This blog is intended to quickly ramp up the reader on requirements and steps to successfully provision a user profile synchronization service. User Profile Service Application setup has been one of the most problematic issues for customers so I hope this will clear up some misconceptions. I’ll cover some basics including components involved and improvements made in this area (User Profile Synchronization). The user profile service application contains several new and existing features from previous SharePoint build. User Profile Service Application has broken away from the SSP and is now a separate entity. It is no longer tied to an SSP and contains 3 SQL databases that are bound to each User Profile Service Application. User Profile Sync no longer relies on search architecture\crawl. User Profile Sync now relies on Forefront identity manager to facilitate full\incremental synchronization between a SharePoint 2010 User Profile Service Application (UPA) and directory servers like Active Directory. For the remainder of this blog, I’ll refer User Profile Service Application as “UPA”. The basic steps to completely provision a UPA:
1.) Provision a UPA either through the Farm Configuration Wizard or from Manage Service Application page within Central Administrator. 2.) Start the "User Profile Synchronization Service" within Central Administrator\System Settings\Manage services on server Note: This provisions FIM services 3.) Within Manage Profile page, create a new Sync Connection 4.) Start a full sync Note: Steps 2 and 3 must meet specific permission requirements for functional UPA.
1.) Provision a UPA either through the Farm Configuration Wizard or from Manage Service Application page within Central Administrator.
2.) Start the "User Profile Synchronization Service" within Central Administrator\System Settings\Manage services on server
Note: This provisions FIM services
3.) Within Manage Profile page, create a new Sync Connection
4.) Start a full sync
Note: Steps 2 and 3 must meet specific permission requirements for functional UPA.
In the following section, I’ll break down the components involved and permission requirements to successfully provision a User Profile Service Application Synchronization service.
Important: Provisioning User Profile Synchronization will not work in single server installs with built-in databases. You must have a full install of SQL...
http://technet.microsoft.com/en-us/library/cc263202.aspx
Components
Forefront Identity Manager (FIM)
Forefront Identity Manager (FIM), formerly known as Microsoft Identity Integration Server (MIIS), is used to facilitate synchronization between multiple endpoints. For Example: (FIM sits between Active Directory and User Profile Service Application and is responsible for syncing changes between both endpoints. Without a healthy FIM, SharePoint sync isn’t possible and will fail. FIM automatically gets installed when SharePoint 2010 is installed.
One of the UPA SQL databases is called the Sync database by default. FIM utilizes the profile Sync Database to store data. So what components make up FIM?
1. Two Services
2. Profile Sync database (SQL)
3. MIIS Client.exe used to view progress\troubleshoot sync
4. FIM binaries including the MIIS Client tool are located here:
C:\program Files\Microsoft Office Servers\14.0\Synchronization Service
UPA Components
A user profile service application has multiple components including the following:
· Consists of 3 SQL databases (Social, Profile, Sync)
· Admin Page (ManageUserProfileServiceApplication.aspx)
· User Profile Service Application Proxy
· SharePoint Services (User Profile Service and User Profile Synchronization Service)
Note: These services are located in Central Admin\System Settings\Manage Services on server
Permission Requirements
There are two separate permission requirements that involve running full\incremental profile sync. Specific permissions are required for the account doing either of the following:
1. User Profile Sync account
2. Directory Sync account
User Profile Sync Account
The User Profile Sync Account is responsible for provisioning\running the User Profile Synchronization Service. It is the same account that runs both FIM services. This account requires the following permissions for provisioning:
· Farm Account (timer service account)
· Local Admin (for duration of sync provisioning)
· Logged on as the account during provisioning
· Member of Pre-Windows 2k compatibility group
Question:
Q. Why does this account need to be a member of Pre-Windows 2k compatibility group?
A. It needs membership to this group at a minimum because we call some functions like AuthzInitializeContextFromSid which require access to read the TGGAU attribute. The Pre-Window 2k compatibility group has access to read this attribute. See my blog for more details:
http://blogs.msdn.com/russmax/archive/2010/01/20/why-the-tokengroupsglobalanduniversal-tggau-attribute-matters-in-sharepoint-2010.aspx
Directory Sync Account
The directory sync (dir sync) account is responsible for authenticating\enumerating against a directory server in order to sync changes. This account requires specific permissions to a directory server in order to read and “sometimes” write to a directory. In this example, I’ll be using Active Directory as my directory server because it will be the most widely used directory server. Where\How do you set this account in SharePoint 2010? This account is specified as part of step 3 above which is during the creation of a Sync connection. The permission requirements depend on the following:
Permission requirements: Domain netbios name is the same as the FQDN of the domain
This is the easiest scenario and nothing must be done other than granting directory changes permission to each import domain NC. In a multi domain scenario where a root domain and child domain exists. If users reside solely in the child domain, then the only requirement is to grant the dir sync account replicate directory changes permission on the child domain NC. The dir sync account requires “no” permission within the root domain in order to successfully sync to\from the child domain.
