Friday, March 16, 2012

Step-by-Step: Create the User Profile Service Application & Synchronization in SharePoint 2010

When we deploy and configure a User Profile service application, we perform the following basic steps:

 

  1. Create and Configure Accounts and Permissions.
  2. Create the User Profile Service Application.
  3. Configure Connections and do Synchronization (Import).

As you configure profile synchronization, you will need information to answer questions in the user interface. You will also need accounts that have the appropriate permissions and a SharePoint Server 2010 farm that is already partly configured.

 

1.1 Create Accounts

The following accounts are required to configure the User Profile service application.

1. User Profile Sync account: DOMAIN\spUPS

The User Profile Sync Account is responsible for provisioning/running the User Profile Synchronization Service. It is the same account that runs both FIM services.

Permissions:

  · Farm Account (timer service account)
  · Local Admin (for the duration of sync provisioning)
  · Logged on as this account during provisioning
  · Member of the Pre-Windows 2000 Compatible Access group (optional)

2. Directory Synchronization account: DOMAIN\spADups (for a connection to Active Directory Domain Services (AD DS))

The directory sync (dir sync) account is responsible for authenticating/enumerating against a directory server in order to sync changes. This account requires specific permissions on the directory server in order to read and, sometimes, write to the directory.

Permissions:

  1. It must have Replicate Directory Changes permission on the domain that you will synchronize with.
  2. If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group.
  3. If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container.
  4. Optional: if you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with.
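A scripted version of the permission checks for the directory sync account, added here as an example and not part of the original post. From a machine with the RSAT ActiveDirectory module it verifies that the account holds the Replicate Directory Changes right (the AD schema calls it "Replicating Directory Changes") on the domain naming context and on the cn=Configuration container, and reports whether the account belongs to Pre-Windows 2000 Compatible Access. DOMAIN\spADups is the placeholder used above; the domain, group and DN lookups are assumptions about a lab domain, and the check only sees rights granted directly to the account, not rights it holds through group membership.

```powershell
# Added check (not from the article): does the directory sync account hold
# "Replicating Directory Changes" where profile import needs it?
# Requires the RSAT ActiveDirectory module (AD: drive, Get-ADDomain, Get-ADRootDSE).
Import-Module ActiveDirectory

$syncAccount = "DOMAIN\spADups"          # placeholder from the account list above
# Schema GUID of the "Replicating Directory Changes" control access right
$replicateChangesGuid = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-ReplicateDirectoryChanges {
    param([string]$Account, [string]$DistinguishedName)

    # Read the ACL of the naming-context root object through the AD: provider
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -eq $Account -and
        ([int]($_.ActiveDirectoryRights -band $extendedRight)) -ne 0 -and
        $_.ObjectType -eq $replicateChangesGuid
    }
    return (@($granted).Count -gt 0)
}

$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext

# The domain NC is always required; cn=Configuration only when the NetBIOS
# name differs from the FQDN, so both are reported and the admin decides.
foreach ($dn in @($domainDn, $configDn)) {
    if (Test-ReplicateDirectoryChanges -Account $syncAccount -DistinguishedName $dn) {
        Write-Host "OK      $syncAccount has Replicate Directory Changes on $dn"
    } else {
        Write-Host "MISSING $syncAccount lacks Replicate Directory Changes on $dn"
    }
}

# Pre-Windows 2000 Compatible Access membership (needed only for Windows Server 2003 DCs)
$samName = $syncAccount.Split("\")[1]
$userDn  = (Get-ADUser -Identity $samName).DistinguishedName
$members = (Get-ADGroup -Identity "Pre-Windows 2000 Compatible Access" -Properties member).member
if ($members -contains $userDn) {
    Write-Host "INFO    $syncAccount is a member of Pre-Windows 2000 Compatible Access"
} else {
    Write-Host "INFO    $syncAccount is not a member of Pre-Windows 2000 Compatible Access (only needed for Windows Server 2003 domain controllers)"
}
```

Run this before creating the synchronization connection. It deliberately matches only the right listed above: the broader Replicating Directory Changes All right has a different GUID, is not needed for profile import, and should not be granted in its place, so such a grant shows up here as MISSING rather than as a pass.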

 

1.1.1 Architecture Overview

The following logical component diagram provides an overview of the different elements that together deliver the profile synchronization capability.

[image: clip_image002]

Components

1. Architecture (Databases)

When you create a User Profile service application, SharePoint Server creates three databases for storing user profile information and associated data:

  · Profile database – used to store user profile information.
  · Synchronization database – used to store configuration and staging information for synchronizing profile data from external sources such as Active Directory Domain Services (AD DS).
  · Social tagging database – used to store social tags and notes created by users. Each social tag and note is associated with a profile ID.

2. User Profile Service

A “SharePoint Service” in Services on Server. This is not a Windows service but a set of .NET assemblies that do some work with profiles and other elements unrelated to synchronising properties. There are no configuration options. It should run on the machine in the farm you wish to use to host the User Profiles “Role”. When it is running, that machine is known as the Service Machine Instance.

[image: clip_image004]

3. User Profile Synchronization Service

A “SharePoint Service” in Services on Server. This is a wrapper responsible for provisioning the Forefront Identity Manager (FIM) bits. You select a UPS SA to associate with, and need to specify the credentials under which the FIM services will run. It should run on the machine in the farm you wish to use to host the User Profiles “Role”. When it is running, that machine is known as the Service Machine Instance.

[image: clip_image006]

4. Forefront Identity Manager (FIM)

Forefront Identity Manager (FIM), formerly known as Microsoft Identity Integration Server (MIIS), is used to facilitate synchronization between multiple endpoints. For example, FIM sits between Active Directory and the User Profile Service Application and is responsible for syncing changes between both endpoints. Without a healthy FIM, SharePoint sync isn’t possible and will fail. FIM is installed automatically when SharePoint 2010 is installed.

One of the UPA SQL databases is called the Sync database by default. FIM uses the profile Sync database to store its data. FIM has the following components:

  1. Two Windows services: Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service

     [image: clip_image008]

  2. Profile Sync database (SQL)
  3. miisclient.exe, used to view progress and troubleshoot sync
  4. The FIM binaries, including the MIIS Client tool, are located in C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\

5. User Profile Application Components

A user profile service application has multiple components, including the following:

  1. Three SQL databases (Social, Profile, Sync)
  2. Admin page (ManageUserProfileServiceApplication.aspx)

     [image: clip_image009]

  3. User Profile Service Application Proxy
  4. SharePoint services (User Profile Service and User Profile Synchronization Service)

     [image: clip_image010]

     Note: these services are located in Central Admin > System Settings > Manage services on server.

1.2 User Profile Service Application

Each user that you want to have a profile in SharePoint Server must have an identity in a directory service. (If users are not represented in a directory service, you cannot synchronize user profiles.) Identify which directory services contain information about these users.

1. Create the User Profile Service Application

  1. Central Admin -> Application Management -> Manage service applications.
  2. From the Ribbon, click New, followed by User Profile Service Application.
  3. Give it a name like ‘Custom User Profile Service Application’.
  4. Create a new App Pool (SharePoint Web Services Default) and use the DOMAIN\spUPS managed account.
  5. Provide new names for the three databases (Profile DB, Sync DB, Social Tagging DB).
  6. Select the machine in the farm running FIM (Profile Synchronization Instance), i.e. the application server name.
  7. Enter the URL of the My Site host (http://my.sharepoint.com). Amazingly, this step actually validates the target site collection!
  8. Select your managed path and site naming scheme. (Create the My Site host before the UPS configuration, or add it later.)
  9. In the Site Naming Format section, select a naming scheme.
  10. In the Default Proxy Group section, select whether you want the proxy of this User Profile Service to be a part of the default proxy group on this farm.
  11. Click Create.
  12. When the Create New User Profile Service Application page displays the message “Profile Service Application successfully created”, click OK. (The Service Application, Service Connection and Databases are created.)

2. Start the User Profile Synchronization service

In this procedure, you start the User Profile Synchronization service. The User Profile Synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize information with external systems.

To start the User Profile Synchronization service:

  1. On the Central Administration Web site, in the System Settings section, click Manage services on server.
  2. On the Services on Server page, in the Server box, select the synchronization server.
  3. Find the row whose Service column value is User Profile Synchronization Service. If the value in the Status column is Stopped, click Start in the Action column.
  4. On the User Profile Synchronization Service page, in the Select the User Profile Application section, select the User Profile service application.
  5. In the Service Account Name and Password section, the farm account is already selected. Enter the password for the farm account in the Password box, and enter it again in the Confirm Password box.
  6. Click OK.

[image: clip_image012]

  7. Although the screen returns immediately, the status of the UPS service will show Starting for a while.
  8. It is provisioning the FIM services and a bunch of other things.
  9. An IIS reset is required if Central Admin is on the same box as FIM.
  10. Once it has finished you can see in services.msc that the two FIM services are running as the farm account, you can run miisclient.exe and it will connect, etc.

[image: clip_image008]

The Services on Server page shows that the User Profile Synchronization service has a status of Starting. When you start the User Profile Synchronization service, SharePoint Server provisions FIM to participate in synchronization. This may take up to 10 minutes. To determine whether the User Profile Synchronization service has started, refresh the Services on Server page.
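The two procedures above, creating the service application and starting the services, scripted in the SharePoint 2010 Management Shell. This is an added example, not the article’s own script. The names, database names, My Site URL and DOMAIN\spUPS follow the article’s placeholders; SetSynchronizationMachine is the UserProfileApplication method assumed to be behind the UI’s “select the User Profile Application and enter the farm account password” step. It runs on the application server that will host FIM, logged on as the farm account while that account is still a local administrator.

```powershell
# Added example (not from the article): create the User Profile Service Application
# and start the two SharePoint services from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccountName = "DOMAIN\spUPS"                   # placeholder from the account list
$appPoolName     = "SharePoint Web Services Default"
$upaName         = "Custom User Profile Service Application"
$syncServer      = $env:COMPUTERNAME                # the Profile Synchronization Instance

# Application pool under the managed account, reused if it already exists
$managedAccount = Get-SPManagedAccount -Identity $farmAccountName
$appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
if ($appPool -eq $null) {
    $appPool = New-SPServiceApplicationPool -Name $appPoolName -Account $managedAccount
}

# The service application, its three databases, the My Site host and managed path,
# plus a proxy placed in the default proxy group (database names are assumptions)
$upa = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $appPool `
    -ProfileDBName "UPA_ProfileDB" -SocialDBName "UPA_SocialDB" -ProfileSyncDBName "UPA_SyncDB" `
    -MySiteHostLocation "http://my.sharepoint.com" -MySiteManagedPath "personal"
New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# The User Profile Service has no settings; just make sure it is online on this server
$upsInstance = Get-SPServiceInstance -Server $syncServer |
    Where-Object { $_.TypeName -eq "User Profile Service" }
if ($upsInstance.Status -ne "Online") { Start-SPServiceInstance -Identity $upsInstance | Out-Null }

# The User Profile Synchronization Service must be bound to this UPA and given the
# farm account credentials. SetSynchronizationMachine takes the password in clear
# text, so prompt for it rather than storing it in the script.
$syncInstance = Get-SPServiceInstance -Server $syncServer |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
$farmPassword = Read-Host -Prompt "Password for $farmAccountName"
$upa.SetSynchronizationMachine($syncServer, $syncInstance.Id, $farmAccountName, $farmPassword)
Start-SPServiceInstance -Identity $syncInstance | Out-Null

# Provisioning FIM can take up to 10 minutes; "Starting" in the UI is "Provisioning" here
do {
    Start-Sleep -Seconds 30
    $status = (Get-SPServiceInstance -Identity $syncInstance.Id).Status
    "User Profile Synchronization Service: $status"
} while ($status -eq "Provisioning")

# Confirm both FIM Windows services exist and run as the farm account.
# If Central Administration is on this server, run iisreset afterwards.
Get-WmiObject -Class Win32_Service -Filter "Name='FIMService' OR Name='FIMSynchronizationService'" |
    Select-Object Name, State, StartName
```

Once the service instance reports Online and both FIM services show the farm account in StartName, remove the farm account from the local Administrators group again; local admin is only needed for the duration of provisioning.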

 

 

1.3 Configure Connections and do Synchronization (Import)

Plan synchronization connections

Each property in a user's profile can come from an external system. There are two types of external systems: directory services and business systems. Throughout this article, the phrase business system is used to mean an external system that is not a directory service. SAP, Siebel, SQL Server, and custom applications are all examples of business systems.

In SharePoint Server, a synchronization connection is a means to get user profile information from an external system. To import profiles from one of the supported directory services, you create a synchronization connection to the directory service. To import additional profile properties from a business system, you create an external content type to bring the data from the business system into SharePoint Server, and then create a synchronization connection to the external content type. The following sections explain how to gather the information that you will need about each synchronization connection.

Configure connections and import data from directory services

To import profiles, you must have at least one synchronization connection to a directory service. During this phase, you create a synchronization connection to each directory service that you want to import profiles from.

This phase involves the following tasks:

  1. Create a synchronization connection to a directory service
  2. Define exclusion filters for a synchronization connection
  3. Map user profile properties
  4. Start profile synchronization

1. To create a Profile Synchronization connection to a directory service

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  2. On the Manage Service Applications page, select the User Profile service application.
  3. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.
  4. On the Synchronization Connections page, click Create New Connection.
  5. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.
  6. From the Type list, select the type of directory service to which you want to connect (select Active Directory).
  7. Enter the Forest Name (for simple scenarios this will be the same as your domain name).
  8. Choose Windows Authentication.
  9. Enter the credentials of the directory synchronization account (DOMAIN\spADups in the account list above) for the connection. This is the important bit: this account is what FIM will use to connect, hence the Replicate Directory Changes permission.

[image: clip_image014]

  10. Hit the Populate button; this will test the credentials entered and show a Container Hierarchy tree view.
  11. Don’t select the DOMAIN! Select an OU! This is the OU from which you want to import/sync.

[image: clip_image016]

  12. See that Select All button? Don’t ever click that.
  13. Save the connection by clicking OK. Your connection will be saved and you will be returned to the manage connections page.

 

Define exclusion filters for a synchronization connection

In this procedure, you define filters for the connection to indicate which user profiles and which groups to exclude from synchronization.

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  2. On the Manage Service Applications page, click the User Profile service application name.
  3. On the Manage Profile Service page, in the Synchronization section, select Configure Synchronization Connections.
  4. On the Synchronization Connections page, right-click the connection for which you want to configure Profile Synchronization connection filters, and then click Edit Connection Filters.
  5. On the Edit connection filters page, in the Exclusion Filters for Users section, select the operator to use to join the clauses of the filter.
     1. To specify that all of the clauses of the filter must be true, select All apply (AND).
     2. To specify that at least one of the clauses of the filter must be true, select Any apply (OR).
  6. In the Attributes list, select the directory service attribute to compare.
  7. In the Operator list, select the comparison operator to use.
  8. In the Filter box, type the value to compare the attribute to.
  9. Click Add. The clause that you added is displayed in the Exclusion Filter for Users area.
  10. To add additional clauses to the filter, repeat steps 6 through 9.
  11. To filter which groups are synchronized, repeat steps 5 through 9, using the Exclusion Filters for Groups section of the page.
  12. When you have finished adding connection filters, click OK.
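The connection-creation and exclusion-filter procedures above, as far as they can be scripted in the SharePoint 2010 Management Shell. This is an added example, not the article’s own. It assumes the Add-SPProfileSyncConnection cmdlet is available (it shipped with SharePoint 2010 Service Pack 1, which fits a farm in 2012) and that its -ConnectionUseDisabledFilter parameter is the disabled-account filter; the forest, NetBIOS domain, OU and DOMAIN\spADups values are placeholders. Scoping the connection to one OU is the scripted equivalent of “Don’t select the DOMAIN! Select an OU!”.

```powershell
# Added example (not from the article): create the AD synchronization connection
# scoped to a single OU, with disabled accounts excluded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq "Custom User Profile Service Application" }
if ($upa -eq $null) { throw "User Profile Service Application not found" }

$forestName = "corp.example.com"                      # placeholder forest FQDN (Forest Name box)
$domainName = "DOMAIN"                                # NetBIOS domain name
$syncUser   = "spADups"                               # directory sync account, without the domain prefix
$syncOu     = "OU=Staff,DC=corp,DC=example,DC=com"    # the OU to import from, never the domain root

# Prompt for the password as a SecureString rather than embedding it in the script
$syncPassword = Read-Host -Prompt "Password for $domainName\$syncUser" -AsSecureString

Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $forestName `
    -ConnectionDomain $domainName `
    -ConnectionUserName $syncUser `
    -ConnectionPassword $syncPassword `
    -ConnectionSynchronizationOU $syncOu `
    -ConnectionUseDisabledFilter:$true                # skip disabled accounts (assumed parameter)
```

The OU scope and the disabled-account filter are the only filtering this cmdlet offers; attribute-based exclusion filters such as the ones built in the Edit Connection Filters page are still defined there after the connection exists.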

 

Map user profile properties

In this procedure, you determine how the properties of SharePoint Server user profiles map to the user information that is retrieved from the directory service.

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  2. On the Manage Service Applications page, click the User Profile service application name.
  3. On the Manage Profile Service page, in the People section, click Manage User Properties.
  4. On the Manage User Properties page, right-click the SharePoint Server property that you want to map to a directory service property, and then click Edit.
  5. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
  6. To add a new mapping, do the following:
     1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the external system to which you want to map the SharePoint Server property.
     2. In the Attribute list, select the name of the attribute in the external system to which you want to map the property.
     3. In the Direction list, select the mapping direction. A direction of Import means that the value of the attribute in the external system will be imported into SharePoint Server and used to set the value of the SharePoint Server property. A direction of Export means that the value of the property in SharePoint Server will be exported to the external system and used to set the value of the attribute in the external system.
     4. Click Add.
  7. Click OK.
  8. Repeat steps 4 through 7 to map additional properties.

 

Start profile synchronization

  1. On the Start Profile Synchronization page, click OK.
  2. Refresh the Manage Profile Service page; you will see the progress on the right-hand side.

[image: clip_image018]

  3. Click the details link to see some work in a pop-up dialog. This and the Manage Profile Service page DO NOT refresh automatically. You can also see some more GUID love from the SharePoint engineering teams in this UI.
  4. You can also see progress by running miisclient.exe.
  5. Note that sync has stages: MIIS will report it is complete, but SharePoint still has work to do. Be patient! Even for an import there are eight stages, each of which will be reported in the pop-up dialog.
  6. Once it is complete you will see your imported profiles in the Profiles status on the top right and also in the Manage User Profiles page.

[image: clip_image020]
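The same start-and-wait procedure from the SharePoint 2010 Management Shell, added here as an example rather than taken from the article. It assumes UserProfileConfigManager.StartSynchronization(bool) and IsSynchronizationRunning() are the object-model calls behind the Start Profile Synchronization page, that FIMService and FIMSynchronizationService are the two FIM Windows service names, and that http://my.sharepoint.com is a site served by this UPA’s proxy. Polling SharePoint’s own status, rather than the MIIS client, addresses the point that MIIS reports completion while SharePoint still has stages to run.

```powershell
# Added example (not from the article): start a full profile synchronization and
# wait for SharePoint (not just FIM) to report that it has finished.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$siteUrl = "http://my.sharepoint.com"   # My Site host from the article; any site behind the UPA proxy works
$site = Get-SPSite -Identity $siteUrl
try {
    $context       = Get-SPServiceContext -Site $site
    $configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

    "Profiles before sync: " + (New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)).Count

    if ($configManager.IsSynchronizationRunning()) {
        "A synchronization is already running; not starting another."
    } else {
        # $true = full synchronization (all objects), $false = incremental (changes only)
        $configManager.StartSynchronization($true)
        "Full synchronization started."
    }

    # SharePoint's view of the run covers all stages, including the ones that
    # continue after the MIIS client shows the FIM import as complete.
    $elapsed = 0
    while ($configManager.IsSynchronizationRunning()) {
        Start-Sleep -Seconds 60
        $elapsed += 60
        $fim = Get-Service -Name FIMService, FIMSynchronizationService |
            ForEach-Object { $_.Name + "=" + $_.Status }
        "{0,5}s  still running  ({1})" -f $elapsed, ($fim -join ", ")
    }

    # Re-create the manager so the count reflects the profiles just imported
    "Profiles after sync:  " + (New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)).Count
}
finally {
    $site.Dispose()
}
```

The before/after profile counts correspond to the Profiles status shown on the Manage Profile Service page; a count that does not grow after a full run on a freshly created connection usually points back at the OU selection or the sync account’s directory permissions.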

 

 

 

Thanks for reading. If you have some other explanation – please post a comment… I’ll be happy to hear.

...HaPpY CoDiNg

Partha (Aurum)
