User Profile Synchronization Service The User Profile Synchronization (UPS) service is perhaps the most used service application in SharePoint 2010. Unfortunately, it’s also one of the most difficult to configure. In this class, we’ll examine how UPS synchronizes user information with Active Directory and other data sources. We’ll also review the timer jobs that spread profile changes through the rest of the farm environment. We’ll explain the requirements for configuring the service successfully, and we’ll demonstrate how to recover from the common problems that occur during configuration of this service. If you are planning a SharePoint Server 2010 installation that uses User Profiles, then this class is for you. Tips and Troubleshooting SharePoint Fest NYC
Paul Papanek Stork Principal SharePoint Architect for BlueChip Consulting Group http://www.bluechip-llc.com SharePoint MVP for 6 years SharePoint Microsoft Certified Master Author Developer’s Guide to WSS 3.0 MOSS 2007 Best Practices MCTS: WSS 3.0 Configuration Study Guide (70-631) Pro SharePoint 2010 Development for Office 365 Contact Information Email: Paul.Stork@bluechip-llc.com Blog: http://dontPaPanic.com/blog Twitter: @PStork
Agenda User Profile Sync in 2010 User Profile Sync Changes in 2013 AD Profile Sync versus AD Import in 2013 Preparation for User Profile Sync Starting User Profile Sync & Troubleshooting Importing Additional Information The User Profile Synchronization (UPS) service is perhaps the most used service application in SharePoint 2010. Unfortunately, it’s also one of the most difficult to configure. In this class, we’ll examine how UPS synchronizes user information with Active Directory and other data sources. We’ll also review the timer jobs that spread profile changes through the rest of the farm environment. We’ll explain the requirements for configuring the service successfully, and we’ll demonstrate how to recover from the common problems that occur during configuration of this service. If you are planning a SharePoint Server 2010 installation that uses User Profiles, then this class is for you.
Profile Service Application Architecture User Profile Service Related Services Social Data Profiles Sync Search Indexing Tags and Security Trimming Web Front End Profile Synchronization Service Instance Enterprise Metadata Tagging and Profile Properties Profile Service Instance WFE talks to the service and SQL, maintains Front-end cache Mid-tier cache, optimized for most-used profiles, 256 Mb default (good for 500k users on average)
User Profile Service Databases Profile database – used to store user profile information. Synchronization database – used to store configuration and staging information for synchronizing profile data. Social tagging database – used to store social tags and notes created by users. User Information Table – Synchronized with User Profile (stores information like user display name for each site collection)
User Profile Timer Jobs Name Description Timing Activity Feed Cleanup Cleans up pre-computed activities that are used in activity feeds that are older than 14 days. This job does not affect the User Profile Change Log. Daily at 3 AM Activity Feed Pre-computes activities to be shown in user activity feeds. Hourly Audience Compilation Computes memberships of defined audiences. Weekly, Sat at 1 AM My Site Suggestions Email Sends e-mail messages that contain colleague and keyword suggestions to people who do not update their profile often, prompting them to update their profiles. Monthly, 15th at 10 PM Social Data Maintenance Aggregates social tags and ratings and cleans the social data change log. Hourly, 30 min after Social Rating Synchronization Synchronize rating values between Social Database and Content database Change Cleanup Job Cleans up data that is 14 days old from User Profile Change Log. Daily at 10 PM Change Job Processes changes to user profiles Hourly, on the hour Incremental Synchronization Synchronizes user, group and group membership changes between the User Profile Application and specified directory source Daily at 1 AM Language Synchronization Job Looks for new language pack installations and makes sure that strings that related to the user profile service are localized correctly. Every minute SharePoint Full Synchronization Synchronizes user information from the user profile application to SharePoint users and synchronizes site memberships from SharePoint to the user profile application. SharePoint Quick Synchronization Synchronizes user information from the user profile application to SharePoint users who were recently added to a site. Every 5 minutes My Site Cleanup Job When a user is deleted, sends an e-mail message to the manager containing a request to the manager to move any documents or data that the manager wants to preserve, because the site might be deleted in the future. System Job to Manage User Profile Synchronization Manages provisioning, run steps and additional tasks related to User Profile Synchronization. (Note: Don’t Change Timing)
Changes in SharePoint 2013 Re-Introduction of AD Import Faster Synchronization for Full Synch Synchronization with multiple directory services Active Directory Domain Services (AD DS) 2003 SP2 and above Sun Java System Directory Server version 5.2 Novell eDirectory version 8.7.3 IBM Tivoli version 5.2
Why do I need User Profiles People Search is Incomplete SharePoint “App” model security SharePoint 2013 Workflow User Context