The following permissions are required for functional full sync between UPA and Active Directory. The Directory Sync account needs the following:
· Replicate directory changes permission to each import domain NC
The following article describes how to set this:
How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account
Permission requirements: Domain netbios name is different than the FQDN of the domain
This is not the easiest scenario and requires some explanation. When the domain netbios name is different than the FQDN of the domain, that is the domain netbios name is different than the first portion of the FQDN. For Example:
Domain netbios name: Contoso
FQDN of Domain: rootdomain.local
When domain naming scheme is set in this manner, the requirements are the following:
Note: A walkthrough of each step is detailed below
NetBiosDomainNamesEnabled
NetBiosDomainNamesEnabled is a property that is set on every UPA. By default, this value is set to false which means that you must set it to true in the scenario where the domain netbios\FQDN names are different. PowerShell can be used to drop the UPA into a variable and set this property to true.
For Example:
1.) Get-SPServiceApplication
a. Note: This will output every service application specifically the User Profile Service Application
2.) $var = Get-SPServiceApplication –Identity 00a380ed-2e99-4de3-ae22-dbe8c1b03bab
Note: the identity is the GUID associated with the User Profile Service Application which was retrieved and copied from running the Get-SPServiceApplication cmdlet
3.) $var.NetBiosDomainNamesEnabled
Note: if this is true then it’s enabled and you can skip directly to step 7
4.) $var.NetBiosDomainNamesEnabled = “True”
Note: Here you are setting the property to True
5.) $var.update()
Note: This is simply running update method against the variable which officially updates the property
6.) $var.NetBiosDomainNamesEnabled
Note: This confirms the steps were run correctly as the output will display True instead of False
7.) To utilize the domain Netbios name, a new sync connection must be created and used. Yes, this means you cannot use an existing sync connection and expect it to work. Create a new sync connection via the UI:
Central Admin\Application Management\Manage Service Applications\User Profile Service Application\Configure Synchronization Connections
Grant Replicate Directory Changes perms to each import Domain NC and Config NC
For the Domain NC: Utilize the same step described in the “Permission requirements: Domain netbios name is the same as the FQDN of the domain” section.
For the Config NC:
1. Launch ADSI Edit
2. Right click ADSI Edit and hit connect to
3. Under, “Select a well known Naming Context”, choose Configuration and hit OK:
4. Expand Configuration object and (right click + properties) on the configuration container which should be in a DN format like the following:
CN=Configuration, DC=Contoso,DC=com
5. Select Security tab and hit add the Dir Sync account and grant Replicate Directory Changes (This object only)
For Example, Bill is my dir sync account:
6. Click OK
Note: The account used to access the Configuration NC via ADSI Edit must be a member of Enterprise Administrators group to perform this operation.
Questions and Answers:
Q. My domain netbios name is different than the FQDN. My AD administrator refuses to grant replicating directory changes permission to the Configuration Container without an explanation.
A. This is a read only permission and will not write to the Configuration NC. Also, the dir sync account requires this permission to the Config NC because that’s where Domain NetBios names are stored.
Q. My domain netbios name is different than the FQDN. My AD administrator refused to grant the dir sync account replicating directory changes permission against Configuration NC. The dir sync account was only granted replicating directory changes permission on the domain NC. This appears to work okay and I can view all my users profiles in SharePoint after a full sync? I don’t get it?
A. It’s not that it won’t work if appropriate permissions are missing on the Config NC. The problem is that it will be an undesirable result in that the SAM account name will show up with the first portion of the FQDN as the domain name instead of the netbios domain name of the domain. This has many potential implications which are mostly unknown at this point. This is the reason why this setup will not be supported by Microsoft.
Q. My domain netbios name is different than the FQDN. How can I validate that the permission was properly set on the Config NC for the dir sync account after a full sync?
