In the first part of this three-part series on SharePoint social computing features, I discussed how the User Profile plays a key role in delivering the overall social networking experience. (See “SharePoint 2010 Goes Social, Part 1”) This month, I discuss how to populate the User Profile via synchronization with other directory sources—specifically with Active Directory Domain Services (AD DS). Part 3 will describe the primary features that are used to better exploit a major information asset of any organization: its people. Note that the social networking features described in this article are available only in a SharePoint Server 2010 deployment and not in a SharePoint Foundation 2010–only deployment.

Understanding Profile Synchronization

Many organizations have several locations that store user information, from HR databases to enterprise directories. Some locations are application-specific, whereas others are multipurpose. Active Directory (AD) is an example of the latter. It’s used as an authentication store as well as a directory store for applications such as Microsoft Exchange Server. Given the need for multiple locations, most organizations use a centralized enterprise directory as a master directory, and they use this directory to synchronize content with other stores, as required.

The User Profile store introduces yet another location that stores information about people. So, you may have to populate certain properties in your User Profile store from one or more repositories. Because it’s important to keep user information consistent across all repositories, you must consider whether to grant users the right to modify such properties. This decision affects how such properties are synchronized with external sources.

SharePoint Server 2010 Profile Synchronization lets you integrate user and group information with the User Profile store when that information is coming from external LDAP directory services (such as AD DS) or from business systems that have been defined via the Business Data Connectivity service (such as SAP or Siebel). You integrate this information by defining connections to the external systems and by mapping individual user profile properties to appropriate properties in the external source.

Furthermore, you can indicate whether each mapped user property is to be synchronized for import or export (but note that mappings to business systems do not support the export capability). When you couple this ability to map a property for export with the option of allowing users to edit user profile properties, you get a powerful result where the value of this property in the external service directory is concerned: These twin features let you put the maintenance of this property value into the hands of your users. However, given the importance of maintaining consistency, you may not consider this appropriate for your own situation.

Microsoft Forefront Identity Manager is the actual engine that is used to execute and control synchronization between the various directory sources. It acts as the central metadirectory for all directory services that are involved in synchronization. This component is not enabled by default, but it’s installed as part of the overall configuration of Profile Synchronization.

Configuring Profile Synchronization with AD DS

Before you tackle the various high-level tasks that are required to set up synchronization with AD DS, it’s important to note that Profile Synchronization is not supported on a standalone installation but only on a server farm installation. (For development and testing purposes, a server farm can be a single server that’s running all roles.)

The main tasks to perform during synchronization are as follows:

  • starting the User Profile Synchronization Service
  • defining your AD connections
  • defining properties that are to be mapped
  • invoking and monitoring synchronization

To run the process, you will have to know the name of your farm account. This is the name that you supplied when you ran the SharePoint Configuration Wizard after you installed SharePoint. This account is the one that you’ll use to access the configuration database, and it’s also the account that serves as the identity for the SharePoint Central Administration application pool in Microsoft IIS. If you forget your farm account name, you can retrieve it from IIS.

Starting the User Profile Synchronization Service

The User Profile Synchronization Service is the service that does the main lifting as far as synchronization is concerned. It leverages the Forefront Identity Manager services, which are not enabled by default.

The first time you start the User Profile Synchronization Service, you are effectively completing an installation of the required Forefront Identity Manager services. Do not be alarmed if this step takes a significant amount of time.

The Forefront Identity Manager services run under the farm account, and these services must meet several prerequisites before the account can fully participate in the synchronization process. Therefore, before you start the User Profile Synchronization Service for the first time, you can help the process along by verifying that the following conditions are true:

  • Your farm account is a member of the local Administrators group on the SharePoint server on which the User Profile Synchronization Service will run.
  • Your farm account can log on locally to the same SharePoint server.
  • If you are using a Windows Server 2003 AD forest, the farm account is a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing.
  • You have a User Profile Service application running in your farm. This is typically handled during the post-installation process via the Farm Configuration Wizard, but it can also be configured through Central Administration. To do this, click the New button on the Manage Service Applications page, which you open from the Application Management page.

The first prerequisite affects only the initial provisioning of the Forefront Identity Manager software. Therefore, you can remove the farm account from the local Administrators group when everything is running smoothly. Note, though, that some community evidence suggests that doing this breaks subsequent synchronization.

Therefore, if you experience issues after you remove the farm account, try troubleshooting by re-adding the account. The reason for this prerequisite is to make sure that correct encryption keys can be generated for the Forefront services during the initial provisioning.