Active Directory Import Faster than user Profile Sync. No bidirectional synchronization Limited to a single Active Directory forest. Allows only one farm-wide property mapping. Fewer properties synced by default than AD Sync FirstName, LastName, Department, SPS-JobTitle, Office, PreferredName, SPS-Department, Title, WorkEmail, WorkPhone
Configure AD Import (2013)
Important CUs and SPs 2010 Oct 2010 CU – fix for Central Admin SSL issue Dec 2010 CU – breaks Netbios domain support Feb 2011 CU – fix for Netbios domain support Service Pack 1 – major improvements to User Profile Sync, but don’t use it without a later CU June 2011 CU or August 2011 CU – should be installed after SP1 Feb 2012 CU – improved stored procedures for maintenance of SyncDB 2013 April 2014 CU – Fixed UPS issues introduced by SP1
Prestart Checklist Don’t Run the Farm Config Wizard! If SQL is an Instance or FQDN Create a SQL Alias Updates Install SP1 and August 2011 Cumulative Update (2010) Install SP1 and April 2014 Cummulative Update (2013) Verify Account Permissions See the Next Slide Does AD Netbios Domain Name match FQDN? Example Acme ≠ Acmeman.dev Additional Permissions required $upsa = Get-SPServiceApplication –Id User-Profile-App-GUID $upsa.NetBIOSDomainNamesEnabled=1 $upsa.Update()
Security Rights for User Profile Sync UPS Service Identity (Farm Account) Must run as Farm Account Local Admin during Provisioning Log on Locally Note: Reboot after changing Farm Account rights Synchronization Connection Account Replicating Directory Changes on the Domain Netbios name ≠ FQDN name Replicating Directory Changes on Configuration Partition Member of Pre-Windows 2000 Compatible Access For Export Only – Create Child Objects and Write Access to OUs
Check Pre-requisites
Starting User Profile Sync Provision the User Profile Service Application through Central Admin Start the User Profile Service in Services on Server Reboot the Server Start the User Profile Sync in Services on Server
Common Issues SharePoint Farm account isn’t a Local Admin Add the Farm Account to Local Admin and reboot Creating User Profile Service App using Powershell Sync DB schema is incorrect Running Central Administration over SSL Fixed in October 2010 CU Timeouts when configuring Sync Connections Use PowerShell to slowly increase timeouts until it works Firstly, the Populate Containers timeout, which by default is 30 seconds. We set this property on the User Profile Service Application Proxy: 1$upaProxy = Get-SPServiceApplicationProxy -Id <GUID of User Profile Service Application Proxy> 2$upaProxy.ImportConnAsyncTimeout = 45 3$upapProxy.Update() 4# To get the GUID of the User Profile Service Application Proxy run Get-SPServiceApplicationProxy Next, the Save Synchronization Connection timeout, which by default is approximately 17 minutes. We can adjust this value (in milliseconds this time) on the Service Application: 1$upsa = Get-SPServiceApplication –Id <GUID of User Profile Service Application> 2$upsa.FIMWebClientTimeOut = 240000 3$upsa.Update() 4# To get the GUID of the User Profile Service Application run Get-SPServiceApplication. Lastly you may receive timeouts when simply connecting to the domain. By default the maximum time is 30 seconds. To alter this value, we must install the June Cumulative Update or later. Once we have done that we can modify the connection timeout on the Proxy: 2$upaProxy.LdapConnectionTimeout = 45
Troubleshooting Re-Verify original Checklist Watch provisioning with ULSViewer
Monitoring UPS provisioning in ULS
Troubleshooting Re-Verify original Checklist Watch provisioning with ULSViewer View Sync run with Forefront Identity Manager C:\Program Files\Microsoft Office Servers\14.0\ Synchronization Service\UIShell\miisclient.exe
Watch Sync with MIISclient.exe
Troubleshooting Re-Verify original Checklist Watch provisioning with ULSViewer View Sync run with Forefront Identity Manager Check Event Viewer for Errors C:\Program Files\Microsoft Office Servers\14.0\ Synchronization Service\UIShell\miisclient.exe
What Not to Do Don’t modify the FIM service settings in Windows Services Don’t try to use something other than the FARM account Don’t modify FIM settings using MIISClient.exe Don’t worry about the warning in Health Check about not running other services under the Farm Account
Configure User Profile Sync
Importing Groups Used for Audiences and to calculate MySite Memberships List Has no effect on which users are imported Has no effect on which users are displayed in People Picker
Importing Additional User Data Must have a primary sync with a Directory service Create a BCS external content type ECT must use a Login identifier as Key Configure a BCS sync Connection Can Sync either a Single Valued or Multi Valued Property, but not Multiple records
Import Properties via BDC
Additional Resources Configure profile synchronization (SharePoint Server 2010) - Technet http://technet.microsoft.com/en-us/library/ee721049.aspx Troubleshooting User Profile Sync Issues on SharePoint 2010 – Steve Chen http://blogs.technet.com/b/steve_chen/archive/2010/10/13/troubleshooting-user-profile-sync-issues-on-sharepoint-2010.aspx Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization- Spence Harbar http://www.harbar.net/articles/sp2010ups.aspx
Questions? Contact Information Email: Paul.Stork@bluechip-llc.com Blog: http://dontPaPanic.com/blog Twitter: @PStork