A. This question assumes that the questioner doesn’t have access to AD/ADSI edit to validate the dir sync account has appropriate permissions. Two ways to validate permissions are correct.
1. Go to Central Admin\Application Management\Manage Service Applications\User Profile Service Application Management page\Manage User Profiles and search by the netbios name of the domain name and ensure all user profiles appear.
2. Access the User Profile database within SQL and inspect some rows within the UserProfile_Full table. The NT column should display the domain name in CAPS for the netbios name of the domain.
Permission requirements: Syncing changes from AD to SharePoint/Syncing changes from SharePoint to AD
This is a major improvement to SharePoint 2010 sync in that now changes can go both ways. Instead of only syncing changes from AD to SharePoint, SharePoint changes can now sync to and update AD. The permission requirements already listed above meet the requirements for syncing changes from AD to SharePoint. However, additional permissions are required for the dir sync account to sync changes from SharePoint to AD:
· Create all child objects (This object and all descendants) to each export domain NC
· Write (This object and all descendants) to each export domain NC
Validation
Great, so permissions are now setup properly and it’s time to follow the original steps which are:
I will discuss validating Step 2 and 3 in sections below.
Validating User Profile Synchronization Service Provision
After a User Profile Service Application is provisioned, the User Profile Sync Service must be started if the UPA will be used for syncing. As stated previously, starting the service provisions FIM so really two ways to validate successful provisioning.
1.) The service will be listed as started within Central Admin
2.) FIM service and FIM Sync service is started
3.) Timerjob status page displays success
In some cases due to lack of permission or some other issues, the User Profile Synchronization Service will get stuck in a Starting state and may never come out of it. This is when validation should include real time monitoring. I recommend using ULS viewer which can be downloaded here:
http://code.msdn.microsoft.com/ULSViewer
Using ULS Viewer, open the current ULS log and filter on category User Profile:
Validating a new Sync Connection
One way to validate a Sync Connection is valid besides a quick visual in Central Administrator is to use the MIIS tool and ensure a third management agent (MA) is present.
More Information
http://technet.microsoft.com/en-us/library/ff182925(office.14).aspx
http://technet.microsoft.com/en-us/library/ee721049(office.14).aspx
- Russ Maxwell, MSFT
Worked great, except now in Sharepoin2010 I can't search any name. They all show up under the user profiles in Central Admin, but the managers' names are incorrect. They show up as originaldomain\username in the listing. When I try to change them to Netbiosname\username, it says that the name is invalid. Even search finds nothing. Any advise?
When you say you can't search any name are you talking about from the User Profile management page or from the People search page? For people search to work from the People search page, you must perform an incremental crawl via the associated Search Service Application Admin page. You would fire it off from the content source hosting SPS3...
Also, are the managers members of the same domain as the users that were imported?
-Russmax
Note: Any further post that I deem inappropriate will immediately be deleted so please don't waste your time or mine...
I am trying to Import UserProfile data using BCS. And while FullSynch..am getting following error :
Microsoft.MetadirectoryServices.NoSuchObjectTypeException: No such object type "user". at Microsoft.MetadirectoryServices.Impl.TypeDescriptionCollectionImpl.get_Item(String Name) at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData) Forefront Identity Manager 4.0.2450.5
Are there any tools out there that we can use to verify that all the permissions are set correctly?
The reason I ask is this:
I have gone through the user profile application service deletion and creation process several times (at least 30) over the last week. I've done this using several different account permission settings.
I've tried this as domain admin as well. I've set the sync AND farm accounts to replicate directory changes in the configuration schema. My test environment is this (all VMs):
2 domain controllers all 2008 R2 with forest in 2008 R2 mode.
The netbios domain name is different than the FQDN
1 SQL server 2008 R2 all patches applied.
1 2008 R2 sharepoint 2010 with December CU applied and nothing else installed (no office web apps and no sites created)
Farm account matches the required permissions as set in this document and MS technet.
Sync account (tried using a specific sync account with the required permissions and also the farm account as the sync account).
These are the issues I've discovered:
1. I can create User profile service app and pool without issue. (if i delete the service app, the next time i try to create it i get a named pipes error - but then if I immediately try to create it again, it works fine)
2. before starting the server service I set the NetBiosDomainNamesEnabled flag to 1 and update(). If I do this, I cannot create the sync connection ever -more on this in a second. If I don't enable netbiosdomainnames on the service app, I can create the connection without issue, but when i sync the links to the profile pages done work (they link to domainx/user instead of domainy/user) and the managers don't resolve correctly.
