Use a sample MIM solution in SharePoint Server 2016


Applies to: SharePoint Server 2016

Topic Last Modified: 2017-05-30

Summary: How to configure SharePoint Server 2016 profile synchronization with Microsoft Identity Manager (MIM).

This article outlines a solution that installs and synchronizes accounts to SharePoint Server using Microsoft Identity Manager, or MIM. MIM 2016 is the successor to the profile synchronization technology used by previous versions of SharePoint Server, Forefront Identity Manager (FIM). As of SharePoint Server 2016, FIM is no longer included as part of the product. MIM is not the only synchronization option in SharePoint Server 2016: if you would prefer to use the Active Directory Direct Import that is built into SharePoint Server 2016, see the configuration article here. Otherwise, follow the steps in this article to configure a new installation of MIM for User Profile Synchronization.

Important:
The solution files referenced in this article are available for download here. You will need a GitHub account for access. See the section ‘Download the solutions files that you need’ for more details.
Microsoft Identity Manager 2016 is available for download from the Microsoft Volume Licensing Center. (Log in and search on the product name.)
On your MIM server, be sure to install KB3092179.

Download the files used by this solution into a folder on SharePoint Server. Make certain you're logged in as a Farm Administrator and have local administrator rights on this server.

  1. SharePointSync.psm1 - Windows PowerShell module for deploying and starting the synchronization solution.

  2. MA-AD.xml - This is the MIM management agent for Active Directory.

  3. MA-SP.xml - This is the MIM management agent for SharePoint Server.

  4. MV.xml - This XML file contains additional User Profile Synchronization configuration.

To run the Windows PowerShell commands involved in this solution, you'll need to catalog some information from your Active Directory and your SharePoint Server configuration as well. Include this information in any build documentation you keep for the User Profile Synchronization process.

Active Directory

Item Description

ForestDnsName

This is the DNS name of the Active Directory forest to be synchronized.

ForestCredential

This is the username and password of the account that will be used to read objects from Active Directory. This account must have the Replicating Directory Changes permission in the Active Directory forest that is to be synchronized.

OrganizationalUnit

This is the distinguished name of the Active Directory container to be synchronized. You can add more containers after the configuration is loaded. To add more containers, use the Synchronization Service Manager to modify the ‘AD’ management agent.

SharePoint Connection Details

Item Description

SharePointUrl

This is the URL of the SharePoint Server running the User Profile Service application, for example, http://SharePoint01:8080.

SharePointCredential

The username and password of the account used to read and write objects into the SharePoint User Profile.

Once you've downloaded the solution files and cataloged the configuration details you can begin running the Windows PowerShell command for installing the SharePoint Synchronization Configuration.

The configuration is installed by loading SharePointSync.psm1 and calling Install-SharePointSyncConfiguration as shown in the following code.

### Load the SharePoint Sync Module
Import-Module C:\SharePointSync\SharePointSync.psm1 -Force


### Install the SharePoint Sync Configuration
Install-SharePointSyncConfiguration `
  -Path C:\SharePointSync `
  -ForestDnsName litware.ca `
  -ForestCredential (Get-Credential LITWARE\adSyncAccount) `
  -OrganizationalUnit 'ou=Litwarians,dc=Litware,dc=ca' `
  -SharePointUrl http://SharePointServer:5555 `
  -SharePointCredential (Get-Credential LITWARE\spUserProfileAdmin) `
  -Verbose 

Once the synchronization configuration is installed, it's ready to be started. Before you make further changes, you can examine the impact your synchronization will have by running the Start-SharePointSync cmdlet with '-WhatIf'.

### Run the Synchronization Service management agents

Start-SharePointSync -WhatIf -Verbose 

Output of the Start-SharePointSync cmdlet when run with the -Verbose and -WhatIf switches.

To start the SharePoint Server synchronization service on-demand, run the Start-SharePointSync cmdlet.

### Run the Synchronization Service management agents 

Start-SharePointSync -Verbose 

Output of the Start-SharePointSync cmdlet when run with the -Verbose switch to run the Synchronization Service management agents.
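The following script is an added example, not part of the downloadable solution files: it wraps the install and the -WhatIf dry run described above with the prerequisite checks the article lists (solution files present, KB3092179 installed, elevated session, credentials gathered interactively). The folder path, forest name, OU, URL and account names are placeholders carried over from the sample values and must be replaced with your own.

```powershell
# Added example (not from the solution files): pre-flight checks, install, dry run.
# All values below are placeholders taken from the article's sample; replace them
# with the values recorded in your build documentation.
#Requires -RunAsAdministrator

$SyncPath      = 'C:\SharePointSync'                 # folder holding the downloaded solution files
$ForestDnsName = 'litware.ca'
$OrgUnit       = 'ou=Litwarians,dc=Litware,dc=ca'
$SharePointUrl = 'http://SharePointServer:5555'

# 1. All four solution files must be present before the configuration is installed.
$required = 'SharePointSync.psm1', 'MA-AD.xml', 'MA-SP.xml', 'MV.xml'
$missing  = $required | Where-Object { -not (Test-Path (Join-Path $SyncPath $_)) }
if ($missing) {
    throw "Missing solution file(s) in ${SyncPath}: $($missing -join ', ')"
}

# 2. KB3092179 must be installed on the MIM server (Get-HotFix returns nothing if it is absent).
if (-not (Get-HotFix -Id 'KB3092179' -ErrorAction SilentlyContinue)) {
    throw 'KB3092179 is not installed on this MIM server.'
}

# 3. Prompt for both service accounts so no password is ever stored in the script.
$forestCred = Get-Credential -UserName 'LITWARE\adSyncAccount' `
    -Message 'AD account with Replicating Directory Changes'
$spCred     = Get-Credential -UserName 'LITWARE\spUserProfileAdmin' `
    -Message 'SharePoint User Profile administration account'

# 4. Load the module and install the synchronization configuration.
Import-Module (Join-Path $SyncPath 'SharePointSync.psm1') -Force
Install-SharePointSyncConfiguration -Path $SyncPath -ForestDnsName $ForestDnsName `
    -ForestCredential $forestCred -OrganizationalUnit $OrgUnit `
    -SharePointUrl $SharePointUrl -SharePointCredential $spCred -Verbose

# 5. Dry run: -WhatIf reports what the management agents would do without exporting
#    anything to SharePoint. The verbose stream (4) is merged so it lands in the log too.
Start-SharePointSync -WhatIf -Verbose 4>&1 |
    Tee-Object -FilePath (Join-Path $SyncPath 'whatif.log')
```

Review whatif.log before running Start-SharePointSync for real; the first full synchronization against a large OU can write many profiles at once.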

Now that you've loaded the initial configuration, you can add more domains for synchronization. Follow these steps in the Synchronization Service Manager.

1. Add another domain or domains

  1. Open the Synchronization Service Manager.

  2. In the Management Agents tab, select the ADMA management agent > Properties > Actions.

  3. In the Properties dialog box > Configure Directory Partitions.

  4. In the list of directory partitions, select any domain you want to synchronize (and remember that credentials for these domains may be required).

  5. Click OK to save the management agent properties.

Each run profile for the ADMA management agent must be updated for every domain that was added. To update your run profiles, do the following:

2. Update your run profile

  1. In the Management Agents tab > select ADMA Management agent > select Configure Run Profiles.

  2. Select FullImport run profile > New Step.

  3. Choose a step type of Full Import (Stage Only) > Next.

  4. Choose the partition that matches the domain you just added and click Finish. The run profile should now have two steps.

  5. Select the FullSync run profile next > New Step.

  6. Choose a step type of Full Synchronization > Next.

  7. Choose the partition that matches the domain you just added > Finish. The Run profile will now have two steps.

  8. Click DeltaImport in the run profiles next > New Step.

  9. Choose a step of type Delta Import (Stage Only) > Next.

  10. Choose the partition that matches the domain that was just added > Finish. The run profile should now have two steps.

  11. Select the DeltaSync run profile > New Step.

  12. Choose a step of type Delta Synchronization > Next.

  13. Choose the partition that matches the domain that was just added > Finish. The run profile should now have two steps.

  14. Click Apply to save all the run profile changes > OK.
