[What you have]:
You have a 2010 farm.
[What you want]:
You want to pull users from AD into Profiles.
[What you want to know]:
Here is a beautiful represenation of User Profile Architecture from UPA 2010 : Intro – Part1
In order to get AD connection configured, you want to configure User Profile Synchronization.
Before you get your hands dirty with that, the essential understanding of the User Profile architecture is required.
Terminology:
User Profile Application - a logical set of functionality that allows to have profiles, and if needed social tagging, my site functionality (note: you can configure whether users will be able to create "my site" -Central Administration Manage Profile Service: User Profile Service -> Manage User Permissions)
"A key thing to understand is that Service Applications, in the general case, are just a logical concept made up of one or more components, one of which may be an actual Service Application component that defines the configurations for a particular implementation of a specific Service Instance." (Gary Lapointe's book)
( you want more of that? - Service Application : Architecture in one picture)
What is the User Profile Synchronization service anyway? - just a wrapper for the ForeFront Identity Manager (FIM) services.
[What you want to do]:
Make sure that:
1. Start the “User Profile Service” first.
2. Create the “User Profile Service Application”
"You must create the User Profile Service Application while logged on as the Farm Account
This is generally contrary to well-understood best practices that stipulate that you should never log as the Farm Account, but unfortunately, it is a neccessary eveil due to an issue with how the Service Application is created."
(Gary Lapointe's book)
Now you are ready to kick the User Profile Synchronization server off:
1. Make sure that A farm account is in the Farm Administrator group (/_layouts/people.aspx?MembershipGroupId=3).
2. Add temporarily a farm account into Local Administrators group on the application server where you want to run the User Profile Synchronization service.
3. You logged as a farm account into the application server where you want to start the User Profile Synchronization service.
4. Network service account is a member of WSP_WPG group on that application server
5. Don't forget to reset the application server if you have just added a member to the local group. I even would recommend to restart IIS and SharePoint 2010 Timer.
In case NetBIOS Name and FQDN mismatch:
6. Run User Profile Synchronization service on the same application server where the User Profile Service is running.
7. IIS reset after the provisioning of User Profile Synchronization service
8. The permanent assigment "log on locally" must be granted to the Farm Account (Local Policies->User Rights Assignments - Allow Log on locally).
"Though adding the farm Account into the Local Administrator group does achieve this, do not be tempted to leave the Farm Account in the group as doing so is considered a security risk". (Gary Lapointe's book)
9.Check whether User Profile Synchronization works. If it does, remove the farm account from Local Administrator group, you don't need it anymore.
* Because User Profile Sync Service doesn't work with the managed account, if you ever change the farm account password, it will break the user profile synchronization
**Farm backup will stop the User Profile and after the backup job is done, it will try to start the User Profile Service. If at that time all required conditions (That mention above) don't meet, you will end up with broken USP after the farm backup. (Why SharePoint backups break the User Profile Sync Service and other mysteries solved (Todd Klindt))
[What you want to consider]:
To get more details on the topic - Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
To know exactly what's going on under the hood - refer to UPA 2010 : Setting up the User Profile Service Application
My personal respect to the author of the post Forefront Identity Manager & User Profile Synchronization Service. This post is responsible for that I got the User Profile Synchronization running.
To encourage me to write you helpful posts, you can acquire knowledge from a great book by Gary Lapoint through Amazon associate program. (just click this link and buy Automating SharePoint 2010 with Windows PowerShell 2.0)
You have a 2010 farm.
[What you want]:
You want to pull users from AD into Profiles.
[What you want to know]:
Here is a beautiful represenation of User Profile Architecture from UPA 2010 : Intro – Part1
Before you get your hands dirty with that, the essential understanding of the User Profile architecture is required.
Terminology:
User Profile Application - a logical set of functionality that allows to have profiles, and if needed social tagging, my site functionality (note: you can configure whether users will be able to create "my site" -Central Administration Manage Profile Service: User Profile Service -> Manage User Permissions)
"A key thing to understand is that Service Applications, in the general case, are just a logical concept made up of one or more components, one of which may be an actual Service Application component that defines the configurations for a particular implementation of a specific Service Instance." (Gary Lapointe's book)
( you want more of that? - Service Application : Architecture in one picture)
What is the User Profile Synchronization service anyway? - just a wrapper for the ForeFront Identity Manager (FIM) services.
[What you want to do]:
Make sure that:
1. Start the “User Profile Service” first.
2. Create the “User Profile Service Application”
"You must create the User Profile Service Application while logged on as the Farm Account
This is generally contrary to well-understood best practices that stipulate that you should never log as the Farm Account, but unfortunately, it is a neccessary eveil due to an issue with how the Service Application is created."
(Gary Lapointe's book)
Now you are ready to kick the User Profile Synchronization server off:
1. Make sure that A farm account is in the Farm Administrator group (/_layouts/people.aspx?MembershipGroupId=3).
2. Add temporarily a farm account into Local Administrators group on the application server where you want to run the User Profile Synchronization service.
3. You logged as a farm account into the application server where you want to start the User Profile Synchronization service.
4. Network service account is a member of WSP_WPG group on that application server
5. Don't forget to reset the application server if you have just added a member to the local group. I even would recommend to restart IIS and SharePoint 2010 Timer.
In case NetBIOS Name and FQDN mismatch:
Before Start User Profile Synchronization Service:
First, enable netbios name
$UserProfileServiceApp = Get-SPServiceApplication | where {$_.TypeName -eq "User Profile Service Application"}
$UserProfileServiceApp.NetBIOSDomainNamesEnabled
= 1
$UserProfileServiceApp.Update()
6. Run User Profile Synchronization service on the same application server where the User Profile Service is running.
7. IIS reset after the provisioning of User Profile Synchronization service
8. The permanent assigment "log on locally" must be granted to the Farm Account (Local Policies->User Rights Assignments - Allow Log on locally).
"Though adding the farm Account into the Local Administrator group does achieve this, do not be tempted to leave the Farm Account in the group as doing so is considered a security risk". (Gary Lapointe's book)
9.Check whether User Profile Synchronization works. If it does, remove the farm account from Local Administrator group, you don't need it anymore.
* Because User Profile Sync Service doesn't work with the managed account, if you ever change the farm account password, it will break the user profile synchronization
**Farm backup will stop the User Profile and after the backup job is done, it will try to start the User Profile Service. If at that time all required conditions (That mention above) don't meet, you will end up with broken USP after the farm backup. (Why SharePoint backups break the User Profile Sync Service and other mysteries solved (Todd Klindt))
[What you want to consider]:
To get more details on the topic - Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
To know exactly what's going on under the hood - refer to UPA 2010 : Setting up the User Profile Service Application
My personal respect to the author of the post Forefront Identity Manager & User Profile Synchronization Service. This post is responsible for that I got the User Profile Synchronization running.
To encourage me to write you helpful posts, you can acquire knowledge from a great book by Gary Lapoint through Amazon associate program. (just click this link and buy Automating SharePoint 2010 with Windows PowerShell 2.0)
Thank you! Thank you! Thank you! Pointed me in the right direction - unfortunately my hair managed to turn grey before finding this post :)
ReplyDelete