If you don’t add the farm account to the local Administrators group before you provision the synchronization service, you must first reset everything before you try to reprovision the service. To do this, reboot your server, and stop the User Profile Synchronization Service by using Windows PowerShell. To stop the service, determine its GUID by using the Get-SPServiceInstance cmdlet, then pass this GUID into a Stop-SPServiceInstance cmdlet.

After you verify that the farm account meets the prerequisites, you can proceed to start the User Profile Synchronization Service by clicking the Manage Services on server link in the System Settings section of Central Administration.

Make sure that the selected server indicated at the top of the page is the one on which your User Profile service application is running, and associate this server with your User Profile Synchronization Service. After you do this, the status of the service changes to Starting.

You must now be patient while the Forefront Identity Manager services and the necessary connections to relevant SQL Server databases are configured. This step can take up to 15 minutes. A successful conclusion to this step is indicated by a change in the status of the service from Starting to Started. Note that if Central Administration is running on the same server, you must reset IIS after the service is started.

There are some things you can check to verify that the configuration is complete. For one, the Forefront Identity Manager and Forefront Identity Manager Synchronization Windows services should now be running.

For another, these services should be associated with your farm account and have a startup type of Automatic. (You should not start these services manually. They must be started by using the User Profile Synchronization Service.)

Finally, make sure that the %Programfiles%\Microsoft Office Servers\14.0\Synchronization Service\MaData folder has been created and that several empty folders have been created within it.

Defining Connections to Active Directory

Profile Synchronization lets you use AD as a master source for populating the SharePoint User Profile. This means that as user and group objects are created, updated, and deleted in AD, they are also created, updated, and deleted in the SharePoint User Profile.

To indicate those objects in AD that you want to synchronize, you create a Synchronization Connection item. During creation, you define the type of directory service that the connection relates to, as well as the objects within the directory that should be synchronized. The following factors affect this process.

Knowledge about your AD forests is required. You must be familiar with aspects of your Active Directory installation such as forests, domain controllers, and organizational units so that you can point your connection at those containers that hold the user and group objects that you want to synchronize with. You must also know whether any of the default port numbers for LDAP access have been changed and whether you are required to use an encrypted LDAP connection (i.e., whether SSL is required).

Filtering of objects may be required. You can specify a filter to the connection and use the filter to fine-tune the objects and groups that you want to pull from AD into the User Profile. If your organization leverages an AD property as part of a provisioning process to determine which users you want to include in the SharePoint User Profile, you have to know which properties are used and what their values should be.

Resource forests are supported. Support is provided if you have two AD forests—one that is used for authentication (i.e., the forest that users log on to, commonly known as the account forest or logon forest) and one that is used for resources (such as Microsoft Exchange or SharePoint).

In this case, the objects in the resource forest are appropriately secured so that they can be used by users who log on to the account forest. Entries in the User Profile are linked to their counterparts in AD by way of the user’s SID, which is associated with the user’s account forest object.

Therefore, in a resource forest scenario, you should link the objects by using the account forest, but you should obtain most of the attributes that require synchronizing from the resource forest. To follow this scheme, you must set up two connections—one for the logon forest and one for the resource forest. The User Profile will then contain the SID for the object in the logon forest and the SID from the associated object in the resource forest.

Appropriate account permissions are required. You must use an account that has the appropriate permissions for the actual synchronization. This account will be designated as the service account for the Metadirectory Services Active Directory Management agent (i.e., Forefront Identity Manager). This account must meet the following requirements to have the appropriate permissions:

  • The account must have Domain Administrative permissions, it must belong to the Domain Administrators group, or it must be explicitly granted Replicating Directory Changes permissions for every domain in the forest that this management agent accesses. You can use an ACL editor or ADSI Edit to add an access control entry to the domain object that grants your account the Replicating Directory Changes permission.
  • If the NETBIOS name is different from the domain name, the cn=configuration container must have at least the Replicating Directory Changes permission. Refer to the Get-SPServiceAppliction cmdlet topic in PowerShell Help for more information about how to enable NETBIOS names on a User Profile Service application.
  • The account must be a member of the Farm Administrators group, or the account must be designated as a User Profile Service administrator.
  • If you intend to export user properties from SharePoint into AD DS, the account must have the Replicating Directory Changes permission on the object and on all child objects for the AD DS domains to which you want to export data. If you intend to export the picture property, the read/write permission is also required on the container that stores the attribute, which is the container to which you want to export. For example, the read/write permission is required on the container that stores the ThumbnailPhoto attribute for profile pictures.

