Active Directory Trusts, Sharepoint and You – Part 1 of 3…
A large percentage of Sharepoint environments are used for intranet collaboration. When used with Active Directory you get convenient features such as Integrated Authentication, Centralized User Management, Profile Imports, etc. In a hosted environment customers typically want to keep all of the advantages that Sharepoint offers while moving their environment into a highly available datacenter and having it supported by a team of dedicated experts.
In this three part series I am going to step through the process of linking a remotely hosted Sharepoint environment to a local Active Directory network safely and securely.
Part 1: Create a One-Way Active Directory Trust
Part 2: Configure the People Picker for your Web Application so it can crawl the local Active Directory domain
Part 3: Configure MOSS Profile Imports to crawl the local Active Directory domain
These instructions assume you have the following necessary elements in place to support this configuration:
1) Site-to-Site VPN between your local network and your hosted environment
2) An Active Directory environment on your local network
3) An Active Directory in your remote Sharepoint environment
4) Sharepoint installed and properly configured
5) Windows Server 2008 (Windows 2003 Trust configuration is essentially the same with a few very minor deviations)
Ensure that both domains have been raised to at least the Windows Server 2003 domain functional level. A forest trust additionally requires both forests to be at the Windows Server 2003 forest functional level; an external trust has no such requirement, and the two domains do not need to be at the same level.
Open Active Directory Users and Computers (Start -> Programs -> Administrative Tools), right click the domain name and select Raise domain functional level. Repeat for the other domain involved in the Trust. The forest functional level is raised from Active Directory Domains and Trusts instead: right click the root node and select Raise forest functional level.
If the domain functional level cannot be raised above Windows 2000 for operational reasons, use Conditional Forwarding instead of the Stub Zone described below. The Stub Zone is the recommended option, so it is worth pursuing the functional level raise: a stub zone learns the trusted domain's current name servers from the zone itself, whereas a conditional forwarder points at fixed IP addresses, which makes stub zones more stable and more tolerant of infrastructure changes.
Create the DNS Stub Zone
Log into the remotely hosted server that hosts the Active Directory DNS, and open the DNS Manager (Start -> Programs -> Administrative Tools). Right click on Forward Lookup Zones and select New Zone…
Click Next. On the Zone Type screen select Stub zone, then click Next through the Active Directory Zone Replication Scope and Forward or Reverse Lookup Zone screens (the defaults are fine)
Input the zone name you want to import (should be the name of the local non-hosted AD domain)
On the Master DNS Servers screen enter the IP address of one or more DNS servers from the local domain (they must be reachable over the site-to-site VPN) and click Next
Click Finish and you should now be back in the DNS Manager with a new zone created
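The same stub zone can be created from the command line with dnscmd, which ships with Windows Server 2008 DNS, and that also gives you a quick way to prove the hosted DNS server can now find the local domain's domain controllers before you start the trust wizard. The script below is an added example, not part of the original post; the domain names, host name and IP addresses are placeholders you would replace with your own.

```powershell
# Added example: command-line equivalent of the New Zone wizard above, plus the
# resolution checks the trust wizard depends on. Run on the hosted DNS server.
# Assumed names and addresses (placeholders, replace with your own):
$LocalDomain = 'corp.example.com'                 # the local, non-hosted AD domain
$LocalDns    = @('10.10.0.10', '10.10.0.11')      # DNS servers in the local domain, reachable over the VPN
$HostedDns   = 'dc1.hosted.example.com'           # hosted DNS server (this machine)

# Create an Active Directory-integrated stub zone for the local domain, replicated to
# every DNS server in the hosted forest. /DsStub takes the master (local) DNS servers;
# PowerShell passes each array element as a separate argument to dnscmd.
dnscmd $HostedDns /ZoneAdd $LocalDomain /DsStub $LocalDns /dp /forest

# Show the new zone's properties; the zone type reported should be a stub zone.
dnscmd $HostedDns /ZoneInfo $LocalDomain

# The trust wizard locates a domain controller in the local domain through these SRV
# records. Query the hosted server directly: it holds only the stub zone's NS records
# and should resolve the rest by asking the masters listed above.
foreach ($rec in "_ldap._tcp.dc._msdcs.$LocalDomain", "_kerberos._tcp.dc._msdcs.$LocalDomain") {
    nslookup -type=SRV $rec $HostedDns
}

# Final check from the DC locator's point of view: this fails with a clear error if the
# VPN, the stub zone or the SRV records are not right, which is much easier to read than
# the trust wizard's "domain cannot be contacted" message.
nltest /dsgetdc:$LocalDomain
```

If nslookup returns the SRV records but nltest fails, the DNS side is fine and the problem is usually that the VPN does not pass the ports a domain controller needs (LDAP, Kerberos, SMB and RPC) rather than the stub zone itself.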
Create the Trust
Now that the hosted domain for your Sharepoint environment knows how to contact your local network's AD domain, we can build the Trust between the two environments.
Log onto the hosted environment’s Domain Controller as a Domain Admin. Start Active Directory Domains and Trusts (Start -> Programs -> Administrative Tools). Right click on the domain name and select Properties
Select the Trusts tab and click New Trust…
Click Next. In the Trust Name screen enter the domain name of the local network (should be the name of the local non-hosted AD domain) and click Next
Select the type of trust you wish to use:
1) External non-transitive Trust – good for a single domain-to-domain trust as long as you do not use any alternate UPNs (domain aliases) with a different domain name. For example, if your local domain is domain.com, a UPN of subdomain.domain.com is fine. A UPN of anotherdomain.com would fail to traverse the Trust because it would be seen as a separate domain.
2) Forest transitive Trust – good for when you may need to trust multiple domains in the same forest, or when using alternate UPNs with a different domain name.
In most cases an External Trust is sufficient.
On the Direction of Trust screen select One-way: outgoing. This is the ideal Trust configuration when working with a hosted environment: the hosted domain trusts your local domain, so your local users can authenticate to Sharepoint through the Trust, but accounts from the hosted domain are not trusted by your local domain and cannot be granted access to anything there. That keeps technicians in the hosted environment out of your local Active Directory, which neither you nor they want. Keep in mind what the Trust does open up: once it exists, any user or group from your local domain can be granted rights in the hosted domain, so scope the Sharepoint permissions you assign on the hosted side to the specific local groups that need access.
On the Sides of Trust screen select Both this domain and the specified domain. This will create the necessary Trust configuration in both domains simultaneously.
On the User Name and Password screen enter the Domain Admin user and password from your local non-hosted Active Directory domain.
On the next screen choose either Domain-wide authentication or Selective authentication. Domain-wide authentication lets any computer in the hosted domain accept users from your local domain; Selective authentication only lets computers whose objects you have explicitly granted the Allowed to Authenticate permission accept them, which in this scenario would be just the Sharepoint servers. Selective authentication is the tighter choice, but it means one more permission to set and to remember when a server is added, so unless you have a specific reason or are just a glutton for punishment it's probably best to select Domain-wide authentication.
Click Next. Look over the summary of your settings choices and if everything looks good click Next again.
Click Next one more time on the Trust Creation Complete screen. On the next screen you will be prompted to Confirm the Outgoing Trust. It's a good idea to go ahead and confirm that the Trust is actually working.
If everything went smoothly the confirmation screen reports that the outgoing Trust was verified successfully. Pat yourself on the back and click Finish.
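The wizard steps above can also be scripted with netdom, which is useful when you need to rebuild the Trust on a new hosted environment or just want to verify an existing one and check its security settings without clicking through the properties dialogs. The script below is an added example, not part of the original post; the two domain names and the local admin account are placeholders you would replace with your own.

```powershell
# Added example: the one-way, non-transitive external trust from the wizard, created and
# verified with netdom (included with Windows Server 2008). Run on a hosted-domain DC,
# logged on as a hosted Domain Admin.
# Assumed names (placeholders, replace with your own):
$HostedDomain = 'hosted.example.com'     # trusting domain: hosts Sharepoint
$LocalDomain  = 'corp.example.com'       # trusted domain: your local users live here
$LocalAdmin   = 'CORP\Administrator'     # a Domain Admin in the local domain (wizard's User Name and Password screen)

# Create the trust. The first argument is the trusting domain and /Domain is the trusted
# domain, so without /Twoway this is exactly the wizard's "One-way: outgoing" choice made
# from the hosted side. /UserD and /PasswordD are the local-domain credentials netdom needs
# to create the other side of the trust at the same time ("Both this domain and the
# specified domain"); the '*' makes netdom prompt instead of leaving the password in history.
netdom trust $HostedDomain /Domain:$LocalDomain /Add /UserD:$LocalAdmin /PasswordD:*

# Optional: switch the trust to Selective authentication so only hosted computers that you
# grant "Allowed to Authenticate" (the Sharepoint servers) will accept local-domain users.
# netdom trust $HostedDomain /Domain:$LocalDomain /SelectiveAUTH:Yes

# Verify the secure channel, the same check as the wizard's Confirm Outgoing Trust step.
netdom trust $HostedDomain /Domain:$LocalDomain /Verify

# Report whether SID filtering ("quarantine") is on. It is the default for external trusts
# and should stay on: it discards SIDs from the trusted domain that do not belong to it,
# so a SID-History entry on a local account cannot be used to claim rights in the hosted domain.
netdom trust $HostedDomain /Domain:$LocalDomain /Quarantine

# List every trust this DC knows about, with direction and type flags, for the records.
nltest /domain_trusts
```

Run the /Verify and /Quarantine lines again whenever the hosted provider reports a change on their side; a trust that suddenly verifies in both directions, or that has had quarantine switched off, is something you want to notice.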
Stay tuned for part two: Configuring People Picker to crawl your local domain when searching for users to add.