Best practices for people and profiles (SharePoint Server 2010)
Published: August 11, 2011
This article is one of a series of best practices articles for Microsoft SharePoint Server 2010. This article describes the typical characteristics and best practices for working with user profiles in SharePoint Server. For additional information and resources about best practices for SharePoint Server 2010, see Best Practices for SharePoint Server 2010 (http://go.microsoft.com/fwlink/p/?LinkId=220280).
1. Clean up the directory service
The organization of objects in your directory service has a large impact on how long it takes to synchronize profile information. To improve the performance of synchronization, prune the objects in the directory service.
SharePoint Server uses Microsoft Forefront Identity Manager (FIM) to import all of the objects in the containers that you select, and then applies the synchronization filters to the imported objects. To the extent possible, move user accounts that you do not want to be imported into containers that are not synchronized. Similarly, move groups that you do not want to be synchronized into containers that you are not synchronizing with.
Audit your organization's use of groups within the directory service, and delete any groups that are no longer needed.
Ensure that you do not synchronize the same group membership information multiple times. For example, if you represent the same distribution group on multiple farms, place all except one instance of the distribution group into containers that you are not synchronizing.
2. Use synchronization filters
Use filters to synchronize only the users whom you want to have profiles in SharePoint Server. For example, if user accounts and service accounts both exist in a directory service container that you are synchronizing with, create a filter to exclude service accounts from synchronization. For more information about synchronization filters, see the About exclusion filters section in the Plan for profile synchronization (SharePoint Server 2010) article.
3. Configure policies for profile properties
Use policies to specify privacy settings for profile properties. There are default policies for properties. However, you should review them and determine whether to change them depending on your organization, company, and governmental rules. You can allow users to override a policy setting or specify that the policy cannot be changed.
4. Specify the domain controller to synchronize with
When you create a synchronization connection to a forest that has multiple domain controllers, select a specific domain controller to synchronize with. The connection between the domain controller and the synchronization server should have the lowest possible latency. For information about how to specify a domain controller when you create a profile synchronization connection, see the Create a synchronization connection to a directory service section in the Configure profile synchronization (SharePoint Server 2010) article.
In a very large directory services forest, optimize the domain controller itself. Move as much of the directory service database as possible to RAM, and use fast disk drives. This will reduce the time that is required for profile synchronization. For more information about the directory service database for Active Directory Domain Services (AD DS), see Administering the Active Directory Database (http://go.microsoft.com/fwlink/p/?LinkId=225582).
5. Make friends with the directory service administrator
Stay in contact with the administrators of the directory services that you synchronize with. Make sure that you are notified if the administrator plans to restart a domain controller or to make large changes to the directory service, and try to get those events scheduled for a time when profile synchronization is not occurring.
6. Restart the synchronization service after installing updates
Whenever you install an update to Microsoft SharePoint Server 2010, stop and then restart the User Profile Synchronization service.
When you start the User Profile Synchronization service, SharePoint Server provisions a version of Microsoft Forefront Identity Manager (FIM) to participate in synchronization. If you install a SharePoint Server 2010 service pack, cumulative update, or other update that modifies the SharePoint Server private version of FIM, the modification will not take effect until FIM is reprovisioned. To reprovision FIM, stop and then restart the User Profile Synchronization service. For instructions about how to start and stop a service, see Manage services on the server (SharePoint Server 2010).
7. Run database maintenance jobs before synchronizing profiles
If profile synchronization will have to process many changes, run a full scan of the profiles database before starting profile synchronization.
Microsoft SQL Server uses historical statistics about a database to optimize queries. For the optimization to be as good as possible, the statistics should be as fresh as possible. Running a full scan generates the most accurate statistics. To update statistics with a full scan of the database, run the Health Analyzer rule "Databases used by SharePoint have outdated index statistics".
8. Optimize the profile and synchronization databases
The configuration of the profile database and the synchronization database has a significant impact on the overall performance of profile synchronization. For recommendations about how to optimize database performance, see Storage and SQL Server capacity planning and configuration (SharePoint Server 2010) and Best practices for SQL Server 2008 in a SharePoint Server 2010 farm. In particular, if you have many user profiles, consider the following:
Proactively manage the size of the profiles database. Use a fixed size data (.mdf) file and log file, but also enable autogrowth in case the size is too small.
If you enable autogrowth, use a fixed growth size — for example, 100 MB — instead of a growth percentage.
Profile synchronization creates a lot of disk I/O. For the profiles and synchronization databases, use disk drives that can perform high Input/Output Operations Per Second (IOPS), and consider using solid-state drives (SSD).
If you have many profiles and you run profile synchronization frequently, consider placing the data (.mdf) file and the log file on separate physical disks.
Have at least one data (.mdf) file for tempdb per CPU core. For more information about how to optimize tempdb, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/p/?LinkId=225583).
In the event of heavy utilization, consider a dedicated SQL Server instance to support the User Profile service application databases.
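The checks in this list can be audited read-only from the SQL Server instance that hosts the databases. The following T-SQL is an added example, not part of the original article; the database name patterns are assumptions to adjust for your farm, and the drive-letter comparison is only a proxy for "separate physical disks".

```sql
-- Added example. Name patterns are assumptions: replace them with the names
-- of your profile and synchronization databases.
DECLARE @profile_pattern sysname, @sync_pattern sysname;
SET @profile_pattern = N'%Profile%';
SET @sync_pattern    = N'%Sync%';

-- 1. Size and autogrowth setting of every file in the matching databases.
SELECT DB_NAME(mf.database_id)               AS database_name,
       mf.type_desc                          AS file_type,   -- ROWS = data, LOG = log
       mf.physical_name,
       CAST(mf.size AS bigint) * 8 / 1024    AS size_mb,     -- size is in 8-KB pages
       CASE WHEN mf.growth = 0            THEN 'autogrowth disabled'
            WHEN mf.is_percent_growth = 1 THEN CAST(mf.growth AS varchar(10)) + ' percent'
            ELSE CAST(mf.growth * 8 / 1024 AS varchar(10)) + ' MB'
       END                                   AS growth_setting,
       CASE WHEN mf.growth = 0            THEN 'enable autogrowth as a fallback'
            WHEN mf.is_percent_growth = 1 THEN 'switch to a fixed growth size'
            ELSE 'OK'
       END                                   AS finding
FROM sys.master_files AS mf
WHERE DB_NAME(mf.database_id) LIKE @profile_pattern
   OR DB_NAME(mf.database_id) LIKE @sync_pattern
ORDER BY database_name, file_type;

-- 2. Data and log files that share a drive letter (mount points are not detected).
SELECT DB_NAME(d.database_id) AS database_name,
       d.physical_name        AS data_file,
       l.physical_name        AS log_file
FROM sys.master_files AS d
JOIN sys.master_files AS l
  ON l.database_id = d.database_id
 AND l.type_desc = 'LOG'
WHERE d.type_desc = 'ROWS'
  AND UPPER(LEFT(d.physical_name, 3)) = UPPER(LEFT(l.physical_name, 3))
  AND (DB_NAME(d.database_id) LIKE @profile_pattern
    OR DB_NAME(d.database_id) LIKE @sync_pattern);

-- 3. tempdb data files compared with the CPUs visible to SQL Server.
--    cpu_count reports logical CPUs; requires VIEW SERVER STATE permission.
SELECT (SELECT COUNT(*) FROM sys.master_files
        WHERE database_id = DB_ID('tempdb') AND type_desc = 'ROWS') AS tempdb_data_files,
       (SELECT cpu_count FROM sys.dm_os_sys_info)                   AS logical_cpus;
```

All three queries only read catalog and dynamic management views, so they can be run during production hours without changing the SharePoint databases.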
9. Check timer job settings
Timer jobs propagate information through SharePoint Server and to and from directory services. In some cases, one timer job performs work that another timer job takes further action on. For example, the User Profile Incremental Import job updates SharePoint Server user profiles with information about the user that has changed in the directory service. The Activity Feed job computes activities to be shown in the Activity Feed section of a user's My Site. If a user's job title changes in the directory service, that change might not show up in the activity feeds of the user's colleagues, depending on the progress of one timer job relative to the other timer job. To get more consistent results and improve performance, adjust the timing at which timer jobs run.
For more information about the SharePoint Server timer jobs, see Timer job reference (SharePoint Server 2010).
10. Do not synchronize during large directory service updates
Ensure that profile synchronization is not running while you are making large changes to the directory service. For example, stop profile synchronization if you are updating directory service schemas or preparing a Microsoft Exchange Server forest. When the directory service changes are complete, perform a full synchronization.
11. Avoid synchronizing large objects
A user's profile is probably not the best place to store large binary data. Consider storing binary large objects (BLOBs) elsewhere, such as in a database, and keeping only a link to the BLOB in the profile.
The time that is required to run profile synchronization is related to the size of the attributes being synchronized, and also the frequency with which the attributes change. If you replicate profile information across farms, the impact of storing large objects in profiles is even greater.
The SharePoint Server 2010 Content Publishing team thanks the following contributors to this article:
Chris Gideon, Microsoft Premier Field Engineering
Steve Peschka, Microsoft Consulting Services
Bill Baer, Microsoft SharePoint Technical Product Marketing
Yancho Yanev, Microsoft SharePoint Product Team
Siva Subbiah, Microsoft SharePoint Product Team
Jon Rosenberg, Microsoft SharePoint Product Team
Spencer Harbar, Enterprise Architect
Todd Lehmann, Microsoft Information Services
Sheyi Adenouga, Microsoft Customer Support Services
Joe McTaggart, Microsoft Premier Field Engineering
Ron Grzywacz, Microsoft Premier Field Engineering
Bassem Yacoube, Microsoft Consulting Services