Whether you like it or not! Importance increases significantly with SharePoint 2013 Pretty much every investment area relies on Profiles for core functionality App AuthZ, S2S, etc Primarily a political endeavor, NOT a technical one No toolset from any vendor will change this

Especially when Active Directory is externally managed e.g. Reboot of domain controllers, Windows Update Large and/or bulk updates Replicating Directory Changes Additional rights for property export

One of the most common causes of weak deployments, limited functionality and upgrade pain Federate or replicate? Central farms, regional farms, both? Relationship with other services

Security Privacy Policy Operations SQL Server Distributed Cache SharePoint Server Search Managed Metadata Business Data Connectivity

Large organizations should be able to perform a full sync of AD and SharePoint data over a weekend IT Pros should be able to monitor the performance and stability of profile sync and have access to the information that they need to take corrective action when problems occur Common Directory Service configurations should be supported, including Forefront Identity Manager and LDAP

Lightweight LDAP approach internal to SharePoint a.k.a Direct AD Import Embedded Forefront Identity Manager Same approach as SP2010 with improvements “under the hood” External Forefront Identity Manager using the SharePoint Connector Custom Code: User Profiles Web Services and Object Model

SharePoint User Profile Service Application UPS (SharePoint FIM) BCS External System Active Directory ADI (User Profile Service Instance) EIM (External FIM) EIM (Custom Code) Directory

Farm Configuration Wizard (just kidding ) Via Manage Service Applications The default schema issue

Farm Account default schema set incorrectly in Sync DB We will never be able to start the UPS service instance Log on as the Farm Account and execute the PowerShell Fix the schema manually – an unsupported change

Non UAC environmentsUAC Environments Just use this one! Both simulate interactive logon as the Farm account (Log on Locally) Both require Local Machine Administrator

For the most common scenario (AD forest) Import Only! Container selection LDAP filters Inclusion Based One connection per domain That could be a lot of connections!

a.k.a Shadow AccountsFor simple data typesAs SharePoint 2010

Leverages a change log to drive import efficiency DirSyncRequestControl is scoped at the domain level Implement immediately after creating the UPA! Replicating Directory Changes also required on the Configuration partition

You can modify the properties of the UPA to configure Active Directory Import via Windows PowerShell

Central Administration UI can be misleading when creating connections after changing the mode. You don’t need to worry about BCM for the Sync DB! It must exist, but it IS supported to mirror/log ship an empty database

For AD Import only, these cmdlets are NOT supported for UPS Known Issues with Remove-SPProfileSyncConnection only removes the organizational unit (OU) from the profile synchronization connection Fix:

Those that begin with SPS-

Maximum flexibility With great power comes great responsibility Sweet UI! As opposed to exclusion based with UPS Validate your filters with ADSIEdit Just because you can, doesn’t mean you should

Adding or removing OUs Filter changes Property mappings To clean up profiles which are not created as part of the import Profiles are marked for deletion

Adding or removing OUs Filter changes Property mappings To clean up profiles which are not created as part of the import Profiles are marked for deletion

Manual recreation required Or use an XML based provisioning approach

Understand the design constraints Document the configuration!!! Run PurgeNonImportedObjects after a full import to remove items that should not be there

Ships as external download Support for SharePoint Server 2013 now Support for SharePoint Server 2010 in testing Requires FIM 2010 R2 SP1 You need to create and use a metaverse rules extension You may not be able to migrate your existing data Only FIM Sync Service needed

HR SQL Database

Impacts pretty much every product feature e.g. organic growth of domains and/or forests

Sponsored by