SharePoint 2010 User Profile Sync


This presentation details best practices in implementing SharePoint 2010 User Profile Synchronization.

  • What does this mean? In a large farm, you cannot have more than one server running the User Profile Synchronization Service (UPSS) and connected to the same service application. Say you have one service application called “User Profile Service Application” (UPSA). If you start the UPSS on Server 1 and associate it with the UPSA, and then start the UPSS on Server 2, it will stop the UPSS on Server 1.
  • Be patient. This process can take anywhere up to 30 minutes to start successfully.
  • FIM will generally throw two errors in the event log stating it cannot communicate with SQL databases. These are expected errors and nothing to worry about. Perform an IIS reset. If necessary, reboot and then click on start service again. If it repeatedly does not work, check the firewall settings on the server or, if you have another server in the farm, try to start the service on that server. It is a game of patience!! Not for the weak of heart.
  • <system.diagnostics>
      <sources>
        <source name="System.ServiceModel" switchValue="Critical,ActivityTracing" propagateActivity="false">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
            <add name="ServiceModelTraceListener">
              <filter type="" />
            </add>
          </listeners>
        </source>
        <source name="Microsoft.ResourceManagement" switchValue="Verbose,ActivityTracing">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
            <add name="ServiceModelTraceListener">
              <filter type="" />
            </add>
          </listeners>
        </source>
        <source name="System.ServiceModel.MessageLogging" switchValue="Verbose,ActivityTracing">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
          </listeners>
        </source>
      </sources>
      <sharedListeners>
        <add initializeData="C:\\Program Files\\Microsoft Office Servers\\14.0\\Service\\Microsoft.ResourceManagement.Service_tracelog.svclog"
             type="System.Diagnostics.XmlWriterTraceListener, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             name="ServiceModelTraceListener"
             traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
          <filter type="" />
        </add>
      </sharedListeners>
      <trace autoflush="true" />
    </system.diagnostics>
  • SharePoint 2010 User Profile Sync

    1. SharePoint 2010 User Profile Synchronization
       Nilesh Mehta
       SharePoint Architect
       NGenious Solutions, Inc.
       Dated: 12/1/2010
    2. About NGenious Solutions, Inc.
       • Proud Co-Founder of SharePoint User Group, NYC
       • Microsoft Gold Partner
       • Specializing in SharePoint Technologies.
       • Announcing our new Product for Information Rights Management, integrated with SharePoint.
    3. Agenda
       • Introduction to User Profile Synchronization
       • Best Reference material
       • Configure User Profile Synchronization Service
       • Import Connections and Connection Filters – Active Directory
       • Importing Pictures from Active Directory
       • Forefront Identity Manager
       • Tips & Tricks
       • Synchronization against SUN LDAP
       • Recap
    4. Disclaimer!!
       • This is by no means the final authority on the subject.
       • I learn something new every day with this topic
    5. What have I done?
    6. My Goal Today!!
       • User Profile Synchronization
       • “It's one of the single biggest issues that pops up in support with regards to configuring it properly”
    7. SharePoint 2010 – User Profile Synchronization
       • The User Profile Service is a shared service in Microsoft SharePoint Server 2010 that enables the creation and management of user profiles that can be accessed from multiple sites and farms.
    8. Best Reference Material
       • There are two blog articles that are pretty much considered the final word on setting up User Profile Synchronization service in SharePoint 2010
       • Spence Harbar -
       • Russ Maxwell -
    9. Uses and benefits of the User Profile service
       The User Profile service is a shared service in Microsoft SharePoint Server 2010 that provides a central location where service administrators configure and manage the following features:
       • User profiles – contain detailed information about individuals in an organization. A user profile organizes and displays all of the properties related to each user together with social tags, documents and other items related to that user.
       • Organization profiles – contain detailed information about an organization such as teams, divisions, and so on.
       • Profile synchronization – provides a reliable way to synchronize user, group, and organization profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services across the enterprise.
    10. Uses and benefits of the User Profile service
       • Audiences – enables organizations to target content to users based on their job or task, as defined by their membership in a SharePoint Server group or distribution list, by the organizational reporting structure, or by the public properties in their user profiles.
       • My Site Host – a dedicated site for hosting My Site Web sites. A My Site Host is needed in order to deploy the social features of SharePoint Server.
       • My Site Web site – a personal site that gives users in your organization a central location to manage and store documents, links, and colleagues.
       • Social tags and notes – enables users to add social tags to documents, to other SharePoint Server items, and to other items, such as external Web pages and blog posts. Users can also leave impromptu notes on profile pages of a My Site Web site or any SharePoint Server page. Administrators can delete all tags for employees when they leave the company or remove a tag they do not want.
    11. User Profile Synchronization Architecture
       • Courtesy: Spence Harbar Blog
    12. Before you start!!
       • If this is a new environment, before you start make sure you get the latest cumulative updates for SharePoint 2010
       • There are a lot of fixes in there for User Profile Sync
    13. Configure User Profile Synchronization
       Pre-requisites:
       • Need a managed account that has been granted the Replicating Directory Changes permission in Active Directory
       • Start User Profile Synchronization Service
    14. Active Directory Permissions
       Grant the Replicating Directory Changes permission on the domain to the managed account. This account will be used to perform the sync.
       • Right-click the domain, choose Delegate Control…, click Next
       • Add the managed account, click Next
       • Select Create a Custom Task to Delegate, click Next
       • Click Next
       • Select the Replicating Directory Changes permission and click Next
       • Click Finish
    15. Where to start service?
       • Small farm:
           • Single server with separate AD and SQL
           • Start service on the SharePoint Server
       • Medium / Large farm:
           • 2 or more SharePoint servers with separate AD and SQL
           • Identify Application server and start service there.
       • One user profile service application can only be associated with one server running the UPSS service
    16. Start User Profile Sync Service
       • Identify the server where you want to start service
       • Go to Central Administration and Services on the server.
       • Select the proper server from the drop-down list of servers
       • Click start “User Profile Synchronization Service”
    17. User Profile Sync Service in Starting State
       • Most common issue.
       • Give it at least 30 minutes before you take any drastic action
       • Resolutions:
           • Force stop the starting service using PowerShell:
               Get-SPServiceInstance -Server ServerName
               Stop-SPServiceInstance -Identity <GUID of service instance>
           • Verify if there are errors with FIM services in Event log
    18. Debugging FIM Service issues
       • Stop the FIMService
       • Browse to the C:\Program Files\Microsoft Office Servers\14.0\Service directory
       • Copy off the Microsoft.ResourceManagement.Service.exe.config file as a backup
       • Remove the existing <system.diagnostics> block
       • Paste in the following XML between </configSections> AND <appSettings>
       • Save the file and start the FIMService
       • An svclog will be created in the service directory above. You can then use SvcTraceViewer.exe (part of Windows 6.0 SDK) to view the traces.
    19. Manage User Profile Service application
    20. Connecting to Active Directory
    21. Connection Filters
       • Very basic settings from GUI
       • Cannot implement complex LDAP filtering from the GUI or PowerShell
       • Once you have set up multiple filter criteria, there is no way to figure out the AND / OR conditions between the criteria
       • Same from the FIM client
    22. Forefront Identity Manager Client
       • Client application that can help with “Debugging”
       • Not to be used to make changes to the User Profile Sync settings… or so they say
       • Make changes in here to import Profile Pictures
       • May have to make changes in here to connect to other directory servers. PROCEED WITH CAUTION and MS SUPPORT ON THE PHONE
       • DO NOT STOP / START Synchronization from here.
       • Location: C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell
    23. Import Profile Pictures from AD
       • New structure to manage Profile Pictures
       • SharePoint has a library at the My Site Host to manage Profile Pictures
       • Idea is to “Export” pictures from SharePoint to Active Directory.
       • OOB no synchronization of profile pictures from AD.
       • Make changes through FIM client to import profile pictures
       • In Active Directory, the property needs to be of type URL: http://somesite/myphoto.jpg
       • Reference article from: Chaitanya Madala
    24. Multiple Directory Sources
       Unsupported Scenario:
       • Authentication against Active Directory
       • Synchronization against other Directory (SUN LDAP, etc.)
       • SharePoint cannot map login with profile.
       • Unless using custom claims providers that can map against both (Not tested yet)
    25. Tips & Tricks
       • Deleting Connections will delete My Sites
       • Refresh page after starting synchronization
       • Applying security patches / hotfixes may stop User Profile Synchronization Service
       • Applying security patches / hotfixes may “remove” existing connections to directory sources
       • Do not perform backup / recovery from Central Administration when synchronization is in progress. It will stop sync and may stop services
       • Cannot authenticate against one source and synchronize profiles from another source unless using a Claims Provider.
       • SharePoint will not be able to merge login with Profile
       • DO NOT STOP / START / REBOOT SQL Server while profile sync is in progress. It stops syncs and starts all over again.
    26. Tips & Tricks
       • Review firewall settings between servers, especially if they are on different subnets. FIM uses port 5275. SharePoint Web Services use ports 32843, 32844, 32845
       • After you create an Active Directory connection and start profile synchronization, the resulting page has an “&” in the query string part of the URL. DO NOT CLICK ON REFRESH PAGE WITHOUT REMOVING THE &. OTHERWISE IT KICKS OFF SYNCHRONIZATION FROM SCRATCH AGAIN.
    27. Avoid My Site Deletions
       • Deleting a directory connection marks all My Sites associated with the service application for deletion.
       • Timer job: the My Site Cleanup job will run and delete all My Sites
       • Disable the My Site Cleanup job to prevent My Sites from getting deleted
       • Create new directory connection.
       • Run Full Sync
       • It will re-create profiles and associate them to My Sites.
       • It will unmark sites from deletion
       • If needed, enable the My Site Cleanup job
    28. Recap
       • Understanding the User Profile Sync architecture
       • How to start User Profile Sync service
       • How to set up profile connections to Active Directory
       • How to manage and maintain a User Profile Service application
       • Understand FIM Client application
       • How to set up a connection to Sun LDAP Directory server
    29. Questions?
       Contact me:
       E-mail:
       URL:
    30. A Message from Microsoft
       • Microsoft is hosting a special event for premier customers in January on this topic.
       • Get more details from: (Bob Fox)
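
To confirm that the delegation on slide 14 landed as intended, and that the sync account did not end up with more replication rights than profile sync needs, the ACL on the domain head can be read back. This is an added example, not part of the original deck; the account name `CONTOSO\svc-upsync` is a hypothetical placeholder, and the script assumes it runs on a domain-joined machine under a user who can read the domain ACL.

```powershell
# Added example (not from the original deck): list who holds directory
# replication extended rights on the domain head and check the sync account.
$SyncAccount = 'CONTOSO\svc-upsync'   # hypothetical managed account name

# Control-access right GUIDs defined in the Active Directory schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolder {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    # Explicit and inherited ACEs, with SIDs resolved to DOMAIN\name form.
    $rules = $domain.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $guid = $rule.ObjectType.ToString().ToLower()
        $isExtended = ($rule.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $isExtended -and
            $ReplRights.ContainsKey($guid)) {
            New-Object PSObject -Property @{
                Identity = $rule.IdentityReference.Value
                Right    = $ReplRights[$guid]
            }
        }
    }
}

$holders = @(Get-ReplicationRightHolder)
$holders | Sort-Object Right, Identity | Format-Table Identity, Right -AutoSize

$mine = @($holders | Where-Object { $_.Identity -eq $SyncAccount })
if (-not ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes' })) {
    Write-Warning "No direct grant of Replicating Directory Changes found for $SyncAccount (check group membership)."
}
if ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes All' }) {
    # The 'All' right also replicates secret attributes; profile sync does not need it.
    Write-Warning "$SyncAccount also holds Replicating Directory Changes All; remove it."
}
```

Any unexpected identity in the table is worth reviewing, since these rights apply to the whole domain partition.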
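
The checks from slide 17 (service instance state, FIM services, FIM errors in the event log, and the forced stop) gathered into one script. This is an added example, not part of the original deck; the event-source pattern is an assumption, and the final stop is left in `-WhatIf` mode.

```powershell
# Added example (not from the original deck). Run in the SharePoint 2010
# Management Shell on the server chosen to host the sync service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$server  = $env:COMPUTERNAME
$waitMin = 30    # the deck's advice: allow 30 minutes before acting

# 1. State of the User Profile Synchronization Service instance on this server.
#    "Starting" in Central Administration shows up here as Provisioning.
$ups = Get-SPServiceInstance -Server $server |
    Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' }
$ups | Format-Table TypeName, Status, Id -AutoSize

# 2. The two FIM Windows services that must be running once provisioning completes.
Get-Service -Name FIMService, FIMSynchronizationService -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# 3. Recent FIM-related errors in the Application log.
#    Assumption: the relevant event sources contain one of these strings.
$pattern = 'FIM|Forefront Identity Manager|ResourceManagement'
Get-EventLog -LogName Application -EntryType Error `
        -After (Get-Date).AddMinutes(-$waitMin) -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -match $pattern } |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-List

# 4. Only if the instance is still provisioning after the wait: stop it.
#    -WhatIf shows the action without performing it; remove it to actually stop.
if ($ups -and $ups.Status -eq 'Provisioning') {
    Stop-SPServiceInstance -Identity $ups.Id -WhatIf
}
```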