-With netbiosdomainnamesenabled=1 the error i get when creating the connection is "Unable to process Create message". Remember, using the same exact credentials, this works fine without netbios names enabled. So I'm wondering if something isn't updating in adsi edit correctly when I set the permissions on the schema. I've gone through and tried rebooting between changing and resetting permissions and each actual functional step.
It just seems like a bug where netbios names breaks the connection functionality. The exact process that is broken is the following:
MIISRCW.IMMSMAUtility.UIGetData
Microsoft.ResourceManagement.SyncConfig.TryGetSchema
Event Viewer: EventID 3 Forefront Identity Manager
-------------------------
MIISRCW: System.NullReferenceException: Object reference not set to an instance of an object.
at MIISRCW.IMMSMAUtility.UIGetData(String pszRequestInformation, Int32& pfSuccess, String& ppszResult)
at Microsoft.ResourceManagement.SyncConfig.TryGetSchema(String maType, String initializationString, String& returnString)
at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)
at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
--------------------------
MIISRCW: System.Runtime.InteropServices.COMException (0x80230808): Exception from HRESULT: 0x80230808
at MIISRCW.IMMSMAUtility.UIInitialize(String pszMAType, String pszInitString, Int32& pfSuccess, String& ppszResult)
at Microsoft.ResourceManagement.SyncConfig.GetMAUtilityObject(String maType, String initializationString, String& errorMessage)
Believe me, I've googled the crap out of this...
Any thoughts? Do you think this might be a bug?
Thanks in advance!
By the way, I just tried this whole process again as the domain admin (the creation of the service app and pool and all that). Same error as before with netbiosdomainnames enabled.
The sync account was the farm account which was a domain AND enterprise admin (used the same account for everything in this process with full permissions - I want to rule out that it's a permissions issue). Something is buggy, either with AD or with Sharepoint... not sure how to pin point but am willing to TS if you are....
I've SharePoint 2010 site, all users on this site are in domain domain1.net.au (e.g. domain1.net.au\user1).
I've configured the user profile import but after import the user account names in user profile service are different from the ones on sharepoint site.
E.g.:
1) In User profile service: domain1\user1
2) On sharepoint site: domain1.net.au\user1
So the question is how to configure User Profile service so it imports users with domain domain1.net.au?
Thanks,
David
Hi,
i can acknowledge that gustavo´s problem exsists after installing CU dec 2010. Prior i could sucessfully synchronize AD where netbios name differs from FQDN. After installating the CU i had to reestablish the UPA (thx 4 the bug @MS). The activation of netbios domain names fails with the error gustavo describes.
Thank you for this grate post...
But i am facing one problem, we are using Three-Tire farm(1 DB,1 APP.SERVER,2 WFS) for SharePoint 2010 Deployment with User Profile Service Configured and Synchronization, all are working file (I can search and update user profiles from central admin).
We try to access User profile property from Custom WebPart it’s through an exception that “No User Profile Application available to service the request. Contact your farm administrator.”
Exception Log details:
Area : SharePoint Portal Server
Category : User Profiles
Level : High
EventID : cm6y
Message : User Profile Application Proxy failed to retrieve partitions from Us
er Profile Application: Microsoft.Office.Server.UserProfiles.UserPro
fileApplicationNotAvailableException: No User Profile Application av
ailable to service the request. Contact your farm administrator.
at Microsoft.Office.Server.Administration.UserProfileApplicationPro
xy.get_ApplicationProperties() at Microsoft.Office.Server.Admini
stration.UserProfileApplicationProxy.get_PartitionIDs() at Micro
soft.Office.Server.Administration.UserProfileApplicationProxy.IsAvai
lable(SPServiceContext serviceContext)
Hello Marc and Gustavo,
Sorry for the late reply but I think you'll find my latest blog post of interests:
blogs.msdn.com/.../provisioning-user-profile-synchronization-with-december-cu.aspx
Russ
Hi Jeff Pope. I have the same problem. The managers' names are incorrect. This field show the login name of manager and in a workflow with action "Get Manager of User" occurs error, because it can't find the name of manager. Example: User Jeff, with manager John. In profile the manager field is contoso\john and not John. How I can fix it???? Thanks.