Wednesday, March 31, 2010

Setting Up the SharePoint 2010 User Profile Service Application to Synch AD Users –Part II

Now that we have our connection to AD configured and the user profile service application is up and running, we’re ready to do our first import of users from AD.
1. In order to perform the synchronization, you’ll need to verify you have the following permissions:

• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site

• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).

• The account that you use to synchronize profile information with Active Directory Domain Services (AD DS) must have Replicate Directory Changes permissions on the AD DS domains from which you want to import data. If the NETBIOS name is different from the domain name, the account that is used must also have Replicate Directory Changes permissions on the cn=configuration container. For more information about how to configure Replicate Directory Changes in AD DS, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account (http://go.microsoft.com/fwlink/?LinkId=47854). Create All Child Objects permission is needed to export properties, such as profile pictures, from SharePoint Server to AD DS.

2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

3. On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.

4. In the Operations group of the ribbon, click Manage.

5. On the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

6. On the Start Profile Synchronization page, select Start Incremental Synchronization to sync only user and group profile data that has changed, or select Start Full Synchronization to synchronize all user profile data.


The Start Full Synchronization option is time and resource intensive. We do not recommend it unless absolutely required to reset data that is stored in user profiles or to do an initial synchronization of user profiles.

When using AD DS, you must run full synchronization any time a new profile property mapping is created.

7. Click OK.

After the Profile Synchronization job is finished, you can search for a known profile or for accounts that begin with a known domain name from the Manage User Profiles page.

Because the import uses MIIS/FIM you can also open the miisclient.exe application from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe to verify that the sync was successful:
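Added example, not from the original post: once the synchronization job has finished, the same check the Manage User Profiles page gives you (does a known account now have a profile?) can be scripted against the profile store through the SharePoint object model. The site URL and the account names are assumptions; the users are the ones in the OU that was selected for the connection.

```powershell
# Added example: confirm that known AD users arrived in the profile store after
# a profile synchronization run. Run in the SharePoint 2010 Management Shell
# (or any PowerShell session on the farm) as a User Profile Service administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$siteUrl  = "http://sp2010"                             # assumption: a site in the web app tied to the UPA
$accounts = @("DOMAIN\testuser1", "DOMAIN\testuser2")   # assumption: users that live in the synced OU

$site = Get-SPSite $siteUrl
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# A full sync of an OU with only a handful of test users should show a small count here;
# a count of 0 or 1 usually means the job never ran or the connection imported nothing.
Write-Host "Profiles in the store: $($upm.Count)"

foreach ($acct in $accounts) {
    if ($upm.UserExists($acct)) {
        $profile = $upm.GetUserProfile($acct)
        Write-Host ("OK      {0} -> {1}" -f $acct, $profile["PreferredName"].Value)
    } else {
        Write-Warning ("MISSING {0}: check the container selection on the connection and the sync account's Replicate Directory Changes permission" -f $acct)
    }
}

$site.Dispose()
```

If the count looks right but individual accounts are missing, the miisclient.exe run history mentioned above shows the per-object import errors.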

Tuesday, March 30, 2010

Setting Up the SharePoint 2010 User Profile Service Application to Synch AD Users - Part I

As part of our demo environment, I’ve been working on our configuration for the user profile service application to import users from our AD so we can start using My Sites, Profile Pages, Social Tagging, etc. Here are the steps I followed from Microsoft plus some of my own comments:


The Environment & Requirements


• SharePoint 2010 Enterprise Beta server acting as Web and App.


• SQL 2008 SP1 CU2 (separate from SP2010 server)


• AD (domain functional level 2003)


• The account you use to connect to AD must have at least Replicate Directory Changes permissions on the AD DS domain(s) from which you wish to import data; SharePoint Server 2010 also needs that permission on the cn=configuration container. For more information about how to configure Replicate Directory Changes in AD DS, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account (http://go.microsoft.com/fwlink/?LinkId=47854). Create All Child Objects permission is needed to export properties, such as profile pictures, from SharePoint Server to AD DS.

For my lab environment, I'm ignoring profile pictures....for now.

• The farm is running either the Standard or Enterprise version of SharePoint Server 2010 and you have run the farm configuration wizard. Profile Synchronization does not work on a stand-alone installation for SharePoint Server 2010 Beta.


• An instance of the User Profile Service application exists and is started. For more information, see Create, edit, or delete a User Profile service application (SharePoint Server 2010).


• If you are using Microsoft SQL Server 2008, Microsoft SQL Server 2008 with Service Pack 1 (SP1) with Cumulative Update 2 (CU2) (http://go.microsoft.com/fwlink/?LinkId=165962) is required.


• The WCF hotfix (KB976462) for Windows Server 2008 R2 is installed.


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.


• The Farm Administrator account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.


• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• The Service Administrator account can log on locally to the server where Profile Synchronization will be deployed.


• If you are using a Windows Server 2003 AD DS forest, the Service Administrator account must be a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing. For more information about adding accounts to the Pre-Windows 2000 Compatible Access group, see Some applications and APIs require access to authorization information on account objects (http://go.microsoft.com/fwlink/?LinkId=179420).
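Added example, not from the original post: the Replicate Directory Changes requirement comes up in every permission list on this page, and it is worth checking both that the sync account has it and that nobody unexpected does, because the right allows a principal to read directory data through the replication interface. The script below uses only System.DirectoryServices, so it works against a 2003 functional level domain without the AD module; the account name is an assumption. It checks the domain naming context and cn=Configuration, the two places the requirements above name.

```powershell
# Added example: audit who holds "Replicating Directory Changes" on the domain
# and configuration naming contexts. Only direct ACEs are listed; a right granted
# through group membership shows up under the group's name, not the member's.
$rights = @{
    "Replicating Directory Changes"     = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes
    "Replicating Directory Changes All" = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
}

function Get-ReplicationRightHolders {
    param([string]$DistinguishedName)
    $acl = ([ADSI]"LDAP://$DistinguishedName").ObjectSecurity
    foreach ($name in $rights.Keys) {
        $guid = $rights[$name]
        foreach ($ace in $acl.Access) {
            # Extended rights are matched by the ObjectType GUID on the ACE
            if ($ace.AccessControlType -eq "Allow" -and $ace.ObjectType -eq $guid) {
                New-Object PSObject -Property @{
                    Container = $DistinguishedName
                    Right     = $name
                    Identity  = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext

$syncAccount = "DOMAIN\spsync"   # assumption: the account entered on the synchronization connection

$holders = @(Get-ReplicationRightHolders $domainNc) + @(Get-ReplicationRightHolders $configNc)
$holders | Sort-Object Container, Right, Identity | Format-Table Container, Right, Identity, Inherited -AutoSize

# Domain controllers and the built-in admin groups are expected here; anything else
# should be a known service account, and the sync account must appear on both NCs.
foreach ($nc in @($domainNc, $configNc)) {
    $match = $holders | Where-Object {
        $_.Container -eq $nc -and $_.Right -eq "Replicating Directory Changes" -and $_.Identity -eq $syncAccount
    }
    if ($match) { Write-Host "OK: $syncAccount has Replicating Directory Changes on $nc" }
    else        { Write-Warning "$syncAccount does not hold Replicating Directory Changes directly on $nc" }
}
```

Run it from a domain-joined machine as a user who can read the naming context security descriptors (any authenticated user can, by default).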


Start the Required Services


1. Start the User Profile Synchronization service through Central Administration


• Confirm that the user account performing this procedure is a member of the Farm Administrators SharePoint group.


• On the SharePoint Central Administration Web site, click System Settings, and then on the System Settings page, in the Servers section, click Manage services on server.


• To change the server on which you want to start or stop the service, on the Server menu, click Change Server, and then click the server name that you want.


• By default, only configurable services are displayed. To view all services, on the View menu, click All.


• To start the service, click Start in the Action column of the relevant service.


• Click OK to start or stop the service. Be sure to enter the account info for the SharePoint farm admin account.

Wait about 10 minutes and verify that both Forefront Identity Manager services start up properly in services.msc. Once they start, do an IISRESET.




Create a Profile Synchronization Connection


1. Verify that you have the following administrative credentials:


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site


• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• If you are synchronizing profile information by using AD DS, the account that is used to connect to AD DS must have Replicate Directory Changes permissions in AD DS. This account must be the same as the farm administrator account or the User Profile Service administrator account and is required to do either full or incremental synchronization with AD DS. Create All Child Objects permission is needed to export properties, such as profile pictures, from SharePoint Server to AD DS.


2. Before proceeding, make sure that you have determined which directory service containers that you want synchronized with SharePoint Server. I have several test users already setup in an OU.


3. On the Central Administration Web site, in the Application Management section, click Manage service applications.


4. On the Manage Service Applications page, click the Name of the User Profile Service Application that you want to manage.


5. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.


6. On the Synchronizations Connections page, click Create New Connection.


7. On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.


8. From the Type list, select the kind of directory service to which you want to connect. AD in this case.


9. If the selected type is Business Data Connectivity, enter a name for the connection in the Name box. Select a Business Data Connectivity application from the Business Data Connectivity Entity box. Select whether the entity has a 1:1 mapping or a 1:many mapping, enter the appropriate profile property, and then click OK. Otherwise, continue with the following steps. - I'm ignoring this functionality for this post.

10. In the Connection Settings section, type the name of the directory service forest to which you want to connect (domain.com), the account credentials for the directory service (domain\admin), and the port that you want to use when you connect to the directory service (use the default). Select Auto discover domain controller to automatically locate the domain controller for this forest or type the name of the domain controller in the Domain controller name box. - I don't recommend using the autodiscover. There have been other users who've reported problems, but I'll leave it up to you.


11. In the Connection Settings section, select the Use SSL-secured connection: check box, if needed, to use a Secure Socket Layer connection when you connect to the directory service.


12. In the Containers section, click Populate Containers and then select the containers from the directory service that you want to synchronize. Click Select All if you want to synchronize all containers. For example, if you only want to synchronize user information, you can select only those containers that have user profile information.



13. Click OK.


To configure Profile Synchronization settings




1. Verify that you have the following administrative credentials:


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site


• You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on Microsoft SQL Server 2005 or Microsoft SQL Server 2008.


• If you are synchronizing profile information with AD DS, the account that is used must have Replicate Directory Changes permissions. This account must be the same as the farm administrator account or the User Profile Service administrator account and is required to do either full or incremental synchronization with AD DS. Create All Child Objects permission is needed to export properties, such as profile pictures, from SharePoint Server to AD DS.


2. On the Central Administration Web site, in the Application Management section, click Manage service applications.


3. On the Manage Service Applications page, click the Name of the User Profile Service Application that you want to manage.


4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.


5. On the Configure Synchronization Settings page, in the Synchronization Entities section, select Users and Groups to synchronize both user information and group information or select Users to synchronize only user information.


You should first do a full synchronization of users only. Once this is complete, run an incremental synchronization of both users and groups.


6. On the Configure Synchronization Settings page, in the Synchronize BDC Connections section, click to clear the Include existing BDC connections for synchronization? check box if you want to exclude data import from the Business Data Connectivity service. - No BDC for now.


7. On the Configure Synchronization Settings page, in the External Identity Manager section, select Use SharePoint Profile Synchronization to use the Profile Synchronization engine in SharePoint Server 2010 or select Enable External Identity Manager to use an external synchronization application such as Microsoft Identity Lifecycle Manager 2007.


Enabling an external identity manager disables all Profile Synchronization options and the status display in SharePoint Server 2010.





8. Click OK.


In Part II of this blog I'll go through the steps to do the initial synchronization and show you how to use the MIIS client to verify it's working properly.

Monday, March 29, 2010

SharePoint 2010 Architecture Drawing

I've recently been working on an architecture drawing for our SharePoint 2010 environment and I thought I'd post it here. The drawing covers all aspects of our environment from development to our internal environment (intranet) to our external facing public website. Take a look and feel free to post your comments.


Friday, March 26, 2010

Automate SharePoint 2010 Farm Backups with Powershell

***Update (01/07/2013): We recently noticed that installing KB2506143 (Windows Management Framework 3.0) breaks the ability for SharePoint Powershell to run the backup. Uninstall it and the script should start working again.***

We've had a lot of requests for more details on how to set up automated SharePoint backups with PowerShell, so we've gone ahead and created a detailed ebook which outlines the steps and permissions you need to get your backups up and running. In addition to screen shots, there are also copies of the scripts we use as well as an email notification section that will let you know if your backups failed. Simply click on the Buy Now button below and you can pay with your Paypal account or credit card. At only $9.99 USD, it's thousands cheaper than a 3rd party solution and will let you sleep a little sounder at night. If you're not satisfied, we'll gladly refund your money! For the basic steps minus some of the more advanced functionality, see below.


I recently built several server farms for our developers to work on. In order to make sure I could restore the farms to their original condition, I set up the following automated backup process. Below is a brief outline of the steps.

1. Create a folder on a local drive of the SharePoint 2010 server called backups (E:\backups). Share that folder as "backups" and give the account you used to install SharePoint as well as the farm and SQL database accounts full access (share permissions and NTFS).

2. Create a folder in E:\backups called Scripts. Inside that folder, create the following 4 files:

backupsharepointfarm.ps1 – This script will backup your entire farm to the share you created. This script will contain the following:

Add-PsSnapin Microsoft.SharePoint.Powershell
Backup-SPFarm -Directory \\ServerName\Backups -BackupMethod full

cleanbackups.ps1 – This script will check the spbrtoc.xml file and delete backups older than 7 days so you don’t run out of disk space. You can change the $days value. This script will contain the following:

# Location of spbrtoc.xml (the backup/restore history that Backup-SPFarm maintains in the backup share)
$spbrtoc = "E:\Backups\spbrtoc.xml"

# Days of backups that will remain after the cleanup.
$days = 7

# Import the SharePoint backup report XML file
[xml]$sp = Get-Content $spbrtoc

# Find the old backups in spbrtoc.xml. SPStartTime is stored as text, so cast it to
# [datetime] before comparing; comparing it as a string gives the wrong answer.
$cutoff = (Get-Date).AddDays(-$days)
$old = @($sp.SPBackupRestoreHistory.SPHistoryObject |
    Where-Object { [datetime]$_.SPStartTime -lt $cutoff })

if ($old.Count -eq 0) {
    Write-Host "No reports of backups older than $days days found in spbrtoc.xml.`nspbrtoc.xml isn't changed and no files are removed.`n"
    exit
}

# Delete the old backup entries from the SharePoint backup report XML file
$old | ForEach-Object { [void]$sp.SPBackupRestoreHistory.RemoveChild($_) }

# Delete the physical folders in which the old backups were located
$old | ForEach-Object {
    if (Test-Path $_.SPBackupDirectory) { Remove-Item $_.SPBackupDirectory -Recurse }
}

# Save the new SharePoint backup report XML file
$sp.Save($spbrtoc)
Write-Host "Backup entries older than $days days are removed from spbrtoc.xml and hard disk."

Backup.bat – This is a simple batch file to run the above backupsharepointfarm.ps1 script. Create a scheduled task to run it every night. The file contains the following:

powershell -command E:\Backups\Scripts\BackupSharePointFarm.ps1

Clean.bat – This batch file will run the script to clean out older backup files (cleanbackups.ps1). The file contains the following:

powershell -command E:\Backups\Scripts\cleanbackups.ps1

3. Create a scheduled task that will run both of the .bat files you created and set them to run at night when no one’s around. You have to make sure the scheduled tasks are set to run with the SharePoint farm account. After a full week you’ll have a directory with 7 days worth of backups similar to the following:







Note: In order to run PowerShell commands on your server, you need to open powershell and execute the following command: Set-ExecutionPolicy Unrestricted

There are several factors involved in running a successful scripted backup which are covered by Todd Klindt in the following Microsoft SharePoint forum thread: http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/f755e7c1-bd0a-4c00-9be6-bbca83cf666b/.

1. Your Central Admin app pool account must have read/write access to the location of the backups.

2. Your SQL Service account must have read/write access to the location of the backups.

3. If you're running a farm backup from STSADM or Windows PowerShell, the account you're running it as must have read/write access to the location of the backups.

4. The location must be accessible from the SharePoint machine the backup is running on.

5. The location must be accessible from the SQL instance that SharePoint is trying to back up.

6. This is why all the examples are UNCs (\\server\share) and not local paths (C:\backups).

That’s about it. Give it a try and let me know if you have any problems. The file and share permissions are critical!
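Added example, not from the original post: the cleanup script above already reads spbrtoc.xml, and the same file tells you whether the last Backup-SPFarm run actually succeeded, which is the basis for any failure notification. The script picks the most recent backup entry and exits non-zero when it has errors or never finished, so a scheduled task shows the failure instead of silently reporting success. The element names are the ones Backup-SPFarm writes to spbrtoc.xml; the sample XML is constructed for this example and stands in for E:\Backups\spbrtoc.xml.

```powershell
# Added example: report the status of the most recent farm backup from spbrtoc.xml.
function Get-LastBackupStatus {
    param([xml]$History)
    # Restores are recorded in the same file, so keep only backup entries
    $entries = @($History.SPBackupRestoreHistory.SPHistoryObject | Where-Object { $_.SPIsBackup -eq "True" })
    if ($entries.Count -eq 0) { return $null }
    $last = $entries | Sort-Object { [datetime]$_.SPStartTime } | Select-Object -Last 1
    New-Object PSObject -Property @{
        Started   = [datetime]$last.SPStartTime
        # SPFinishTime is empty when the job died before completing
        Finished  = $(if ($last.SPFinishTime) { [datetime]$last.SPFinishTime } else { $null })
        Directory = $last.SPBackupDirectory
        Errors    = [int]$last.SPErrorCount
        Warnings  = [int]$last.SPWarningCount
    }
}

function Test-LastBackup {
    param([xml]$History)
    $status = Get-LastBackupStatus $History
    if ($status -eq $null) { Write-Warning "No backup entries found in spbrtoc.xml"; return $false }
    $ok  = ($status.Errors -eq 0) -and ($status.Finished -ne $null)
    $msg = "Last backup {0}: started {1}, errors={2}, warnings={3}, dir={4}" -f `
           $(if ($ok) { "OK" } else { "FAILED" }), $status.Started, $status.Errors, $status.Warnings, $status.Directory
    if ($ok) { Write-Host $msg } else { Write-Warning $msg }
    return $ok
}

# Constructed sample: one clean backup followed by one that reported errors and never finished.
$sample = [xml]@"
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPStartTime>03/25/2010 23:00:01</SPStartTime>
    <SPFinishTime>03/25/2010 23:19:44</SPFinishTime>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupDirectory>\\ServerName\Backups\spbr0000\</SPBackupDirectory>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>0</SPErrorCount>
  </SPHistoryObject>
  <SPHistoryObject>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPStartTime>03/26/2010 23:00:01</SPStartTime>
    <SPFinishTime></SPFinishTime>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupDirectory>\\ServerName\Backups\spbr0001\</SPBackupDirectory>
    <SPWarningCount>1</SPWarningCount>
    <SPErrorCount>2</SPErrorCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>
"@

# With the constructed sample the latest entry failed, so $healthy is $false.
$healthy = Test-LastBackup $sample
# In the scheduled task use the real file instead:
# $healthy = Test-LastBackup ([xml](Get-Content "E:\Backups\spbrtoc.xml"))
if (-not $healthy) { exit 1 }   # run as a script: a non-zero exit code marks the task as failed
```

Running the check right after Backup.bat in the same scheduled task (or as a second action) is enough for Task Scheduler's "last run result" to show a failed backup; the email step from the ebook hangs off the same result.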


Thursday, March 25, 2010

HASP HL Causes Blue Screen in Windows 2008


We're running CADWorx on a Windows 2008 server, and after running for several weeks with no issues it started to blue screen (BSOD) on startup.

When we looked at the blue screen info, it indicated the cause of the crash was the aksfridge.sys driver used by the software licensing tool CADWorx uses (Aladdin's HASP HL).
As a workaround, I booted in safe mode and disabled both HASP services. On reboot, the server came up no problem and I was then able to start the HASP services. As a permanent fix we changed the following registry key:

In HKLM\System\CurrentControlSet\Services\aksfridge\ change the value of “Start” from 2 to 4 (a Start value of 4 means the driver is disabled and will not be loaded at boot).

Note: If your protected app uses software protection, this fix might break the app. If your protected app uses hardware protection (a dongle), you should be good to go.

Wednesday, March 24, 2010

Welcome to Imperfect IT!

This blog is dedicated to documenting the every day problems I encounter working in the IT industry. My main areas of expertise are in SharePoint, Exchange, Office Communications Server and Active Directory to name a few. As I come across issues in my day to day work, I'll try to capture them in this blog in order to spare you some of the pain I went through to solve them.