Comments on: Help with SharePoint Audiencing

By: David Tappan

David Tappan — Fri, 08 Jan 2010 16:27:17 +0000

OK, I didn’t realize you were dealing with multiple forests; in that case, what you say is correct. Putting AD groups in SharePoint groups is supported since WSS 3.0 SP2, so that’s a good workaround. One issue with it is that you have to maintain this audience in every site collection separately, but you can automate this with PowerShell or some third party tools.

If you are planning on consolidating the forests, you can also get around the problem by populating sIDHistory on the new users with the ADMT, and synchronizing passwords with the ILM Feature Pack or full-blown ILM. Or another way to address the problem would be to use a forms-based authentication provider against AD LDS if you don’t mind forms-based login. You could sync userproxy objects from AD LDS from both forests and build your audiences based on that.

So there are a lot of ways to crack this nut!

Good luck!

David

By: Justin

Justin — Fri, 08 Jan 2010 13:06:39 +0000

Ok, if you have two seperate AD Forests, using Universal Groups will not help as you can’t have members of a Universal Group from a different Forest. Universal Groups can contain members of any domain in the SAME forest that the group resides. Another thing that we’ve found, if you are working with Global Audiences (built in the SSP), they are created based off of User Profiles in the SSP. When Users are imported, they contain an attribute called “MemberOF”, which contains group membership in the same domain or same Forest (if targeting a GC). It does NOT contain groups from other forests. So….if you build an audience in the SSP and target an AD group, it will only pull in users that are from the same domain or forest as that AD group.

There is a way around this. You have to use site level audiences and base them on a Sharepoint Group. Inside this Sharepoint Group can be an AD group that contains members from multiple forests. The audience will correctly bring in all users from every forest. This is because site level audiences don’t work based on the User Profiles…..they go out to AD directly so they are “intelligent” enough to navigate through multiple AD’s.

By: David

David — Mon, 04 Jan 2010 14:12:45 +0000

Ah, yes, that makes sense. How many AD sites do you have? How many users? Do you have Exchange? Obviously a lot of things drive the global catalog placement decision–it look like this will have to be added in as a factor in your design process. In general I do think it makes sense to have more than one GC.

Thanks for following up–you bring up a very good point!

David

By: Justin

Justin — Tue, 29 Dec 2009 14:40:20 +0000

All internal firewalls are disabled. Seems that you can only designate DC’s in source’s domain. For example, my top level domain (domain.int) contains the Global Catalog for the forest, but my users are in a child domain (users.domain.int). When I target the child domain for the profile import it’s only seeing DC’s in the users.domain.int domain and doesn’t see the forest GC which is in the top level domain. I’ve double checked and DNS seems correct. To test, I made the DC in the child domain a global catalog, then forced replication. I then did a full profile import and recompiled my audience. Wah lah, all users are there. However, I won’t always be able to do this in the real world. I’m speaking to Microsoft today about this issue to see their recommendation. Will update after.

By: David

David — Sun, 27 Dec 2009 12:42:48 +0000

Hi Justin,

You should see all domain controllers in your domain, including global catalog servers. If you don’t, there must be something wrong. Perhaps your _msdcs entries are incorrect. Perhaps you are blocking port 3268 (the GC LDAP port) is blocked between your GC and your SSP server. I’d investigate that kind of thing.

By: Justin

Justin — Thu, 24 Dec 2009 17:06:13 +0000

Awesome post. I would like to use Universal Groups as the target of an audience. However, I’m not sure how to “hard code the connection to a particular domain controller”. When I look in the custom connection settings on my profile import connection, I can designate a domain controller, but it’s a drop down and I can’t make it the global catalog server.

By: René

René — Wed, 15 Jul 2009 15:31:41 +0000

Hi David,

thanks for sharing your experiences!

I think some of the restrictions you mentioned have recently been relieved by WSS 3.0 Service Pack 2. For example we can now put an AD-group into a SharePoint group and use this construction as a target audience.

Using AD-groups that are nested into each other still don’t seem to be accepted as a target audience, though.

Cheers
René