Wednesday, March 31, 2010

Setting Up the SharePoint 2010 User Profile Service Application to Synch AD Users – Part II

Now that we have our connection to AD configured and the user profile service application is up and running, we’re ready to do our first import of users from AD.

1. In order to perform the synchronization, you’ll need to verify you have the following permissions:

• You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

• The Farm Administrator account must be a Service Administrator for the User Profile Service that you are configuring. For more information about how to set service permissions, see Assign administration of a User Profile service application (SharePoint Server 2010).

• The account that you use to synchronize profile information with Active Directory Domain Services (AD DS) must have Replicate Directory Changes permissions on the AD DS domains from which you want to import data. If the NetBIOS name is different from the domain name, the account that is used must also have Replicate Directory Changes permissions on the cn=configuration container. For more information about how to configure Replicate Directory Changes in AD DS, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account (http://go.microsoft.com/fwlink/?LinkId=47854). Create All Child Objects permission is needed to export properties, such as profile pictures, from SharePoint Server to AD DS.

2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

3. On the Manage Service Applications page, click in the Title column of the User Profile Service Application row to select it.

4. In the Operations group of the ribbon, click Manage.

5. On the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

6. On the Start Profile Synchronization page, select Start Incremental Synchronization to synchronize only user and group profile data that has changed, or select Start Full Synchronization to synchronize all user profile data.


The Start Full Synchronization option is time and resource intensive. We do not recommend it unless absolutely required to reset data that is stored in user profiles or to do an initial synchronization of user profiles.

When using AD DS, you must run full synchronization any time a new profile property mapping is created.

7. Click OK.
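
The account permissions listed in step 1 can be checked before you start the synchronization. The following PowerShell is an added example, not part of the original post: it reads the access entries of a naming context and reports which replication rights are granted directly to the sync account. The account name `CONTOSO\svc-spsync`, the sample entries and the helper name `Get-ReplicationRight` are assumptions made for illustration.

```powershell
# Added example: which replication rights does the profile sync account hold?
# Only ACEs that name the account directly are matched; rights inherited
# through group membership are not resolved here.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Get-ReplicationRight {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Ace,     # entries from (Get-Acl ...).Access
        [Parameter(Mandatory=$true)] [string]   $Account  # DOMAIN\name of the sync account
    )
    foreach ($a in $Ace) {
        $guid = "$($a.ObjectType)".ToLower()
        if ("$($a.IdentityReference)" -eq $Account -and
            "$($a.AccessControlType)" -eq 'Allow' -and
            "$($a.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll' -and
            $ReplicationRights.ContainsKey($guid)) {
            $ReplicationRights[$guid]
        }
    }
}

# Constructed sample ACEs so the check runs without a domain controller.
$sample = @(
    (New-Object psobject -Property @{
        IdentityReference = 'CONTOSO\svc-spsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'
        ObjectType = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }),
    (New-Object psobject -Property @{
        IdentityReference = 'CONTOSO\svc-spsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty'       # not an extended right: ignored
        ObjectType = [guid]::Empty })
)
# Live use (ActiveDirectory module); repeat with configurationNamingContext
# when the NetBIOS name differs from the domain name:
#   $sample = (Get-Acl "AD:\$((Get-ADRootDSE).defaultNamingContext)").Access

$found = @(Get-ReplicationRight -Ace $sample -Account 'CONTOSO\svc-spsync')
if ($found -notcontains 'Replicating Directory Changes' -and
    $found -notcontains 'All extended rights') {
    Write-Warning 'Sync account has no direct Replicating Directory Changes ACE (step 1).'
}
# Anything beyond the single right step 1 asks for is worth reviewing.
$found | Where-Object { $_ -ne 'Replicating Directory Changes' } |
    ForEach-Object { Write-Warning "Broader than step 1 requires: $_" }
$found
```

With the constructed sample the output is the single line `Replicating Directory Changes` and no warnings.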

After the Profile Synchronization job is finished, you can search for a known profile or for accounts that begin with a known domain name from the Manage User Profiles page.

Because the import uses MIIS/FIM, you can also open the miisclient.exe application from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe to verify that the sync was successful.
