When we deploy and configure a User Profile service application, we perform the following basic steps:
- Create and Configure Accounts and Permissions.
- Create the User Profile Service Application.
- Configure Connections and do Synchronization (Import)
As you configure profile synchronization, you will need information to answer questions in the user interface. You will also need accounts that have the appropriate permissions and a SharePoint Server 2010 farm that is already partly configured.
1.1 Create Accounts
The following accounts are required to configure the User Profile service application:
# | Account | Use
--- | --- | ---
1 | User Profile Sync account “DOMAIN\spUPS” | The User Profile Sync account is responsible for provisioning and running the User Profile Synchronization Service. It is the same account that runs both FIM services. Permissions: (1) farm account (timer service account); (2) local Administrator on the sync server, for the duration of sync provisioning only; (3) logged on as this account during provisioning; (4) member of the Pre-Windows 2000 Compatible Access group (optional).
2 | Directory Synchronization account “DOMAIN\spADups” | Used for a connection to Active Directory Domain Services (AD DS). The directory sync (dir sync) account authenticates to and enumerates a directory server in order to sync changes. It requires specific permissions on the directory server in order to read, and “sometimes” write to, the directory. Permissions: (1) it must have Replicate Directory Changes permission on the domain that you will synchronize with; (2) if the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group; (3) if the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=Configuration container; (4) optional: if you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with.
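An added example (not part of the original post) that audits the directory synchronization account against the permission list above before the connection is created. It assumes the ActiveDirectory module is available, that DOMAIN\spADups is the post's placeholder name, and it only inspects ACEs granted directly to the account, not rights that arrive through group membership.

```powershell
# Added example, not from the original post: audit the dir sync account's rights on the
# domain naming context and on cn=Configuration (both required in the table above).
# Assumes the ActiveDirectory module (AD: drive) is available on the machine running this.
Import-Module ActiveDirectory

$syncAccount = "DOMAIN\spADups"   # placeholder name from the post; replace with your account

# Well-known control-access-right GUIDs
$replicateChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes
$replicateChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes All

$rootDse = Get-ADRootDSE
# The domain NC is always required; the configuration container is required when the
# NetBIOS name differs from the FQDN (row 2 above), so both are checked.
$targets = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Only ACEs granted directly to the account are inspected; rights inherited
    # through group membership are not resolved by this check.
    $extendedRightAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $syncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    # An ACE whose ObjectType is the empty GUID grants every extended right, so it counts too.
    $hasRequired = @($extendedRightAces | Where-Object {
        $_.ObjectType -eq $replicateChanges -or $_.ObjectType -eq [Guid]::Empty }).Count -gt 0
    $hasAll = @($extendedRightAces | Where-Object { $_.ObjectType -eq $replicateChangesAll }).Count -gt 0

    if ($hasRequired) { Write-Output  "OK: $syncAccount holds Replicate Directory Changes on $dn" }
    else              { Write-Warning "MISSING: $syncAccount lacks Replicate Directory Changes on $dn" }
    # Profile import only needs the plain right; the "All" variant is broader than the post requires.
    if ($hasAll)      { Write-Warning "EXCESS: $syncAccount also holds Replicate Directory Changes All on $dn" }
}
```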
1.1.1 Architecture Overview
The following logical component diagram provides an overview of the different elements that together deliver the profile synchronization capability.
1. Architecture (Databases)
   When you create a User Profile service application, SharePoint Server creates three databases for storing user profile information and associated data:
   - Profile database – used to store user profile information.
   - Synchronization database – used to store configuration and staging information for synchronizing profile data from external sources such as Active Directory Domain Services (AD DS).
   - Social tagging database – used to store social tags and notes created by users. Each social tag and note is associated with a profile ID.
2. User Profile Service
   A “SharePoint Service” in Services on Server. This is not a Windows service, but a set of .NET assemblies that do some work with profiles and other elements that have nothing to do with synchronising properties. There are no configuration options. This should run on the machine in the farm you wish to use to host the User Profiles “role”. When it is running, that machine is known as the Service Machine Instance.
3. User Profile Synchronization Service
   A “SharePoint Service” in Services on Server. This is a wrapper responsible for provisioning the Forefront Identity Manager (FIM) bits. You select a UPS SA to associate with, and need to specify the credentials under which the FIM services will run. This should run on the machine in the farm you wish to use to host the User Profiles “role”. When it is running, that machine is known as the Service Machine Instance.
4. Forefront Identity Manager (FIM)
   Forefront Identity Manager (FIM), formerly known as Microsoft Identity Integration Server (MIIS), is used to facilitate synchronization between multiple endpoints. For example, FIM sits between Active Directory and the User Profile Service Application and is responsible for syncing changes between both endpoints. Without a healthy FIM, SharePoint sync is not possible and will fail. FIM is installed automatically when SharePoint 2010 is installed. One of the UPA SQL databases is called the Sync database by default; FIM uses the profile Sync database to store its data. FIM has the following components:
   - Two Windows services: Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service.
   - Profile Sync database (SQL).
   - MIISClient.exe, used to view progress and troubleshoot sync.
   - The FIM binaries, including the MIIS Client tool, are located in C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\
5. User Profile Application Components
   A user profile service application has multiple components, including the following:
   - Three SQL databases (Social, Profile, Sync).
   - Admin page (ManageUserProfileServiceApplication.aspx).
   - User Profile Service Application Proxy.
   - SharePoint services (User Profile Service and User Profile Synchronization Service). Note: these services are located in Central Admin -> System Settings -> Manage Services on server.
1.2 User Profile Service Application
Each user that you want to have a profile in SharePoint Server must have an identity in a directory service. (If users are not represented in a directory service, you cannot synchronize user profiles.) Identify which directory services contain information about these users.
1. Create the User Profile Service Application
   1. Central Admin -> Application Management -> Manage service applications.
   2. From the Ribbon, click New, followed by User Profile Service Application.
   3. Give it a name like ‘Custom User Profile Service Application’.
   4. Create a new App Pool (SharePoint Web Services Default) and use the DOMAIN\spUPS managed account.
   5. Provide new names for the three databases (Profile DB, Sync DB, Social Tagging DB).
   6. Select the machine in the farm running FIM (Profile Synchronization Instance), i.e. the application server name.
   7. Enter the URL of the My Site host (http://my.sharepoint.com); amazingly, this step actually validates the target site collection!
   8. Select your managed path and site naming scheme. (Create the My Site host before UPS configuration, or you can add it later too.)
   9. In the Site Naming Format section, select a naming scheme.
   10. In the Default Proxy Group section, select whether you want the proxy of this User Profile Service to be a part of the default proxy group on this farm.
   11. Click Create.
   12. When the Create New User Profile Service Application page displays the message “Profile Service Application successfully created”, click OK. (The service application, service connection and databases are created.)
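The same creation steps from the SharePoint 2010 Management Shell, as an added example that is not part of the original post. The service application name, database names, My Site host URL, account name and application server name are the post's placeholders or constructed ones; the managed account and the My Site host site collection are assumed to exist already.

```powershell
# Added example, not from the original post: PowerShell equivalent of steps 1-12 above.
# Assumes the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell snap-in).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolName   = "SharePoint Web Services Default"
$upsAccount    = Get-SPManagedAccount -Identity "DOMAIN\spUPS"   # placeholder; must already be a managed account
$mySiteHostUrl = "http://my.sharepoint.com"                       # placeholder; My Site host must exist
$appServer     = "APPSERVER01"                                    # placeholder application server name

# Step 4: application pool running as the UPS managed account (reused if it already exists)
$appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
if (-not $appPool) {
    $appPool = New-SPServiceApplicationPool -Name $appPoolName -Account $upsAccount
}

# Steps 3, 5, 7-9: service application with explicitly named Profile, Sync and Social databases.
# SiteNamingConflictResolution: 1 = user name only; 2 = user name, domain-prefixed on conflict;
# 3 = always domain_username (no conflicts).
$upa = New-SPProfileServiceApplication `
    -Name "Custom User Profile Service Application" `
    -ApplicationPool $appPool `
    -ProfileDBName "SP2010_UPA_Profile" `
    -ProfileSyncDBName "SP2010_UPA_Sync" `
    -SocialDBName "SP2010_UPA_Social" `
    -MySiteHostLocation $mySiteHostUrl `
    -MySiteManagedPath "personal" `
    -SiteNamingConflictResolution 3

# Steps 10-11: proxy, placed in the default proxy group so web applications pick it up
New-SPProfileServiceApplicationProxy -Name "$($upa.Name) Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Step 6: the User Profile Service instance must be Online on the application server that
# will host the synchronization role (the sync service itself is started in row 2 below)
$upsInstance = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Service" -and $_.Server.Address -eq $appServer
}
if ($upsInstance.Status -ne "Online") { Start-SPServiceInstance -Identity $upsInstance | Out-Null }
```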
2. Start the User Profile Synchronization service
   In this procedure, you start the User Profile Synchronization service. The User Profile Synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize information with external systems.
   To start the User Profile Synchronization service:
   1. On the Central Administration Web site, in the System Settings section, click Manage services on server.
   2. On the Services on Server page, in the Server box, select the synchronization server.
   3. Find the row whose Service column value is User Profile Synchronization Service. If the value in the Status column is Stopped, click Start in the Action column.
   4. On the User Profile Synchronization Service page, in the Select the User Profile Application section, select the User Profile service application.
   5. In the Service Account Name and Password section, the farm account is already selected. Enter the password for the farm account in the Password box, and enter it again in the Confirm Password box.
   6. Click OK.
   7. While the screen returns immediately, the status of the UPS service will show Starting for a while.
   8. It is provisioning the FIM services and a bunch of other stuff.
   9. An IIS reset is required if Central Admin is on the same box as FIM.
   10. Once it is sorted you can see in services.msc that the two FIM services are running as the farm account, you can run MIISClient and it will connect, etc.
   The Services on Server page shows that the User Profile Synchronization service has a status of Starting. When you start the User Profile Synchronization service, SharePoint Server provisions FIM to participate in synchronization. This may take up to 10 minutes. To determine whether the User Profile Synchronization service has started, refresh the Services on Server page.
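An added verification script (not from the original post) for the state described in steps 7 to 10: the sync service instance status, the two FIM Windows services and the account they run as, and whether the farm account is still a local Administrator once provisioning is over, since the accounts table only calls for that membership during provisioning. It assumes it is run on the synchronization server in the SharePoint 2010 Management Shell and that DOMAIN\spUPS is the post's placeholder farm account.

```powershell
# Added example, not from the original post: check the provisioning outcome described in
# steps 7-10 above. Run on the sync server in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = "DOMAIN\spUPS"   # placeholder from the post

# 1. The SharePoint service instance moves from Provisioning to Online (may take ~10 minutes)
$syncInstance = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Address -eq $env:COMPUTERNAME
}
Write-Output ("UPS sync service instance: {0}" -f $syncInstance.Status)

# 2. Both FIM Windows services should be running as the farm account (what the post checks in services.msc)
$fimServices = @(Get-WmiObject Win32_Service -Filter "Name='FIMService' OR Name='FIMSynchronizationService'")
foreach ($svc in $fimServices) {
    $ok  = ($svc.State -eq 'Running') -and ($svc.StartName -ieq $farmAccount)
    $tag = if ($ok) { "OK" } else { "CHECK" }
    Write-Output ("{0}: {1} State={2} RunsAs={3}" -f $tag, $svc.Name, $svc.State, $svc.StartName)
}
if ($fimServices.Count -ne 2) { Write-Warning "Expected two FIM services; found $($fimServices.Count)" }

# 3. Local Administrators membership is only needed for the duration of provisioning
#    (see the accounts table), so flag it if the account is still a member once Online.
$adminGroup = [ADSI]"WinNT://./Administrators,group"
$members = @($adminGroup.Invoke("Members")) | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
}
$samName = $farmAccount.Split('\')[-1]
if ($syncInstance.Status -eq "Online" -and $members -contains $samName) {
    Write-Warning "$farmAccount is still a local Administrator; provisioning is complete, so consider removing it"
}
```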
1.3 Configure Connections and do Synchronization (Import)
Plan synchronization connections
Each property in a user's profile can come from an external system. There are two types of external systems: directory services and business systems. Throughout this article, the phrase business system is used to mean an external system that is not a directory service. SAP, Siebel, SQL Server, and custom applications are all examples of business systems.
In SharePoint Server, a synchronization connection is a means to get user profile information from an external system. To import profiles from one of the supported directory services, you create a synchronization connection to the directory service. To import additional profile properties from a business system, you create an external content type to bring the data from the business system into SharePoint Server, and then create a synchronization connection to the external content type. The following sections explain how to gather the information that you will need about each synchronization connection.
Configure connections and import data from directory services
To import profiles, you must have at least one synchronization connection to a directory service. During this phase, you create a synchronization connection to each directory service that you want to import profiles from.
This phase involves the following tasks:
1. Create a synchronization connection to a directory service
2. Define exclusion filters for a synchronization connection
3. Map user profile properties
4. Start profile synchronization
1. To create a Profile Synchronization connection to a directory service
   12. See that Select All button? Don’t ever click that.
   13. Save the connection by clicking OK. Your connection will be saved and you will be returned to the Manage Connections page.
2. Define exclusion filters for a synchronization connection
   In this procedure, you define filters for the connection to indicate which user profiles and which groups to exclude from synchronization.
   8. In the Filter box, type the value to compare the attribute to.
   9. Click Add. The clause that you added is displayed in the Exclusion Filter for Users area.
   10. To add additional clauses to the filter, repeat steps 6 through 9.
   11. To filter which groups are synchronized, repeat steps 5 through 9, using the Exclusion Filters for Groups section of the page.
   12. When you have finished adding connection filters, click OK.
3. Map user profile properties
   In this procedure, you determine how the properties of SharePoint Server user profiles map to the user information that is retrieved from the directory service.
   1. On the Central Administration Web site, in the Application Management section, click Manage service applications.
   2. On the Manage Service Applications page, click the User Profile service application name.
   3. On the Manage Profile Service page, in the People section, click Manage User Properties.
   4. On the Manage User Properties page, right-click the SharePoint Server property that you want to map to a directory service property, and then click Edit.
   5. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
   6. To add a new mapping, do the following:
      1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the external system to which you want to map the SharePoint Server property.
      2. In the Attribute list, select the name of the attribute in the external system to which you want to map the property.
      3. In the Direction list, select the mapping direction. A direction of Import means that the value of the attribute in the external system will be imported into SharePoint Server and used to set the value of the SharePoint Server property. A direction of Export means that the value of the property in SharePoint Server will be exported to the external system and used to set the value of the attribute in the external system.
      4. Click Add.
   7. Click OK.
   8. Repeat steps 4 through 7 to map additional properties.
4. Start profile synchronization
   1. On the Start Profile Synchronization page, click OK.
   2. Refresh the Manage Profile Service page; you will see the progress on the right-hand side.
   3. Click the Details link to see some work in a pop-up dialog. This and the Manage Profile Service page DO NOT automatically refresh. You can also see some more GUID love from the SharePoint engineering teams in this UI.
   4. You can also see progress by running miisclient.exe.
   5. Note that sync has stages; MIIS will report it is complete, but SharePoint still has work to do. Be patient! Even for an import there are eight stages, each of which will be reported in the pop-up dialog.
   6. Once it is complete you will see your imported profiles in the Profiles status at the top right and also in the Manage User Profiles page.
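An added audit script (not from the original post) for the configuration built in this section: it lists each synchronization connection, flags property mappings whose direction is Export (the case that needs the optional write rights from section 1.1, and the one most worth reviewing, since it writes SharePoint values back into the directory), and reports whether a sync is still running, which matters because MIIS reports completion before SharePoint's own stages finish. It assumes the SharePoint 2010 Management Shell, the post's My Site host URL, and that the PropertyMapping objects expose ProfileProperty, DataSourcePropertyName and IsExport.

```powershell
# Added example, not from the original post: audit connections, export mappings and sync state.
# Assumes the SharePoint 2010 Management Shell; member names noted as assumptions in the lead-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The config manager needs a service context; the My Site host URL from the post resolves one
$context = Get-SPServiceContext -Site "http://my.sharepoint.com"   # placeholder from the post
$upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

foreach ($conn in $upcm.ConnectionManager) {
    Write-Output ("Connection '{0}' (type {1})" -f $conn.DisplayName, $conn.Type)
    # Export mappings push SharePoint values into the directory; import-only connections
    # never need the Create Child Objects / Write All Properties rights from section 1.1.
    # Assumed members: PropertyMapping.IsExport, .ProfileProperty.Name, .DataSourcePropertyName
    $exports = @($conn.PropertyMapping | Where-Object { $_.IsExport })
    foreach ($m in $exports) {
        Write-Output ("  EXPORT {0} -> {1}" -f $m.ProfileProperty.Name, $m.DataSourcePropertyName)
    }
    if ($exports.Count -eq 0) { Write-Output "  no export mappings (import only)" }
}

# Step 5 above: MIIS can say "complete" while SharePoint stages are still running,
# so ask SharePoint's own config manager rather than MIISClient.
Write-Output ("Synchronization running: {0}" -f $upcm.IsSynchronizationRunning())
```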
Thanks for reading. If you have some other explanation – please post a comment… I’ll be happy to hear.
...HaPpY CoDiNg
Partha (Aurum)
Great Article!! Seems hands on done properly.