Friday, September 27, 2013

How to set up SharePoint 2010 user profile synchronization and MySites

Introduction

This posting presents a detailed, step-by-step walkthrough for setting up user profile synchronization and My Sites in a SharePoint Server 2010 farm. It is based on the small two-tier SharePoint Server 2010 farm created in a previous posting. To prepare for this posting, Active Directory was populated with the Northwind Traders list of employees/users (9 accounts), a new organizational unit named SharePoint Users was added, and the Northwind Traders users were placed in that OU. The synchronization set up here is read only (from Active Directory to SharePoint Server). Setting up synchronization and My Sites involves the following steps:
  1. Provisioning accounts
  2. Creating a new web application
  3. Creating a new site collection
  4. Provisioning a new profile service application
  5. Configuring a new profile service connection
  6. Testing
For additional information on any step, consult the references.

Step 1: Provision accounts
  1. Provision existing SharePoint farm administration account (sp_admin):
    1. Logon to the SharePoint Server host machine.
    2. In Server Manager, go to: Configuration > Local Users and Groups > Groups.
    3. Double-click the Administrators group
    4. On the Administrators Properties dialog, click Add.
    5. In the Select Users, Computers, Service Accounts, or Groups dialog, enter the SharePoint farm administration account.
    6. Click Check Names.
    7. Click OK.
    8. On the Administrators Properties dialog, click OK.
    9. Close Server Manager.
    10. Go: Start > Administrative Tools > Local Security Policy.
    11. On the Local Security Policy dialog navigation pane at left, go to: Security Settings > Local Policies > User Rights Assignment.
    12. In the list pane at right, look for Allow log on locally.
    13. Double-click Allow log on locally.
    14. On the Allow log on locally Properties dialog, click Add User or Group.
    15. In the Select Users, Computers, Service Accounts, or Groups dialog, enter the SharePoint farm administration account sp_admin.
      • The farm administration account needs local administrator rights on the SharePoint server only while the User Profile Synchronization service is being provisioned (it is the account whose password is handed to that service). Once profile synchronization and My Sites are working, remove sp_admin from the local Administrators group again; leaving a farm account with local admin rights on a web server is an unnecessary standing privilege.
    16. Click Check Names, and then click OK.
    17. On the Allow log on locally Properties dialog, click OK.
    18. Close the Local Security Policy applet.
    19. Logout of the SharePoint Server host machine.
    20. This concludes provisioning of the SharePoint farm administration account.
  2. Create new SharePoint profile synchronization account:
    1. Logon to the domain controller host (spdev11).
    2. Go: Start > Administrative Tools > Active Directory Users and Computers.
    3. In the Active Directory Users and Computers navigation pane at left, go to: Active Directory Users and Computers > [your domain] > Users.
    4. From the Action menu, point to New and then select User.
    5. Enter the account details and name the account sp_sync.
    6. Click Next, and then enter a password.
    7. Click Next, and then click Finish.
  3. Provision new SharePoint profile synchronization account:
    1. On the navigation pane at left, select the domain (contoso.com).
    2. From the Action menu, select Delegate Control.
    3. Click Next.
    4. On the Users or Groups page of the Delegation of Control Wizard, click Add.
    5. In the Select Users, Computers, or Groups dialog, enter the new synchronization account (contoso\sp_sync). This is the account the synchronization connection in Step 5 will run as, so it is the one that needs the replication right, not the farm administration account.
    6. Click Check Names, and then click OK.
    7. On the Users or Groups page of the Delegation of Control Wizard, click Next.
    8. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create a custom task to delegate option, and then click Next.
    9. On the Active Directory Object Type page of the Delegation of Control Wizard, click Next.
    10. On the Permissions page of the Delegation of Control Wizard, enable General.
    11. Scroll the Permissions list to the Replicating Directory Changes item, and enable that item only.
      • Replicating Directory Changes lets the account read directory changes, which is all a one-way import needs. Do not also grant Replicating Directory Changes All: that right additionally exposes secret attributes (password hashes) to the account, and the two rights together are what an attacker uses to replicate credentials out of a domain controller.
    12. Click Next, and then click Finish.
    13. Close Active Directory Users and Computers.
    14. Logout of the domain controller host (spdev11).
    15. Logon to the SharePoint Server host (spdev12).
    16. Launch Central Administration.
    17. In the Quick Launch navigation pane at left, click Security.
    18. At right, in the General Security group of links, look for Configure managed accounts.
    19. Click Configure managed accounts.
    20. On the Managed Accounts page, click Register Managed Account.
    21. On the Register Managed Account page, in the Service account credentials section, enter the new account information (e.g., contoso\sp_sync).
    22. Click OK.
    23. In Central Administration, return to the main page.
    24. This concludes provisioning of the SharePoint user profile synchronization account.
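The same account work, as an added example that is not part of the original post: Step 1 done from the command line rather than the GUI. It assumes the lab names used on this page (domain contoso.com with the DC on spdev11, SharePoint on spdev12, farm account contoso\sp_admin, synchronization account sp_sync) and that you run each section on the host named in its comment.

```powershell
# Added example (not from the original post): Step 1 as PowerShell / command-line
# equivalents. Assumes this page's lab names: domain contoso.com (DC spdev11),
# SharePoint host spdev12, farm account contoso\sp_admin, sync account sp_sync.

# ---- On spdev12, in an elevated prompt --------------------------------------
# Step 1.1: temporary local Administrators membership for the farm account.
# Members of Administrators hold "Allow log on locally" by default.
net localgroup Administrators "contoso\sp_admin" /add

# ---- On spdev11 (domain controller), as a domain administrator --------------
# Step 1.2: create the synchronization account.
Import-Module ActiveDirectory
New-ADUser -Name "sp_sync" -SamAccountName "sp_sync" `
    -UserPrincipalName "sp_sync@contoso.com" `
    -AccountPassword (Read-Host "Password for sp_sync" -AsSecureString) `
    -PasswordNeverExpires $true -Enabled $true

# Step 1.3: delegate exactly one control access right (CA) on the domain root:
# "Replicating Directory Changes". That is all a one-way import needs. Do NOT add
# "Replicating Directory Changes All"; that pair of rights is what lets an account
# pull password hashes from a DC (the DCSync technique).
dsacls "DC=contoso,DC=com" /G "contoso\sp_sync:CA;Replicating Directory Changes"

# Check: sp_sync should appear with "Replicating Directory Changes" and nothing else.
dsacls "DC=contoso,DC=com" | Select-String "sp_sync"

# ---- Back on spdev12, in the SharePoint 2010 Management Shell ---------------
# Step 1.3, items 16-22: register sp_sync as a managed account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
New-SPManagedAccount -Credential (Get-Credential "contoso\sp_sync")

# Clean-up once synchronization and My Sites work (see the note under item 15 above):
# net localgroup Administrators "contoso\sp_admin" /delete
```

The dsacls check is the part worth keeping: run it again after any later "fix" to the sync account, because the usual troubleshooting advice is to pile on rights, and the replication rights are the ones that turn a profile-import account into a domain-credential-dumping account.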
Step 2: Create new MySites web application
  1. On the Central Administration Quick Launch pane at left, click Application Management.
  2. On the Application Management page, in the Web Applications group of links, click Manage web applications.
  3. On the Web Applications ribbon, look for the New button.
  4. Click the New button.
  5. Provision the new web application as follows:
    1. Authentication: classic.
    2. IIS Web Site: Create a new IIS web site: MySites (4200).
    3. Port: 4200.
    4. Application Pool: Create new application pool: MySites (4200) App Pool.
    5. Security account: contoso\sp_sync.
      • This makes the synchronization account, which is granted Replicating Directory Changes on the domain in Step 1, the process identity of a user-facing web application. If you would rather keep the directory-reading account out of the web tier, register a separate managed account and use it for this application pool instead.
    6. Database Server: spdev11.
    7. Database Name: WSS_Content_MySites.
    8. Database Authentication: Windows authentication.
    9. Service Application Connections:
      • User Profile
      • Managed Metadata
      • Search
      • Web Analytics
      • Usage and Health data collection
    10. Click OK.
    11. In Central Administration, navigate back to the main page.
  6. This concludes creating the new MySites web application.
Step 3: Create new MySites site collection
  1. In Central Administration, on the Quick Launch navigation panel at left, click Application Management.
  2. On the Application Management page, in the Site Collections group, click Create site collections.
  3. Provision the site collection as follows:
    1. From the Web Application dropdown, select the web application created in the previous step.
    2. Title: enter a title.
    3. In Select a template, click Enterprise, and then select My Site Host.
    4. For the Primary Site Collection Administrator: enter the domain Administrator account.
    5. For the Secondary Site Collection Administrator: enter your own domain admin account.
    6. Click OK.
    7. Click OK again.
  4. In Central Administration, navigate back to the main page.
  5. This concludes creating the new site collection.
Step 4: Provision new user profile service application
  1. In Central Administration, on the Quick Launch navigation panel at left, click Application Management.
  2. On the Application Management page, in the Service Applications group, click Manage service applications.
  3. On the Service Applications ribbon, click the New button, and then select User Profile Service Application from the dropdown.
  4. On the Create New User profile Service Application dialog, configure as follows (only non-default values shown here):
    1. Name: User Profile Service App I.
    2. Application Pool: Create new application pool.
    3. Application pool name: User Profile Service App I.
    4. Select a security account for this application pool: Configurable: contoso\sp_sync.
    5. My Site Host URL: [site collection url].
    6. Site Naming Format: User name (do not resolve conflicts).
    7. Click OK.
    8. On the Service Applications page, scroll down to see the newly created User Profile Service App I.
  5. Open a command prompt.
  6. Execute the following command:
    • iisreset /noforce
  7. Once completed, close the command window.
  8. Go: Start > Administrative Tools > Services.
  9. Verify that the two Forefront Identity Manager services (Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service) are present and started.
    • These services are created when the User Profile Synchronization Service instance starts. If they are missing or stopped, go to Central Administration > System Settings > Manage services on server, start User Profile Synchronization Service (you will be prompted for the farm account's password, which is why sp_admin was made a local administrator in Step 1), and wait several minutes before checking again.
  10. This concludes provisioning a new user profile service application.
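Steps 2 through 4 as one script, added here as an example and not taken from the original post. It runs in the SharePoint 2010 Management Shell on spdev12 as contoso\sp_admin and uses the names this page uses; the My Site host URL (http://spdev12:4200), the site collection owner (contoso\administrator) and the numeric value for the site naming format are assumptions to confirm against your own farm.

```powershell
# Added example (not from the original post): Steps 2-4 from the SharePoint 2010
# Management Shell on spdev12, run as contoso\sp_admin. Assumed: My Site host URL
# http://spdev12:4200 and site owner contoso\administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$syncAcct = Get-SPManagedAccount "contoso\sp_sync"

# Step 2: a dedicated web application for My Sites (classic-mode authentication is the
# New-SPWebApplication default in 2010).
$webApp = New-SPWebApplication -Name "MySites (4200)" -Port 4200 `
    -ApplicationPool "MySites (4200) App Pool" -ApplicationPoolAccount $syncAcct `
    -DatabaseServer "spdev11" -DatabaseName "WSS_Content_MySites"

# Step 3: the My Site Host site collection at the web application root.
New-SPSite -Url $webApp.Url -Template "SPSMSITEHOST#0" -Name "My Sites" `
    -OwnerAlias "contoso\administrator" | Out-Null

# Step 4: the User Profile Service Application in its own application pool.
$upaPool = New-SPServiceApplicationPool -Name "User Profile Service App I" -Account $syncAcct
$upa = New-SPProfileServiceApplication -Name "User Profile Service App I" `
    -ApplicationPool $upaPool -MySiteHostLocation $webApp.Url `
    -SiteNamingConflictResolution 1   # assumed: 1 = user name, do not resolve conflicts; confirm with Get-Help -Full
New-SPProfileServiceApplicationProxy -Name "User Profile Service App I Proxy" `
    -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# The two Forefront Identity Manager services exist only after the User Profile
# Synchronization Service instance has been started. Starting it hands the farm
# account's password to the UPA, which is why sp_admin is temporarily a local admin.
$syncInst = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Name -eq "spdev12" }
$farmPwd = Read-Host "Password for contoso\sp_admin"
$upa.SetSynchronizationMachine("spdev12", $syncInst.Id, "contoso\sp_admin", $farmPwd)
Start-SPServiceInstance $syncInst | Out-Null

# Poll the FIM services for up to ~10 minutes; the instance reads "Provisioning" meanwhile.
for ($i = 0; $i -lt 20; $i++) {
    Start-Sleep -Seconds 30
    $fim = @(Get-Service FIMService, FIMSynchronizationService -ErrorAction SilentlyContinue)
    if ($fim.Count -eq 2 -and @($fim | Where-Object { $_.Status -ne "Running" }).Count -eq 0) { break }
}
Get-Service FIMService, FIMSynchronizationService
iisreset /noforce
```

FIMService and FIMSynchronizationService are the service names behind the two "Forefront Identity Manager" entries you look for in item 9; if the loop times out, the Synchronization Service Manager mentioned in the Notes shows how far provisioning got.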
Step 5: Configure synchronization connection
  1. In Central Administration, on the Quick Launch navigation panel at left, click Application Management.
  2. On the Application Management page, in the Service Applications group, click Manage service applications.
  3. On the Service Applications page, scroll down the list of service applications and look for User Profile Service App I.
  4. Select this service application's row (click in the row, not on its name).
  5. On the Service Applications ribbon, click Manage.
  6. On the User Profile Service App I page, look for the Synchronization group of links, and then click Configure Synchronization Connections.
  7. On the Synchronization Connections page, click Create New Connection.
  8. On the Add new synchronization connection page, configure as follows (only non-default values shown here):
    1. Connection Name: User Profile Service App I Sync Connection.
    2. Forest name: contoso.com.
    3. Account name: contoso\sp_sync.
    4. Password: [password]
  9. Scroll down to the Containers section.
  10. Click Populate Containers.
  11. Select the organizational unit to import (here, the SharePoint Users OU created for this posting).
  12. Click OK.
  13. In Central Administration, on the Quick Launch navigation panel at left, click Application Management.
  14. On the Application Management page, in the Service Applications group, click Manage service applications.
  15. On the Service Applications page, scroll down the list of service applications and look for User Profile Service App I
  16. Click this link.
  17. On the User Profile Service App I page, look for the Synchronization group of links, and then click Start Profile Synchronization.
  18. On the Start Profile Synchronization page, select Start Full Synchronization, and then click OK.
  19. Wait. This will take several minutes or more.  Once completed, proceed to the next step.
  20. Logout of Central Administration and close all browser instances.
Step 6: Test
  1. Open a browser and connect to the main site.
  2. Sign in as Andrew.Fuller (one of the Northwind Traders accounts).
  3. After signing in, click the user name in the upper right-hand corner and, from the dropdown menu that appears, click My Site.
  4. Wait.
  5. Because the My Site host is a separate web application (port 4200), the browser may prompt for credentials again; enter this user's username and password.
  6. Wait. On first connection the user's personal site must be created and provisioned; after a minute or so it is displayed.
  7. Close the browser.
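The connection of Step 5 and a check of what the Step 6 test depends on, added here as an example and not part of the original post. It runs in the SharePoint 2010 Management Shell on spdev12, assumes the service application, forest, account and OU names used on this page, and a My Site host at http://spdev12:4200.

```powershell
# Added example (not from the original post): the Step 5 connection plus a check that
# the profiles Step 6 relies on were imported. Assumes this page's names and a My Site
# host at http://spdev12:4200.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq "User Profile Service App I" }

# Step 5, items 7-12: import only the SharePoint Users OU, one-way, as contoso\sp_sync.
# (Add-SPProfileSyncConnection reached SharePoint 2010 via cumulative updates; if your
# farm lacks it, create the connection in Central Administration as described above.)
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName "contoso.com" -ConnectionDomain "contoso" `
    -ConnectionUserName "sp_sync" `
    -ConnectionPassword (Read-Host "Password for contoso\sp_sync" -AsSecureString) `
    -ConnectionSynchronizationOU "OU=SharePoint Users,DC=contoso,DC=com"

# Start the full synchronization from Central Administration (items 17-18) and let it
# finish, then confirm the profiles actually arrived before testing in the browser.
$site = Get-SPSite "http://spdev12:4200"
$ctx  = [Microsoft.Office.Server.ServerContext]::GetContext($site)
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

"{0} profiles in the profile store" -f $upm.Count
$upm | ForEach-Object { "{0,-28} {1}" -f $_["AccountName"].Value, $_["PreferredName"].Value }

# The Step 6 test user must have a profile before the My Site link works for that login.
if (-not $upm.UserExists("contoso\Andrew.Fuller")) {
    Write-Warning "contoso\Andrew.Fuller was not imported; re-check the OU selected in item 11 and the run status in Synchronization Service Manager (miisclient.exe)."
}
$site.Dispose()
```

Expect nine Northwind Traders profiles (plus any accounts that already had profiles) once the full synchronization has finished; a count of zero with a completed run almost always means the wrong container was ticked in item 11.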
Summary

This posting has presented a step-by-step walkthrough for setting up user profile synchronization and My Sites. The synchronization here is read only (from Active Directory to SharePoint Server). Additional work remains to add, remove, or revise the fields imported from AD.

References
Notes
  • Step 2: this posting follows the recommended practice of isolating user My Sites in a separate web application. Out of the box, a User Profile Service Application already appears in the list of service applications, but that one is configured to create My Sites in a subsite of the main site.
  • Step 5: the synchronization presented here is one-way: user profile information in Active Directory is harvested and then ingested into SharePoint Server; there is no write-back of this information to Active Directory after a user changes it.
  • Synchronization Service Manager: a tool useful for troubleshooting the SharePoint User Profile Service Application. You'll find it in this folder (14.0 for SharePoint 2010, 15.0 for SharePoint 2013):
    \Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell
    Look for miisclient.exe. It lets you view the real-time status of UPA processes, among many other things. I don't use it to manage FIM, just to view status information. For example, I have used it to troubleshoot a UPA that failed to start: as I tried different troubleshooting steps, I monitored Synchronization Service Manager, watching in real time to see how far UPA got before stopping. It also provides other helpful information, such as confirmation of the domain controller it is connecting to. If you configured UPA with Auto Detect for the DC, you can now determine exactly which DC it is connecting to. You can also get confirmation of the service account that is running UPA (e.g., the farm service account), and the number.
