This presentation details best practices in implementing SharePoint 2010 User Profile Synchronization.

1. SharePoint 2010User Profile Synchronization Nilesh Mehta SharePoint Architect NGenious Solutions, Inc. Nilesh.Mehta@ngenioussolutions.com Dated: 12/1/2010

2. About NGenious Solutions, Inc. Proud Co-Founder of SharePoint User Group, NYC Microsoft Gold Partner Specializing in SharePoint Technologies. Announcing our new Product for Information Rights Management, integrated with SharePoint.

3. Agenda Introduction to User Profile Synchronization Best Reference material Configure User Profile Synchronization Service Import Connections and Connection Filters – Active Directory Importing Pictures from Active Directory Forefront Identity Manager Tips & Tricks Synchronization against SUN LDAP Recap

4. Disclaimer!! This is by no means the final authority on the subject. I learn something new everyday with this topic 

5. What have I done?

6. My Goal Today!! User Profile Synchronization “Its one of the single biggest issue that pops up in support with regards to configuring it properly”

7. SharePoint 2010 – User Profile Synchronization The User Profile Service is a shared service in Microsoft SharePoint Server 2010 that enables the creation and management of user profiles that can be accessed from multiple sites and farms.

8. Best Reference Material There are two blog articles that are pretty much considered the final word on setting up User Profile Synchronization service in SharePoint 2010 Spence Harbar - http://www.harbar.net/articles/sp2010ups.aspx Russ Maxwell - http://blogs.msdn.com/b/russmax/archive/2010/03/20/sharepoint-2010-provisioning-user-profile-synchronization.aspx

9. Uses and benefits of the User Profile service The User Profile service is a shared service in Microsoft SharePoint Server 2010 that provides a central location where service administrators configure and manage the following features: User profiles – contain detailed information about individuals in an organization. A user profile organizes and displays all of the properties related to each user together with social tags, documents and other items related to that user. Organization profiles – contain detailed information about an organization such as teams, divisions, and so on. Profile synchronization – provides a reliable way to synchronize user, group, and organization profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services across the enterprise.

10. Uses and benefits of the User Profile service Audiences – enables organizations to target content to users based on their job or task, as defined by their membership in a SharePoint Server group or distribution list, by the organizational reporting structure, or by the public properties in their user profiles.My Site Host – a dedicated site for hosting My Site Web sites. A My Site Host is needed in order to deploy the social features of SharePoint Server.My Site Web site – a personal site that gives users in your organization a central location to manage and store documents, links, and colleagues.Social tags and notes – enables users to add social tags to documents, to other SharePoint Server items, and to other items, such as external Web pages and blog posts. Users can also leave impromptu notes on profile pages of a My Site Web site or any SharePoint Server page. Administrators can delete all tags for employees when they leave the company or remove a tag they do not want.

11. User Profile Synchronization Architecture Courtesy: Spence Harbar Blog

12. Before you start!! If this is a new environment, before you start make sure you get the latest cumulative updates for SharePoint 2010 There are a lot of fixes in there for User Profile Sync

13. Configure User Profile Synchronization Pre-requisites: Need a managed account that has been granted replicate changes on active directory Start User Profile Synchronization Service

14. Active Directory Permissions Grant the Replicating Directory Changes permission on the domain to the managed account. This account will be used to perform the sync. Right Click the Domain, choose Delegate Control… click Next Add the managed account, click Next Select Create a Custom Task to Delegate, click Next Click Next Select the Replicating Directory Changes permission and click Next Click Finish

15. Where to start service? Small farm: Single server with separate AD and SQL Start service on the SharePoint Server Medium / Large farm: 2 or more SharePoint servers with separate AD and SQL Identify Application server and start service there. One user profile service application can only be associated with one server running USPS service

16. Start User Profile Sync Service Identify the server where you want to start service Go to Central administration and Services on the server. Select proper server from the drop down list of servers Click start “User Profile Synchronization Service”

