
Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013

SharePoint 2013

Published: July 16, 2012

Summary: Learn how to import user profiles by using the SharePoint Active Directory Import tool for SharePoint Server 2013.

Applies to:  SharePoint Server 2013 

You can use the SharePoint Active Directory Import option (AD Import) as an alternative to using SharePoint Profile Synchronization to import user profile data from Active Directory Domain Services (AD DS) in your domain. This option to configure profile synchronization (also known as profile sync) involves three steps:

  • Selecting the option

  • Creating or editing a connection

  • Mapping user profile properties

This tool works only with Active Directory Domain Services (AD DS) and does not work with other directory services.

Note:

This article assumes that you have already provisioned the User Profile Service, have created the User Profile service application, and that you have gathered the required information about your environment. For more information, see Synchronize user and group profiles in SharePoint Server 2013.


Before you begin

Before you begin this operation, review the following information about prerequisites:

  • You must be a member of the Farm Administrators group.

  • You must know the credentials of the domain controller that has synchronization permissions.

    For more information about required permissions, see the “Plan account permissions” section of Plan profile synchronization for SharePoint Server 2013.

Note:

Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Configure SharePoint Active Directory Import by using Central Administration

You perform three procedures in Central Administration to configure AD Import.

In the first procedure, you select the SharePoint Active Directory Import (AD Import) option to import user profile data from AD DS. This AD Import option improves the performance of the import process and is simpler to use, although it is not as flexible as the SharePoint Profile Synchronization method. Consider the following when you determine whether to use the AD Import option:

  • Import operations that use this option are significantly faster than the same operations that use SharePoint Profile Synchronization.

  • The AD Import option does not perform bidirectional synchronization. That means changes made to SharePoint user profiles will not be synchronized with the domain controller.

  • Referential integrity among users and groups is only maintained within a single Active Directory forest.

  • The AD Import option lets you configure and use only a single, farm-wide property mapping.

In the second procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. The information that you enter comes from the Connection Planning worksheet.

In the third procedure, you determine how the properties of SharePoint user profiles map to the user information that is retrieved from the directory service. You should have identified how you will map user profile properties on the User profile properties data sheet in the User Profile Properties worksheet.

To import profiles, you must have at least one synchronization connection to a directory service. You may have connections to multiple AD DS servers. During this phase, you create a synchronization connection to each AD DS server that you want to import profiles from. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Although synchronizing after each connection takes longer, doing this makes it easier to troubleshoot any problems that you might encounter.

To select SharePoint Active Directory Import

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.

  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

To create a connection to a directory service for import

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  5. On the Synchronization Connections page, click Create New Connection.

  6. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.

  7. From the Type list, select Active Directory Import.

  8. Fill in the Connection Settings section by using the following steps:

    1. In the Fully Qualified Domain Name box, type the Fully Qualified Domain Name of the domain.

    2. In the Authentication Provider Type box, select the type of authentication provider.

    3. If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a Web application.

      Tip:

      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    4. In the Account name box, type the synchronization account in the form <DOMAIN>\<UserName>. The synchronization account must have Replicate Directory permissions or higher on the root OU of Active Directory.

    5. In the Password box, type the password for the synchronization account.

    6. In the Confirm password box, type the password for the synchronization account again.

    7. In the Port box, type the connection port.

    8. If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

      Important:

      If you use an SSL connection, you must export the certificate of the domain controller from the AD DS server and import the certificate into the synchronization server.

    9. If you want to filter the objects to be imported from the directory service, in the Filter in LDAP syntax for Active Directory Import box, type a standard LDAP query expression to define the filter.

  9. In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize. All OUs selected will be synchronized with their child OUs. There is currently no utility to allow a parent OU to be selected with any of its child OUs excluded from synchronization.

  10. Click OK.

    The newly created connection is listed on the Synchronization Connections page.

    Tip:

    On the Synchronization Connections page, you can right-click the name of a synchronization connection, and then click Edit or Delete to edit or delete the connection.
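
The following PowerShell is an added example, not part of the original article or of SharePoint itself. It previews what an LDAP filter would return under a selected container, and lists which identities hold the replication rights on the domain root so that the synchronization account's grant can be reviewed. The account name, container and filter are placeholders, and the two GUIDs are the standard AD DS control access right identifiers rather than values from this article.

```powershell
# Added example: pre-flight checks before saving an AD Import connection.
# Needs the ActiveDirectory module (RSAT). Names below are placeholders.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\sp_adimport'              # hypothetical sync account
$SearchBase  = 'OU=Staff,DC=contoso,DC=example'   # hypothetical container
# Constructed filter: person/user objects whose "account disabled" bit (0x2) is not set
$LdapFilter  = '(&(objectCategory=person)(objectClass=user)' +
               '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 1. Preview what the filter returns. Subtree scope mirrors the connection,
#    which always brings in the child OUs of a selected container.
$found = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree)
'{0} objects match under {1}' -f $found.Count, $SearchBase
$found |
    Group-Object { $_.DistinguishedName -replace '^.+?(?<!\\),', '' } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. List who holds the replication control access rights on the domain root.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$DomainDn = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$DomainDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight' -and
        $Rights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object @{ n = 'Identity';      e = { $_.IdentityReference.Value } },
                  @{ n = 'Right';         e = { $Rights[$_.ObjectType.ToString()] } },
                  @{ n = 'IsSyncAccount'; e = { $_.IdentityReference.Value -eq $SyncAccount } } |
    Sort-Object Identity, Right |
    Format-Table -AutoSize
```

A right granted through a group is listed under the group's name, so check the synchronization account's group memberships against the Identity column as well. The per-OU counts in the first table show which child OUs the import will pull in, since they cannot be excluded individually.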

To map user profile properties

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the People section, click Manage User Properties.

  5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.

  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.

  7. To add a new mapping, do the following:

    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.

    2. In the Attribute box, type the name of the directory service attribute to which you want to map the property.

    3. Click Add.

      Note:

      You cannot add multiple mappings or edit a mapping. To change mapping settings for a property, you must first remove the existing mapping, and then create a new mapping.

  8. Click OK.

  9. Repeat steps 5 through 8 to map additional properties.

To start profile synchronization

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

  5. On the Start Profile Synchronization page, select Start Full Synchronization if this is the first time that you are synchronizing or if you have added or modified any synchronization connections since the last time that you synchronized. Select Start Incremental Synchronization to synchronize only information that has changed since the last time that you synchronized.

  6. Click OK.

    The Manage Profile Service page is displayed, showing the profile synchronization status in the right pane.

© 2014 Microsoft. All rights reserved.