When SharePoint 2010 was introduced, one of the major changes that it brought with it was a completely new infrastructure for working with user profiles. This infrastructure was based on the Forefront Identity Manager, and represented a fairly bold leap. With it, the integration possibilities were greatly increased, and it allowed for not only read, but write synchronization on a field by field basis (either read or write… not both!).
The problem was that it was unwieldy. Being from an agricultural background, I liken it to a combine. Useful, a lot of moving parts, and it breaks down easily. Couple this with the fact that with the initial release of SharePoint 2010, it wasn’t fully baked, and you have the recipe for what became the top support issue for SharePoint 2010 up until this point. Subsequent Service Packs and Hot Fixes have greatly improved the system (my gold standard is currently Service Pack 1 with the December 2011 Cumulative Updates), but the system does remain complex, and is arguably overkill where a simple Active Directory import is all that is required.
Well, everything old is new again. With SharePoint 2013, the product team heard these messages and brought back the simpler profile import that was in SharePoint 2007 as an option. It’s not available by default, and I don’t necessarily recommend using it (as always, it depends) but if your requirements are a simple import, then it may be for you. Here’s how to get it working.
To start with, do NOT start the User Profile Synchronization Service. This is the FIM based system, and is NOT required for the simple import to work.
Navigate to the User Profile Service Application (from Central Administration, select Application Management, Manage Service Applications, and then your Profile Service Application). Then, select Configure Synchronization Settings from the Synchronization section.
Then, instead of “Use SharePoint Profile Synchronization”, select “Use SharePoint Active Directory Import”, and click OK.
Once that is complete, you need to set up an import. To do that, select the “Configure Synchronization Connections” link from the Service Application page.
Then, click “Create New Connection”, and fill out the connection form accordingly.
One thing to note, and a deviation from the original SharePoint 2007 import mechanism is that the account used above MUST have the “Replicating Directory Changes” permission in Active Directory for the import to work. This is the same requirement as the 2010 synchronization, and the full synchronization service with SharePoint 2013.
Navigate back to the Profile Service Application page, and select “Start Profile Synchronization”.
Finally, select the full synchronization option, and click OK.
After a relatively short period of time, your user profiles should be available.
Again, I don’t necessarily recommend the simpler option if your only problem is complexity, but I do think that it was wise of the product team to add this back in. If your requirements are truly import only, and you don’t have multiple identity systems, this is a quick way to get up and running. It’s also great for testing and demo environments.
When setting up a SharePoint farm, whether 2007 or 2010, you have the option of providing various service identities throughout the process. Indeed, every application can run with its own identity. Far too often, administrators pick a single account, and use it for everything. While this is certainly the easiest approach, it is far from the most secure, and it can be very limiting down the road if you need to get granular with your permissions. The trouble is that there are a lot of intricacies as to what account does what, and getting it right requires a pretty comprehensive understanding of the product.
We now have enough work under our belt with SharePoint 2010 that I feel comfortable sharing some of our best practices around account creation for SharePoint 2010. The product itself has gotten more complex, and so therefore have the configuration options. There is no “one size fits all” approach for all scenarios, but the list that I am providing below should work as a good starting point. There is often a trade-off between ease of manageability and good security, and the approach below, I feel, finds a good balance.
The chart below describes each account, its purpose, the rights it needs on the local machines in the farm (including the SQL Server machine(s)), the rights it needs in SQL Server directly, and the rights it needs in the Active Directory domain.
Base Set of SharePoint 2010 Service Accounts

| Account | Purpose | Local Rights | SQL Rights | Domain Rights |
|---|---|---|---|---|
| spSetup | Used to log in to the farm servers; used to install bits on the farm servers | Administrator; Remote Desktop Login | DB Creator; Security Admin | Member |
| spFarm | Identity for all Windows Services; identity for all SQL Services (optional); identity for the Profile Synchronization Service; identity for all code running with elevated permissions (web parts) | None (1)(3) | DB Creator; Security Admin | Member |
| spApps | Identity for all SP Application App Pools (4) | None | None | Member |
| spServices | Identity for all SP Service Applications (4) | None | None | Member |
| spUPS | Identity for the User Profile Service | None | None | Member; Replicating Directory Changes (2) |
| spCrawl | Used by the Indexer to crawl content | None | None | Member (5) |
| spBI | Trusted account for Reporting Services and PerformancePoint when not using Kerberos | None | DB Access as appropriate | Member |
| spSuperUser | Used for Object Caching | None | None | Member |
| spSuperReader | Used for Object Caching | None | None | Member |
(1) Needs to be a member of the local Administrators group while the User Profile Service is being created. See my previous post for more details. Once the service is created, this account can be removed from the group.
(2) AD permission required by the User Profile Service.
(3) Required on a specific AD container when using the incoming email service. See this post for details on how.
(4) There may be a large number of these, one per entity.
(5) Appropriate rights will need to be granted to this account for any EXTERNAL content being crawled (file system, shared folder, Lotus Notes, etc.).
Hopefully this will help a few of you get started with a little less head scratching.
Author’s Note – July 17 2012. When I originally wrote this in early 2010 it was based on some (at the time) sketchy Technet documentation and experience. It was meant to be an easy to understand guide to setting up the User Profile Service. I want to point out that there is a much more comprehensive guide out there on the topic, the Rational Guide to the User Profile Service by Spencer Harbar. It’s the reference I use when I get into trouble, and if this article doesn’t do it for you, I recommend going there.
Profile synchronization has changed drastically in SharePoint 2010 compared to 2007. The 2010 profile synchronization uses the Forefront Identity Manager services. There are a lot of good things about this, one of which is that it provides for bi-directional synchronization. User changes to their profile store can be synchronized back to their identity store (Active Directory, etc.). This can of course be tightly controlled, on a field-by-field basis. There’s a great post on how to do so here.
Of course, all of this added power is not without its cost in complexity. I had a great deal of trouble even getting profile imports to work at all with some of the pre-release builds, and the final release is still a little rough around the edges. There is a Technet document available here that details precisely how to configure profile imports. It’s completely accurate, but doesn’t necessarily answer all of your questions. This post is my attempt to help guide around the worst of the thorns, and get it working with Active Directory.
First, you’ll need to have a Profile application running. If you’ve done a migration, you already do. If you’ve run the setup wizard and selected the user profile application, you also already have one. Synchronization will, however, not be happening, even if you’ve done a migration. It will need to be configured.
If you don’t already have a Profile Service application, you’ll need to create one. You do that from the Manage Service Applications screen by choosing the New button in the upper left. You’ll want to select “User Profile Service Application”.
There is a lot of configuration here; make sure that you scroll to the bottom and fill out all of the relevant options. You’ll be choosing a database for social tagging, a database for storing user profiles, a database for storing user tags, and the URL of your MySite Host. If you haven’t already created a MySite site collection, the configuration screen here will allow you to do so. Once you have successfully created the application, you may then proceed to starting the service. This is done in a completely different area, where the services on the server are controlled. Once there, start the User Profile Synchronization Service.
When you start most of the services, they either start immediately, or give you a configuration screen and start quickly thereafter. Clicking this one gives you the configuration screen where you’re prompted to associate the service with your application from above, and the credentials that the two Windows Service accounts will run with. However once completed, you’ll notice that the service is in a “starting state”. This is normally a bad thing with SharePoint, and indicates that something is hung. Not so in this case. It takes a very long time for this service to start. When it does, you should see the following two services started:
DO NOT attempt to start these services manually, as that will confuse the system in a very big way. Just have patience, and all should be well. You should now be ready to go ahead and perform an import. However, there’s a very important step that likely needs to be performed. The service account that was specified above to run the synchronization service (the one that the two Forefront services are running as) needs to be granted the “Replicating Directory Changes” permission. There is another Technet article on how to do this, so I won’t go into detail on how.
If you do not perform this step, your import will fail, and you’ll have very little idea as to why. The error message is far from clear. Below I’ll talk a little about how you can troubleshoot import issues.
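Because a missing “Replicating Directory Changes” grant fails with an unclear error (here and in the 2013 AD Import post above), it is worth checking the ACL on the domain root before running the first import. The following PowerShell is an added example, not code from the original posts: it assumes the RSAT ActiveDirectory module (which supplies the AD: drive), uses the account name spUPS from the table above, and also flags the broader “Replicating Directory Changes All” right, which a profile import does not need.

```powershell
# Added example (not from the original post): verify that the sync account holds
# "Replicating Directory Changes" on the domain naming context and report whether
# it also holds "Replicating Directory Changes All", which the import does not need.
Import-Module ActiveDirectory   # provides Get-ADDomain, Get-ADUser and the AD: drive

# Well-known schema GUIDs for the two control-access rights
$DsReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$DsReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicatingDirectoryChanges {
    param(
        # sAMAccountName of the synchronization account, e.g. spUPS from the table above
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser -Identity $SamAccountName).SID

    # Only ACEs granted directly to this SID are examined; rights the account
    # inherits through group membership are not expanded here.
    $aces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    }

    # An ExtendedRight ACE with an empty ObjectType grants ALL extended rights,
    # so it satisfies either check as well as the specific GUID does.
    $hasRight = {
        param($guid)
        [bool]($aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty })
    }

    [pscustomobject]@{
        Account                        = $SamAccountName
        ReplicatingDirectoryChanges    = & $hasRight $DsReplGetChanges
        ReplicatingDirectoryChangesAll = & $hasRight $DsReplGetChangesAll
    }
}

$result = Test-ReplicatingDirectoryChanges -SamAccountName 'spUPS'
$result
if (-not $result.ReplicatingDirectoryChanges) {
    Write-Warning 'Profile import will fail: grant "Replicating Directory Changes" on the domain root.'
}
if ($result.ReplicatingDirectoryChangesAll) {
    Write-Warning 'Account also holds "Replicating Directory Changes All"; the import does not need it.'
}
```

Run it as a user who can read the domain object’s security descriptor; if the grant was made to a group rather than to the account itself, check that group’s ACEs instead.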
The next step is to set up the import itself. To do this, open up or manage your Profile service application, and select “Configure Synchronization Connections”
Once here, you either edit your existing connection(s), or create a new one. The options for import source are greatly increased from 2007 and now include Active Directory, Active Directory Resource (ADAM), Active Directory Logon Data, BDC (they’ve forgotten to rename it to BCS), IBM Tivoli, Novell eDirectory, or Sun Java System Directory Server. Another improvement in this version is that the import can now use Forms authentication credentials, but can also make use of Claims based authentication if available.
Give the connection a name, select an authentication type, and any appropriate credentials. Once you have done this, press the “Populate Containers” button. If everything is OK, you should see your import source appear below:
This dialog is NOT particularly responsive; be prepared for long waits between mouse clicks. The beauty of it is that you can now very easily cherry-pick which containers, and even which users, get imported. This is not something that was straightforward in 2007. Once completed, select OK, and your connection should be created. Note – subsequent edits of the connection will not retain the credential information. This is normal.
At this point you are ready to perform your first import. Return to the Profile Service Application main page, and in the Synchronization section, select “Start Profile Synchronization”. You then have the option to choose full or incremental sync. Once selected, synchronization runs, and you can keep track of its status on the main profile application screen:
The import job will take a very long time compared to import jobs in 2007. The good news is that the status messages are relatively verbose. If, however, you feel that the job is taking too long, and you feel that there is a problem and can’t locate it, an excellent tool to use is the Forefront Identity Synchronization Manager Client UI. This will be installed on your server at:
<install drive>:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell, and the application to run is miisclient.exe. This application is installed by default, but there is no entry in the Start menu. Running this file will give you a screen that looks like the following:
This screen shows no problems, but if there are, they will be displayed for each step in a great amount of detail. I’ve used it to troubleshoot a few connection issues already.
In conclusion, the new profile synchronization system in 2010 has quite a few more moving parts, is a little rough around the edges (at the moment), and can be a bit of a bear to get going. However, its new capabilities make it well worth the effort, and lay the groundwork for what I can see to be some great new features down the road.