Share point saturday2013 upsa_3rd_party_tool awareness


Published in: Technology
  • The concepts and information within this presentation apply to SP2010, but could also apply to SP2013.
  • FIMS stands for: Forefront Identity Manager Synchronization Service. FIMS should not be started (or restarted) via Windows services.
  • Thanks to all of our sponsors, please visit their booths. Without them, the wonderful and FREE SharePoint knowledge sharing events couldn’t happen.

    1. User Profile Service “Lessons Learned from the Trenches” - Cindy Walby, Global SharePoint/Web Services Architect
    2. About me: I’m a SharePoint MCP and have been a dedicated evangelist for SharePoint for the past 6 years, with experience in design/implementation of all things SharePoint, from small farms to global instances. What I’m not is a SharePoint developer. My focus is on the back-end architecture. Past IT history: worked for multiple consulting companies on projects ranging from design, implementation, migration and support for AD, Exchange, SQL, VMware, SANs, mobile, firewalls, wireless, network devices, and more...
    3. So, why are we here? To learn a few things you may not know about the beast Microsoft calls “User Profile Service” when enhancing the Social experience by adding tools on top of it. My goal is to have you walk away from this session knowing what to ask and what to consider if you plan to use any additional tools/software on top of the UPSA, including what issues you may run into and ideas for what to troubleshoot.
    4. AGENDA
       1. Why should you care?
       2. What tools might you consider?
       3. How would they “plug in to” SharePoint?
       4. What areas could become problematic?
       5. My sync stopped working, what do I do?
       6. Other
    5. Why should you care? Have you configured the UPSA? If you have, then most likely you know why you should care. If you haven’t, I highly recommend visiting Harbar’s site; it’s well worth creating a shortcut to. Remember: you only have one UPSA, which cannot be made redundant. If a UPSA server fails, your social community will be opening a lot of tickets.
    6. What tools might be used to enhance the UPSA?
       - NewsGator Social Sites
       - Bamboo’s Community Central central.aspx?gclid=CKuE0uDu6bcCFQE6QgodpCwA2Q
       - Blue Rooster’s Sepulveda
       - What about your company’s SharePoint development strategy? SharePoint is a platform, not a product! Be willing to make a good-size investment if you don’t like the OOTB social features and UI.
       - What type of tool is it: an internal installation or an external service? Which type addresses your requirements? No matter which you choose, you must be aware of how it ties in with your UPSA configuration, and how it may complicate your life.
    7. How would the tool plug in to the UPSA? Many spokes in the UPSA wheel:
       - Databases
       - Connectors
       - Synchronization
       - Timer Jobs
       - Activity streams
       - Solution installs
       - Permissions
       - Development
       - Email
       - and the list goes on...
    8. What areas may become problematic?
       - Databases
       - AD Connectors
       - Profile fields/mappings and properties
       - PII
       - Notifications
       - Web Application Changes
       - Timer Jobs
       Let’s look at each of these areas...
    9. Database Considerations. How does a 3rd party tool tie in to the UPS databases, or does it have its own database(s)? How do they connect or sync with the UPSA databases?
       - RecordID: every sync’d profile has one. Is your 3rd party tool dependent upon it?
       - “Non-imported objects”: profiles not added via the sync. Use the command to find them, then use a purge command to remove them if necessary to resolve sync issues with the 3rd party database(s). us/library/ff681014.aspx#RemoveObsUsers
    10. Database Considerations, cont.
       - bdeleted = 1: a SQL query will tell you how many objects are set to be deleted. The MySite cleanup tool creates them, so compare with the 3rd party database.
       - Reset the Sync database: why? It may have too much garbage in it to fix the UPSA. Use this if you have a badly broken UPS sync and cannot rebuild the UPSA. Commands that are part of this: Get-SPServiceApplication, Get-SPDatabase
    11. Example: UPSA Purge from Database (UPSA Purge Process)
       SQL stats prior to running the purge:
       - User Profile db total = 48,761 (includes non-imported objects)
       - User Profile db, table “UserProfile_Full”, “bdeleted = 1” = 0
       - User Profile database: purge should mark removal of 25,840 rows, leaving 22,921 in the table.
       Steps for purge:
       1. Disable the MySite Cleanup job.
       2. Disable the User Profile sync jobs.
       3. Back up all User Profile databases (profile, social, sync).
       4. Run the purge PowerShell command (completes fairly quickly, just a few minutes):
          Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true | Out-File -FilePath "M:\PurgeNonImportedObjects.txt"
          SQL stats:
          Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full] where bdeleted = 1   -- (No column name): 25839
          Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full]   -- (No column name): 48761
       5. Run the MySite Cleanup job to remove the accounts from the UPSA. Note: analysis showed processing of about 1000 profiles/min.
          SQL results:
          Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full]   -- 22922
          Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full] where bdeleted = 1   -- 0
       6. Enable the User Profile sync job.
       7. Run a FULL people search.
    12. AD connector. What if you have to rebuild it? What is affected?
       - Outline your AD connector rebuild process step by step, keeping in mind the order of activity with a 3rd party tool on top of the UPSA. Contact your vendor and discuss before you delete it!!! If not rebuilt in the right order, you could end up with duplicates or a failed sync.
       - NetBios naming: if applying this, you must delete and rebuild the connector.
       - Sync failure: domain changes could affect the sync, requiring a rebuild.
    13. AD connector, cont.
       - Review SQL: check for any bdeleted objects in SQL. Your 3rd party tool may not see them as deleted and may cause duplicates to be created (non-imported objects).
       - Review the UPSA sync status via FIMS prior to any reset of a Sync database: C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
       - NOTE: Always DISABLE the MySite cleanup job prior to any connector rebuild to prevent unwanted emails.
    14. UPSA field mappings/properties. As you develop your Social experience, you may find a requirement to modify and/or delete various profile fields, the properties of a field, and their order.
       - Social UI designers: ask them to document field change requirements; this will help verify them for future DR.
       - Be prepared: modifying the field properties is a time-consuming process.
       - If you do have custom field properties, how will they be affected by an AD connector rebuild? Found the custom fields were retained, but you may need to remap some of them along with some default fields. Your documentation will help here.
       - Field reordering is a painfully slow process: highly recommend using this Codeplex tool for reordering the profile fields, and save yourself a lot of frustration and time:
    15. Personally Identifiable Information (PII): Development, Global, Country
    16. Notifications
       - Activity stream alerts (instant and daily digest) are critical to a positive Social experience. Does the 3rd party tool send alerts?
       - SharePoint inbound email: are you already configured? Are you using DMS? Verify what your 3rd party tool requires and what it needs configured. When in multiple environments (dev/test/qa/prod) and using DMS, a 3rd party tool may create lists and contacts, and if they are not modifiable, you cannot use DMS in other environments.
       - Alert notification settings: watch your profile alert settings, or you could inadvertently mass email your company. Recommend: use Exchange Block Rules to drop any notification emails while you are testing.
    17. Notifications, cont.
       - My Site Suggestions Email Job: review whether the business wants this notification.
       - Who has notifications enabled within their profile? (You can use a PowerShell script to find out.)
       - Does the business require all users to have notifications enabled?
    18. Web Application changes. Rename your MySite web app:
       - Back up all SharePoint Social and vendor databases.
       - Perform the process in the correct order when using a 3rd party tool to sync up the databases.
       - Not a small task, and depending on how many profiles you have in the database, it could take an entire weekend to complete! NOTE: The Pictures Library URL will not be updated; you can use a script to update them.
       - Pre-populate MySites: if you plan for 15K+ users to access, prepare for it. Run a script to prepopulate the MySite site collections to reduce the performance hit. Work with your storage team!
    19. Web Application changes, cont.
       - Issue with claims: after the MySite renaming process was completed, found some web parts would error out with Access denied. The fix was to swap out the MySite web application account, then change it back, to reset claims permissions. Be sure to verify all Claims services are started (also important for BI-related configuration using Kerberos).
       - TIP: What if you find you cannot create a site collection using a 3rd party template? Try a disable/enable of the 3rd party features within the web application.
       - Solution files: what gets installed and how can it be uninstalled?
    20. Timer Jobs
       - Ask whether any timer jobs are installed and what they do. How do they correlate with SharePoint’s native Social timer jobs?
       - MySite Cleanup job: useful, but know what it does! Caveat: if the MySite web app is configured for Claims, it will not send email to the manager. If not claims, how do you manage the emails sent to managers? Check out Joel’s excellent article (includes purging): D8320%2Dba5369008acb&ID=532
    21. Timer Jobs, cont.
       - Code deployments: verify which timer jobs are running prior to a deployment! Some may cause the deployment to fail.
       - Remember, when you save a change to the web.config file, the web application in Internet Information Services (IIS) 7.0 automatically gets recycled.
       - Use caution when clearing the SharePoint file system cache: you may want to stop your 3rd party timer jobs that are scheduled for short time intervals (1 min – 5 min) while you clear the file system cache.
       - IIS Reset is your friend: I can’t tell you how many times just running an IIS Reset on ALL of the SharePoint servers resolved various custom code related issues.
    22. Your UPSA sync has stopped or filters are not working
       - Check FIMS: when was the last time it ran? C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
       - Are you using SCCM? Check WMI; it may have removed “MicrosoftIdentityIntegrationServer”. Start > Run > wmimgmt.msc (there is a fix, but check before you run a WMI service stop/start, as it will want to restart the following as well: SMS Agent Host, VMware Tools Service, IP Helper, Forefront Identity Manager Synchronization Service).
    23. Your UPSA sync has stopped or filters are not working, cont.
       - AD changes? Has the AD team made any domain changes or modified the UPS AD connector account (or removed domains, moved OUs, etc.)? This depends on how you configured your connector.
       - ULS Viewer: use it and filter using the category “User Profiles”. Watch the ULS Viewer after you kick off a sync to locate errors. Set verbose logging:
         Set-SPLogLevel -tra verboseex
         Set-SPLogLevel -tra medium
         "User Profiles" | Set-SPLogLevel -TraceSeverity VerboseEx
         "User Profiles" | Set-SPLogLevel -TraceSeverity Medium
    24. Other areas
       - Code-related gotchas: if the CAS policy does not correctly reflect claims, it will fail. Using web analytics: be sure your code takes into account the difference in user counts between non-prod and prod (prod will have more hits).
       - What if you have users moving between child domains?
       - Performance issue? Look at implementing blob caching, but use caution for MySites: users won’t see their upload for whatever max-age time you specify.
    25. Other areas, cont.
       - Planning to use any custom site templates? Do you want to allow them to be used for MySite sub-sites? This could cause them to show up in a central listing for communities (disable “Create Subsites” under the Use Permissions for the web app).
       - MS fix: if you see this ULS log error: "The site with ID b2c3034f-e80c-4fb1-8327-fedd17816d2e cannot be synchronized due to an unprovisioned root web" ;EN-US;2597150,
    26. Takeaways
       - Do your homework to review/document your environment (especially if you didn’t build it!).
       - Get in-depth with the vendor for specifics.
       - Test the tool against your non-production environment.
       - Do what you can to prep your MySite and UPSA in advance.
       - Verify whether you have to rebuild the AD connector prior to implementing a 3rd party tool.
    27. Resources:
       - NetBios Naming: Http://
       - MySite Cleanup: timer-job.aspx cb&ID=532
       - Profile Sync:
       - Picture URL issue:
       - WMI affecting UPSA sync:
       - Blob Cache:
       - CTWTS:
       - PII:
    28. THANK YOU for attending this session!!! Twitter: @cinsps. Member of Silicon Valley SharePoint Users Group (SVSPUG occurs 3rd Thurs each month at VTA building in Santa Clara)
    29. Join us right after the event at the Firehouse Grill! Socialize and unwind after our day of learning. 1765 E. Bayshore Road, East Palo Alto, CA
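
The purge procedure from slide 11, written out as an added PowerShell example that is not part of the original deck: it puts a dry run with -GetNonImportedObjects and an explicit confirmation in front of the purge. The timer-job display-name patterns, the report paths and the single-UPSA check are assumptions to adjust for your farm.

```powershell
# Added example, not from the original deck. Run in the SharePoint 2010 Management Shell
# on a farm server, after step 3 (backup of the profile, social and sync databases).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Assumption: the farm has exactly one User Profile Service Application.
$upa = @(Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq 'User Profile Service Application' })
if ($upa.Count -ne 1) { throw "Expected one UPSA, found $($upa.Count)." }
$upa = $upa[0]

# Assumption: display-name patterns; confirm them with Get-SPTimerJob on your farm.
$cleanup = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like 'My Site Cleanup*' })
$sync    = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like '*User Profile*Synchronization*' })
if ($cleanup.Count -eq 0 -or $sync.Count -eq 0) { throw 'Timer jobs not found; check the patterns.' }

# Steps 1-2: disable the jobs so nothing deletes profiles or syncs during the purge.
($cleanup + $sync) | Disable-SPTimerJob

# Dry run: write the list of non-imported objects to a file for review.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$before = "M:\NonImportedObjects-$stamp.txt"      # hypothetical report path
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true | Out-File -FilePath $before

$answer = Read-Host -Prompt "Review $before against the 3rd party tool's data, then type PURGE"
if ($answer -cne 'PURGE') {
    ($cleanup + $sync) | Enable-SPTimerJob        # nothing was changed; restore the jobs
    Write-Warning 'Purge skipped.'
    return
}

# Step 4: mark the non-imported objects for deletion (bdeleted = 1) and keep the output.
Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true |
    Out-File -FilePath "M:\PurgeNonImportedObjects-$stamp.txt"

# Step 5: re-enable and start the My Site cleanup job, which removes the marked profiles.
$cleanup | Enable-SPTimerJob
$cleanup | Start-SPTimerJob
Write-Host 'Re-check the bdeleted = 1 count in SQL; when it reaches 0, enable the sync jobs (step 6).'
```

The sync jobs are left disabled on purpose: re-enable them with Enable-SPTimerJob only after the cleanup job has finished and the 3rd party tool's database has been compared against the purged profile table.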