17. User Profile Sync Service in Starting State Most common issue. Give it at least 30 minutes before you take any drastic action Resolutions: Force Stop the starting service using Powershell: Get-SPServiceInstance –Server ServerName Stop-SpServiceInstance –GUID of Service Verify if there are errors with FIM services in Event log

18. Debugging FIM Service issues Stop the FIMService Browse to the c:rogram filesicrosoft Office Servers4.0ervice directory Copy off the Microsoft.ResourceManagement.Service.exe.config file as a backup Remove the existing <system.diagnostics> block Paste in the following XML between </configSections> AND <appSettings> Save the file and start the FIMService An svclog will be created in the service directory above. You can then use SvcTraceViewer.exe (part of Windows 6.0 SDK) to view the traces.

19. Manage User Profile Service application

20. Connecting to Active Directory

21. Connection Filters Very basic settings from GUI Cannot implement complex LDAP filtering from the GUI or PowerShell Once you have setup multiple filter criteria’s there is no way to figure out AND / OR conditions between criteria’s Same from the FIM client

22. Forefront Identity Manager Client Client application that can with “Debugging” Not to be used to make changes to the User Profile Sync settings…or so they say  Make changes in here to import Profile Pictures May have to Make changes in here to connect to other directory servers. PROCEED WITH CAUTION and MS SUPPORT ON THE PHONE DO NOT STOP / START Synchronization from here. Location: C:rogram Filesicrosoft Office Servers4.0ynchronization ServiceIShell

23. Import Profile Pictures from AD New Structure to manage Profile Pictures SharePoint has library at My Site Host to manage Profile Pictures Idea is to “Export” pictures from SharePoint to Active Directory. OOB no synchronization of profile pictures from AD. Make changes through FIM client to import profile pictures In Active Directory, the property needs to be of type URL: http://somesite/myphoto.jpg Reference article from: ChaitanyaMadala http://goodbadtechnology.blogspot.com/2010/05/setting-up-pictureurl-user-profile.html

24. Multiple Directory Sources Unsupported Scenario: Authentication against Active Directory Synchronization against other Directory (SUN LDAP, etc.) SharePoint cannot map login with profile. Unless using custom claims providers that can map against both (Not tested yet)

25. Tips & Tricks Deleting Connections will delete My Sites Refresh page after starting synchronization Applying security patches / hotfixes may stop User Profile Synchronization Service Applying security patches / hotfixes may “remove” existing connections to directory sources Do not perform backup / recovery from Central administration when synchronization is in progress. It will stop sync and may stop services Cannot authenticate against one source and synchronize profiles from other Source unless using Claims Provider. SharePoint will not be able to merge login with Profile DO NOT STOP / START / REBOOT SQL Server while profile sync is in progress. It stops syncs and starts all over again.

26. Tips & Tricks Review Firewall settings between servers, especially if they are on different subnets. FIM uses port 5275. SharePoint Web Services use port 32843, 32844, 32845 After you create active directory connection and start profile synchronization, the resulting page has an “&” in the query string part of the URL. DO NOT CLICK ON REFRESH PAGE WITHOUT REMOVING THE &. OTHERWISE IT KICKS OFF SYNCHRONIZATION FROM SCRATCH AGAIN.

27. Avoid My Site Deletions Deleting Directory connection marks all My sites associated with service application for deletion. Timer job: My Site Cleanup job will run and delete all My Sites Disable My Site Clean up job to prevent my sites from getting deleted Create new directory connection. Run Full Sync It will re-create profiles and associate to My Sites. It will unmark sites from deletion If needed, enable My Site clean up job

28. Recap Understanding the User Profile Sync architecture How to start User Profile Sync service How to setup profile connections to active directory How to manage and maintain an User Profile Service application Understand FIM Client application How to setup connection to Sun LDAP Directory server

29. Questions? Contact me: E-mail: Nilesh.Mehta@ngenioussolutions.com URL: http://www.ngenioussolutions.com

30. A Message from Microsoft Microsoft is hosting a special event for premier customers in January on this topic. Get more details from: LJ.Marinello@microsoft.com rofox@microsoft.com (Bob Fox)