When TFS is deployed in an Active Directory domain environment, it uses Windows accounts stored in the domain. TFS uses its service account, usually TfsService, to read the SID, email address, display name and other account information from AD for every domain that TFS users belong to. Consequently, the service account requires read permission in all domains that contain TFS users.
Account synchronization conditions
The synchronization happens:
- When TFS starts up
- When an account is added to a TFS group via Team Explorer
- When the TFS task scheduler fires a synchronization job every hour
Multiple domain considerations
In organizations where TFS users come from multiple domains, use a service account from a domain that is trusted by all the other domains. When using Visual Studio to add users to TFS, log on to the domain that is trusted by the other domains so that accounts from all domains can be listed.
How to deal with TF200035?
Many customers have reported the error "TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize with the following Active Directory identity". It means that TFS cannot read account information from Active Directory for some TFS users. First check whether the account named in the error message actually exists in the domain. You can also run "TfsSecurity /server:TfsServer /imx domain\account" to simulate TFS synchronizing that account or group. If TFS can retrieve account information for an existing TFS user, the output looks like the following:
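To make this triage repeatable, here is an added PowerShell script (not from the original article and not part of the TFS product) that, for each DOMAIN\account named in a TF200035 error, reads the same attributes TFS synchronizes (SID, display name, email) from AD with a plain directory search, distinguishes "account does not exist" from "this domain cannot be read", and then runs the TfsSecurity /imx check. The server name, the account list and the presence of TfsSecurity.exe on the PATH are assumptions.

```powershell
# Added example, not from the original article. Triages the accounts named in a
# TF200035 error: for each DOMAIN\account, read the attributes TFS synchronizes
# (SID, display name, mail) with a plain AD lookup, then run TfsSecurity /imx.
# Run it as the TFS service account (e.g. TfsService) to see AD with TFS's rights.
# Assumptions: TfsSecurity.exe is on PATH; server name and accounts are placeholders.
param(
    [string]$TfsServer = 'TFSSERVER',                                 # placeholder
    [string[]]$Accounts = @('CONTOSO\jdoe', 'FABRIKAM\BuildAdmins')   # constructed sample
)

function Resolve-AdAccount {
    param([Parameter(Mandatory)][string]$DomainAccount)
    $domain, $sam = $DomainAccount -split '\\', 2
    if (-not $sam) { throw "Expected DOMAIN\account, got '$DomainAccount'" }
    # Escape LDAP filter metacharacters (RFC 4515) so an odd account name cannot alter the query.
    $safeSam = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $result = [ordered]@{ Account = $DomainAccount; Found = $false; Error = $null }
    try {
        # Binding to LDAP://<domain> exercises the same read permission the TFS
        # service account needs in every domain that contains TFS users.
        $root = [ADSI]"LDAP://$domain"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(|(objectCategory=person)(objectCategory=group))(sAMAccountName=$safeSam))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'displayName', 'mail'))
        $hit = $searcher.FindOne()
        if ($hit) {
            $result.Found       = $true
            $result.Sid         = (New-Object System.Security.Principal.SecurityIdentifier(@($hit.Properties['objectsid'])[0], 0)).Value
            $result.DisplayName = [string](@($hit.Properties['displayname'])[0])
            $result.Mail        = [string](@($hit.Properties['mail'])[0])
        }
    } catch {
        # A bind/search failure is a trust or read-permission problem, not a missing account.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Test-TfsIdentitySync {
    param([string]$Server, [string[]]$DomainAccounts)
    foreach ($acct in $DomainAccounts) {
        $info = Resolve-AdAccount -DomainAccount $acct
        if ($info.Error)      { Write-Warning "$acct : cannot read domain ($($info.Error))"; continue }
        if (-not $info.Found) { Write-Warning "$acct : not found in AD; remove or re-add it in Team Explorer"; continue }
        $info | Format-List | Out-String | Write-Host
        # The check the article recommends: let TfsSecurity read the identity as TFS would.
        & TfsSecurity.exe /server:$Server /imx $acct
    }
}

Test-TfsIdentitySync -Server $TfsServer -DomainAccounts $Accounts
```

An account that resolves here but still fails under TfsSecurity points at the service account's permissions or a trust problem rather than at the account itself.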
More resources to read
Trusts and Forests Considerations for Team Foundation Server.