Updated: 2009-12-14
[This article is pre-release documentation and is subject to change in future releases.]
This article explains how to connect to a directory service and configure settings to synchronize user profile information between the directory service and Microsoft SharePoint Server 2010. Synchronizing profile information is useful, for example, for importing bulk user profile information from external sources into the user profile store in SharePoint Server 2010. You can use this information, including hierarchy and group information, to drive functionality such as audiences or hierarchy-driven business processes.
Procedures in this article:
Important: Complete the procedures in the following order to configure Profile Synchronization.
- Start the User Profile Synchronization service
- Create a new Profile Synchronization connection
- Edit Profile Synchronization connection filters
- Map user profile properties
- Configure Profile Synchronization settings
Overview
Profile Synchronization in SharePoint Server 2010 lets you synchronize user and group profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services across the enterprise. The directory services supported in the SharePoint Server 2010 Beta include the following:
- Active Directory Domain Services (AD DS): At least Replicate Directory Changes permissions are needed for SharePoint Server 2010 Beta. For more information about how to configure Replicate Directory Changes in AD DS, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account (http://go.microsoft.com/fwlink/?LinkId=47854).
  Note: Authenticated users who have Replicate Directory Changes permissions will be granted read access to AD DS objects. Additional permissions can be granted by using access control lists (ACLs) in AD DS. SharePoint Server 2010 will not write profile data back to AD DS unless Write permission is explicitly set on the account that has Replicate Directory Changes permissions.
- Business Data Connectivity service: The Business Data Connectivity model must include Finder and Specific Finder methods in SharePoint Server 2010 Beta. For more information about Finder and Specific Finder methods, see Designing a Business Data Connectivity Model (http://go.microsoft.com/fwlink/?LinkId=179316).
- Novell eDirectory version 8.7.3 (LDAP): Only Full Sync for users is supported in SharePoint Server 2010 Beta.
- SunOne version 5.2 (LDAP): Both full and incremental synchronization are supported. You must set up a change log to use Incremental Sync.
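An added example (not from the article) of checking the AD DS prerequisite above from PowerShell before you create a connection: the script reads the ACL of the domain naming context, reports whether the account the connection will use is directly granted Replicating Directory Changes, and flags any write rights, because, as the note above says, Write permission on that account is what lets SharePoint Server write profile data back to AD DS. The account name is a placeholder, the script assumes a domain-joined computer and a caller allowed to read the domain object's security descriptor, and rights held only through group membership are not resolved.

```powershell
# Added example, not from the original article. Audits the account that the
# Profile Synchronization connection will use against the AD DS domain naming
# context. Run on a domain-joined computer as a user who can read the domain
# object's security descriptor. Placeholder: replace with the real account.
$SyncAccount = 'CONTOSO\svc-profilesync'

# Well-known GUID of the DS-Replication-Get-Changes extended right, shown as
# "Replicating Directory Changes" in the AD DS permissions UI.
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Rights that allow modifying directory data. Import-only profile
# synchronization does not need any of them on the domain object.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

$sid      = ([System.Security.Principal.NTAccount]$SyncAccount).Translate([System.Security.Principal.SecurityIdentifier])
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Explicit and inherited ACEs on the domain object that name this account's SID.
# Rights the account holds only through group membership are not resolved here.
$aces = @($domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
          Where-Object { $_.IdentityReference.Value -eq $sid.Value })

if ($aces.Count -eq 0) {
    Write-Warning "No ACE on $domainDn names $SyncAccount directly; if the right was granted to a group, audit that group."
    return
}

$replicateAces = @($aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    $_.ObjectType -eq $ReplicateChangesGuid
})
$writeAces = @($aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $WriteMask) -ne 0)
})

"Account:                       $SyncAccount"
"Domain:                        $domainDn"
"Replicating Directory Changes: $(if ($replicateAces.Count -gt 0) { 'granted' } else { 'NOT granted' })"
if ($writeAces.Count -gt 0) {
    Write-Warning 'The account also holds write rights on the domain object, so profile export back to AD DS would be possible:'
    $writeAces | Select-Object ActiveDirectoryRights, InheritanceType, ObjectType | Format-Table -AutoSize
} else {
    'Write rights:                  none granted directly (import-only posture)'
}
```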
Profile synchronization can occur when profile information has changed in the SharePoint Server 2010 profile store or when profile information has changed in the directory service. After you configure Profile Synchronization, changes to either store are detected. Import or export occurs depending on the import/export settings for a particular user profile property.
Note: By default, some user profile properties, such as first name and last name, are automatically mapped to their corresponding properties in the external directory service. By default, no user profile property is set to Export. You must explicitly define the user profile properties that you want to export back to the directory service from the user profile store.
You can synchronize profiles on a recurring schedule. Recurring Profile Synchronization is incremental; that is, only changed profile information will be synchronized. You also have the option to perform a nonrecurring full sync or a nonrecurring incremental sync.
Task requirements
Important: See release notes for other task requirements that may be needed for Profile Synchronization.
Start the User Profile Synchronization service
Perform the following procedure to start the User Profile Synchronization Service. By default, this service is not started.
To start the User Profile Synchronization service
- Verify that you have the following administrative credentials:
  - You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
  - The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on the server where the User Profile Synchronization service is deployed.
  - The Farm Administrator account must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Delegate administration of a User Profile service application (SharePoint Server 2010).
  - The Service Administrator account must be able to log on locally to the server where Profile Synchronization will be deployed.
  - If you are using a Windows Server 2003 AD DS forest, the Service Administrator account must be a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing. For more information about adding accounts to the Pre-Windows 2000 Compatible Access group, see Some applications and APIs require access to authorization information on account objects (http://go.microsoft.com/fwlink/?LinkId=179420).
- For the steps that are needed to start the User Profile Synchronization service, see Starting or stopping a service.
- When starting the User Profile Synchronization service, you are asked to associate the service with the appropriate User Profile Service application. Select the appropriate User Profile Service application from the Select the User Profile Service Application drop-down list and then click OK.
  Note: After starting the User Profile Synchronization service, wait 5-10 minutes before proceeding to the next step.
- Run services.msc and verify that the Forefront Identity Manager Synchronization Service and the Forefront Identity Manager Service are running. These services are started automatically when the User Profile Synchronization service is started. It may take up to 10 minutes for them to start after the User Profile Synchronization service is started. Do not start them manually.
- Verify that the ILMMA and MOSS-<User Profile Service application name> folders are present in %Programfiles%\Microsoft Office Servers\14.0\Synchronization Service\MaData. These folders will be empty.
- Run IISReset on the server where the User Profile Synchronization service is provisioned. For more information about IISReset, see IIS Reset Activity (http://go.microsoft.com/fwlink/?LinkId=179336).
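An added verification script (not part of the original procedure) for the last three steps above: it reports the state of the two Forefront Identity Manager services with Get-Service instead of services.msc, checks that the ILMMA and MOSS-<name> folders exist under MaData, and runs IISReset only when both checks pass. The User Profile Service application name is a placeholder to replace, and the script never starts the FIM services itself.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server where the User Profile Synchronization service was started.
# Placeholder: replace with your User Profile Service application name.
$UpaName = 'User Profile Service Application'

# Both Forefront Identity Manager services are started by SharePoint itself;
# this script only reports their state and never starts them.
$fim = @(Get-Service -DisplayName 'Forefront Identity Manager*')
if ($fim.Count -eq 0) {
    Write-Warning 'No Forefront Identity Manager services are registered on this server.'
}
foreach ($svc in $fim) {
    $state = if ($svc.Status -eq 'Running') { 'RUNNING' } else { 'NOT RUNNING' }
    '{0,-12} {1}' -f $state, $svc.DisplayName
}
# Expect at least the Synchronization Service and the FIM Service, all running.
$servicesOk = ($fim.Count -ge 2) -and -not ($fim | Where-Object { $_.Status -ne 'Running' })

# The management-agent folders must exist. The article expects them to be empty
# right after the service starts, so an empty folder is reported, not treated as an error.
$maData = Join-Path $env:ProgramFiles 'Microsoft Office Servers\14.0\Synchronization Service\MaData'
$foldersOk = $true
foreach ($name in 'ILMMA', "MOSS-$UpaName") {
    $path = Join-Path $maData $name
    if (Test-Path -LiteralPath $path -PathType Container) {
        $items = @(Get-ChildItem -LiteralPath $path -Force).Count
        "PRESENT      $path ($items items)"
    } else {
        Write-Warning "Missing folder: $path"
        $foldersOk = $false
    }
}

# IISReset recycles every site on this server, so only run it once the
# prerequisites above are in place; otherwise stop so the cause can be investigated.
if ($servicesOk -and $foldersOk) {
    iisreset
} else {
    Write-Warning 'Prerequisites not met; IISReset was not run.'
}
```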
Create a new Profile Synchronization connection
Perform the following procedure to create a new Profile Synchronization connection.
To create a new Profile Synchronization connection
- Verify that you have the following administrative credentials:
  - You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
  - You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Delegate administration of a User Profile service application (SharePoint Server 2010).
  - If you are synchronizing profile information by using AD DS, the account that is used to connect to AD DS must have Replicate Directory Changes permissions in AD DS. This account must be the same as the farm administrator account or the User Profile Service administrator account, and it is required for either full or incremental synchronization with AD DS.
- Before proceeding, make sure that you have determined which directory service containers you want to synchronize with SharePoint Server.
  Note: We recommend that you create only one Profile Synchronization connection per directory service forest.
- On the Central Administration Web site, in the Application Management section, click Manage service applications.
- On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.
- In the Operations group of the ribbon, click Manage.
- On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.
- On the Synchronization Connections page, click Create New Connection.
- On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.
- From the Type list, select the kind of directory service to which you want to connect.
- If the selected type is Business Data Catalog, select a Business Data Catalog entity and select whether the entity has a 1:1 mapping or a 1:many mapping. Then click OK. Otherwise, continue with the following steps.
- In the Connection Settings section, type the name of the directory service forest to which you want to connect, the account credentials for the directory service, and the port that you want to use when you connect to the directory service. Select Auto discover domain controller to automatically locate the domain controller for this forest, or type the name of the domain controller in the Domain controller name box.
  Important: In SharePoint Server 2010 Beta, when you are using AD DS, the first segment of the directory service forest name must contain the NetBIOS name of the computer that is running Active Directory.
- In the Connection Settings section, select the Use SSL-secured connection check box if you want to use a Secure Sockets Layer (SSL) connection when you connect to the directory service.
- In the Containers section, click Populate Containers and then select the containers from the directory service that you want to synchronize. Click Select All if you want to synchronize all containers. For example, if you only want to synchronize user information, you can select only those containers that have user profile information.
  Note: In SharePoint Server 2010 Beta, this part of the user interface may not function correctly in Internet Explorer 8. If this happens, press F12 to start the developer console and select Internet Explorer 7 from the drop-down menu at the top. Let Internet Explorer reload the page and then click Populate Containers.
- Click OK.
Edit Profile Synchronization connection filters
Perform the following procedure to edit Profile Synchronization connection filters.
To edit Profile Synchronization connection filters
- Verify that you have the following administrative credentials:
  - You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
  - You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Delegate administration of a User Profile service application (SharePoint Server 2010).
  - The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on Microsoft SQL Server 2005 or Microsoft SQL Server 2008.
  - If you are synchronizing profile information with AD DS, the account that is used must have Replicate Directory Changes permissions. This account must be the same as the farm administrator account or the User Profile Service administrator account, and it is required for either full or incremental synchronization with AD DS.
- On the Central Administration Web site, in the Application Management section, click Manage service applications.
- On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.
- In the Operations group of the ribbon, click Manage.
- On the Manage Profile Service page, in the Synchronization section, select Configure Synchronization Connections.
- On the Synchronization Connections page, right-click the connection for which you want to change Profile Synchronization connection filters and select Edit Connection Filters.
  Note: In SharePoint Server 2010 Beta, this part of the user interface may not function correctly in Internet Explorer 8. If this happens, press F12 to start the developer console and select Internet Explorer 7 from the drop-down menu at the top. Let Internet Explorer reload the page and then select Edit Filters.
- On the Edit connection filters page, in the Exclusion Filters for Users section, select from the attributes list the user property to which you want to apply a synchronization filter, configure the filter parameters for that property, and then click Add.
- On the Edit connection filters page, in the Exclusion Filters for Groups section, select from the attributes list the group property to which you want to apply a synchronization filter, configure the filter parameters for that property, and then click Add.
- When you have finished adding Profile Synchronization connection filters, click OK.
Map user profile properties
Perform the following procedure to map user profile properties.
To map user profile properties
- Verify that you have the following administrative credentials:
  - You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
  - You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Delegate administration of a User Profile service application (SharePoint Server 2010).
  - The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on Microsoft SQL Server 2005 or Microsoft SQL Server 2008.
  - If you are synchronizing profile information with AD DS, the account that is used must have Replicate Directory Changes permissions. This account must be the same as the farm administrator account or the User Profile Service administrator account, and it is required for either full or incremental synchronization with AD DS.
- On the Central Administration Web site, in the Application Management section, click Manage service applications.
- On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.
- In the Operations group of the ribbon, click Manage.
- On the Manage Profile Service page, in the People section, select Manage User Properties.
- On the Manage User Properties page, right-click the user property that you want to map to a directory service attribute and select Edit.
- On the Edit user profile property page, in the Add New Mapping section, select the Profile Synchronization connection that you want to use from the Source Data Connection list.
- On the Edit user profile property page, in the Add New Mapping section, select the directory service attribute with which you want to synchronize the user profile property from the Attribute list.
- On the Edit user profile property page, in the Add New Mapping section, select Import to import the property value from the directory service into the user profile store, or select Export to export the property value from the user profile store to the directory service, and then click Add.
- When you have finished adding user profile property mappings, click OK.
Configure Profile Synchronization settings
Perform the following procedure to configure Profile Synchronization settings.
To configure Profile Synchronization settings
- Verify that you have the following administrative credentials:
  - You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.
  - You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Delegate administration of a User Profile service application (SharePoint Server 2010).
  - The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on Microsoft SQL Server 2005 or Microsoft SQL Server 2008.
  - If you are synchronizing profile information with AD DS, the account that is used must have Replicate Directory Changes permissions. This account must be the same as the farm administrator account or the User Profile Service administrator account, and it is required for either full or incremental synchronization with AD DS.
- On the Central Administration Web site, in the Application Management section, click Manage service applications.
- On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.
- In the Operations group of the ribbon, click Manage.
- On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.
- On the Configure Synchronization Settings page, in the Synchronization Entities section, select Users and Groups to synchronize both user information and group information, or select Users to synchronize only user information.
  Note: You should first do a full synchronization of users only. Once this is complete, run an incremental synchronization of both users and groups.
- On the Configure Synchronization Settings page, in the Synchronize BDC Connections section, clear the Include existing BDC connections for synchronization? check box if you want to exclude data import from the Business Data Connectivity service.
- On the Configure Synchronization Settings page, in the External Identity Manager section, select Use SharePoint Profile Synchronization to use the Profile Synchronization engine in SharePoint Server 2010, or select Enable External Identity Manager to use an external synchronization application such as Microsoft Identity Lifecycle Manager 2007.
  Note: Enabling an external identity manager disables all Profile Synchronization options and the status display in SharePoint Server 2010.
- Click OK.