SharePoint 2013 Social – Part 2 – Synchronizing User Account in Active Directory to SharePoint 2013
In the previous post, I created a new My Site Host site collection before configuring and managing the User Profile Service application, and took a first look at the new face of My Site and the SharePoint 2013 social features. At the end of part 1 I also summarized some changes I noticed while creating the new Web application and the My Site Host site collection. If you notice anything else that changed after reading the first post, please share it with the community. I would love to learn from you.
In this post, I'm going to create a new User Profile Service application and then synchronize the user accounts stored in my Active Directory to SharePoint before exploring the new social features.
Before you start working with the User Profile Service application on SharePoint 2013 Preview, you should first understand what a user profile is. According to Microsoft TechNet, a user profile is a collection of properties that describe a SharePoint user, such as Name, Email, Contact, Department, Position and so on. If you have worked as a SharePoint administrator, one of your responsibilities is to synchronize user accounts, with the many properties mentioned above, from (most commonly) Active Directory to SharePoint. Once they are fully synchronized, user profiles become useful to your organization from the perspective of deploying a social networking solution. You can also synchronize user profile data from line-of-business systems, such as SAP, Oracle-based applications or an external SQL Server, via Business Connectivity Services. The series will consist of the following parts:
- Part 1 – Setting up a new My Site Host Site collection.
- Part 2 – Synchronizing User Account in Active Directory to SharePoint
- Part 3 – Exploring Community features in real-world scenarios
- Part 4 – Reputation Point is where the love begins
- Part 5 – Something I have not actually found out.
Before getting started with the User Profile Service application, you first have to understand fundamentally how it works. I highly recommend reading the following extremely helpful articles on the User Profile Service synchronization process in SharePoint 2010:
- Rational Guide to implementing SharePoint Server 2010 User profile Synchronization
- “Stuck on Starting”: Common Issues with SharePoint Server 2010 User Profile Synchronization
- How user profile synchronization works in SharePoint 2010
- User Profile Sync – SharePoint 2010
One of the first new things you need to know about the User Profile Service application is Active Directory Import. This method connects directly to Active Directory once synchronization is triggered.
Thanks to Active Directory Import, synchronization performance is much improved in SharePoint 2013 Preview. Microsoft has said the improvement reduces full import time from up to 2 weeks down to 60 hours for extremely large directories, for example 200,000 users and 600,000 groups. Using this option, you reduce the time of the import operation compared with the SharePoint Profile Synchronization you would typically use.
This post will cover two different synchronization options:
- SharePoint Profile Synchronization
- SharePoint Active Directory Import
Using SharePoint Profile Synchronization
There are a lot of questions on the very popular forums, such as TechNet and SharePoint Stack Exchange, about User Profile Service problems. Most issues I have seen while wandering those forums come down to the following:
- Confusion about which accounts synchronization requires.
- The accounts involved in configuring User Profile synchronization don't have the right permissions.
- The SharePoint environment doesn't have the right hotfixes applied.
To make the walkthrough easier, I prepared the following accounts before configuring User Profile synchronization.
- User Profile Synchronization service account: this service runs under the farm account. After creating the new User Profile Service application, make sure the User Profile Synchronization service account and the farm account are the same. This account must be a member of the local Administrators group on the server that acts as the synchronization server, and it must be granted the local security policy "Allow log on locally".
- Synchronization account: this account must have the Replicate Directory Changes permission on the Active Directory server. If you are not using Windows Server 2008 or later, make sure this account is also a member of the Pre-Windows 2000 Compatible Access built-in group. In this post, I use Windows Server 2008 R2.
Consider the following things:
- Don't use an account from the Enterprise or Domain administrator groups as the synchronization account. I have seen many people carelessly use the domain administrator account. This should not happen when you have a security policy in your organization.
- If you want to write back from SharePoint to Active Directory, the synchronization account must have the Create Child Objects and Write All Properties permissions on the Organizational Unit (OU) you want to synchronize with. This configuration can be harmful to your Active Directory: if someone who has permission changes something in SharePoint, the operation writes back to the property values of the user profiles stored in Active Directory.
- Before manually configuring User Profile Synchronization, make sure you did not select the User Profile Service application when running the Farm Configuration Wizard.
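The account requirements above are easy to get wrong, so here is a pre-flight check script (an added example, not from the original post). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and is run on the synchronization server; the account names are placeholders, and the "Allow log on locally" policy is not checked here.

```powershell
# Added example: verify the synchronization and farm accounts before creating the UPA.
# Assumes the ActiveDirectory module is available; account names are placeholders.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-upsync'   # placeholder: synchronization account
$FarmAccount = 'CONTOSO\svc-spfarm'   # placeholder: farm account (= UPS sync service account)

# 1. Replicate Directory Changes is the DS-Replication-Get-Changes extended right.
#    Its rights GUID is fixed across all forests, so we can match on it directly.
$ReplGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$DomainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$DomainDn"
$hasRepl  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $ReplGuid
}
if ($hasRepl) { "OK: $SyncAccount has Replicate Directory Changes on $DomainDn" }
else          { "MISSING: grant Replicate Directory Changes to $SyncAccount on $DomainDn" }

# 2. The synchronization account must not be a domain-wide administrator
#    (direct group memberships only; nested membership is not expanded here).
$sam    = $SyncAccount.Split('\')[1]
$groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    if ($groups -contains $g) { "WARNING: $SyncAccount is a member of $g; use a least-privilege account" }
}

# 3. On the synchronization server the farm account must be a local Administrator.
$localAdmins = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($localAdmins -contains $FarmAccount.Split('\')[1]) {
    "OK: $FarmAccount is a member of the local Administrators group"
} else {
    "MISSING: add $FarmAccount to the local Administrators group on this server"
}
```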
Open the Central Administration site, click the Application Management section, then click Manage service applications under Service Applications.
Click New in the Ribbon and then select User Profile Service Application. You will notice three new service applications: App Management Service, Machine Translation Service and Work Management Service Application. I hope I will have enough time to write about these service applications too.
In the Name setting, type the name of the new User Profile Service Application. In the Application Pool setting, select the Create new application pool option and type its name under Application pool name. Select Configurable and pick an existing managed account. If you don't have one, click Register new managed account and follow the same basic steps as in SharePoint 2010.
In the Failover Server setting, type the name of the cluster server if you have one.
In the Synchronization Database setting, complete the information as you did for the Profile database setting.
The social tagging database is one of the most important databases to include in the component list of your backup plan. This database stores the social tags and notes created by users.
In the Profile Synchronization Instance setting, SharePoint automatically indicates your synchronization server. Keep the default. In the My Site Host URL setting, type the URL of the My Site Host site collection you created in the previous post.
This URL may not be best practice for naming the My Site Host URL. You could consider a name like:
- http://abc.com/social (first configuring Managed Path)
In the My Site Managed Path setting, type the managed path you would like.
In the Site Naming Format setting, select the format you want; I keep the default. In the Default Proxy Group setting, select Yes. If you have multiple User Profile Service applications and don't want to put the one you are creating into the default proxy group, select No.
Finally, wait approximately 5 – 10 minutes. After it is created successfully, you can check the User Profile Service application and its proxy on the Manage Service Applications page.
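The same service application can be created from the SharePoint 2013 Management Shell; the script below is an added example, not from the original post. Service application, application pool, database names and URLs are placeholders, and the managed account is assumed to be registered already.

```powershell
# Added example: create the User Profile Service application, its databases and proxy
# with PowerShell instead of Central Administration. All names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$UpaName       = 'User Profile Service Application'
$AppPoolName   = 'SharePoint UPA App Pool'
$AppPoolAcct   = 'CONTOSO\svc-spapppool'     # must already be a registered managed account
$MySiteHostUrl = 'http://abc.com/social'      # My Site Host site collection from part 1
$MySitePath    = 'personal'                   # managed path for individual My Sites

# Application pool: reuse an existing one, otherwise "Create new application pool"
$pool = Get-SPServiceApplicationPool -Identity $AppPoolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $acct = Get-SPManagedAccount -Identity $AppPoolAcct
    $pool = New-SPServiceApplicationPool -Name $AppPoolName -Account $acct
}

# The My Site managed path must exist on the My Site Host's web application
$webApp = (Get-SPSite $MySiteHostUrl).WebApplication
if (-not (Get-SPManagedPath -Identity $MySitePath -WebApplication $webApp -ErrorAction SilentlyContinue)) {
    New-SPManagedPath -RelativeURL $MySitePath -WebApplication $webApp | Out-Null
}

# Service application with the three databases named explicitly. Naming the social
# database clearly matters because it holds the tags and notes your backup plan must cover.
$upa = New-SPProfileServiceApplication -Name $UpaName `
        -ApplicationPool $pool `
        -ProfileDBName     'SP2013_UPA_Profile' `
        -SocialDBName      'SP2013_UPA_Social' `
        -ProfileSyncDBName 'SP2013_UPA_Sync' `
        -MySiteHostLocation $MySiteHostUrl `
        -MySiteManagedPath  $MySitePath

# Proxy in the default proxy group (the "Default Proxy Group: Yes" choice in the UI)
New-SPProfileServiceApplicationProxy -Name "$UpaName Proxy" `
        -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Same check the post makes on the Manage Service Applications page
Get-SPServiceApplication | Where-Object { $_.Name -eq $UpaName } |
    Select-Object Name, TypeName, Status
```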
Now you need to start two services before configuring synchronization. Click the Application Management section and then click Manage services on server under Service Applications.
Click Start. If you get the very common problem called "Stuck on Starting", make sure the synchronization service account meets the requirements I mentioned above. Back on the Central Administration home page, click the Security section and then click Configure service accounts to check the Farm Account and the User Profile Synchronization Service account.
Microsoft has said that changing the account the User Profile Synchronization service runs under on the Service Accounts page is not supported: http://technet.microsoft.com/en-us/library/gg750257.aspx.
You may get the following error if you try to change the User Profile Synchronization Service account:
“An object of the type Microsoft.SharePoint.Administration.SPWindowsServiceCredentialDeploymentJobDefinition named “windows-service-credentials-FIMSynchronizationService” already exists under the parent Microsoft.Office.Server.Administration.ProfileSynchronizationService named “FIMSynchronizationService”. Rename your object or delete the existing object.”
You can solve this problem by deleting the Windows Service "FIMSynchronizationService" Credential Deployment timer job, which is created every time you try to change the User Profile Synchronization service account.
After the User Profile Service and the User Profile Synchronization Service are both started, you can start synchronization. Open the User Profile Service Application administration page and click Configure Synchronization Connections under Synchronization.
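Checking the two service instances and removing that stale timer job can be done from the Management Shell; this is an added example, not from the original post. The server name is a placeholder, and the User Profile Synchronization Service itself is still started from Central Administration, since that page prompts for the farm account password.

```powershell
# Added example: inspect the two User Profile service instances and remove the stale
# credential deployment timer job named in the error above. Server name is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SyncServer = 'SP2013-APP01'   # placeholder: the server acting as synchronization server

# Both instances must end up Online before a synchronization connection can be created
$instances = Get-SPServiceInstance -Server $SyncServer |
    Where-Object { $_.TypeName -like 'User Profile*' }
$instances | Select-Object TypeName, Status

# The error message names the job exactly; match on that name and delete it
$stale = Get-SPTimerJob |
    Where-Object { $_.Name -eq 'windows-service-credentials-FIMSynchronizationService' }
if ($stale) {
    "Removing stale job '$($stale.Name)' (last run: $($stale.LastRunTime))"
    $stale.Delete()
} else {
    'No stale credential deployment job found'
}

# The User Profile Service instance needs no extra credentials, so it can be started here;
# start the User Profile Synchronization Service from Central Administration as shown.
$ups = $instances | Where-Object { $_.TypeName -eq 'User Profile Service' }
if ($ups -and $ups.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $ups | Out-Null
    "Started User Profile Service on $SyncServer"
}
```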
In the Synchronization Connections page, click Create New Connection.
Type the name of the new synchronization connection in the Connection Name setting. Select the directory service you want to synchronize with in the Type setting. The following directory service types are supported in SharePoint 2013 Preview:
- Active Directory
- Active Directory Logon Data
- Active Directory Resource
- Business Data Connectivity
- IBM Tivoli Directory Server (ITDS)
- Novell eDirectory
- Sun Java System Directory Server
Select Active Directory. In the Connection settings, complete all the information. If you are not a domain administrator, ask for the information you need, such as the forest name, domain controller name and authentication provider type. You can select the Auto discover domain controller option, which does exactly what its name says.
Under the Authentication Provider Type setting, select Windows Authentication. Type the synchronization account under Account name; make sure this account meets all the requirements I listed earlier.
In the Containers setting, click Populate Containers and select the organizational units you want to synchronize to SharePoint.
On the Manage Profile Service: User Profile Service Application page, click Start Profile Synchronization. In the Start Profile Synchronization setting, select the Start Full Synchronization option the first time you synchronize.
Back on the Manage Profile Service: User Profile Service Application page, you will see the profile synchronization status.
Open the Forefront Synchronization Service Manager tool from C:\Program Files\Common Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe to see the progress of the synchronization. As you can see below, the first process completed successfully and all 18 objects were imported to SharePoint. However, two more processes remain before the synchronization is complete.
I added one more user and then used the "Start Incremental Synchronization" option. After the three processes, the user is imported to SharePoint.
You can check this by clicking MOSSAD-<Synchronization Connection name> and then Projections to see the new user added.
Basically, when synchronizing, FIM is responsible for the synchronization operation, which runs three times before it is complete. In SharePoint 2013 Preview, Microsoft has introduced Active Directory Import, which connects directly to the Active Directory repository.
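The connection and the Start Full Synchronization step above can also be scripted, and the status polled instead of watched in miisclient.exe; the script below is an added example, not from the original post. It assumes Add-SPProfileSyncConnection applies to the synchronization mode you chose, and the forest, domain, OU, account and My Site Host URL are placeholders.

```powershell
# Added example: create the Active Directory synchronization connection, start a full
# synchronization through the object model and wait for it. All names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MySiteHostUrl = 'http://abc.com/social'
$Forest        = 'contoso.com'
$SyncDomain    = 'CONTOSO'
$SyncUser      = 'svc-upsync'                       # synchronization account, without domain
$SyncOU        = 'OU=Staff,DC=contoso,DC=com'       # the container you would tick under Populate Containers

$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq 'User Profile Service Application' }
$SyncPassword = Read-Host -Prompt "Password for $SyncDomain\$SyncUser" -AsSecureString

# Equivalent of "Create New Connection" with Windows Authentication
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $Forest `
    -ConnectionDomain $SyncDomain `
    -ConnectionUserName $SyncUser `
    -ConnectionPassword $SyncPassword `
    -ConnectionSynchronizationOU $SyncOU

# "Start Profile Synchronization": $true = Start Full Synchronization, $false = incremental
$ctx  = Get-SPServiceContext (Get-SPSite $MySiteHostUrl)
$upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
$upcm.StartSynchronization($true)

# Poll the status the Manage Profile Service page shows; the three FIM runs
# the post describes all happen while this loop is waiting.
while ($upcm.IsSynchronizationRunning()) {
    "$(Get-Date -Format T) synchronization still running..."
    Start-Sleep -Seconds 60
}

# Compare with the object count reported by the Forefront client
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
"Synchronization finished; $($upm.Count) profiles are now in the profile store"
```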
Using SharePoint Active Directory Import
As I mentioned at the beginning of this post, a synchronization setting called "SharePoint Active Directory Import" is new in SharePoint 2013 Preview. Active Directory Import synchronizes faster than SharePoint Profile Synchronization because it does not go through FIM; it works directly with Active Directory to import user profiles into SharePoint.
When using Active Directory Import, you have to consider the following:
- You cannot write back user profiles to Active Directory, because Active Directory Import is unidirectional.
- You cannot import from external systems such as Dynamics CRM, SAP or Oracle.
To enable Active Directory Import, click Configure Synchronization Settings and then select Use SharePoint Active Directory Import.
The next step is to create a new synchronization connection. Complete the information as you did when creating a synchronization connection of the SharePoint Profile Synchronization type.
What is new here is that you can filter out users that are disabled in Active Directory, and use LDAP syntax to filter further.
Check out this post if you want to practice LDAP syntax: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters-en-us.aspx
If you want to know more about the changes to the User Profile Service application in SharePoint 2013 Preview, read the following:
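Before pasting an LDAP filter into the Active Directory Import connection, it is worth dry-running it against the same OU so you see exactly which accounts it admits and which it drops. This is an added example, not from the original post; it assumes the ActiveDirectory module is installed, and the OU is a placeholder.

```powershell
# Added example: dry-run the LDAP filter for an AD Import connection with Get-ADUser.
# Assumes the ActiveDirectory module is available; the search base is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=contoso,DC=com'   # same container the connection will import

# userAccountControl bit 0x2 = ACCOUNTDISABLE. The :1.2.840.113556.1.4.803: matching rule
# is a bitwise AND, so !(...) keeps only enabled user objects. This is the filter
# equivalent of the "filter out disabled users" option.
$EnabledFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# A stricter variant that also requires a mail address, since profiles without one are
# of little use to My Site and the social features.
$EnabledWithMail = '(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$all      = @(Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -SearchBase $SearchBase)
$enabled  = @(Get-ADUser -LDAPFilter $EnabledFilter   -SearchBase $SearchBase)
$withMail = @(Get-ADUser -LDAPFilter $EnabledWithMail -SearchBase $SearchBase -Properties mail, department)

"$($all.Count) user objects under $SearchBase"
"$($enabled.Count) would be imported with the enabled-only filter"
"$($withMail.Count) would be imported if a mail address is also required"

# Accounts the enabled-only filter drops, for review before the first full import
'Excluded (disabled) accounts:'
Compare-Object -ReferenceObject $all -DifferenceObject $enabled -Property SamAccountName |
    Select-Object -ExpandProperty SamAccountName
```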
- First Look: SharePoint Server 2013 Active Directory Import
- A quick note on User Profile Synchronization in SharePoint Server 2013 Preview
- SharePoint 2013 changes and features in the User Profile service application
Active Directory Import is the biggest change to the User Profile Service application in SharePoint 2013 Preview. It really helps you reduce synchronization time; however, before using it, you should consider your real-world scenarios and its limitations.