Export (0) Print
Expand All

Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013

SharePoint 2013
 

Applies to: SharePoint Server 2013

Topic Last Modified: 2015-02-11

Summary: Learn how to import user profiles from Active Directory to SharePoint Server 2013 by using the Active Directory import tool for SharePoint Server 2013.

You can use the SharePoint Active Directory import option (AD import) as an alternative to using SharePoint profile synchronization to import user profile data from Active Directory Domain Services (AD DS) in your domain. This option to configure profile synchronization (also known as profile sync) involves three steps:

  • Selecting the option

  • Creating or editing a connection

  • Mapping user profile properties

Once you have imported user profiles, if you have pictures in your organization that you want to synchronize, you also need to run the Update-SPProfilePhotoStore cmdlet.

The Active Directory import tool works only with Active Directory Domain Services (AD DS) and does not work with other directory services.

NoteNote:
This article assumes that you have already provisioned the User Profile service, have created the User Profile service application, and that you have gathered the required information about your environment. For more information, see Synchronize user and group profiles in SharePoint Server 2013.

In this article:

Before you begin the tasks in this article, review the following information about prerequisites:

  • You must be a member of the Farm Administrators group.

  • You must know the credentials of the domain controller that has synchronization permissions.

    For more information about required permissions, see the “Plan account permissions” section of Plan profile synchronization for SharePoint Server 2013.

Consider the following situations and note what the AD import option does not support when you determine whether to use this option:

  • Import operations that use this option are significantly faster than the same operations that use SharePoint profile synchronization.

  • The AD import option does not perform bidirectional synchronization. That means changes made to SharePoint user profiles will not be synchronized back to the domain controller.

  • Referential integrity among users and groups is only maintained within a single Active Directory forest.

  • The AD import option lets you configure and use only a single, farm-wide property mapping.

  • The AD import option does not automatically synchronize photos from Active Directory to SharePoint Server 2013. You first need to do profile synchronization to import photos and then you need to run the Update-SPProfilePhotoStore cmdlet each time a change is made to a photo in Active Directory after it is imported.

  • The AD import option does not support generic (non-AD) LDAP sources.

  • The AD import option does not support Source Schema Discovery.

  • The AD import option does not support multi-Forest scenarios such as:

    • If you have a trust between two forests, the trusted forest objects will not be imported.

    • If you need to import users from multiple domain, you must create multiple synchronization connections. If you have multiple domains to manage, using Profile Synchronization or FIM may be a better option.

  • The AD import option does not support Contact objects (also known as cross-object pointers).

  • The AD import option does not support custom object classes besides User and Group.

  • The AD import option does not filter user interface to create complex Boolean expressions.

  • The AD import option does not provide object filtering based on object property values (you must use simple LDAP filters).

  • The AD import option does not provide Logon and Resource Forest support. That is, custom joins of data from multiple sources.

  • The AD import option does not support Business Connectivity Services Import.

  • The AD import option does not support property mappings for complex types like pictures and special AD types.

  • The AD import option does not support exporting data from SharePoint to Directory Sources.

  • The AD import option does not support Upgrading/Translating FIM based connections or synchronizing configuration to AD import (or in reverse order).

  • The AD import option does not ensure single-master of each object property (currently, the last writer wins).

  • The AD import option does not perform per-tenant property mapping.

NoteNote:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

You perform three procedures in Central Administration to configure AD import.

In the first procedure, you select the SharePoint Active Directory Import (AD Import) option to import user profile data from AD DS. This AD import option improves the performance of the import process and is simpler to use, although it is not as flexible as the SharePoint profile synchronization method.

In the second procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. The information that you enter comes from the Connection Planning worksheet.

In the third procedure, you determine how the properties of user profiles in SharePoint Server 2013 map to the user information that is retrieved from Active Directory Domain Services. You should have identified how you will map user profile properties on the User profile properties data sheet in the User Profile Properties worksheet.

To import profiles, you must have at least one synchronization connection to AD DS. You may have connections to multiple AD DS servers. During this phase, you create a synchronization connection to each AD DS server from which you want to import profiles. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Although synchronizing after each connection takes longer, doing this makes it easier to troubleshoot any problems that you might encounter.

To select SharePoint Active Directory import
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the name of the User Profile service application.

  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.

  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

To create a connection to a directory service for import
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the name of the User Profile service application.

  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  5. On the Synchronizations Connections page, click Create New Connection.

  6. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.

  7. From the Type list, select Active Directory Import.

  8. Fill in the Connection Settings section by completing the following steps:

    1. In the Fully Qualified Domain Name box, type the fully-qualified domain name of the domain.

    2. In the Authentication Provider Type box, select the type of authentication provider.

    3. If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

      TipTip:
      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers idisplays.
    4. In the Account name box, type the name of the account you want the AD import tool to use to perform the synchronization in the form <DOMAIN>\<UserName>. The synchronization account must have Replicate Directory permissions or higher on the root OU of Active Directory.

    5. In the Password box, type the password for the account you want the AD import tool to use to perform the synchronization.

    6. In the Confirm password box, type the password again.

    7. In the Port box, type the connection port you want the AD import tool to use to connect to AD DS when it performs the synchronization.

    8. If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

      ImportantImportant:
      If you use an SSL connection, you must export the certificate of the domain controller from the AD DS server and import the certificate into the synchronization server.
    9. If you want to filter the objects that you import from the directory service, in the Filter in LDAP syntax for Active Directory Import box, type a standard LDAP query expression to define the filter.

  9. In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize. All organizational units (OUs) that you select will be synchronized with their child OUs. There is currently no utility that allows you to select a parent OU while excluding any of its child OUs from synchronization.

  10. Click OK.

    The newly created connection is listed on the Synchronization Connections page.

    TipTip:
    On the Synchronization Connections page, you can right-click the name of a synchronization connection, and then click Edit or Delete to edit or delete the connection.
To map user profile properties
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the User Profile service application name.

  4. On the Manage Profile Service page, in the People section, click Manage User Properties.

  5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.

  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.

  7. To add a new mapping, do the following:

    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.

    2. In the Attribute box, type the name of the directory service attribute to which you want to map the property.

    3. Click Add.

      NoteNote:
      You cannot add multiple mappings or edit a mapping. To change mapping settings for a property, you must first remove the existing mapping, and then create a new mapping.
  8. Click OK.

  9. Repeat steps 5 through 8 to map additional properties.

To start profile synchronization
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click name of the User Profile service application.

  4. On the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

  5. On the Start Profile Synchronization page, select Start Full Synchronization if this is the first time that you are synchronizing or if you have added or modified any synchronization connections since the last time that you synchronized. Select Start Incremental Synchronization to synchronize only information that has changed since the last time that you synchronized.

  6. Click OK.

    The Manage Profile Service page is displayed, showing the profile synchronization status in the right pane.

NoteNote:
If you need to import photos you must use profile synchronization. For more information, see Synchronize user and group profiles in SharePoint Server 2013.

Once you have imported user profiles from AD DS, you need to update the user profile photo store. You do this by running the Update-SPProfilePhotoStore Windows PowerShell cmdlet. For instructions, see Update-SPProfilePhotoStore.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft