Tips on deploying TFS in a multi-domain environment

We are asked from time to time about issues with TFS in a multi-domain environment. I'm writing this post to share some basic knowledge about this scenario and hope you will benefit from it. Before you continue, please take a look at Trusts and Forests Considerations for Team Foundation Server.

Tip 1: The domain that the TFSSERVICE account is in needs to be trusted by user domains.

TFS caches user accounts in its own databases. Under certain conditions, TFS synchronizes the cached accounts with AD. See my previous post TFS service account requires read permission in user domains for more information. For instance, suppose you have a domain group Developers in AD, and the Developers group is added to the Contributors group of a team project. You then add a new employee, Jim, to the Developers group. TFS considers Jim a member of the Contributors group only after a synchronization has run.

TFS uses the TFSSERVICE account to synchronize user accounts. If your user accounts come from multiple domains, the TFSSERVICE account needs to be authenticated by all of the user domains.

Tip 2: When you add users of another domain to a TFS group, you need to log in to your computer with an account that is trusted by the other domain.

Suppose you log in to your computer as DomainA\user1 and plan to add DomainB\user2 to the Contributors group of a team project with Team Explorer. Then DomainA needs to be trusted by DomainB. Otherwise, you will not be able to specify DomainB\user2 in the Select Users dialog box shown below:

[Figure: Select Users dialog box]
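Both tips come down to the same question: does the domain that has to authenticate an account trust the domain that account lives in? The PowerShell check below is an added example, not part of the original post or of TFS itself; it uses the ActiveDirectory module from RSAT, and the domain names in it are placeholders. The direction test follows the semantics of the trustDirection attribute as stored on the trusting side (Outbound or BiDirectional means "this domain trusts the target"), which you should confirm against your own trust configuration.

```powershell
# Added example: verify the trust directions that Tips 1 and 2 depend on.
# Requires the ActiveDirectory module (RSAT) and read access to the domains queried.
Import-Module ActiveDirectory

function Test-DomainTrust {
    <#
      Returns $true when $TrustingDomain trusts $TrustedDomain, i.e. when accounts
      from $TrustedDomain can be authenticated by $TrustingDomain.
    #>
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    # Accounts from a domain are always accepted by that same domain.
    if ($TrustingDomain -ieq $TrustedDomain) { return $true }

    # Read the trust objects stored in the trusting domain and pick the one that
    # points at the trusted domain. Assumption: domains are referred to by DNS name.
    $trust = Get-ADTrust -Filter * -Server $TrustingDomain -ErrorAction Stop |
             Where-Object { $_.Target -ieq $TrustedDomain -or $_.Name -ieq $TrustedDomain } |
             Select-Object -First 1
    if (-not $trust) { return $false }

    # As stored on the trusting side, 'Outbound' or 'BiDirectional' means
    # "this domain trusts the target"; 'Inbound' alone means only the reverse.
    return ($trust.Direction -in 'Outbound', 'BiDirectional')
}

# Placeholder names; replace with your own domains.
$tfsServiceDomain = 'corp.example.com'                        # domain of TFSSERVICE
$userDomains      = @('dev.example.com', 'partner.example.net')

# Tip 1: every user domain must trust the TFSSERVICE account's domain, otherwise
# that domain cannot authenticate TFSSERVICE when it synchronizes accounts.
foreach ($d in $userDomains) {
    $ok = Test-DomainTrust -TrustingDomain $d -TrustedDomain $tfsServiceDomain
    "{0,-22} trusts {1,-22}: {2}" -f $d, $tfsServiceDomain, $ok
}

# Tip 2: to add DomainB\user2 while logged in as DomainA\user1, DomainB must trust DomainA.
$adminLogonDomain = 'corp.example.com'      # DomainA in the post
$targetUserDomain = 'partner.example.net'   # DomainB in the post
$ok = Test-DomainTrust -TrustingDomain $targetUserDomain -TrustedDomain $adminLogonDomain
"Can add users from {0} while logged in from {1}: {2}" -f $targetUserDomain, $adminLogonDomain, $ok
```

A `False` for any line points at the trust that must be created or made bidirectional before TFS can synchronize or before the Select Users dialog box will resolve accounts from that domain.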