Comprehensive User Profile Synchronization

Transcript

Whether you like it or not!
Importance increases significantly with SharePoint 2013
Pretty much every investment area relies on Profiles for core functionality
App AuthZ, S2S, etc.
Primarily a political endeavor, NOT a technical one
No toolset from any vendor will change this
Especially when Active Directory is externally managed
e.g. reboot of domain controllers, Windows Update
Large and/or bulk updates
Replicating Directory Changes
Additional rights for property export
One of the most common causes of weak deployments, limited functionality and upgrade pain
Federate or replicate?
Central farms, regional farms, both?
Relationship with other services
Security
Privacy
Policy
Operations
SQL Server
Distributed Cache
SharePoint Server Search
Managed Metadata
Business Data Connectivity
Large organizations should be able to perform a full sync of AD and SharePoint data over a weekend
IT Pros should be able to monitor the performance and stability of profile sync and have access to the information that they need to take corrective action when problems occur
Common Directory Service configurations should be supported, including Forefront Identity Manager and LDAP
Lightweight LDAP approach internal to SharePoint
Embedded Forefront Identity Manager
External Forefront Identity Manager using the SharePoint Connector
a.k.a. Direct AD Import
Same approach as SP2010 with improvements “under the hood”
Custom Code: User Profiles Web Services and Object Model
[Diagram of the import options; labels only: SharePoint; ADI (User Profile Service Instance); Active Directory; UPS (SharePoint FIM); User Profile Service Application; EIM (External FIM); External System; EIM (Custom Code); Directory]
Farm Configuration Wizard (just kidding)
Via Manage Service Applications
The default schema issue
Farm Account default schema set incorrectly in Sync DB
Log on as the Farm Account and execute the PowerShell
We will never be able to start the UPS service instance
Fix the schema manually (an unsupported change)
Non-UAC environments
UAC Environments
Just use this one!
Both simulate interactive logon as the Farm account (Log on Locally)
Both require Local Machine Administrator
For the most common scenario (AD forest)
Container selection
LDAP filters
One connection per domain
Import Only!
Inclusion Based
That could be a lot of connections!
a.k.a. Shadow Accounts
For simple data types
As in SharePoint 2010
Leverages a change log to drive import efficiency
Implement immediately after creating the UPA!
DirSyncRequestControl is scoped at the domain level
Replicating Directory Changes also required on the Configuration partition
You can modify the properties of the UPA to configure Active Directory Import via Windows PowerShell
Central Administration UI can be misleading when creating connections after changing the mode.
You don’t need to worry about BCM for the Sync DB!
It must exist, but it IS supported to mirror/log ship an empty database
SPProfileSyncConnection Windows PowerShell cmdlets supported
For AD Import only; these cmdlets are NOT supported for UPS
Known Issues with Remove-SPProfileSyncConnection
• only removes the organizational unit (OU) from the profile synchronization connection
• Fix:
Those that begin with SPS-
Maximum flexibility
With great power comes great responsibility
Sweet UI!
As opposed to exclusion based with UPS
Validate your filters with ADSIEdit
Just because you can, doesn’t mean you should
Adding or removing OUs
Filter changes
Property mappings
To clean up profiles which are not created as part of the import
Profiles are marked for deletion
That’s it!
Manual recreation required
Or use an XML-based provisioning approach
Understand the design constraints
Document the configuration!!!
Run PurgeNonImportedObjects after a full import to remove items that should not be there
Ships as external download
Requires FIM 2010 R2 SP1
Support for SharePoint Server 2013 now
You need to create and use a metaverse rules extension
Support for SharePoint Server 2010 in testing
You may not be able to migrate your existing data
Only FIM Sync Service needed
[Diagram; labels only: HR SQL Database]
Impacts pretty much every product feature
e.g. organic growth of domains and/or forests