When you have the required information in hand, you can use Central Administration to create a connection to AD by selecting the Configure Synchronization Connections option in the Synchronization section of the User Profile Service Application page.

After you click Populate in the Containers section of the User Profile Service Application page, you will be able to navigate through your AD installation and select the containers that contain the objects you require. To make the selection, select the check box next to the container name. You must select at least one container.

Note that selecting a container automatically selects all the objects contained in it.

Note, too, that although you can select individual objects at this stage, a more common approach would be to select the highest-level container in which your desired objects reside, and to use a filter to extract only the relevant objects from those containers.

You can see an example of a successful connection in Figure 1. In this instance, I have selected the Users container.

Figure 1: Browsing containers
Figure 1: Browsing containers

To fine-tune the objects that are imported, you can define exclusion filters on the Manage Connections page. To do this, hover the mouse pointer over your connection to display a context menu, and click Edit Connection Filter.

On the next page, you can specify exclusion filters for both user and group objects. You can see this in Figure 2, where I have indicated that objects should be excluded if their extensionsAttribute1 value is not equal to 1.

The other filter that you see in Figure 2 excludes disabled objects. This is because of the value setting of the AD DS attribute userAccountControl. The second bit of this value is set if an account is disabled.

Figure 2: Setting exclusion filters
Figure 2: Setting exclusion filters 


Defining Properties to be Mapped

You now have to decide which user profile properties to map to AD, and you must also decide how to direct the mapping for each property. A property can either be imported or exported. In an import process, the AD attribute value is written into the mapped user profile property. In an export process, the user profile property is written into the mapped AD attribute.

You have out-of-the-box access to a default set of mappings for an AD connection, as shown in Table 1. Note that all default properties are marked as Import.

You can override most of these mappings to suit your needs, and you can add new mappings for the properties that you have defined in your own User Profile. For example, you can update an AD extension attribute for a custom property that users are permitted to edit through their own profiles.

This custom property could then be available to other applications that use that AD installation. To define such mappings, click the Manage User Properties link on the User Profile Service Application page, and select the Edit option.

Table 1: Default mappings
Table 1: Default mappings

Invoking and Monitoring Synchronization

The synchronization process involves many stages, and it can take a long time to finish. This is because the process must detect changes in both directory sources.

It must also determine which changes apply to which objects (i.e., which attributes must be written from AD to the user profile and which must be written from the user profile to AD). Finally, the metadirectory service must process the changes, which can involve updates, additions, and deletions.

There are two modes in which you can execute synchronization: full and incremental. A full synchronization is required only if you want to perform a full reset of the User Profile. An incremental synchronization is the preferred method because it processes only those objects that have changed in either directory source since the last synchronization was performed.

During synchronization, any new AD objects that are found in the mapped containers and that are not excluded by any filter rules are added to the User Profile. These objects are added with the required attributes mapped.

The metadirectory uses the objectSID attribute to link the AD user object and the User Profile. This attribute is used to locate existing User Profiles for AD objects that have been modified or deleted.

Synchronization can be invoked manually, and you can also set up a schedule for an incremental synchronization to run routinely at a time of your choosing. Because synchronization is resource-intensive, consider running the process outside your core working hours.

You execute synchronization by using the Start Profile Synchronization option on the User Profile Service Application page. While the process is running, you can monitor its status in the Profile Synchronization Settings section on the right side of the screen.

This section also provides you controls to stop the synchronization process and to view its progress. The number of stages in the process is dependent upon the number and type of connections that you have configured. The progress of each stage is displayed on the page that is produced when you select the Synchronization option, as shown in Figure 3.

Figure 3: Synchronization status and log
Figure 3: Synchronization status and log

After synchronization is complete, you can view the User Profiles by using the Manage User Profiles option. Note, however, that nothing is displayed! This is the default view setting.

To see profiles, you must enter a filter string and click the Filter button to display entries that match the string. A good way to list all entries is to enter the domain name of your AD objects as the string. This is because all your User Profile entries will have the domain name in the Account Name User Property value.

Aiming Toward Connection

Maintaining rich and up-to-date information in your User Profile facilitates better use of a very important resource: your people. Synchronizing with repositories such as AD is the best way to make sure that this information is consistent across your whole organization.

In part three of this article, we will see how to use the information contained in the User Profile to connect people through social networking features.