level for both.
     Dan Kershaw wrote:
    What trust relationships do you have between your "Test" domain and your "User" domain?
    The test domain has an outgoing trust to the user domain (non-transitive).  The user domain has a corresponding incoming trust to the test domain (again, non-transitive).

    From everything I've seen in the docs, that should work just fine.  If you have any concerns or additional questions, let me know.
    Friday, October 7, 2005 6:12 PM
  • Marcel,

    Tom is still having a few issues with his configuration, and I wanted to compare it to yours to understand why his is failing.

    As he's explained, Tom has a User domain and a child Test domain, where there are one-way non-transitive trusts set up in either direction, to isolate the trust relationship between these two networks.
    One other piece of info is that Tom used the following 3 accounts:  User\TFSSetup, Test\TFSService and Test\TFSReports.

    Marcel, what trust relationship do you have between your 2 domains and from which domain(s) were the accounts used to set up TFS?

    Friday, October 14, 2005 6:52 PM
  • Dan,
    The interesting thing is that I don't have any trust relations whatsoever. We have two strictly separated domains. Every user has a different account in both domains (so we don't even share the same user names).
    This is an environment set up because the domain is for 40.000+ users and the administrators are reluctant to give us any servers in the production domain. So we have a dev domain where the TFS server lives and the Visual Studio environment runs in the production domain.

    When I start VS.NET I only need to provide my dev domain credentials once and I am set to go. I had little problems with SharePoint at first but that was caused by SP 2 and the server set to Kerberos authentication. I fixed this by setting it back to NTLM, and now I see that when I want to access the portal I get the logon box again and by providing the correct credentials again for the dev domain, I can do everything I want.

    Hope this helps fix Tom's problem :-)

    Saturday, October 15, 2005 6:47 PM
  • It turns out that Tom was running into some interesting syncing issues when TFS was trying to authenticate accounts.

    Please see http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=111712
    Monday, October 17, 2005 11:31 PM