
Maintain profile synchronization (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

Topic Last Modified: 2013-11-19

Profile Synchronization in SharePoint Server 2010 enables an administrator of an instance of the user profile service to synchronize user and group profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services across the enterprise. After you have configured Profile Synchronization, you must complete tasks to maintain those settings. These tasks include, for example, removing users whose accounts have been disabled or deleted, moving or renaming a server, and starting or stopping the User Profile Synchronization service. For more information, see Plan for profile synchronization (SharePoint Server 2010).

Before you complete the procedures in this article, you must have completed the procedures in Configure profile synchronization (SharePoint Server 2010).

Important
See release notes for other task requirements that may be needed for Profile Synchronization.

SharePoint Server 2010 provides a way to handle several different user migration scenarios. The following are examples of the scenarios handled for Active Directory Domain Services (AD DS):

  • Account name (sAMAccountName) changes in the AD DS where the user exists.

  • Security Identifier (SID) changes.

  • Distinguished Name (DN) changes that include changes in the Organizational Unit (OU) container in the AD DS where the user account exists. This is new in SharePoint Server 2010. For example, if a user's DN is moved in AD DS from "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Users, DC=EMEA1, DC=corp, DC=contoso, DC=com" to "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Managers, DC=EMEA1, DC=corp, DC=contoso,DC=com", the MigrateUser command updates the user profile store for this user. The user profile for John Smith is updated when synchronizing user profiles from the EMEA1.corp.contoso.com AD DS to the SharePoint Server user profile store.

To rename users or to change user domains
  1. Verify that you have the following administrative credentials:

    • See Add-SPShellAdmin.

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

    • The Farm Administrator account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.

  2. If a profile synchronization run is in progress, go to the Central Administration page and click Manage service applications in the Application Management section. Select the appropriate User Profile service application from the list of service applications. On the Manage service application page, click Stop Profile Synchronization.

  3. Disable the User Profile Incremental Synchronization timer job.

  4. Ensure that user migration by using stsadm -o migrateuser has succeeded.

  5. Ensure that the profile of the migrated user can be accessed by browsing to the My Site for that user, for example, http://mysite/person.aspx?accountname=<new account name>.

  6. Run Profile Synchronization. For more information, see Start profile synchronization manually (SharePoint Server 2010).

  7. Recheck access to the profile of the migrated user by browsing to the My Site for that user.

  8. Enable the User Profile Incremental Synchronization timer job.

You can exclude users whose accounts have been disabled in AD DS by using exclusion filters in SharePoint Server 2010. For the steps that are needed to exclude users whose accounts have been disabled, see Configure profile synchronization (SharePoint Server 2010).

There are two reasons why obsolete users or groups can exist in the SharePoint Server 2010 user profile store:

  • Obsolete users: The My Site cleanup timer job is not active. The User Profile Synchronization timer job marks for deletion users who have been deleted from the directory source. When the My Site cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective My Sites are then assigned to the manager for the deleted user and an e-mail message notifies the manager of this deletion.

  • Obsolete users and groups: Users and groups that were not imported by Profile Synchronization exist in the user profile store. This can occur, for example, if you upgraded from an earlier version of SharePoint Server and chose to only synchronize a subset of domains with SharePoint Server 2010.

To find and remove obsolete users and groups by using Windows PowerShell
  1. Verify that you meet the following minimum requirements:

    • See Add-SPShellAdmin.

    • You must have Execute permission on the ImportExport_GetNonimportedObjects and the ImportExport_PurgeNonimportedObjects stored procedures in the profile database.

      You can use SQL Management Studio or Transact-SQL to grant permissions. For more information, see GRANT Object Permissions (Transact-SQL) (http://go.microsoft.com/fwlink/?LinkId=213464).

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Right-click SharePoint 2010 Management Shell and then click Run as administrator.

  5. In the User Account Control dialog box, click Yes.

  6. At the Windows PowerShell command prompt, type the following commands:

    1. To get the User Profile Service application object, type the following command:

      $upa = Get-SPServiceApplication <identity>
      

      Where <identity> is the GUID of the User Profile Synchronization service application.

    2. To view the users and groups to delete, type the following command:

      Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true
      
    3. To delete the obsolete users and groups, type the following command:

      Warning
      This action cannot be undone.

      Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
      

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.
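
Because the purge cannot be undone, it helps to keep a record of what the listing command reported before deleting anything. The following script is an added example, not part of the original Microsoft procedure. It wraps the two commands above so that the list is saved to a file and the purge runs only after a typed confirmation. The function name Invoke-NonImportedPurge and the report folder are hypothetical, and the script assumes the listing is emitted on the output stream so that it can be redirected to a file.

```powershell
# Added example: review-before-purge wrapper around the two commands above.
# Run it in the SharePoint 2010 Management Shell (PowerShell 2.0 compatible).
# Invoke-NonImportedPurge and the report folder are hypothetical names.
function Invoke-NonImportedPurge {
    param(
        [Parameter(Mandatory = $true)][string]$UpaId,   # GUID of the User Profile service application
        [string]$ReportDir = 'C:\Temp\UpsPurge'         # hypothetical report location
    )

    $upa = Get-SPServiceApplication $UpaId
    if ($null -eq $upa) { throw "No service application found for identity $UpaId" }

    if (-not (Test-Path $ReportDir)) {
        New-Item -ItemType Directory -Path $ReportDir | Out-Null
    }
    $report = Join-Path $ReportDir ("NonImported_{0:yyyyMMdd_HHmmss}.txt" -f (Get-Date))

    # Step 1: list only. Nothing is deleted by this call.
    # Assumption: the list is written to the output stream and can be piped.
    Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true |
        Out-File -FilePath $report -Encoding UTF8

    $lines = @(Get-Content $report | Where-Object { $_.Trim() -ne '' })
    Write-Host "Report written to $report ($($lines.Count) non-empty lines)."
    if ($lines.Count -eq 0) {
        Write-Host 'Nothing was listed; purge skipped.'
        return
    }

    # Step 2: purge only after the operator has reviewed the report
    # and typed the confirmation word exactly (case-sensitive).
    $answer = Read-Host 'Review the report, then type PURGE to permanently delete the listed objects'
    if ($answer -cne 'PURGE') {
        Write-Host 'Purge cancelled. No objects were deleted.'
        return
    }

    Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
    Write-Host "Purge requested. Keep $report as the record of what was removed."
}
```

Compare the saved report against the directory source before confirming, and keep the file with your change records.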

Profile schema changes include things such as adding a new user profile property, changing a user profile property mapping, or changing a Profile Synchronization connection filter. When the profile schema changes, you must first perform a full nonrecurring synchronization before scheduling recurring profile synchronization. For the steps that are needed to perform full nonrecurring profile synchronization, see Start profile synchronization manually (SharePoint Server 2010).

Use the following procedure to rename a profile synchronization server.

To rename a profile synchronization server by using Windows PowerShell
  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    Rename-SPServer <Identity> -Name <newName>
    

    Where:

    • Identity is the old name of the server.

    • newName is the new name for the server.

For more information about renaming a server by using Windows PowerShell, see Rename-SPServer.

Use the following procedure to move the User Profile Synchronization service to a new server.

To move the User Profile Synchronization service to a new server by using Central Administration
  1. Verify that you have the following administrative credentials:

    • See Add-SPShellAdmin.

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

    • The farm account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.

      This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. On the current Profile Synchronization server, on the SharePoint Central Administration Web site, in the System Settings section, click Manage services on Server.

  3. Next to the User Profile Synchronization Service, click Stop to stop the User Profile Synchronization service.

  4. On the new Profile Synchronization server, on the SharePoint Central Administration Web site, in the System Settings section, click Manage services on Server.

  5. Next to the User Profile Synchronization Service, click Start to start the User Profile Synchronization service.

  6. On the new Profile Synchronization server, on the SharePoint Central Administration Web site, in the Application Management section, click Manage service applications.

  7. On the Service Applications page, click the link for the name of the appropriate User Profile service application.

  8. On the User Profile Service Application page, in the Synchronization section, click Start Profile Synchronization.

  9. On the Start Profile Synchronization page, select Start Full Synchronization, and then click OK.

The User Profile Synchronization database serves as a staging area for user profile information. User Profile information that is stored in the profile store and synchronization database is consumed by the User Profile service. By following these steps, you can safely reset a User Profile Synchronization database without losing information in the profile store.

To reset profile synchronization by using Windows PowerShell
  1. Verify that you meet the following minimum requirements:

    • See Add-SPShellAdmin.

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

    • The farm account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.

      This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. As a precaution, back up the User Profile service application. For more information, see Back up a service application in SharePoint Server 2010.

  3. If you are using the My Site cleanup timer job, you must disable it before you reset the synchronization database. Otherwise, the job will delete all user profiles and My Sites from the farm. For information about this timer job, see the Timer job reference (SharePoint Server 2010). For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

  4. Disable the User Profile Incremental Synchronization timer job:

    1. On the SharePoint Central Administration Web site, click Monitoring.

    2. Click Review job definitions.

    3. Click User Profile Service Application Name-User Profile Incremental Synchronization.

      Where User Profile Service Application Name is the name of the User Profile service application.

    4. Click Disable.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2010 Products.

  7. Right-click SharePoint 2010 Management Shell and then click Run as administrator.

  8. In the User Account Control dialog box, click Yes.

  9. At the Windows PowerShell command prompt, type the following command to stop the SharePoint 2010 Timer service:

    net stop sptimerv4
    
  10. Copy the following code and paste it into a text editor, such as Notepad:

    $syncdb=Get-SPDatabase <SyncDBGUID>
    $syncdb.Unprovision()
    $syncdb.Status='Offline'
    $upa=Get-SPServiceApplication <UPSAppGUID>
    $upa.ResetSynchronizationMachine()
    $upa.ResetSynchronizationDatabase()
    $syncdb.Provision()
    
  11. Replace the following placeholders with values where:

    • <SyncDBGUID> is the GUID of the synchronization database.

    • <UPSAppGUID> is the GUID of the User Profile Service application.

    For more information, see Get-SPDatabase.

  12. Save the file as an ANSI-encoded text file and name the file ResetSyncDB.ps1.

  13. At the Windows PowerShell command prompt, change to the directory where you saved the file.

  14. Type the following command:

    ./ResetSyncDB.ps1
    
  15. Using SQL Server Management Studio, create a login in SQL Server for the User Profile Synchronization service account (that is, the farm account). Then, in the Sync database, create a database user that maps to the login and grant it access to the db_owner database role. For more information, see How to: Create a SQL Server Login (http://go.microsoft.com/fwlink/p/?LinkId=211993), How to: Create a Database User (http://go.microsoft.com/fwlink/p/?LinkId=211994), and Database-Level Roles (http://go.microsoft.com/fwlink/p/?LinkId=211995).

  16. At the Windows PowerShell command prompt, type the following command to start the SharePoint 2010 Timer service:

    net start sptimerv4
    
  17. Start the Profile Synchronization service. For more information, see the Start the User Profile Synchronization service section of the "Configure profile synchronization" topic.

  18. Reset IIS. For more information about how to reset IIS, see the Reset IIS section of the "Configure profile synchronization" topic.

  19. Create connections to the data sources. For more information, see Restore a service application (Search Server 2010).

  20. If you do not intend to use the My Site cleanup timer job, run profile synchronization. For more information about how to run profile synchronization, see Start profile synchronization manually (SharePoint Server 2010). If you intend to enable the My Site cleanup timer job, complete these additional steps before you enable the job:

    1. Run two full profile synchronizations.

    2. After the second profile synchronization completes, on the Central Administration Web site, in the Application Management section, click Manage service applications.

    3. Click the User Profile service application name, and then click Manage User Profiles.

    4. On the Manage Profile Service page, in the People section, click Manage User Profiles.

    5. Next to View, select Profiles Missing from Import.

    6. In the Find Profiles box, type the domain for the profiles and then click Find.

    7. For each profile that is returned, check the originating directory service, such as Active Directory, for the status of that profile. If the status of any of the returned profiles in the directory is not disabled or is not deleted, do not enable the My Site cleanup timer job. Contact Microsoft support for more assistance. Otherwise, enable the My Site cleanup timer job. For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

  21. Enable the User Profile Incremental Synchronization timer job:

    1. On the SharePoint Central Administration Web site, click Monitoring.

    2. Click Review Job Definitions.

    3. Click User Profile Service Application Name-User Profile Incremental Synchronization.

      Where User Profile Service Application Name is the name of the User Profile service application.

    4. Click Enable.
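
Running ResetSyncDB.ps1 while the My Site cleanup timer job is still enabled risks the deletion of all user profiles and My Sites described in step 3. The following pre-flight check is an added example, not part of the original Microsoft procedure. It confirms that both timer jobs are disabled and that the SharePoint 2010 Timer service is stopped before the reset script is started. The function name Test-UpsResetPreconditions, the My Site cleanup display-name pattern, and the service application name in the usage lines are assumptions; adjust them to match your farm.

```powershell
# Added example: pre-flight check to run immediately before ./ResetSyncDB.ps1.
# Run it in the SharePoint 2010 Management Shell on the synchronization server.
function Test-UpsResetPreconditions {
    param(
        [Parameter(Mandatory = $true)][string]$UpaName   # display name of the User Profile service application
    )
    $problems = @()

    # The incremental job's display-name format comes from the procedure above.
    # The My Site cleanup pattern is an assumption about the job's display name.
    $checks = @{
        'Incremental synchronization' = "$UpaName*User Profile Incremental Synchronization"
        'My Site cleanup'             = '*My Site Cleanup*'
    }

    $allJobs = @(Get-SPTimerJob)
    foreach ($label in $checks.Keys) {
        $pattern = $checks[$label]
        $matched = @($allJobs | Where-Object { $_.DisplayName -like $pattern })
        if ($matched.Count -eq 0) {
            # No match means the state cannot be verified, so treat it as blocking.
            $problems += "$label job: no timer job matches '$pattern'; verify its state manually."
        }
        foreach ($job in $matched) {
            if (-not $job.IsDisabled) {
                $problems += "$label job '$($job.DisplayName)' is still enabled."
            }
        }
    }

    # The Timer service on this server must be stopped (net stop sptimerv4).
    $timer = Get-Service -Name 'SPTimerV4' -ErrorAction SilentlyContinue
    if ($null -eq $timer) {
        $problems += 'SPTimerV4 service was not found on this server.'
    } elseif ($timer.Status -ne 'Stopped') {
        $problems += "SharePoint 2010 Timer service is $($timer.Status); expected Stopped."
    }

    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host 'All preconditions met.'
    return $true
}

# Usage (constructed service application name): start the reset only when every check passes.
if (Test-UpsResetPreconditions -UpaName 'User Profile Service Application') {
    ./ResetSyncDB.ps1
} else {
    Write-Warning 'Reset not started.'
}
```

The Timer service check covers only the local server; on a farm with several servers, confirm the service state on each one where the procedure requires it.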

Use the following procedure to restrict profile synchronization communication to a specific domain controller.

To restrict profile synchronization communication to a specific domain controller by using Windows PowerShell
  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Right-click SharePoint 2010 Management Shell and then click Run as administrator.

  5. In the User Account Control dialog box, click Yes.

  6. At the Windows PowerShell command prompt, type the following commands:

    1. To get the User Profile Service application object, type the following command:

      $upa=Get-SPServiceApplication <GUID>
      

      Where <GUID> is the GUID of the User Profile Synchronization Service application.

    2. To restrict profile synchronization communication to a specific domain controller, type the following command:

      Set-SPProfileServiceApplication $upa -UseOnlyPreferredDomainControllers $true
      
    Note
    It may take up to five minutes for the changed property value to propagate to the Central Administration Web site. Resetting IIS on the Central Administration server will force the new value to be loaded immediately. For more information about resetting IIS, see IIS Reset Activity (http://go.microsoft.com/fwlink/p/?LinkId=179336).

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.

A time-out can occur on the following occasions:

  • When trying to connect to the directory service server on the Add/Edit a synchronization connection page in Central Administration.

    Note
    This time-out is available in the Microsoft SharePoint Server 2010 June 2010 Cumulative Update. For more information about the cumulative update, see http://support.microsoft.com/kb/983497.

  • When trying to populate the list of containers on the Add/Edit a synchronization connection page in Central Administration. This will occur as a JavaScript timeout error in the status bar.

  • When clicking OK on the Add/Edit a synchronization connection page in Central Administration. This will result in the following error message and occurs because of a timeout by the Forefront Identity Manager Web service when creating or updating a profile synchronization connection:

    "The request channel timed out while waiting for a reply after 00:01:29.9062626. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allocated to this operation may have been a part of a longer timeout."

To adjust profile synchronization timeouts by using Windows PowerShell
  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. If you want to change the time-out value for connecting to the directory service server, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.LDAPConnectionTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 120 seconds.

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  3. If you want to change the time-out value for the Populate Containers control, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.ImportConnAsyncTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 1,000 seconds (approximately 17 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  4. If you want to change the time-out value for calls into the Forefront Identity Manager Web service, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsApp = Get-SPServiceApplication <UPSAppGUID>
      $upsApp.FIMWebClientTimeOut = <NewTimeout>
      $upsApp.Update()
      
    2. Replace <UPSAppGUID> with the GUID of the User Profile service application and <NewTimeout> with the new time-out value in milliseconds. The default time-out is 300,000 milliseconds (5 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2010 Products.

  7. Click SharePoint 2010 Management Shell.

  8. Change to the directory where you saved the file(s).

  9. At the Windows PowerShell command prompt, type the following command to execute a script file:

    ./<filename>.ps1
    

    Where <filename> is the name of the file to execute.

For more information, see Get-SPServiceApplicationProxy and Get-SPServiceApplication.

© 2014 Microsoft