Configure profile synchronization (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

Configuring profile synchronization (or profile sync) is a process that involves many steps. This article divides the process into shorter phases, both so that you can see progress and to reduce the number of steps through which you have to backtrack if you make an error. Depending on your organization's needs, you may not have to implement all of the phases.

In this article:

  • Prerequisites

    This section identifies the information and accounts that you must have to perform these procedures. It also describes how your Microsoft SharePoint Server 2010 farm should be configured before you start the procedures.

  • Procedures

    This section contains detailed instructions for each of the procedures that are required to configure profile synchronization.

Prerequisites

As you configure profile synchronization, you will need information to answer questions in the user interface. You will also need accounts that have the appropriate permissions and a SharePoint Server 2010 farm that is already partly configured. The subsections within this section explain the prerequisites that you must have before you configure profile synchronization.

In this section:

  • Gather information

  • Grant account permissions

  • Install prerequisites

Gather information

Before you perform the procedures in this article, you should complete the following worksheets. You will use the information that you record in the worksheets as you perform the procedures in this article.

  • Connection planning worksheet: Contains details about each profile synchronization connection that you will create. The article Plan for profile synchronization (SharePoint Server 2010) contains instructions for filling out the worksheet.

  • User profile properties worksheet: Identifies user profile properties and how the properties are mapped to external data sources. The article Plan user profiles (SharePoint Server 2010) explains how to fill out most of the worksheet, and the article Plan for profile synchronization (SharePoint Server 2010) contains instructions for adding the property mapping information.

  • Profile synchronization planning worksheet: Collects the information that you will need to create the User Profile service application and its prerequisites. If your farm already contains a User Profile service application, you can omit this worksheet.

The worksheets are available from the following source: https://go.microsoft.com/fwlink/p/?LinkId=202832.

You will need to know the name of the synchronization server. The synchronization server is the server on which the User Profile Synchronization service will run. The Plan for the synchronization server section of the "Plan for profile synchronization" article provides guidance on how to select the synchronization server.

Grant account permissions

To configure profile synchronization you will need to know the farm account and the farm account's password, and you will need a synchronization account for each directory service that you will synchronize with. The permissions that are required for each account are described in the Plan account permissions section of the "Plan for profile synchronization" article. If an account does not have the correct permissions, you might not know that the permissions are wrong until you have progressed part of the way through the configuration procedure.

Note

Incorrect permissions are the most common cause of errors in configuring profile synchronization.

Note

If the Server Farm account is a managed account, you must disable the Enable Automatic Password Change feature for that account. The User Profile Synchronization service stores the farm account's password when you start it (the FIM services run under that account), so an automatic password change would leave those services with stale credentials and the synchronization service would fail to start.

Install prerequisites

To set up profile synchronization you will need Microsoft SharePoint Server 2010 installed in a farm configuration. We recommend that you also install the most recent SharePoint Server 2010 Cumulative Update, because improvements to profile synchronization are present in most updates. For more information, see the Updates resource center (https://go.microsoft.com/fwlink/p/?LinkID=220218).

You must have a full installation of Microsoft SQL Server, not the Express edition. If you are using SQL Server 2008, you must have Service Pack 1 (SP1) and Cumulative Update 2 (CU2).

Procedures

There are four phases to configuring profile synchronization. Depending on your situation, you might not have to perform all of the phases. This article also includes Phase 0, which contains instructions for configuring the prerequisites that are required before you can configure profile synchronization. The phases are as follows:

Phase 0: Configure the farm

During this phase, you create a site collection to host My Sites and create a User Profile service application. You must be both a farm administrator and a member of the Administrators group on the computer that is running SharePoint Server to perform these tasks.

Phase 1: Start the User Profile Synchronization service

During this phase, you start the User Profile Synchronization service. You must be both a farm administrator and a member of the Administrators group on the computer that is running SharePoint Server to perform these tasks.

Phase 2: Configure connections and import data from directory services

During this phase, you create a synchronization connection to each directory service from which you want to import profile information, and then perform the initial synchronization. You must be a farm administrator or an administrator of the User Profile service application to perform these procedures.

Phase 3: Configure connections and import data from business systems

During this phase, you create a synchronization connection to each business system from which you want to import profile information, and then perform the synchronization. You must be a farm administrator or an administrator of both the User Profile service application and the Business Data Connectivity service application to perform these procedures.

Phase 4: Configure connections and export data to directory services

During this phase, you modify the profile property mappings that you created during Phase 2 to export data from SharePoint Server to directory services. You must be a farm administrator or an administrator of the User Profile service application to perform these procedures.

After you have configured profile synchronization, you can use the information in Schedule profile synchronization (SharePoint Server 2010) to set up a regular synchronization schedule.

Phase 0: Configure the farm

During this phase, you configure the infrastructure for synchronizing profiles.

This phase involves the following tasks:

  1. Create a Web application to host My Sites

  2. Create a managed path for My Sites

  3. Create a My Site Host site collection

  4. Create a User Profile service application

  5. Enable NetBIOS domain names

  6. Start the User Profile service

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server.

Create a Web application to host My Sites

In this procedure, you create the Web application that My Sites will reside in. We recommend that My Sites be in a separate Web application, although the Web application may be in an application pool that is shared with other collaboration sites, or it may be in a separate application pool but in a shared IIS Web site. For more information about SharePoint Server 2010 sites, application pools, and IIS Web sites, see Logical architecture components (SharePoint Server 2010). For more detailed instructions about how to create a Web application, see Create a Web application (SharePoint Server 2010).

To create a Web application

  1. On the Central Administration Home page, in the Application Management section, click Manage web applications.

  2. On the ribbon, click New.

  3. On the Create New Web Application page, in the Authentication section, select the authentication mode that will be used for this Web application.

  4. In the IIS Web Site section, you can configure the settings for your new Web application by selecting one of the following two options (see the Profile Synchronization Planning worksheet):

    • Click Use an existing web site, and then select the Web site on which to install your new Web application.

    • Click Create a new IIS web site, and then type the name of the Web site in the Name box.

      You may also provide the port number, host header, or path for the new IIS Web site.

  5. In the Security Configuration section, select an authentication provider, whether to allow anonymous access, and whether to use Secure Sockets Layer (SSL).

  6. In the Application Pool section, do one of the following:

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is an existing application pool, click Use existing application pool, and then select the My Site application pool from the drop-down menu.

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is a new application pool, click Create a new application pool, type the name of the My Site application pool, and either select the account that the application pool will run under (see the Profile Synchronization Planning worksheet) or create a new managed account for the application pool to run under.

  7. In the Database Name and Authentication section, select the database server, database name, and authentication method for your new Web application.

  8. If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.

  9. In the Service Application Connections section, select the service application connections that will be available to the Web application.

  10. In the Customer Experience Improvement Program section, click Yes or No.

  11. Click OK to create the new Web application.

  12. When the Application Created page appears, click OK.

Enter the name of the Web application in the My Site Web application row of the Profile Synchronization Planning worksheet. You will need this information later.

Create a managed path for My Sites

If you want the My Site host (and, therefore, users' My Sites) to be at a URL that does not already have a managed path, use the procedure in Define managed paths (SharePoint Server 2010) to create the My Site managed path in the My Site Web application that you previously created. In most cases, the existing managed paths will be sufficient.

Create a My Site Host site collection

In this procedure, you create the site collection that will host users' My Sites. For more detailed instructions about how to create a site collection, see Create a site collection (SharePoint Server 2010).

To create a My Site Host site collection

  1. On the Central Administration Web site, in the Application Management section, click Create site collections.

  2. On the Create Site Collection page, in the Web Application section, select the My Site Web application (see the Profile Synchronization Planning worksheet).

  3. In the Title and Description section, type the title and description for the site collection.

  4. In the Web Site Address section, select the path to use for the URL of the My Site host. In most cases, using the root directory (/) is appropriate.

  5. In the Template Selection section, click the Enterprise tab, and then select My Site Host.

  6. In the Primary Site Collection Administrator section, type the user name (in the form <DOMAIN>\<username>) for the user who will be the site collection administrator.

  7. In the Secondary Site Collection Administrator section, type the user name for the secondary administrator of the site collection.

  8. If you are using quotas to manage storage for site collections, in the Quota Template section, click a template in the Select a quota template list.

  9. Click OK.

The Top-Level Site Successfully Created page will appear when the My Site Host site collection is created. Enter this URL in the My Site Host site collection URL row of the Profile Synchronization Planning worksheet. Although you can click the link to browse to the root of the site collection, doing so will result in an error because the user profile cannot be loaded. This behavior is to be expected; user profiles have not been imported at this point.

Create a User Profile service application

In this procedure, you create the User Profile service application through which you will manage profile synchronization.

For more detailed instructions about how to create a User Profile service application, see Create a User Profile Service application.

To create a User Profile Service application

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Application page, on the ribbon, click New, and then click User Profile Service Application.

  3. In the Name section, type the User Profile service application name (see the Profile Synchronization Planning worksheet).

  4. In the Application Pool section, select the application pool that the User Profile service application will run in (if it exists), or create a new application pool. (See the Profile Synchronization Planning worksheet.)

  5. Accept the defaults for the profile database, the synchronization database, and the social tagging database (unless you want different names), and specify failover servers if you are using them.

  6. In the Profile Synchronization Instance section, select the synchronization server (see the Profile Synchronization Planning worksheet).

  7. In the My Site Host URL section, enter the My Site Host site collection URL that you created in the previous step (see the Profile Synchronization Planning worksheet).

  8. In the My Site Managed Path section, enter the part of the path which, when appended to the My Site host URL, will give the path to users' My Sites (see the Profile Synchronization Planning worksheet). For example, if the My Site host URL is https://server:12345/ and you want each user's My Site to be at https://server:12345/personal/<username>, enter /personal for the My Site managed path. The managed path that you enter is created; there does not already have to be a managed path with the name that you provide.

  9. In the Site Naming Format section, select a naming scheme.

  10. In the Default Proxy Group section, select whether you want the proxy of this User Profile Service to be a part of the default proxy group on this farm.

  11. Click Create.

  12. When the Create New User Profile Service Application page displays the message Profile Service Application successfully created, click OK.

To verify that the User Profile service application was created, refresh the Manage Service Applications page. You should see two entries whose value in the Name column is the name that you provided for the User Profile service application that you previously created. The first entry is the service application itself. The second entry is a connection (that is, a "proxy") to the service application.

Enable NetBIOS domain names

If the NetBIOS name of any domain that you are synchronizing with differs from its fully qualified domain name (for example, a NetBIOS name of CONTOSO for the domain corp.contoso.com), you must enable NetBIOS domain names on the User Profile service application. Do this before you create synchronization connections in Phase 2: the setting is applied when a connection is created, so any connection that already exists must be deleted and re-created after you change it. If all NetBIOS names are the same as the domain names, you may skip this procedure.

To enable NetBIOS domain names

  1. Verify that you meet the following minimum requirements: you must have permission to run SharePoint 2010 Windows PowerShell cmdlets on this server, that is, membership in the SharePoint_Shell_Access role on the configuration database and in the WSS_ADMIN_WPG local group (a farm administrator grants both with the Add-SPShellAdmin cmdlet), and the User Profile service application from the previous task must already exist.

  2. Copy the following code and paste it into a text editor, such as Notepad:

    # Locate the User Profile service application by its display name and
    # enable NetBIOS domain names on it. Replace <UPSAName> with the exact
    # name you gave the service application when you created it.
    $UserProfileServiceApp = Get-SPServiceApplication |
        Where-Object { $_.DisplayName -eq "<UPSAName>" }
    if ($UserProfileServiceApp -eq $null) {
        throw "User Profile service application '<UPSAName>' was not found."
    }
    $UserProfileServiceApp.NetBIOSDomainNamesEnabled = $true
    $UserProfileServiceApp.Update()
    
  3. Replace <UPSAName> with the name of the User Profile service application.

  4. Save the file, naming it EnableNetBIOS.ps1.

    Note

    You can use a different file name, but you must save the file as an ANSI-encoded text file whose extension is .ps1.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2010 Products.

  7. Click SharePoint 2010 Management Shell.

  8. Change to the directory where you saved the file.

  9. At the Windows PowerShell command prompt, type the following command:

    .\EnableNetBIOS.ps1
    

Start the User Profile service

In this procedure, you start the User Profile service.

To start the User Profile service

  1. On the Central Administration Web site, in the System Settings section, click Manage services on server.

  2. On the Services on Server page, in the Server box, select the synchronization server (see the Profile Synchronization Planning worksheet).

  3. Find the row whose Service column value is User Profile Service. If the value in the Status column is Stopped, click Start in the Action column.
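The six Phase 0 tasks can also be performed from the SharePoint 2010 Management Shell, which makes the farm build repeatable and lets the names and accounts be reviewed before anything is created. The following script is an added example and is not part of the original article. Every name, URL, account and database name in it is a placeholder that you would take from a completed Profile Synchronization Planning worksheet; it assumes the managed accounts already exist (created with New-SPManagedAccount) and that you run it as a farm administrator who is also a local Administrator on the server.

```powershell
# Added example: Phase 0 (tasks 1-6) as one script. All names below are
# placeholders from the Profile Synchronization Planning worksheet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MySiteUrl      = "https://mysites.contoso.com"            # My Site Web application URL
$AppPoolAcct    = Get-SPManagedAccount "CONTOSO\spMySitesPool"
$UpaPoolAcct    = Get-SPManagedAccount "CONTOSO\spServicesPool"
$SiteAdmin      = "CONTOSO\spadmin"                        # primary site collection administrator
$UpaName        = "User Profile Service Application"
$SyncServer     = "SPSYNC01"                               # the synchronization server
$NetBiosDiffers = $true   # $true when any domain's NetBIOS name differs from its DNS name

# Task 1: a dedicated Web application for My Sites in its own application pool,
# SSL only, claims-based Windows authentication. Bind the server certificate to
# the new IIS site afterwards or the site will not answer on 443.
$webApp = New-SPWebApplication -Name "My Sites" -Url $MySiteUrl -Port 443 `
    -HostHeader "mysites.contoso.com" -SecureSocketsLayer `
    -ApplicationPool "MySitesAppPool" -ApplicationPoolAccount $AppPoolAcct `
    -DatabaseName "WSS_Content_MySites" `
    -AuthenticationProvider (New-SPAuthenticationProvider)

# Task 2: wildcard managed path under which each user's My Site is created
# (https://mysites.contoso.com/personal/<username>).
New-SPManagedPath "personal" -WebApplication $webApp | Out-Null

# Task 3: the My Site Host site collection at the root of the Web application.
New-SPSite -Url $MySiteUrl -Name "My Site Host" -Template "SPSMSITEHOST#0" `
    -OwnerAlias $SiteAdmin | Out-Null

# Task 4: the User Profile service application and its proxy. The proxy is the
# second entry with the same name that the UI procedure tells you to look for.
$upaPool = New-SPServiceApplicationPool -Name "UPA_AppPool" -Account $UpaPoolAcct
$upa = New-SPProfileServiceApplication -Name $UpaName -ApplicationPool $upaPool `
    -ProfileDBName "UPA_Profile" -ProfileSyncDBName "UPA_Sync" -SocialDBName "UPA_Social" `
    -MySiteHostLocation $MySiteUrl -MySiteManagedPath "personal"
New-SPProfileServiceApplicationProxy -Name "$UpaName Proxy" -ServiceApplication $upa `
    -DefaultProxyGroup | Out-Null

# Task 5: enable NetBIOS domain names before any synchronization connection exists.
if ($NetBiosDiffers) {
    $upa.NetBIOSDomainNamesEnabled = $true
    $upa.Update()
}

# Task 6: start the User Profile Service on the synchronization server. The
# User Profile Synchronization Service is started separately in Phase 1.
Get-SPServiceInstance -Server $SyncServer |
    Where-Object { $_.TypeName -eq "User Profile Service" -and $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null
```

After the script finishes, refresh the Manage Service Applications page and confirm the two entries for the User Profile service application, then continue with Phase 1. The synchronization server itself is chosen in Phase 1, when you start the User Profile Synchronization service on that server.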

Phase 1: Start the User Profile Synchronization service

During this phase, you start the User Profile Synchronization service.

This phase involves the following tasks:

  1. Start the User Profile Synchronization service

  2. Remove unnecessary permissions

  3. Reset IIS

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server.

Start the User Profile Synchronization service

In this procedure, you start the User Profile Synchronization service. The User Profile Synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize information with external systems.

To start the User Profile Synchronization service

  1. On the Central Administration Web site, in the System Settings section, click Manage services on server.

  2. On the Services on Server page, in the Server box, select the synchronization server.

  3. Find the row whose Service column value is User Profile Synchronization Service. If the value in the Status column is Stopped, click Start in the Action column.

  4. On the User Profile Synchronization Service page, in the Select the User Profile Application section, select the User Profile service application.

  5. In the Service Account Name and Password section, the farm account is already selected. Enter the password for the farm account in the Password box, and enter it again in the Confirm Password box.

  6. Click OK.

The Services on Server page shows that the User Profile Synchronization service has a status of Starting. When you start the User Profile Synchronization service, SharePoint Server provisions FIM to participate in synchronization. This may take up to 10 minutes. To determine whether the User Profile Synchronization service has started, refresh the Services on Server page.

If the User Profile Synchronization service does not start, confirm that the farm account has the necessary permissions on the synchronization server. For more information about which permissions are required, see the Plan account permissions section of the article "Plan for profile synchronization."

Remove unnecessary permissions

After the User Profile Synchronization service is started, the farm account is no longer required to be an administrator on the synchronization server. To improve the security of the SharePoint Server installation, remove the farm account from the Administrators group on the synchronization server. However, consider the following two scenarios:

  • When you perform a backup of the User Profile service application, the farm account must be an administrator on the synchronization server so that it can stop and start the service. Before you perform a backup of the User Profile service application, add the farm account to the Administrators group on the synchronization server. After the backup is completed, remove the farm account from the Administrators group on the synchronization server.

    Note

    Some health rules might alert you that the farm account is a member of the Administrators group on the local computer. You can ignore these warnings if you intentionally added the farm account to the Administrators group for the purposes of this scenario, but remove it again as soon as the backup completes.

  • If the farm contains multiple servers running SharePoint Server 2010, and two or more servers are running the User Profile service, the timer job responsible for synchronization might fail. This happens when the server that runs the synchronization timer job is not running the synchronization service. To resolve this problem, grant the farm account the Remote Enable permission on the server that runs the synchronization service. Doing this enables the timer job to run successfully regardless of which server picks up the timer job.

    To grant the farm account the Remote Enable permission to Microsoft FIM 2010

    1. On the server that is running the synchronization service, click Start.

    2. Click Run, type wmimgmt.msc, and then click OK.

    3. Right click WMI Control, and then click Properties.

    4. In the WMI Control Properties dialog box, click the Security tab.

    5. Expand the Root list, and then select the Microsoft FIM 2010 namespace MicrosoftIdentityIntegrationServer.

    6. Click the Security button.

    7. Add the farm account to the list of groups and users, select it, and then in the Permissions box for the farm account, select Allow for the Remote Enable permission. Grant this permission to the farm account only; do not widen it to Authenticated Users or Everyone.

    8. Click OK to dismiss the Security for ROOT\MicrosoftIdentityIntegrationServer dialog box, and then click OK to dismiss the WMI Control Properties dialog box.
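The "Remove unnecessary permissions" task is easy to forget, and removing the right too early (while the service is still Starting) breaks the provisioning that needs it. The following script is an added example, not part of the original article: it verifies on the synchronization server that the User Profile Synchronization service is Online and then removes the farm account from that server's local Administrators group. It assumes it is run in the SharePoint 2010 Management Shell, as a local administrator, on the synchronization server, and it checks direct group membership only, not membership inherited through a nested domain group.

```powershell
# Added example: confirm the synchronization service is Online, then remove
# the farm account from local Administrators on this (synchronization) server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SyncServer  = $env:COMPUTERNAME
$FarmAccount = (Get-SPFarm).DefaultServiceAccount.Name     # e.g. CONTOSO\spfarm

# 1. The start-up of the synchronization service is what needs local
#    administrator rights, so do not remove them while it is still Starting.
$ups = Get-SPServiceInstance -Server $SyncServer |
       Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
if ($ups -eq $null) {
    throw "No User Profile Synchronization Service instance found on $SyncServer."
}
if ($ups.Status -ne "Online") {
    throw "User Profile Synchronization Service is '$($ups.Status)' on $SyncServer; wait until it is Online."
}

# 2. Read the direct members of the local Administrators group through ADSI.
$group   = [ADSI]"WinNT://$SyncServer/Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("AdsPath", "GetProperty", $null, $_, $null)
})

# 3. Remove the farm account if it is a direct member. -contains compares
#    case-insensitively, which matches how Windows treats account names.
$farmAdsPath = "WinNT://" + $FarmAccount.Replace("\", "/")
if ($members -contains $farmAdsPath) {
    $group.psbase.Invoke("Remove", $farmAdsPath)
    "Removed $FarmAccount from the local Administrators group on $SyncServer."
} else {
    "$FarmAccount is not a direct member of Administrators on $SyncServer; nothing to remove."
}
```

Run the same check on any server you temporarily promoted the farm account on for a backup, once the backup has completed. If the account is a member only through a nested domain group, the script reports nothing to remove and you must adjust that group membership instead.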

Reset IIS

If the Central Administration Web site and the User Profile Synchronization service are running on the same server, you must reset IIS after the User Profile Synchronization service starts. If they are running on different servers, you may skip this procedure.

To reset IIS

  1. On the synchronization server, click Start, click All Programs, expand Accessories, right-click Command Prompt, and then click Run as administrator.

  2. In the User Account Control dialog box, click Yes.

  3. In the Administrator: Command Prompt window, type iisreset and then press ENTER.

  4. When the message Internet services successfully restarted is displayed, close the Administrator: Command Prompt window.

Note

After you reset IIS, pages of the Central Administration Web site will take several seconds to load.

Phase 2: Configure connections and import data from directory services

To import profiles, you must have at least one synchronization connection to a directory service. During this phase, you create a synchronization connection to each directory service that you want to import profiles from. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Synchronizing after each connection will take longer, but doing this will make it easier to troubleshoot any problems that you might encounter.

To watch a video that demonstrates the tasks in Phase 2, see Configure a profile synchronization connection in SharePoint Server 2010 (video).

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

This phase involves the following tasks:

  1. Disable timer jobs

  2. Create a synchronization connection to a directory service

  3. Define exclusion filters

  4. Map user profile properties

  5. Start profile synchronization

Disable timer jobs

You must disable the My Site cleanup timer job before you create or modify connections. For information about this timer job, see the Timer job reference (SharePoint Server 2010) and for information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).
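The following is an added example, not part of the original article, of disabling the My Site cleanup timer job from the SharePoint 2010 Management Shell before connection work and re-enabling it afterwards. It assumes the job's internal name is "MySiteCleanup"; if the lookup fails, list the jobs with Get-SPTimerJob | Select-Object Name, DisplayName and adjust the filter.

```powershell
# Added example: toggle the My Site cleanup timer job and report its state.
# Assumption: the job's internal name is "MySiteCleanup".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-MySiteCleanupJob {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    $job = Get-SPTimerJob | Where-Object { $_.Name -eq "MySiteCleanup" }
    if ($job -eq $null) { throw "My Site cleanup timer job not found; check Get-SPTimerJob output." }
    if ($Enabled) { $job | Enable-SPTimerJob } else { $job | Disable-SPTimerJob }
    # Re-read the job so the reported state is what the farm now holds.
    Get-SPTimerJob | Where-Object { $_.Name -eq "MySiteCleanup" } | Select-Object Name, IsDisabled
}

# Before creating or editing synchronization connections:
Set-MySiteCleanupJob -Enabled $false

# After the connections exist and the synchronization has completed:
# Set-MySiteCleanupJob -Enabled $true
```

Leave the job disabled for the whole of the connection work in this phase, and re-enable it only after the synchronization has run to completion.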

Create a synchronization connection to a directory service

In this procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. The information that you enter comes from the Connection Planning worksheet.

To create a Profile Synchronization connection to a directory service

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Applications page, select the User Profile service application.

  3. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronization Connections page, click Create New Connection.

  5. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.

  6. From the Type list, select the type of directory service to which you want to connect.

  7. Fill in the Connection Settings section according to the directory service to which you are creating a connection.

    For Active Directory Domain Services (AD DS), perform the following steps:

    1. In the Forest name box, type the name of the forest.

    2. Do one of the following:

      • If there is only one domain controller in the forest, click Auto discover domain controller.

      • If there are multiple domain controllers in the forest, click Specify a domain controller and type the domain controller name in the Domain controller name box.

    3. In the Authentication Provider Type box, select the type of authentication provider.

    4. If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a Web application.

      Tip

      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    5. In the Account name box, type the synchronization account.

    6. In the Password box, type the password for the synchronization account.

    7. In the Confirm Password box, type the password for the synchronization account again.

    8. In the Port box, enter the connection port.

    9. If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

      Important

      To create a connection that uses SSL, you must install the SharePoint Server 2010 August 31, 2010 Cumulative Update or a more recent cumulative update. For more information, see the Updates resource center (https://go.microsoft.com/fwlink/p/?LinkID=220218).

      Important

      If you use an SSL connection, you must export the certificate of the domain controller from the Active Directory server and import the certificate into the synchronization server.

    For Novell eDirectory, Sun Java System Directory Server, or IBM Tivoli Directory Server (ITDS), perform the following steps:

    1. In the Directory Service Server Name box, type the name of the directory service server.

    2. In the Authentication Provider Type box, select the type of authentication provider.

    3. In the Authentication Provider Instance box, select the authentication provider.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a Web application.

      Tip

      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    4. In the Account name box, type the synchronization account in LDAP format, for example, uid=username,ou=ouname,dc=yourcompany,dc=Com.

    5. In the Password box, type the password for the synchronization account.

    6. In the Confirm Password box, type the password for the synchronization account again.

    7. In the Port box, enter the connection port.

    8. Verify that the Use SSL-secured connection check box is not selected. SSL connections are not supported for these directory services.

    9. In the Username attribute box, type the name of the attribute in the directory service that serves as the unique identifier of each profile.

  8. In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize.

  9. Click OK.
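The two Important notes above on SSL connections come down to one fact: the synchronization server must trust the certificate the domain controller presents on the LDAPS port, and the name you type in the Domain controller name box must match that certificate. The following function is an added example, not part of the original article, that tests exactly that from the synchronization server before you select Use SSL-secured connection. The domain controller name is a placeholder; port 636 is the standard LDAPS port.

```powershell
# Added example: check, from the synchronization server, whether the domain
# controller's LDAPS certificate validates here. Placeholder DC name below.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [int]$Port = 636
    )
    # The callback records the validation result; it returns $true only so
    # the handshake completes and the certificate can be reported. Do not
    # reuse this pattern to accept a bad certificate in production code.
    $script:ldapsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:ldapsPolicyErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        # The name passed here is the one the certificate must match; use the
        # same name in the "Domain controller name" box of the connection.
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            DomainController = $DomainController
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Thumbprint       = $cert.Thumbprint
            PolicyErrors     = $script:ldapsPolicyErrors
            UsableForSync    = ($script:ldapsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $ssl.Close()
        $client.Close()
    }
}

# Example call with a placeholder domain controller name.
Test-LdapsCertificate -DomainController "dc01.corp.contoso.com" | Format-List
```

Read the result before creating the connection. RemoteCertificateChainErrors means the synchronization server does not trust the issuer: import the domain controller's certificate (or its issuing CA certificate) into the Local Computer Trusted Root Certification Authorities store on the synchronization server, as the second Important note requires. RemoteCertificateNameMismatch means the name you tested is not the name on the certificate; enter the domain controller name exactly as it appears on the certificate. Only a result with no policy errors will work with Use SSL-secured connection.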

Define exclusion filters for a synchronization connection

In this procedure, you define filters for the connection to indicate which user profiles and which groups to exclude from synchronization. The information that you enter comes from the Connection Planning worksheet.

To define connection filters

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Applications page, click the User Profile service application name.

  3. On the Manage Profile Service page, in the Synchronization section, select Configure Synchronization Connections.

  4. On the Synchronization Connections page, right-click the connection for which you want to configure Profile Synchronization connection filters, and then click Edit Connection Filters.

  5. On the Edit connection filters page, in the Exclusion Filters for Users section, select the operator to use to join the clauses of the filter.

    • To specify that all of the clauses of the filter must be true, select All apply (AND).

    • To specify that at least one of the clauses of the filter must be true, select Any apply (OR).

  6. In the Attributes list, select the directory service attribute to compare.

  7. In the Operator list, select the comparison operator to use.

    Note

    The operators that are available depend on the data type of the attribute that you selected. For a list of which operators are available for each data type, see Connection filter data types and operators (SharePoint Server 2010).

  8. In the Filter box, type the value to compare the attribute to.

  9. Click Add.

    The clause that you added is displayed in the Exclusion Filter for Users area.

  10. To add additional clauses to the filter, repeat steps 6 through 9.

  11. To filter which groups are synchronized, repeat steps 5 through 9, using the Exclusion Filters for Groups section of the page.

  12. When you have finished adding connection filters, click OK.

Note

By using SharePoint Central Administration, you can only define filters with either all AND clauses or all OR clauses. If you want to define complex filters such as a filter with a mix of both AND and OR clauses, you can edit those filters in FIM Synchronization Service Manager. The FIM Synchronization Service Manager is located at %rootdir%\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.
However, any filter changes made in SharePoint Central Administration will eliminate the complex filter settings by overwriting the settings with either all AND or all OR clauses. Therefore, when you view or change filter settings in SharePoint Central Administration, do not save the settings unless you want the settings to overwrite filter settings in the FIM Synchronization Service Manager.

Map user profile properties

In this procedure, you determine how the properties of SharePoint Server user profiles map to the user information that is retrieved from the directory service. You should have identified how you will map user profile properties on the User profile properties data sheet in the User Profile Properties worksheet.

You will come back to this procedure in later phases to map user profile properties to information that is retrieved from business systems and to map how user profile properties in SharePoint Server can be used to write information back to the directory service. If you have not yet reached these phases, ignore the parts of the procedure that deal with business systems and exporting data.

To map user profile properties

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Applications page, click the User Profile service application name.

  3. On the Manage Profile Service page, in the People section, click Manage User Properties.

  4. On the Manage User Properties page, right-click the SharePoint Server property that you want to map to a directory service property, and then click Edit.

  5. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.

  6. To add a new mapping, do the following:

    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the external system to which you want to map the SharePoint Server property.

    2. In the Attribute list, select the name of the attribute in the external system to which you want to map the property.

      Tip

      You can only map a user profile property to an attribute of an external system if their data types are compatible. If you do not see an attribute listed when you try to create a new mapping, it might be due to a data type mismatch between the user profile property and the attribute. For more information about which data types are compatible, see User profile property data types (SharePoint Server 2010).

    3. In the Direction list, select the mapping direction.

      A direction of Import means that the value of the attribute in the external system will be imported into SharePoint Server and used to set the value of the SharePoint Server property. A direction of Export means that the value of the property in SharePoint Server will be exported to the external system and used to set the value of the attribute in the external system.

      Note

      You cannot edit an existing mapping. To change the direction of a mapping, remove the mapping that has the old direction, and then add a new mapping with the new direction.

    4. Click Add.

  7. Click OK.

  8. Repeat steps 4 through 7 to map additional properties.

Start profile synchronization

Use this procedure to synchronize profile information between SharePoint Server 2010 and external systems such as directory services or business systems.

To start profile synchronization

  1. If you have already imported users or created My Sites, and you have enabled NetBIOS domain names, disable the My Site cleanup timer job before you start profile synchronization, if you have not already done so. The job cleans up the My Sites of profiles that have been deleted, and profiles that are missing from an import are deleted, so running it after an incomplete import can delete the My Sites of users who still exist in the directory. For information about this timer job, see the Timer job reference (SharePoint Server 2010). For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

  5. On the Start Profile Synchronization page, select Start Full Synchronization if this is the first time that you are synchronizing or if you have added or modified any synchronization connections or property mappings since the last time that you synchronized. Select Start Incremental Synchronization to synchronize only information that has changed since the last time that you synchronized.

  6. Click OK.

    The Manage Profile Service page is displayed.

  7. If you intend to enable the My Site cleanup timer job, complete these additional steps before you enable the job:

    1. Run profile synchronization again as described in this section.

    2. After the second profile synchronization completes, on the Central Administration Web site, in the Application Management section, click Manage service applications.

    3. Click the User Profile service application name.

    4. On the Manage Profile Service page, in the People section, click Manage User Profiles.

    5. Next to View, select Profiles Missing from Import.

    6. In the Find Profiles box, type the domain for the profiles, and then click Find.

    7. For each profile that is returned, check the corresponding account in the originating directory service, such as Active Directory. If any returned profile belongs to an account that is still present and enabled in the directory, the profile is missing because of a synchronization problem rather than because the user left: do not enable the My Site cleanup timer job, and contact Microsoft Support for more assistance. Enable the My Site cleanup timer job only when every returned profile corresponds to an account that is disabled or deleted. For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

A full synchronization can take a long time. If you refresh the Manage Profile Service page, you will see the progress of the synchronization job on the right side of the page. Be aware that profile synchronization consists of several stages, and the profiles will not be imported immediately. The Manage Profile Service page is not refreshed automatically as synchronization progresses.
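The check in step 7, scripted. This is an added example and not part of the original article: it queries Active Directory for each account listed in the Profiles Missing from Import view and re-enables the My Site cleanup timer job only if none of them is still an enabled account. It assumes the SharePoint 2010 Management Shell run by a farm administrator, that binding to LDAP://DOMAIN resolves to a domain controller, and that the job is matched by its display name; the account names are a constructed sample.

```powershell
# Added example, not part of the original article: decide whether the My Site
# cleanup timer job can safely be re-enabled by checking each "Profiles Missing
# from Import" account against Active Directory.
# Assumptions: SharePoint 2010 Management Shell, farm administrator; the job is
# matched on its display name; the account list is a constructed sample.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed sample: account names copied from the "Profiles Missing from Import" view.
$missingAccounts = @('CONTOSO\jdoe', 'CONTOSO\svc-retired')

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 reserves in filter values, so that an
    # account name pasted from the UI cannot change the shape of the LDAP query.
    # Backslash must be escaped first so the other escapes are not re-escaped.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-DirectoryAccountState {
    # Returns 'Enabled', 'Disabled' or 'NotFound' for a DOMAIN\sAMAccountName.
    # 'NotFound' stands in for deleted: tombstoned objects are not searched here.
    param([Parameter(Mandatory = $true)][string]$DomainAccount)

    $domain, $sam = $DomainAccount.Split('\', 2)
    if (-not $sam) { throw "Expected DOMAIN\account, got '$DomainAccount'" }

    # Assumption: LDAP://<NetBIOS domain> resolves to a DC; use LDAP://dc01.contoso.com if not.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $sam)
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')

    $result = $searcher.FindOne()
    if ($null -eq $result) { return 'NotFound' }

    $ACCOUNTDISABLE = 0x2                                   # userAccountControl flag
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band $ACCOUNTDISABLE) { 'Disabled' } else { 'Enabled' }
}

$stillActive = @()
foreach ($account in $missingAccounts) {
    $state = Get-DirectoryAccountState -DomainAccount $account
    Write-Host ('{0,-30} {1}' -f $account, $state)
    if ($state -eq 'Enabled') { $stillActive += $account }
}

$cleanupJobs = Get-SPTimerJob | Where-Object { $_.DisplayName -like 'My Site Cleanup*' }
if (-not $cleanupJobs) { throw 'My Site cleanup timer job not found' }

if ($stillActive.Count -gt 0) {
    # A live account that is missing from import points at a synchronization
    # problem, not a departed user. Keep the job disabled so their My Sites survive.
    Write-Warning ('Leaving the My Site cleanup job disabled; still enabled in the directory: ' + ($stillActive -join ', '))
    $cleanupJobs | ForEach-Object { Disable-SPTimerJob -Identity $_ }
} else {
    $cleanupJobs | ForEach-Object { Enable-SPTimerJob -Identity $_ }
}
```

An account that the search does not find is treated the same as a deleted one; if your directory keeps deleted objects recoverable for a retention period and you want to distinguish the two, query the Deleted Objects container separately. Run the script under an account that can read userAccountControl in every domain that the synchronization connections cover.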

Phase 3: Configure connections and import data from business systems

You can import data from a business system, such as a personnel system or a financial system, and use that data to add properties to existing user profiles. You should already have created an external content type that brings the information from the external system into SharePoint Server 2010. For more information about creating an external content type to synchronize with a business system, see Plan for profile synchronization (SharePoint Server 2010).

To watch a video that demonstrates creating external content types and completing the tasks in Phase 3, see Configure a synchronization connection to a SQL Server database in SharePoint Server 2010 (video).

This phase is optional.

You must be a farm administrator, or an administrator of both the User Profile service application and the Business Data Connectivity service application, to perform these procedures. If you are not a farm administrator, start each procedure at the Manage Profile Service page.

This phase involves the following tasks:

  1. Give the User Profile service application permission to use the external content type

  2. Configure a Business Data Connectivity synchronization connection

  3. Add or edit user profile properties

  4. Import data from the business system

Give the User Profile service application permission to use the external content type

Use this procedure to give the farm account permission to execute operations on the external content type. For more information about how to set permissions on an external content type, see Set permissions on an external content type.

Note

Business Connectivity Services evaluates both the permissions on the external content type and the permissions in the business system when it authorizes a request. Granting the farm account Execute on the external content type is therefore not sufficient on its own: you must also ensure that the farm account has permission to access the business system. For more information about authentication and permissions, see Business Connectivity Services security overview (SharePoint Server 2010).

To perform this procedure, you must have one of the following administrative credentials:

  • You must be a farm administrator.

  • You must be an administrator of the Business Data Connectivity service application and have Set Permissions permission on the external content type that you are synchronizing with.

To give the User Profile service application permission to use the external content type

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Application page, select Business Data Connectivity Service.

  3. Select the check box of the external content type that represents the information that you want to synchronize with.

  4. In the Permissions group, click Set Object Permissions.

  5. In the box, type the farm account, and then click Add.

  6. In the Permissions for <account> box, select Execute.

    Note

    If the farm account is the only account listed in the Permissions for <account> box, you must also give the farm account Set Permissions to the external content type. At least one user, group, or claim in the external content type's access control list must have the Set Permissions permission.

  7. Verify that the Propagate permissions to all methods of this external content type check box is selected. (Its full label continues: Doing so will overwrite existing permissions.) Propagating is what lets the farm account execute each method of the external content type; the permissions that you set here replace any that were set on the individual methods.

  8. Click OK.

  9. Repeat steps 3 through 8 to set permissions on additional external content types.
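The same grant from the SharePoint 2010 Management Shell, as an added example that is not part of the original article. It gives the farm account only Execute (the right it needs to read the entity during synchronization), keeps Set Permissions on a separate administrator so the access control list never ends up without one, and then propagates the list to the entity's methods as the check box in step 7 does. The Central Administration URL, external content type name and namespace, and the two account names are placeholders.

```powershell
# Added example, not part of the original article: grant the farm account Execute
# on an external content type and propagate the ACL to all of its methods.
# Assumptions: SharePoint 2010 Management Shell, farm administrator; every value
# in the placeholder block below must be replaced with your own.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders
$centralAdminUrl = 'http://ca.contoso.com:9999'   # Central Administration URL
$ectName         = 'Employee'                     # external content type name
$ectNamespace    = 'http://hr.contoso.com'        # external content type namespace
$farmAccount     = 'CONTOSO\spfarm'               # farm account used by profile synchronization
$bdcAdmin        = 'CONTOSO\spbdcadmin'           # keeps Set Permissions on the ECT

$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
        -Name $ectName -Namespace $ectNamespace -ServiceContext $centralAdminUrl
if ($null -eq $ect) { throw "External content type $ectNamespace/$ectName not found" }

$farmClaim  = New-SPClaimsPrincipal -Identity $farmAccount -IdentityType WindowsSamAccountName
$adminClaim = New-SPClaimsPrincipal -Identity $bdcAdmin    -IdentityType WindowsSamAccountName

# Least privilege: synchronization only reads the entity, so Execute is enough.
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $farmClaim  -Right Execute

# At least one principal must hold Set Permissions, otherwise the ACL cannot be
# managed afterwards. Keep that on an administrator, not on the farm account.
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $adminClaim -Right SetPermissions

# Equivalent of the "Propagate permissions to all methods" check box: copies the
# entity's ACL onto its methods, replacing whatever was set on them individually.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect

# Inspect the resulting ACL on the entity.
$ect.GetAccessControlList()
```

Granting rights on the external content type does not grant anything in the business system itself; the credentials that the external content type uses to reach the database or service still need read access there, as the Note above says.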

Configure a Business Data Connectivity synchronization connection

In this procedure, you create a connection for each external content type. The connection specifies how the business system data relates to the profile properties. The information that you enter comes from the Connection Planning worksheet.

To create a Profile Synchronization connection

  1. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  2. On the Manage Service Applications page, select the User Profile service application.

  3. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronizations Connections page, click Create New Connection.

  5. On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.

  6. From the Type list, select Business Data Connectivity.

  7. In the Business Data Connectivity Entity box, type the name of the external content type.

    Tip

    If you do not know the name of the external content type, click the Select External Content Type button to see all external content types. Select the external content type from the list, and then click OK.

  8. If each user profile maps to only one external content type instance, do the following:

    1. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:1 mapping.

    2. In the Return items identified by this profile property list, select the user profile property that is used to match user profiles to external content type instances. The user profile property and the external content type identifier define the 1:1 relationship between the user profiles and the external content type, and are used to ensure that the imported properties are applied to the correct user profile.

      Tip

      The Return items identified by this profile property list returns all user profile properties that have a similar data type to the external content type identifier.

  9. If a user profile can map to multiple external content type instances, do the following:

    1. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:many mapping.

    2. In the Filter items by list, select the filter that is used to find the set of external content type instances that apply to a user profile.

      Note

      The Filter items by list displays all filters that are defined in the external content type.

    3. In the Use this profile property as the filter value list, select the user profile property that is used to match user profiles to external content type instances.

  10. Click OK.

  11. Repeat steps 4 through 10 to add more connections.

Add or edit user profile properties

Before you can import the business system data, you must specify how the business system data maps to the user profile properties. The User profile properties data sheet in the User profile properties worksheet lists the business system properties that you want to import and how those properties map to the profile properties in the SharePoint Server profile store.

Follow the procedure in the Map user profile properties section to map additional user profile properties. If the data maps to an existing user profile property, edit the property and add a new mapping. If the data does not map to an existing user profile property, add a new custom property and then map the property.

Import data

To import data from the business system, you must perform a full synchronization. Follow the procedure in the Start profile synchronization section to start a full synchronization.

Phase 4: Configure connections and export data to directory services

In previous phases, you configured the profile synchronization connections that you need. To write profile information back to a directory service, you map the profile properties to attributes in the directory service with a mapping direction of Export. The next time that profile synchronization runs, properties will be imported and exported according to the mappings that you configured.

Note

Although you can import profile data from business systems by using Business Connectivity Services, you cannot export profile data to business systems.

This phase is optional.

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

Do not create a new synchronization connection to export properties. To export properties to a directory service, use the same synchronization connection that you created to import properties from the directory service. You cannot use a synchronization connection only to export properties.

Follow the procedure to Map user profile properties again, this time selecting Export for the mapping direction. The properties that you map will be exported from SharePoint Server to the directory service whose connection you select.

Follow the procedure to Start profile synchronization again, this time selecting Start Incremental Synchronization. The values of the SharePoint Server profile properties that you mapped with a direction of Export will be written to the corresponding directory service attributes.

Note

For certain directory services, additional permissions may be required to write data back to the directory service. Review the information in the Plan account permissions section of the "Plan for profile synchronization" article, and ensure that the synchronization account has the necessary permissions.
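The Import mappings from the Map user profile properties procedure and the Export mappings from this phase, added to an existing directory-service connection from the SharePoint 2010 Management Shell. This is an added example and not part of the original article. It assumes a site served by the User Profile service application proxy, an existing Active Directory synchronization connection, and placeholder property and attribute names; the UserProfileConfigManager, ConnectionManager and PropertyMapping members are used as the author understands the SharePoint 2010 object model.

```powershell
# Added example, not part of the original article: add Import and Export property
# mappings to an existing directory-service synchronization connection.
# Assumptions: SharePoint 2010 Management Shell, farm administrator; the site URL,
# connection name, property names and attribute names are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = 'http://mysites.contoso.com'   # placeholder: a site in the UPA proxy's scope
$connectionName = 'Contoso AD'                   # placeholder: existing AD synchronization connection

$ctx  = Get-SPServiceContext -Site $siteUrl
$cm   = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
$conn = $cm.ConnectionManager[$connectionName]
if ($null -eq $conn) { throw "Synchronization connection '$connectionName' not found" }

$userType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User

# Import: profile property <- directory attribute (placeholders).
$importMappings = @{
    'Department'   = 'department'
    'SPS-JobTitle' = 'title'
}

# Export: profile property -> directory attribute. Keep this list short: each
# attribute here is one the synchronization account must be allowed to write in
# the directory, and one that users can change from their profile page.
$exportMappings = @{
    'CellPhone' = 'mobile'
}

foreach ($kv in $importMappings.GetEnumerator()) {
    $conn.PropertyMapping.AddNewMapping($userType, $kv.Key, $kv.Value)
}
foreach ($kv in $exportMappings.GetEnumerator()) {
    $conn.PropertyMapping.AddNewExportMapping($userType, $kv.Key, $kv.Value)
}

# A mapping cannot be edited in place. To change its direction, remove it on the
# Manage User Properties page in Central Administration, then add it again.
# Dump the connection's mappings to confirm the additions.
$conn.PropertyMapping | Format-List *
```

After adding or changing mappings, run a full synchronization as the Start profile synchronization procedure requires; an Export mapping is also the point at which the synchronization account's write permissions on the directory, described in the Plan account permissions section, start to matter.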

Acknowledgements

The SharePoint Server 2010 Content Publishing team thanks Spencer Harbar, Enterprise Architect, for contributing to this article. His blog can be found at http://www.harbar.net.

See Also

Concepts

Manage profile synchronization (SharePoint Server 2010)
Schedule profile synchronization (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)
Configure a profile synchronization connection in SharePoint Server 2010 (video)
Configure a synchronization connection to a SQL Server database in SharePoint Server 2010 (video)