Plan for profile synchronization (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

This article provides guidance to help you plan how to implement profile synchronization in Microsoft SharePoint Server 2010. Profile synchronization (also known as "profile sync") allows you to create user profiles by importing information from other systems that are used in your organization. Before you read this article you should understand the concepts introduced in the article Profile synchronization overview (SharePoint Server 2010).

This article will explain:

  • How to get the information that you will need to configure profile synchronization.

  • Who you will need to work with to gather the necessary information.

  • The external content types that will have to be created, if any.

As you go through this article, you can fill out Worksheets to record your decisions. When you have finished this article and completed the worksheets, you will have the information that you need to configure profile synchronization by using Central Administration. You can either give the completed worksheets to the profile synchronization administrator, or you can use them to do the configuration yourself. If you will need external content types to represent information from external business systems, you will have specified the requirements for these external content types. You can give the specifications to the developer who will create the external content types.

This article will not describe how to implement your plan. That information is covered in the article Configure profile synchronization (SharePoint Server 2010).

Before you work through the planning tasks in this article, you should already:

  • Know which users you want to have profiles in SharePoint Server.

  • Know what properties a user profile will have, and have filled out the User Profile Properties Planning worksheet as explained in the article Plan user profiles (SharePoint Server 2010).

  • Understand general concepts about directory services.

In this article:

  • About planning for profile synchronization

  • Plan synchronization connections

  • Identify property mappings

  • Synchronizing groups

  • Plan for the synchronization server

  • Plan the synchronization schedule

  • Plan account permissions

  • Next steps

  • Worksheets

About planning for profile synchronization

As the first step towards planning for profile synchronization, you will identify synchronization connections, and gather information that you will need when you create the connection. If you will need any external content types, you will document the requirements for those external content types, provide the requirements to a developer, and receive the details that you will use to specify a synchronization connection to the business system.

Next, you will figure out how to map user profile properties to information in the external systems so that they can be synchronized.

Finally, you will answer more straightforward questions such as whether you will synchronize groups, which server you will use to run the synchronization service, and how often you will synchronize profile information.

Plan synchronization connections

Each property in a user's profile can come from an external system. There are two types of external systems: directory services and business systems. Throughout this article, the phrase business system is used to mean an external system that is not a directory service. SAP, Siebel, SQL Server, and custom applications are all examples of business systems.

Note

For a list of supported directory services, see the Supported directory services section in the "Profile synchronization overview" article.

In SharePoint Server, a synchronization connection is a means to get user profile information from an external system. To import profiles from one of the supported directory services, you create a synchronization connection to the directory service. To import additional profile properties from a business system, you create an external content type to bring the data from the business system into SharePoint Server, and then create a synchronization connection to the external content type. The following sections explain how to gather the information that you will need about each synchronization connection.

Note

To import profiles from an unsupported directory service, you can import a Lightweight Directory Interchange Format (LDIF) file. To create user profiles in any other manner, you must write a custom program. See Configure profile synchronization using a Lightweight Directory Interchange Format (LDIF) file (SharePoint Server 2010) for more information about how to import an LDIF file.

Connections to directory services

Each user that you want to have a profile in SharePoint Server must have an identity in a directory service. (If users are not represented in a directory service, you cannot synchronize user profiles.) Identify which directory services contain information about these users. Unless you are able to access the directory service yourself, you should also identify an administrator of the directory service. You will need this person's help to gather some of the information that will be needed to create synchronization connections.

The Connection Planning worksheet (https://go.microsoft.com/fwlink/p/?LinkId=202832) contains templates for the information that you need to gather for each type of connection. Each template is in a separate tab that is labeled with the name of the directory service provider it applies to. Create a new tab for each directory service that you identified. Copy the template for the type of directory service into the new tab. Then fill in the information on each new tab according to the following table.

Row name in worksheet Applies to connection type Instructions

Synchronization connection name

All

Choose a name that will help you remember which directory service this is a connection to.

Connection type

All

The type of directory service that this is a connection to.

This information is already filled in on each tab.

Forest

AD DS

The name of the directory service forest.

Domain controller

AD DS

The name of the preferred domain controller. You only need to identify the domain controller if there are multiple domain controllers in the forest and you want to synchronize with a specific domain controller.

Authentication provider type

All

The type of authentication SharePoint Server should use to connect to the directory service. This is one of the following:

  • Windows authentication

  • Forms-based authentication

  • Claims-based authentication

The systems architect should be able to provide this information.

Authentication provider

All

If forms-based authentication or claims-based authentication will be used, fill in the name of the trusted provider. The systems architect should be able to provide this information. An authentication provider is not needed for Windows authentication.

Synchronization account

All

The account, including the domain, that will be used to connect to the directory service. It is likely that the directory service administrator will create a new account to be used for synchronization.

Note

The permissions that the synchronization account must have are described in the Plan account permissions section of this topic.

Synchronization account password

All

The password for the synchronization account.

securitySecurity Note
You will need to know the password for the synchronization account, but we recommend that you do not record the password in the worksheet.

Connection port

All

The port that will be used to connect to the directory service.

Use SSL?

AD DS

Whether to use an SSL-secured connection to connect to the directory service. SSL is only supported for connections to AD DS.

Directory service server

Tivoli, Sun, eDirectory

The name of the directory service server.

Username attribute

Tivoli, Sun, eDirectory

The name of the attribute in the directory service that serves as the unique identifier for each profile. In most cases, the default username attribute of "uid" is correct.

Containers

All

The names of the directory service containers, also known as organizational units (OU), that contain the profiles to synchronize.

Filter for users

All

See the detailed instructions in the section About exclusion filters.

Filter for groups

All

See the section Synchronizing groups.

About exclusion filters

SharePoint Server will synchronize all of the profiles from the containers that you identify unless you choose to exclude profiles by using a filter. For example, you might create a filter to exclude users whose accounts are disabled.

A filter consists of a set of clauses and the connector to use to join the clauses. Each clause has three parts:

There are two ways to join the clauses of an exclusion filter:

  • All apply (AND): An account matches the filter if all of the clauses apply.

  • Any apply (OR): An account matches the filter if any clause applies.

You cannot mix ANDs and ORs within a filter.

For example, assume that temporary employees in your organization are given Active Directory accounts that begin with "T-". You want to synchronize profiles for all permanent (non-temporary) users whose accounts are not disabled. You could create a filter that uses the clauses in the following table.

Attribute Operator Value

sAMAccountName

starts with

T-

userAccountControl

bit on equals

2

The filter would join the clauses by using Any apply (OR).

Note

In AD DS, userAccountControl is a bitmask that represents several useful aspects about the status of the user account. For a list of some of the more frequently-used filters that you can create by using the userAccountControl attribute, see https://go.microsoft.com/fwlink/p/?LinkId=217163.

You cannot create a filter that is based on membership in a directory service group, such as a distribution list. For alternatives to importing users based on group membership, see https://go.microsoft.com/fwlink/p/?LinkId=220892.

Connections to business systems

To import properties from a business system, you will need an external content type that brings the property value from the external system into SharePoint Server 2010. This article does not cover how to create an external content type. That task is usually done by a developer. This article describes what data you must gather and give to the developer, and tell you what to do with the information that you receive. For developer information, see How to: Create External Content Types.

You can use the External Content Type Planning worksheet (https://go.microsoft.com/fwlink/p/?LinkId=202832) to specify the external content types to be created. Go through the User Profile Properties Planning worksheet that you completed when you read the article Plan user profiles (SharePoint Server 2010). In the External Content Type Planning worksheet, create one row for each user profile property that comes from a business system. Fill in the first three columns of each row according to the instructions in the following table.

Column in worksheet Instructions

Business system

A name of your choosing that identifies the business system that contains the property.

Item

The data in the business system that corresponds to the property. Be as specific as possible. For example, if the business system is a database, provide the name of the table and column, if known.

Possible identifiers

A list of the user profile properties that could uniquely identify a user.

After you have filled in the first three columns of each row, give the worksheet to the external content type developer. The developer should perform the following tasks, and then return the worksheet:

  • Create external content types to provide the external system data that is described in the worksheet.

  • Choose an appropriate identifier for each external content type.

  • If user profiles will have a one-to-one relationship with items of the external content type, create a specific finder method. An external content type that contains a user's birthdate is an example of a one-to-one relationship. Each user profile will match one item of the external content type.

  • If user profiles will have a one-to-many relationship with items of the external content type, create a finder method and a comparison filter. An external content type that contains the license plate of a vehicle the user owns is an example of a one-to-many relationship. A user might own multiple vehicles, so each user profile might match more than one item of the external content type.

  • Update the worksheet to describe the external content types that were created.

The Connection Planning worksheet (https://go.microsoft.com/fwlink/p/?LinkId=202832) contains a tab for a connection to a business system. When you receive the information back from the external content type developer, group together all user profile properties that share the same external content type. Create a new tab in the Connection Planning worksheet for each external content type, and copy the information from the Business systems tab to each new tab. Fill in the information on each tab that you created according to the instructions in the following table.

Row in worksheet Instructions

Synchronization connection name

Choose a name that will help you remember which business system this is a connection to.

Connection type

"Business data connectivity"

This information is already filled in.

Business data connectivity entity

The name of the external content type.

One-to-one or one-to-many mapping

The number of items of the external content type that might match a given user profile. Enter "one-to-one" or "one-to-many" as appropriate.

Profile property to match against

The name of the user profile property that corresponds to the external content type's identifier.

Comparison filter

The name of the comparison filter.

A filter is only required for one-to-many mappings.

Identify property mappings

To indicate that a user profile property comes from an external system, you map the property to a specific attribute of the external system. Certain user profile properties are mapped by default. For a list of the default mappings for each type of directory service, see Default user profile property mappings (SharePoint Server 2010). You can only map a profile property to an attribute whose data type is compatible with the data type of the property. For example, you cannot map the SPS-HireDate user profile property to the homePhone Active Directory attribute because SPS-HireDate is a date and homePhone is a Unicode string. For a list of which user profile property data types are compatible with which AD DS data types, see User profile property data types (SharePoint Server 2010).

When you synchronize profile information, in addition to importing profile properties from external systems, you can also write data back to a directory service. You cannot write data back to a business system. To indicate that SharePoint Server should export a user profile property, you map the property, and set the direction of the mapping to Export. Each property can only be mapped in one direction. You cannot both import and export the same user profile property. The data that is exported overwrites any values that might already be present in the directory service. This is true for multivalued properties as well—the exported value is not appended to the existing values, it overwrites them.

Examine the User Profile Properties Planning worksheet that you completed as you read the Plan user profiles (SharePoint Server 2010) topic. For each row (property) whose value will be imported from an external system, fill in the final three columns according to the instructions in the following table.

Row in worksheet Instructions

Direction

"Import", indicating that the property will be imported into SharePoint Server.

Synchronization connection

The name of the synchronization connection through which this property will be provided.

Attribute

The name of the external system element that will provide the value of the user profile property.

If the synchronization connection is to a directory service, this is the name of the directory service attribute.

If the synchronization connection is to a business system, this is the name of the column in the external content type.

Note

You cannot use a connection to a business system to map a binary property to a property that implements the Stream accessor method.

For each row (property) whose value will be exported to a directory service, fill in the final three columns according to the instructions in the following table.

Row in worksheet Instructions

Direction

"Export", indicating that the property will be exported from SharePoint Server to a directory service.

Synchronization connection

The name of the synchronization connection through which this property will be exported. This can only be a connection to a directory service.

Attribute

The name of the directory service attribute whose value should be updated with the value of the user profile property.

Synchronizing groups

By default, SharePoint Server synchronizes groups, such as distribution lists, when it synchronizes user profiles. You can turn off this functionality from the Configure Synchronization Settings page of Central Administration. Synchronizing groups is only supported for AD DS.

If you synchronize groups in addition to users, SharePoint Server imports information about the groups as well as about which users are members of the groups. Synchronizing a group does not create a profile for the group, and does not cause any additional user profiles to be created. In SharePoint Server, groups are only used to create audiences and to display which memberships a visitor has in common with the person whose My Site the person is visiting.

If you decide to synchronize groups, SharePoint Server will import information about all of the groups that exist in the directory service containers that you are synchronizing unless you choose to exclude groups by using a filter. The filter for excluding groups is different than the filter for excluding users, although both follow the same format.

Return to the Connection Planning worksheet and fill in the Filter for groups cell.

Plan for the synchronization server

In addition to determining the synchronization connections and identifying the property mappings, you also have to plan for the more straightforward aspects of synchronizing profiles. The first of these is identifying the synchronization server.

You can only run one instance of the User Profile Synchronization service on a farm. The computer on which the User Profile Synchronization service runs is called the synchronization server. You specify the synchronization server when you create the User Profile service application. SharePoint Server provisions a version of Microsoft Forefront Identity Manager (FIM) on this computer to participate in synchronization.

When SharePoint Server synchronizes profiles, it makes heavy use of the network to communicate between the synchronization server and the domain controllers. Choosing a synchronization server that is physically close to the domain controllers will reduce the time it takes to synchronize.

Plan the synchronization schedule

The first time that you synchronize profile information between SharePoint Server and external systems, you must run a full synchronization. After that, you should configure the User Profile Incremental Synchronization timer job to perform an incremental synchronization on a recurring schedule. You can configure the timer job to run every few minutes, hourly, daily, weekly, or monthly. With the hourly, daily, weekly, and monthly options, you specify when you want the timer job to start.

The more often the synchronization timer job runs, the fewer changes there will be to synchronize, and therefore the quicker the job will finish. The default frequency is daily. We recommend that you schedule synchronization to start at a time when the network is lightly utilized.

For instructions about how to configure the User Profile Incremental Synchronization timer job, see Schedule profile synchronization (SharePoint Server 2010).

Plan account permissions

In the Connection Planning worksheet, you provided the name of a synchronization account for each directory service. These synchronization accounts must be granted specific permissions so that the synchronization service can obtain the information it needs from the directory service. The following sections identify which permissions are needed for each type of directory service. Work with the administrator of the directory service to grant the accounts the appropriate permissions.

Active Directory Domain Services (AD DS)

The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

  • It must have Replicate Directory Changes permission on the domain that you will synchronize with. For more information, see the Grant Replicate Directory Changes permission on a domain section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.

    Note

    The Replicate Directory Changes permission allows an account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory.

  • If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. For more information, see the Add an account to the Pre-Windows 2000 Compatible Access group section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.

  • If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container. For more information, see the Grant Replicate Directory Changes permission on the cn=configuration container section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.

  • If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. For more information, see the Grant Create Child Objects and Write permission section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.

Novell eDirectory version 8.7.3

The synchronization account for a connection to Novell eDirectory must have the following permissions:

  • Entry Rights: Browse rights for the specified tree.

  • All Attributes Rights: Read, Write, and Compare rights for the specified tree.

Sun Java System Directory Server version 5.2

The synchronization account for a connection to a Sun Java System Directory Server must have the following permissions:

  • Read, Write, Compare, and Search permissions to the RootDSE.

  • To perform incremental synchronization, the synchronization account must also have Read, Compare, and Search permissions to the change log (cn=changelog). If the change log does not exist, you must create it before synchronizing.

IBM Tivoli version 5.2

The synchronization account for a connection to IBM Tivoli must have the following permission:

  • The synchronization account must be a member of an administrative group.

The farm account

The User Profile Synchronization service runs under the farm account. The farm account requires specific permissions in order to configure profile synchronization. A person with administrator rights on the synchronization server can grant these permissions.

  • The account must be a member of the Administrators group on the synchronization server. You can remove this permission after you have configured the User Profile Synchronization service.

  • The account must be able to log on locally to the synchronization server.

    Note

    The farm account is not the same as the farm administrator account. To determine the farm account, from Central Administration, click Configure service accounts, and then click Farm account.

If you will synchronize user profiles with a business system by using an external content type, the farm account must also have permission to execute operations on the external content type. A farm administrator can use the procedure "Set permissions on an external content type" to give the farm account Execute permission on each external content type that you will synchronize with.

Next steps

To implement your profile synchronization plan, follow the instructions in the article Configure profile synchronization (SharePoint Server 2010). After you have configured profile synchronization and synchronized profile information for the first time, implement your synchronization schedule by following the procedure described in the article Schedule profile synchronization (SharePoint Server 2010).

Worksheets

Download the connection planning worksheet, the external content type planning worksheet, and the user profile planning worksheet from the following source: https://go.microsoft.com/fwlink/p/?LinkId=202832.

See Also

Concepts

Plan for social computing and collaboration (SharePoint Server 2010)
Profile synchronization overview (SharePoint Server 2010)
Plan user profiles (SharePoint Server 2010)
Configure profile synchronization (SharePoint Server 2010)
User Profile Service administration (SharePoint Server 2010)
User Profile service application overview (SharePoint Server 2010)
Grant Active Directory Domain Services permissions for profile synchronization (SharePoint Server 2010)

Other Resources

Resource Center: Enterprise Collaboration in SharePoint Server 2010
Resource Center: Social Computing in SharePoint Server 2010