User Profile Sync Setup in SharePoint Server 2010 Beta

This is how I set up user profile sync for SharePoint Server 2010 Beta on my machine. You should not take this as an official guide, but the steps may help if you have been driven crazy. :)

You should also check out the TechNet article and the steps on our team blog first; they are more "official" and do not come from "another MS guy in the wild" like me :)

[Update - we are considering gathering all the information and putting it back into the TechNet article, possibly as a video walkthrough or screenshots, and hope that helps. After that is done, I may remove the content here.]

The following steps were done on Windows Server 2008 R2, but they also apply to Windows Server 2008. The WCF fix for R2 and Win7 is not currently available to the public, but it will be released in the coming days here.

  1. Start with a fresh SharePoint farm installation, and make sure the WCF fix (please refer to my previous post) is already applied on the machine.
  2. A web application is already created at port 80. A site collection is also created.
  3. Don’t do anything with the User Profile Service Application yet… If you do, you may need to rebuild the farm. (Am I kidding? No… this is beta.)
  4. Click System Settings > Manage Services on server.
  5. Start Microsoft SharePoint Foundation User Code Service – this may not be necessary, but I always do it first.
  6. If you are on a domain controller, run the following script to make sure the User Code Service has the right permission to run.
    # Read the current ACL of the ComputerName registry key
    $acl = Get-Acl HKLM:\System\CurrentControlSet\Control\ComputerName
    # Build an Allow rule giving the Users group Full Control, inherited by subkeys
    $person = [System.Security.Principal.NTAccount]"Users"
    $access = [System.Security.AccessControl.RegistryRights]::FullControl
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
    # Add the rule and write the modified ACL back to the key
    $acl.AddAccessRule($rule)
    Set-Acl HKLM:\System\CurrentControlSet\Control\ComputerName $acl
  7. Start User Profile Synchronization Service. After you click the link, the service should show as “Starting”.
  8. Although the service is “Starting”, we can check the timer job to see if it is running properly. Click Monitoring > Check job status. You may now find that a job named “ProfileSynchronizationSetupJob” is running. This may take several minutes to finish. If it finishes instantly, then something is wrong and you may have to rebuild again.
  9. When it’s finished, the job will disappear from the Running category. Now check Services again; the user profile sync service should be “Started”.
  10. Time to set up the connection! Click Application Management > Manage service applications. Scroll down to find and click User Profile Service Application. (Hint: you can copy the link to this item and add it to Resource links on the Central Administration main page to save time in the future. You can do the same for Search and Managed Metadata.)
  11. It is possible that you get an empty status now. It’s okay.
  12. Click Configure Synchronization Connections.
  13. Oh – why did I get this? “An error has occurred while accessing the SQL Server database or the SharePoint Server Search Service. If this is the first time you have seen this message, try again later. If this problem persists, contact your administrator.”
  14. Do an IISRESET from the command line. Refresh the page; problem solved.
  15. Now, click Create New Connection.
  16. Fill in your domain information. Choose the users or OU you want to import. Click OK.
  17. The connection you just created should be there. If not, you may need to rebuild. (I’m a bad guy, always telling you bad news.)
  18. Now go back to User Profile Service Application; the numbers should be shown on the side.
  19. You can choose to Start Profile Synchronization now. After some time, the number will change. It depends on the size of the OU you just chose.
  20. Click Manage User Profiles, and try to find a user. Yes, he is there!

Jie Li

Technical Product Manager, SharePoint
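
The script in step 6 gives the built-in Users group Full Control over a registry key on the domain controller. The following is an added example, not part of the original post, for keeping a copy of the key's original permissions, reviewing what Users holds on the key afterwards, and undoing the grant. The backup path and function names are assumptions made for this example.

```powershell
# Added example: review and undo the step 6 grant on the ComputerName key.
# $backupFile is a hypothetical location chosen for this example.
$keyPath    = 'HKLM:\System\CurrentControlSet\Control\ComputerName'
$backupFile = 'C:\Temp\ComputerName-acl.sddl.txt'

# BUILTIN\Users by well-known SID, so the match does not depend on OS language.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)

function Backup-RegistryAcl {
    param([string]$Path, [string]$File)
    # Save the complete security descriptor as SDDL text.
    (Get-Acl -Path $Path).Sddl | Set-Content -Path $File -Encoding ASCII
}

function Get-UsersExplicitRules {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Explicit (non-inherited) entries only, with identities returned as SIDs.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid.Value }
}

function Remove-UsersFullControl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $targets = @(Get-UsersExplicitRules -Acl $acl | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
    })
    foreach ($rule in $targets) {
        # Removes only an entry that matches the grant exactly.
        $acl.RemoveAccessRuleSpecific($rule)
    }
    if ($targets.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    $targets.Count   # number of entries removed
}

function Restore-RegistryAcl {
    param([string]$Path, [string]$File)
    # Put back only the access list (DACL) saved by Backup-RegistryAcl.
    $sddl = (Get-Content -Path $File | Out-String).Trim()
    $acl  = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage, in order:
#   Backup-RegistryAcl -Path $keyPath -File $backupFile     # before step 6
#   Remove-UsersFullControl -Path $keyPath                  # to undo the grant
# Read-only check of what Users currently holds on the key:
Get-UsersExplicitRules -Acl (Get-Acl -Path $keyPath) |
    Format-Table RegistryRights, AccessControlType, InheritanceFlags -AutoSize
```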

  • Hi Jie!

    Some great posts here. I've been following your instructions to the dot, but cannot get User Profile Sync to work.

    I have a Hyper-V virtualized server running Win2k8R2 Enterprise as DC, with SQL 2008 Developer, and all the bells and whistles.

    When you suggest to "rebuild farm", what does that actually imply?

    Just to run PSCONFIG and create a new farm?

    Uninstall/reinstall?

  • @Barney

    Rebuild means you need to run psconfig to remove the server from the farm. In my case, since it was the only server in the farm, it removed the farm. It would be good if you can also run SQL Management Studio to delete all the related databases. Then run psconfig again and recreate the farm.

    The reason I suggested this way is because it is hard to troubleshoot problems and fix them when you have a (most likely) corrupted setup. Remove Service Application and recreate would not work, since FIM is already messed up.

    Which account did you use? I suggest using the domain administrator to avoid possible problems. One of the key steps is: don't touch the User Profile SA before you have the user profile sync service fully started. If you didn't do that, it is highly possible only a rebuild would work.

  • Hi, Buddy

    When I created a user profile application service, I got this error:

    Unrecognized attribute 'allowInsecureTransport'. Note that attribute names are case-sensitive. (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebClients\profile\client.config line 34)

    Any idea?

  • one thing more

    The job "ProfileSynchronizationSetupJob" finished, but my profile sync service is still “Starting”.

  • @aleck,

    allowinsecuretransport only happens when you didn't apply WCF fix on Windows Server 2008 R2...

  • Great Post. Quick Question. How can I map the picture property URL to an existing site? I used to use a url in a text field to map to in 2007 but it doesn't seem to work in 2010. Any clues would be appreciated.

  • Thanks Jie.

    I have managed to get this working with AD (eventually). But I am stumped with LDAP.

    First I'm trying with ADLDS, and then with Sun One.

    Cannot figure either out.  Any pointers?

  • For the life of me, I cannot get this to work for a domain trust scenario.

    In our example, all user accounts are in forest x (x.company.com is the domain). Our farm (and all servers) are in forest y (y.company.com).

    y.company.com trusts x.company.com.

    When I set up the profile sync to pull from y.company.com, it works fine. But when I put in x.company.com, when I go to enumerate containers, it says "the object does not exist".

    This works great in the exact same setup in MOSS 2007. I can't believe that we are the only people in the world who have an account forest and a resource forest.

    Any suggestions as to how to configure SPS2010 with this type of a setup? We're dead in the water in our testing without being able to actually have user accounts, you know?

  • Just evaluating this for possible use in our organisation - very impressed so far with what I've seen.

    User profile import is still giving me issues though. When I go to configure a connection I'm informed that the user profile sync job is running and to wait until it's finished. Nothing showing in the monitoring section as running. Still there after disabling the timer job completely and iisreset/server re-boots...

  • Hello,

    At #13 “An error has occ..." iisreset isn't solving that issue for me. Are there any tips for that issue?

    Thx in advance ;]

  • CRITICAL STEP Between steps 10 and 11:

    Go to Manage Service Applications / User Profile Admin / Administrators --

    Add the valid local and domain users to give full control permissions. This solved all my problems and allowed Jet li's instructions to work flawlessly.

    See this link:

    http://technet.microsoft.com/en-us/library/ee721057(office.14).aspx#section1

  • CRITICAL STEP (CORRECTION) -- NEED To do the previous post between step 9 and 10.  

    Once that is completed you will be able to create the connection without permission errors.  After that everything else works fine.

  • OK, well after starting all over and going through all the steps again, just to prove to myself that the above process is consistently repeatable, I found out that it seems that it is necessary to add the local machine admin account to the 'User Profile Application' administrators.  Why? I have no idea, but as we know, it is Beta.

  • Jet, I followed the steps, however I did not succeed in setting up profile synchronisation. Win2k8R2 Enterprise as DC, on which SharePoint is installed. I am facing an issue with FIMSyncronisationService; in the log it states--

    The service encryption keys could not be found.

    User Action

    Verify that the service account has permissions to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

    If the problem persists, run setup and restore the encryption keys from backup.

  • I have followed your steps in entirety, my sync with AD is working fine except it is not pulling the pictures in the AD.

    Here is my issue, we have photos of all employees stored as xyz.jpg in the custom attribute (emp_pics_2001) with type string, but the picture url type is url (is this the culprit type change), I am using the custom attribute to map the field in the Sharepoint 2010 miis client.

    I am using the below url to do the set up: goodbadtechnology.blogspot.com/.../setting-up-pictureurl-user-profile.html

    I did check: the profile db picture url field is NULL. I have all the other values for the person except the picture. I do not know why Microsoft is making it harder in a few small things like this; I have already wasted more than 2 days figuring this out.

    If I just get xyz.jpg pulled to SharePoint, then I can prefix a url in front of it using PowerShell.

    I am using a fully trusted service account with full permissions to the domain.

    Please help me out.

    thank you

    Neel

    neelbh@yahoo.com
