Tuesday, March 30, 2010

Setting Up the SharePoint 2010 User Profile Service Application to Synch AD Users - Part I

As part of our demo environment, I've been working on the configuration of the User Profile Service Application to import users from our AD so we can start using My Sites, profile pages, social tagging, etc. Here are the steps I followed from Microsoft, plus some of my own comments:


The Environment & Requirements


• SharePoint 2010 Enterprise Beta server acting as both the Web front end and the application server.


• SQL 2008 SP1 CU2 (separate from SP2010 server)


• AD (domain functional level 2003)


• The account you use to connect to AD must have at least the Replicating Directory Changes permission on each AD DS domain from which you want to import data, and also on the cn=Configuration container. For more information about how to configure Replicating Directory Changes in AD DS, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account (http://go.microsoft.com/fwlink/?LinkId=47854). Grant exactly that right, not the separate Replicating Directory Changes All right: the "All" variant lets the holder replicate secret attributes (password hashes) from a domain controller, and profile import does not need it. The Create All Child Objects permission is needed only to export properties, such as profile pictures, from SharePoint Server to AD DS, so do not grant it if you are only importing.

For my lab environment, I'm ignoring profile pictures... for now.

• The farm is running either the Standard or Enterprise version of SharePoint Server 2010 and you have run the farm configuration wizard. Profile Synchronization does not work on a stand-alone installation for SharePoint Server 2010 Beta.


• An instance of the User Profile Service application exists and is started. For more information, see Create, edit, or delete a User Profile service application (SharePoint Server 2010).


• If you are using Microsoft SQL Server 2008, Microsoft SQL Server 2008 with Service Pack 1 (SP1) with Cumulative Update 2 (CU2) (http://go.microsoft.com/fwlink/?LinkId=165962) is required.


• The WCF hotfix (KB976462) for Windows Server 2008 R2 is installed.


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.


• The Farm Administrator account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed. This is only needed while the service is being started; once it is running you can remove the farm account from the local Administrators group again (add it back before you re-provision the service).


• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• The Service Administrator account can log on locally to the server where Profile Synchronization will be deployed.


• If you are using a Windows Server 2003 AD DS forest, the Service Administrator account must be a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing. For more information about adding accounts to the Pre-Windows 2000 Compatible Access group, see Some applications and APIs require access to authorization information on account objects (http://go.microsoft.com/fwlink/?LinkId=179420).
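The two directory-side prerequisites above (Replicating Directory Changes on the domain and configuration containers, Pre-Windows 2000 Compatible Access for a 2003 forest) are easy to get slightly wrong, and the usual mistake is granting too much. Here is an added example, not part of the original post or Microsoft's documentation, that grants exactly the required right with dsacls (the tool the linked KB article uses) and then verifies through the ActiveDirectory module that the account holds it and does not also hold Replicating Directory Changes All. The domain contoso.com, the account CONTOSO\svc_upsync and the extended-right GUIDs are assumptions for the example; the GUIDs are the well-known values for the two rights.

```powershell
# Added example, not from the original post: grant the profile synchronization
# account exactly the directory rights the prerequisites list, then verify that
# nothing broader was granted. contoso.com and CONTOSO\svc_upsync are placeholders.
# Run from an elevated PowerShell on a domain controller or a machine with the
# RSAT AD tools (ActiveDirectory module) installed.
Import-Module ActiveDirectory

$domainDN = "DC=contoso,DC=com"
$configDN = "CN=Configuration,$domainDN"
$syncAcct = "CONTOSO\svc_upsync"

# Extended-right GUIDs as they appear in an ACE's ObjectType.
$replChanges    = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # Replicating Directory Changes
$replChangesAll = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # Replicating Directory Changes All

# Grant "Replicating Directory Changes" (CA = control access right) on the domain
# naming context and on the configuration container, as the prerequisites require.
# Deliberately NOT "Replicating Directory Changes All": that right lets the holder
# replicate secrets (password hashes) off the DC, and profile import never needs it.
dsacls $domainDN /G "${syncAcct}:CA;Replicating Directory Changes"
dsacls $configDN /G "${syncAcct}:CA;Replicating Directory Changes"

# Only for a Windows Server 2003 forest (see the last prerequisite above).
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members "svc_upsync"

# Verify: $true only if the account has the plain right on every container and
# the "All" right on none. Reads the ACLs through the AD: drive that the
# ActiveDirectory module provides.
function Test-SyncAccountRights {
    param([string]$Account, [string[]]$Containers)
    $ok = $true
    foreach ($dn in $Containers) {
        $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
            $_.IdentityReference.Value -ieq $Account -and
            $_.AccessControlType -eq "Allow" -and
            $_.ActiveDirectoryRights -match "ExtendedRight"
        }
        $guids = $aces | ForEach-Object { $_.ObjectType.ToString() }
        if ($guids -notcontains $replChanges) {
            Write-Warning "$Account lacks Replicating Directory Changes on $dn"
            $ok = $false
        }
        if ($guids -contains $replChangesAll) {
            Write-Warning "$Account holds Replicating Directory Changes All on $dn (can replicate password hashes); remove it"
            $ok = $false
        }
    }
    return $ok
}

Test-SyncAccountRights -Account $syncAcct -Containers $domainDN, $configDN
```

The braces in `${syncAcct}:CA` matter: without them PowerShell reads `$syncAcct:CA` as a scope-qualified variable and passes an empty trustee to dsacls. The verification only looks at ACEs granted directly to the account; if you grant the right to a group instead, check that group's membership separately.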


Start the Required Services


1. Start the User Profile Synchronization service through Central Administration


• Confirm that the user account performing this procedure is a member of the Farm Administrators SharePoint group.


• On the SharePoint Central Administration Web site, click System Settings, and then on the System Settings page, in the Servers section, click Manage services on server.


• To change the server on which you want to start or stop the service, on the Server menu, click Change Server, and then click the server name that you want.


• By default, only configurable services are displayed. To view all services, on the View menu, click All.


• To start the service, click Start in the Action column of the relevant service.


• Click OK to start the service. When prompted, enter the credentials of the SharePoint farm account; the User Profile Synchronization service will not provision under any other account.






Wait about 10 minutes and verify that both Forefront Identity Manager services (Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service) start properly in services.msc. Once they are running, do an IISRESET.
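Rather than watching services.msc, the same check can be scripted so that it also catches the two things that go wrong most often at this step: the service instance sitting in Provisioning instead of Online, and the FIM services running as something other than the farm account. Here is an added example, not code from the original post, for the SharePoint 2010 Management Shell on the synchronization server. CONTOSO\sp_farm stands in for your farm account; the Windows service names FIMService and FIMSynchronizationService are the real names of the two Forefront services that SharePoint 2010 provisions.

```powershell
# Added example, not from the original post: confirm that starting User Profile
# Synchronization actually provisioned everything before running IISRESET.
# Run in the SharePoint 2010 Management Shell on the server where you started
# the service. CONTOSO\sp_farm is a placeholder for your farm account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = "CONTOSO\sp_farm"

function Test-ProfileSyncProvisioned {
    param([string]$FarmAccount)
    $ok = $true

    # 1. The farm-level service instance on this box should be Online. Stuck in
    #    Provisioning is the usual symptom of a permission problem (farm account
    #    not a local admin, or wrong credentials entered on the Start page).
    $instance = Get-SPServiceInstance | Where-Object {
        $_.TypeName -eq "User Profile Synchronization Service" -and
        $_.Server.Address -ieq $env:COMPUTERNAME
    }
    if ($instance -eq $null) {
        Write-Warning "User Profile Synchronization Service instance not found on $env:COMPUTERNAME"
        $ok = $false
    } elseif ($instance.Status -ne "Online") {
        Write-Warning "User Profile Synchronization Service instance status is $($instance.Status), expected Online"
        $ok = $false
    }

    # 2. Both Forefront Identity Manager Windows services must be running, and
    #    both must run as the farm account.
    foreach ($name in "FIMService", "FIMSynchronizationService") {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null -or $svc.State -ne "Running") {
            Write-Warning "$name is not running"
            $ok = $false
        } elseif ($svc.StartName -ine $FarmAccount) {
            Write-Warning "$name runs as $($svc.StartName), expected $FarmAccount"
            $ok = $false
        }
    }

    # 3. Local Administrators membership was only needed to start the service.
    #    Flag it so it gets removed once everything above is green.
    $admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
    if ($admins -contains $FarmAccount) {
        Write-Host "$FarmAccount is still a local Administrator; remove it now that provisioning is done (re-add only to re-provision)."
    }
    return $ok
}

if (Test-ProfileSyncProvisioned -FarmAccount $farmAccount) { iisreset }
```

The script only flags the local Administrators membership rather than removing it, because re-provisioning later needs it again; removing it is a deliberate step, not something a readiness check should do behind your back.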




Create a Profile Synchronization Connection


1. Verify that you have the following administrative credentials:


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site


• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• If you are synchronizing profile information by using AD DS, the account that is used to connect to AD DS must have the Replicating Directory Changes permission in AD DS; it is required for both full and incremental synchronization. Microsoft's beta documentation says this account must be either the farm administrator account or the User Profile Service administrator account; guidance for the released product allows a dedicated synchronization account, which is the least-privilege choice because it keeps directory replication rights off the farm account. The Create All Child Objects permission is needed only to export properties, such as profile pictures, from SharePoint Server to AD DS.


2. Before proceeding, make sure that you have determined which directory service containers that you want synchronized with SharePoint Server. I have several test users already setup in an OU.


3. On the Central Administration Web site, in the Application Management section, click Manage service applications.


4. On the Manage Service Applications page, click the Name of the User Profile Service Application that you want to manage.


5. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.


6. On the Synchronizations Connections page, click Create New Connection.


7. On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.


8. From the Type list, select the kind of directory service to which you want to connect. AD in this case.


9. If the selected type is Business Data Connectivity, enter a name for the connection in the Name box. Select a Business Data Connectivity application from the Business Data Connectivity Entity box. Select whether the entity has a 1:1 mapping or a 1:many mapping, enter the appropriate profile property, and then click OK. Otherwise, continue with the following steps. - I'm ignoring this functionality for this post.

10. In the Connection Settings section, type the name of the directory service forest to which you want to connect (domain.com), the credentials of the synchronization account in domain\username form (the account you granted Replicating Directory Changes, not a Domain Admin), and the port that you want to use when you connect to the directory service (keep the default, 389, unless you check the SSL option in the next step). Select Auto discover domain controller to automatically locate the domain controller for this forest, or type the name of the domain controller in the Domain controller name box. - I don't recommend using autodiscover. Other users have reported problems with it, but I'll leave that up to you.


11. In the Connection Settings section, select the Use SSL-secured connection check box if you want a Secure Sockets Layer connection to the directory service. If you check it, change the port to 636 (LDAPS) and make sure the domain controller has a server certificate that the SharePoint server trusts; otherwise Populate Containers in the next step fails with a connection error.


12. In the Containers section, click Populate Containers and then select the containers from the directory service that you want to synchronize. Click Select All if you want to synchronize all containers. For example, if you only want to synchronize user information, you can select only those containers that have user profile information.



13. Click OK.
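The Add new synchronization connection page gives very little diagnostic detail when Populate Containers fails, so it is worth testing the exact combination of domain controller, port, credentials and OU from the server first. Here is an added example, not from the original post, that does this with the .NET System.DirectoryServices.Protocols classes: it binds as the synchronization account over the chosen port (plain LDAP or LDAPS), confirms a known test user is readable under the container you intend to select, and warns if the account is a direct member of Domain Admins. The server dc01.contoso.com, the account CONTOSO\svc_upsync, the OU and the test user name are placeholders.

```powershell
# Added example, not from the original post: pre-flight the values you are about
# to type into the Add new synchronization connection page. dc01.contoso.com,
# CONTOSO\svc_upsync, the OU and the test user are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ProfileSyncConnection {
    param(
        [string]$Server,       # name the DC explicitly, as the post recommends over autodiscover
        [int]$Port,            # 389 for plain LDAP, 636 when "Use SSL-secured connection" is checked
        [string]$Domain,
        [string]$User,         # the synchronization account, not a Domain Admin
        [string]$Password,
        [string]$DomainDN,     # e.g. DC=contoso,DC=com
        [string]$SearchBase,   # the container you will select under Populate Containers
        [string]$ProbeUser     # sAMAccountName of a test user that lives inside $SearchBase
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # LDAPS; the DC's certificate must be trusted
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password, $Domain)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    try {
        $conn.Bind()

        # Can this account read user objects in the container it will import from?
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, "(&(objectClass=user)(sAMAccountName=$ProbeUser))", $scope, [string[]]@("sAMAccountName"))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) {
            Write-Warning "$ProbeUser is not readable under $SearchBase as $Domain\$User"
            return $false
        }

        # Least-privilege check: direct membership of Domain Admins is a red flag.
        # (Nested membership is not followed here.)
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($DomainDN, "(&(objectClass=user)(sAMAccountName=$User))", $scope, [string[]]@("memberOf"))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -eq 1 -and $resp.Entries[0].Attributes.Contains("memberOf")) {
            $groups = $resp.Entries[0].Attributes["memberOf"].GetValues([string])
            if ($groups -match "^CN=Domain Admins,") {
                Write-Warning "$Domain\$User is a member of Domain Admins; use a dedicated account holding only Replicating Directory Changes"
            }
        }
        Write-Host "Bind to ${Server}:$Port as $Domain\$User OK; $ProbeUser is visible under $SearchBase"
        return $true
    } catch [System.DirectoryServices.Protocols.DirectoryException] {
        # LdapException ("The LDAP server is unavailable" is what an untrusted LDAPS
        # certificate looks like) and DirectoryOperationException (e.g. insufficient
        # rights on the OU) both derive from DirectoryException.
        Write-Warning ("Connection test to {0}:{1} failed: {2}" -f $Server, $Port, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Password is read as plain text here for a lab pre-flight; do not hard-code it.
Test-ProfileSyncConnection -Server "dc01.contoso.com" -Port 636 -Domain "CONTOSO" `
    -User "svc_upsync" -Password (Read-Host "Password for CONTOSO\svc_upsync") `
    -DomainDN "DC=contoso,DC=com" -SearchBase "OU=Lab Users,DC=contoso,DC=com" -ProbeUser "testuser1"
```

Run it once with port 389 and once with 636: if 389 passes and 636 fails with "The LDAP server is unavailable", the problem is the domain controller's certificate (missing, or not trusted by the SharePoint server), not the account or the OU.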


To configure Profile Synchronization settings




1. Verify that you have the following administrative credentials:


• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site


• You must be a Service Administrator with Full Control permissions for the User Profile Service that you are configuring. For more information about how to set Full Control permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).


• The Farm Administrator account, which is created during the SharePoint farm setup, must also be a System Administrator (sysadmin) on Microsoft SQL Server 2005 or Microsoft SQL Server 2008.


• If you are synchronizing profile information with AD DS, the account that is used must have the Replicating Directory Changes permission, and it is required for both full and incremental synchronization. The beta documentation again says this must be the farm administrator account or the User Profile Service administrator account; the same note as in the previous procedure applies, a dedicated synchronization account is the least-privilege option. The Create All Child Objects permission is needed only to export properties, such as profile pictures, from SharePoint Server to AD DS.


2. On the Central Administration Web site, in the Application Management section, click Manage service applications.


3. On the Manage Service Applications page, click the Name of the User Profile Service Application that you want to manage.


4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.


5. On the Configure Synchronization Settings page, in the Synchronization Entities section, select Users and Groups to synchronize both user information and group information or select Users to synchronize only user information.


You should first do a full synchronization of users only. Once this is complete, run an incremental synchronization of both users and groups.


6. On the Configure Synchronization Settings page, in the Synchronize BDC Connections section, click to clear the Include existing BDC connections for synchronization? check box if you want to exclude data import from the Business Data Connectivity service. - No BDC for now.


7. On the Configure Synchronization Settings page, in the External Identity Manager section, select Use SharePoint Profile Synchronization to use the Profile Synchronization engine in SharePoint Server 2010 or select Enable External Identity Manager to use an external synchronization application such as Microsoft Identity Lifecycle Manager 2007.


Enabling an external identity manager disables all Profile Synchronization options and the status display in SharePoint Server 2010.





8. Click OK.


In Part II of this blog I'll go through the steps to do the initial synchronization and show you how to use the MIIS client to verify it's working properly.
