Question

I have a question regarding AD Import in a multi-domain environment. I currently have my SharePoint 2016 farm set up syncing users from the root domain in a forest. We also have a child domain under that. Now I'd like to modify the UPS to sync users from that domain as well.

All the guides and info I've found have indicated that only one User Profile Service Application is needed per forest, and furthermore, that one synchronization connection is good for an entire forest (i.e. no need to create a separate one for a subdomain in the same forest). However, I am having trouble setting mine up according to these guidelines.

Let me add that I have granted my AD sync account the necessary rights in both the parent and child domain already (it has "Replicating Directory Changes" rights at the root of both domains, plus membership in the Pre-Win2K Compatible group in both domains, and also "Replicating Directory Changes" rights on the Configuration partition in the root domain).

My research has indicated that all objects in a forest should show up when "Populate Containers" is clicked in the UPSA sync connection configuration, assuming the creds have the proper rights in all domains. However, in my testing, I've found this not to be the case. No matter what I do, I cannot get the subdomain containers to show up when I click "Populate Containers" in the existing synchronization connection. I've used my sync account creds, I've used domain admin creds from the root domain and even domain admin creds from the child domain, and in all cases, all I get back is the container list from the root domain.

I'm starting to think this is because my FQDN for this connection is specified as my root domain (let's call it "example.com"). Because if I go to create a new sync connection (under the same UPSA) and put in that domain, with any creds, I get the same results. However, if I go to create a new connection and put in the subdomain as the FQDN (e.g. "subdomain.example.com"), then I get the containers populated from the subdomain, as expected.

I have also read that problems can arise with multiple connections to the same forest, so I don't want to create an additional sync connection unnecessarily. But based on the above experience, it's starting to seem like I indeed do need a second connection in order to sync users from a subdomain in an AD forest (using AD Import).

Is this the case? Is there something else I'm missing here?

Any help is much appreciated!


Solution

ADI does not support a single connection to multiple forests, but it supports multiple connections to a single forest. We have the exact same scenario where we have 5 child domains, so we created 6 connections: 1 for the root domain and 5 for the 5 child domains.

If you are using any custom property mapping, then make sure you map that property for each domain. See this blog, as it is for the multi-domain scenario: "SharePoint 2016: AD Import Profile Property Mappings aka: my profiles are missing email address".
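The per-domain setup described in the answer, as an added PowerShell example that is not part of the original post: one AD Import connection per domain of the same forest, then the same custom property mapping applied to every connection. The UPSA name, the domain names, the sync account, the OU paths and the "CostCenter" / "extensionAttribute1" mapping are placeholders, and the object-model calls (UserProfileConfigManager, ConnectionManager, PropertyMapping.AddNewMapping) are assumed from the SharePoint 2013/2016 server API.

```powershell
# Added example, not the answerer's code. All names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upsa = Get-SPServiceApplication |
    Where-Object { $_.DisplayName -eq "User Profile Service Application" }

# Prompt for the sync account instead of embedding its password in the script.
# The account needs "Replicating Directory Changes" in every domain listed below.
$cred    = Get-Credential -Message "AD Import sync account (DOMAIN\user)"
$netCred = $cred.GetNetworkCredential()

# The question's own observation: populating containers follows the FQDN given as
# the forest/domain name, so each domain needs its own connection.
$domains = @(
    @{ Name = "example.com";           OU = "DC=example,DC=com" },
    @{ Name = "subdomain.example.com"; OU = "DC=subdomain,DC=example,DC=com" }
)

foreach ($d in $domains) {
    Add-SPProfileSyncConnection -ProfileServiceApplication $upsa `
        -ConnectionForestName $d.Name `
        -ConnectionDomain $netCred.Domain `
        -ConnectionUserName $netCred.UserName `
        -ConnectionPassword $cred.Password `
        -ConnectionSynchronizationOU $d.OU
}

# Property mappings live on the connection, so a custom mapping must be repeated
# for every domain connection or profiles from the other domains stay empty.
$site    = Get-SPSite -Limit 1 | Select-Object -First 1   # any site in the UPSA's proxy group
$context = Get-SPServiceContext $site
$config  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

foreach ($conn in $config.ConnectionManager) {
    $conn.PropertyMapping.AddNewMapping(
        [Microsoft.Office.Server.UserProfiles.ProfileType]::User,
        "CostCenter",           # SharePoint profile property (placeholder)
        "extensionAttribute1")  # AD attribute it is imported from (placeholder)
}
```

Run a full import afterwards and check a user from each domain in Manage User Profiles to confirm the mapped property was filled for both connections.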

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange