Tuesday, September 25, 2012

A Practical Guide to Configuring the SharePoint 2010 User Profile Service

The User Profile Service is an integral part of any SharePoint deployment. However, setting it up and configuring it isn’t as straightforward as most other SharePoint services. Several of SharePoint’s features depend on it: My Sites, the social computing features such as newsfeeds and social tagging, and user profiles themselves all rely on the User Profile Service. This is intended to be a practical guide to configuring the service in a typical Active Directory based deployment. I will be discussing the main nuts and bolts that make the service work, so that this guide can also serve as a troubleshooting reference if you run into trouble with any of the features that rely on it.

Components of the User Profile Service

The User Profile Service and User Profile Synchronization Service interact with the Windows services “Forefront Identity Manager Service” and “Forefront Identity Manager Synchronization Service” to synchronize profile information with external systems.
In Central Administration, the User Profile Service and User Profile Synchronization Service can be started and stopped. But SharePoint doesn’t automatically provision and configure all of the components the service needs when you click Start. Instead, you first have to create a User Profile Service Application.
Before you get into configuring the User Profile Service Application, it is highly recommended, and best practice, to configure the “Managed Metadata Service” first. Although it is not technically a requirement, I can bet that you will run into issues down the line if you skip this. The User Profile Service can run independently, but some social computing features need Managed Metadata (some fields in a user’s profile, such as “Country”, are backed by it).
Creating the User Profile Service Application lets you define the databases and the application pool the service uses. Three databases are created: one to store user and organization profile data (Profile Database), one for the configuration and staging data used when synchronizing user profiles from external sources such as Active Directory (Synchronization Database), and one for the social tags and notes created by users (Social Tagging Database).
The application pool used by the service runs under a service account. As a best practice, this account should be a normal domain user account. However, there are special permissions that need to be granted to this account for the service to work properly.

Special Permissions for the User Profile Service Account

The most common reason the User Profile Service or User Profile Synchronization Service fails is incorrect permissions on the assigned service account. To grant the service account the correct permissions, follow the steps below:
1. Open the ADSI Edit utility on the domain controller (Run > “adsiedit.msc”).
2. Right-click the top level of your domain (e.g. DC=company,DC=com) and choose Properties.
3. Under the Security tab, add the User Profile Service account.
4. Tick “Replicating Directory Changes” and “Replicating Directory Changes All”, and clear all the other ticks that were added automatically.
5. Click “Apply” and then “OK”.
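Once the ticks are set it is worth confirming the result, and worth knowing who else holds these two rights: they allow a principal to read every attribute of every object in the domain, including secrets, so the list of holders should be very short. The audit script below is an added example and is not code from the original post. It reads the ACL of the domain root, lists every principal with either replication right, flags broad groups that should never hold them, and checks that the service account holds exactly the two rights and nothing else explicitly. $UpsAccount is a placeholder for your own service account; it assumes a domain-joined machine and an account allowed to read the domain ACL.

```powershell
# Added audit script (not from the original post); see the lead-in above.
# $UpsAccount is a placeholder for the User Profile Service account.
param([string]$UpsAccount = "CONTOSO\svc-ups")

# Schema GUIDs of the two extended rights (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All), i.e. "Replicating Directory Changes" / "... All".
$ReplChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$ReplChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Builds a table keyed by principal: which replication rights it holds (explicit or
# inherited) and any other explicit rights granted to it on the domain root.
function Get-ReplicationRightHolders {
    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    $rules    = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $holders  = @{}
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $id = $rule.IdentityReference.Value
        try { $id = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        if (-not $holders.ContainsKey($id)) {
            $holders[$id] = New-Object PSObject -Property @{ Identity = $id; Changes = $false; ChangesAll = $false; OtherExplicit = @() }
        }
        $h = $holders[$id]
        $rights = $rule.ActiveDirectoryRights
        $hasExt = (($rights -band $ExtendedRight) -ne 0)
        # GenericAll, or ExtendedRight with an empty ObjectType ("all extended rights"), covers both.
        $coversAll = (($rights -band $GenericAll) -eq $GenericAll) -or ($hasExt -and $rule.ObjectType -eq [Guid]::Empty)
        if ($coversAll) { $h.Changes = $true; $h.ChangesAll = $true }
        elseif ($hasExt -and $rule.ObjectType -eq $ReplChanges)    { $h.Changes = $true }
        elseif ($hasExt -and $rule.ObjectType -eq $ReplChangesAll) { $h.ChangesAll = $true }
        elseif (-not $rule.IsInherited) { $h.OtherExplicit += $rights.ToString() }
    }
    return $holders
}

$holders = Get-ReplicationRightHolders
$broad   = @("Everyone", "NT AUTHORITY\Authenticated Users", "NT AUTHORITY\INTERACTIVE")

"Principals able to replicate directory changes on this domain:"
foreach ($h in ($holders.Values | Where-Object { $_.Changes -or $_.ChangesAll })) {
    $flag = ""
    if (($broad -contains $h.Identity) -or ($h.Identity -like "*\Domain Users")) { $flag = "  <-- too broad, investigate" }
    "{0,-45} Changes={1,-5} ChangesAll={2,-5}{3}" -f $h.Identity, $h.Changes, $h.ChangesAll, $flag
}

# The UPS account should have both rights and no other explicit ACEs (step 4 above).
$ups = $holders[$UpsAccount]
if (-not $ups)                                     { "$UpsAccount has no Allow entries on the domain root" }
elseif (-not ($ups.Changes -and $ups.ChangesAll))  { "$UpsAccount is missing one of the two replication rights" }
elseif ($ups.OtherExplicit.Count -gt 0)            { "$UpsAccount also holds extra explicit rights: " + ($ups.OtherExplicit -join "; ") }
else                                               { "$UpsAccount holds exactly the two replication rights" }
```

Run it after step 5 and again whenever the domain ACL is touched; the expected holders are the domain controllers’ groups, Administrators and the service account, and anything else in the list deserves a look.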

Step-by-Step Guide to Provision the User Profile Service

1. In the Central Administration page, click “Application Management” on the left side.
2. Then click “Manage service applications” under “Service Applications”.

3. Click the drop-down under “New” on the SharePoint ribbon and choose “User Profile Service Application”.

4. A pop-up screen will appear where you define the service account, database names and application pool. You can choose an existing application pool in the wizard; however, as a best practice, the User Profile Service Application should have its own application pool.

Example settings: (screenshot not reproduced)

Note: As a best practice, any setting in SharePoint 2010 that requires specifying the SQL database server should reference it by a DNS alias. The alias insulates SharePoint from later changes to the database server.
5. Once the User Profile Service Application is created, navigate to the Services on Server page and start the “User Profile Service”.
6. After the User Profile Service starts, click Start for the “User Profile Synchronization Service”. (This can take up to 10 minutes. Keep in mind that this is normal; while it works, the status shows “Starting”.)
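The same provisioning can be scripted from the SharePoint 2010 Management Shell, which is handy when you rebuild the service application (the recommended fix for a stuck “Starting” state later in this post). The script below is an added example, not code from the original post: it creates a dedicated application pool under the managed service account, creates the service application with its Profile, Social and Synchronization databases on a SQL alias, starts the User Profile Service instance on the local server, and polls until the instance reports Online while showing the state of the two Forefront Identity Manager Windows services next to it. The account name, alias, pool and database names are placeholders.

```powershell
# Added example (not from the original post); names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upsAccountName = "CONTOSO\svc-ups"                 # already registered under Managed Accounts
$sqlAlias       = "SPSQL"                           # DNS/SQL alias for the database server, not its host name
$upaName        = "User Profile Service Application"
$poolName       = "SharePoint - UPS App Pool"

# Polls a service instance on this server until it is Online or the timeout passes. The two
# FIM Windows services are printed alongside, which is the first thing to check when the
# synchronization service sits on "Starting".
function Wait-SPServiceInstanceOnline {
    param([string]$TypeName, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $inst = Get-SPServiceInstance -Server $env:COMPUTERNAME | Where-Object { $_.TypeName -eq $TypeName }
        $fim  = Get-Service -Name FIMService, FIMSynchronizationService -ErrorAction SilentlyContinue |
                ForEach-Object { "{0}={1}" -f $_.Name, $_.Status }
        Write-Host ("{0}: {1}  [{2}]" -f $TypeName, $inst.Status, ($fim -join ", "))
        if ($inst.Status -eq "Online") { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. A dedicated application pool running as the managed service account.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $managed = Get-SPManagedAccount -Identity $upsAccountName
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managed
}

# 2. The service application with its three databases, all addressed through the alias.
$upa = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $pool `
    -ProfileDBServer $sqlAlias     -ProfileDBName     "UPS_Profile" `
    -SocialDBServer $sqlAlias      -SocialDBName      "UPS_Social" `
    -ProfileSyncDBServer $sqlAlias -ProfileSyncDBName "UPS_Sync"
New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# 3. Start the User Profile Service instance on this server and wait for it.
$ups = Get-SPServiceInstance -Server $env:COMPUTERNAME | Where-Object { $_.TypeName -eq "User Profile Service" }
if ($ups.Status -ne "Online") { Start-SPServiceInstance -Identity $ups | Out-Null }
if (-not (Wait-SPServiceInstanceOnline -TypeName "User Profile Service")) {
    throw "User Profile Service did not reach Online within the timeout"
}

# 4. The Synchronization service is started from Central Administration as in step 6 above
#    (it prompts for the farm account password). The same poll can watch it come up:
# Wait-SPServiceInstanceOnline -TypeName "User Profile Synchronization Service" -TimeoutMinutes 15
```

Step 4 is deliberately left to Central Administration; the point of the poll is that you see the SharePoint instance status and the FIM service states together, so a synchronization service that never leaves “Starting” while FIMSynchronizationService stays stopped is visible at once.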
Now that we have the User Profile Service and User Profile Synchronization Service set up and ready to go, we have to start importing the user data. SharePoint supports importing user profile information from a number of different sources. In this article we will only discuss the most typically used source of profile information, Active Directory.

Configuring a Synchronization Connection

1. In the “Manage Service Applications” page, click on the “User Profile Service Application” and click “Manage”.
2. In the “Manage Profile Service” page, click “Configure Synchronization Connections” under “Synchronization”.
3. In this page, we will configure the connection from SharePoint to Active Directory by defining the “Forest name” and the user account credentials used to authenticate to the domain. We will use the user profile service account to which we granted the “Replicating Directory Changes” permissions.
Take note that this “Configure Synchronization Connections” page makes you explicitly specify the username and password used for the synchronization connection and saves these credentials separately from the credentials saved under “Managed Accounts”. It doesn’t give you the option to use a registered Managed Account instead. This means that if automatic password reset has been set up for this account, the credentials saved on this page will not be updated. Hence it is advisable to add the user account used for this synchronization connection under Managed Accounts, but keep the automatic password reset turned off. This in turn may force you to make adjustments to the user account if there is a domain-wide password policy. In most cases, simply enable “Password never expires” for the account in Active Directory.
4. Once the Forest name and user credentials have been specified, click “Populate Containers”. This shows a tree of the Active Directory structure where you can select the OUs in which SharePoint should look for user accounts and groups.
5. Click OK.
6. Next, we will configure the Timer Job that runs the synchronization of the Active Directory accounts on a schedule. Back in the “Manage Profile Service” page, click on “Configure Synchronization Timer Job”.
7. Once the schedule has been set, click OK.
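Steps 3 to 7 can also be done from the Management Shell. The script below is an added example and not code from the original post. It registers the synchronization account under Managed Accounts without turning on automatic password change (for the reason given in step 3), creates the Active Directory synchronization connection limited to the chosen OUs, and sets the incremental synchronization timer job to a nightly schedule. It assumes a farm at a cumulative update level that provides the Add-SPProfileSyncConnection cmdlet (it is not in the RTM build); the forest, domain, account, OUs and the timer job name pattern are assumptions for illustration.

```powershell
# Added example (not from the original post); forest, domain, account and OUs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName  = "User Profile Service Application"
$forest   = "contoso.com"
$domainNb = "CONTOSO"                                   # NetBIOS name of the account's domain
$syncUser = "svc-ups"                                   # the account granted Replicating Directory Changes
$syncOUs  = @("OU=Staff,DC=contoso,DC=com", "OU=Groups,DC=contoso,DC=com")

# Prompt for the password instead of embedding it in the script.
$cred = Get-Credential "$domainNb\$syncUser"

# 1. Register the account as a managed account. New-SPManagedAccount leaves automatic
#    password change off, which is what we want here: the sync connection keeps its own
#    copy of the password and would not learn about a rotation.
if (-not (Get-SPManagedAccount -Identity $cred.UserName -ErrorAction SilentlyContinue)) {
    New-SPManagedAccount -Credential $cred | Out-Null
}

# 2. Synchronization connection to the forest. Calling the cmdlet once per OU adds each OU
#    to the same connection (assumption based on the cmdlet's documented behaviour).
$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq $upaName }
if (-not $upa) { throw "Service application '$upaName' not found" }
foreach ($ou in $syncOUs) {
    Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
        -ConnectionForestName $forest -ConnectionDomain $domainNb `
        -ConnectionUserName $syncUser -ConnectionPassword $cred.Password `
        -ConnectionSynchronizationOU $ou
}

# 3. Schedule the incremental synchronization job (hourly by default) and run it once now.
#    The name pattern is an assumption; confirm it with Get-SPTimerJob on your farm.
$job = Get-SPTimerJob | Where-Object { $_.Name -like "*User Profile Incremental Synchronization*" } | Select-Object -First 1
if (-not $job) { throw "Incremental synchronization timer job not found" }
Set-SPTimerJob -Identity $job -Schedule "daily at 01:00:00"
Start-SPTimerJob -Identity $job
```

If the farm has more than one User Profile Service Application, filter the timer job list further (for example by the application name in the job name) rather than taking the first match.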

Common Issues

Incorrect Permissions

So you didn’t get through all of the steps unscathed? Well, it happens. As per Microsoft, the most common cause of errors with the UPS is insufficient permissions. We touched on the permissions needed for the service account; here’s a little more insight on security permissions.
The account used by default to run the Windows services “Forefront Identity Manager Service” and “Forefront Identity Manager Synchronization Service” is the Farm Account. It is possible to change that, but it’s not supported by Microsoft.
The farm account has to have the “Log on Locally” permission. That permission is included when you make the Farm Account a local administrator. However, if there is a need to remove the farm account’s local administrator rights, make sure it still retains the “Log on Locally” permission. Do keep in mind though that during provisioning or re-provisioning of the UPS, the farm account has to be a member of the local Administrators group.
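The following check script is an added example, not code from the original post. Run on a SharePoint server from an elevated prompt, it reports which account the two Forefront Identity Manager services log on as, whether the farm account is currently a member of the local Administrators group, and whether it holds the “Log on locally” user right (SeInteractiveLogonRight in the local security policy) either directly or through the Administrators group. That is exactly the state you want to confirm after taking local administrator rights away from the farm account. $FarmAccount is a placeholder.

```powershell
# Added check (not from the original post); $FarmAccount is a placeholder.
param([string]$FarmAccount = "CONTOSO\svc-spfarm")

# Members of the local Administrators group as DOMAIN\name strings.
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        ($path -replace "^WinNT://", "") -replace "/", "\"    # WinNT://DOMAIN/name -> DOMAIN\name
    }
}

# Principals granted SeInteractiveLogonRight, read from a secedit export of the local
# policy. Entries in the file appear either as *SID or as account names.
function Get-InteractiveLogonGrantees {
    $cfg = Join-Path $env:TEMP "user-rights-export.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^SeInteractiveLogonRight\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split "=", 2)[1].Split(",") | ForEach-Object { $_.Trim().TrimStart("*") }
}

# Summarises how (or whether) the account can log on locally on this server.
function Test-FarmAccountLogon {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $isLocalAdmin = @(Get-LocalAdminMembers) -contains $Account
    $grantees     = @(Get-InteractiveLogonGrantees)
    $direct       = ($grantees -contains $sid) -or ($grantees -contains $Account)
    $viaAdmins    = $isLocalAdmin -and ($grantees -contains "S-1-5-32-544")   # BUILTIN\Administrators
    New-Object PSObject -Property @{
        Account         = $Account
        LocalAdmin      = $isLocalAdmin
        LogOnLocally    = ($direct -or $viaAdmins)
        LogOnLocallyVia = $(if ($direct) { "direct grant" } elseif ($viaAdmins) { "Administrators group" } else { "none" })
    }
}

# The two FIM services and the accounts they log on as; both should show the farm account.
Get-WmiObject Win32_Service -Filter "Name='FIMService' OR Name='FIMSynchronizationService'" |
    Select-Object Name, StartName, State | Format-Table -AutoSize

Test-FarmAccountLogon -Account $FarmAccount | Format-List
```

A result of LocalAdmin=False with LogOnLocally=True and LogOnLocallyVia=direct grant is the hardened state this section describes; LogOnLocally=False means the FIM services will fail to start under the farm account.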



UPS Gets Stuck on “Starting”

Another common issue is that the UPS gets stuck on “Starting”. Various things can cause this, because every time you click “Start” to start the service, SharePoint runs a series of tasks to get it going. The best way to approach this is to recreate the User Profile Service Application. Yes, you can eventually drill down on the issue and get it running. However, with so many things working together, there’s a high chance you’ll run into more problems in the future if everything doesn’t go smoothly during the initial provisioning.

Not so Common Issues

“I did everything right! But why?” is what you might be saying if you’re still having issues with the UPS. The first thing I’d check is the patch level. Microsoft has made a number of changes and fixes to the UPS through the regular cumulative updates. There were also some huge improvements to the performance of the service, which were implemented in the December 2011 CU.
