Friday, December 30, 2011

How to: Configure User Profile Service Application in SharePoint 2010

Hi all,

SharePoint 2010 comes with a rich set of new features that enhance social networking. I strongly recommend visiting Spencer Harbar's website. He is an MCM, an enterprise architect and an authority when it comes to the User Profile Service Application. In one of his podcasts, he agreed that UPSA (User Profile Service Application) and the Search service application are the most complex to configure and the hardest to understand. And yes, UPSA really is a wild beast to conquer. I thought I would put all UPSA errors in a separate section, but after reading his blog it's crystal clear, at least for me.

Before I dive into the step-by-step for UPSA, I would like to highlight the brand new features of SP 2010 when it comes to social networking:
  • In MOSS 2007, we had some Web 2.0 technologies that pertain to social networking. The SharePoint 2010 team has overhauled the social networking features such as User Profiles and My Sites.
  • The User Profile Service (UPS) - This service is the heart of "social networking". It provides Web 2.0 and Facebook-style functionality. SharePoint 2010 improves user visibility and people and skill search. In short, users get tagging, blogging and similar functionality.
  • Essentially we are concerned about our user population, and we leverage user accounts from an external data source as well. The most widely used data source is Active Directory.
  • In MOSS 2007, we could populate AD users only one way, i.e. AD -> SharePoint 2007. In SharePoint 2010, we have two-way synchronization. The SharePoint team has revamped this: we now have "Forefront Identity Manager 2010", and it runs as a Windows service.
  • We can also configure "My Sites" via the User Profile Service Application. Please note that My Sites is implemented as a site collection.
In short, this table briefly describes the components of UPSA:

| Services | Description | Usage |
|---|---|---|
| User Profile Service | It’s a service that resides on the SharePoint 2010. It’s NOT a Windows Service, but some .NET assemblies that do some work with profiles. | Hosting User profiles |
| User Profile Synchronization Service | It’s a wrapper responsible for the provisioning of the Forefront Identity Manager. | Provide a synchronization service. (AD <-> SP 2010 two way sync) |
| Forefront Identity Manager | A bundled version of FIM that has two Windows services. | Provide a client which is useful for viewing progress and identifying errors. |

The Forefront Identity Manager client can be found at this location: C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe. I put a shortcut to MIISClient on my desktop.

In this walkthrough I will discuss only "UPSA" and its configuration. Please note that I have used Spencer Harbar's blog to configure UPSA in my test environment. However, TechNet updated its content on 13 Dec 2011 and credited Harbar for his contribution.


Step 1:
Prepare the platform
As suggested by Harbar, we should not use the Farm Configuration Wizard (FCW), as it's for configuring demo environments. However, my machine is a single box which has AD, SQL Server and SharePoint 2010 installed by default. But I will follow his instructions.


He also suggested checking that the Cumulative Updates (CU) for August 2011 are installed and deployed. I found a TechNet article with links to all patches and hotfixes. I recommend bookmarking this article. I have installed SharePoint 2010 SP1 along with the December 2011 update. Please keep in mind that both SharePoint Foundation 2010 and SharePoint Server 2010 have been updated.

Step 2:
Configure Account and permissions
We have already created 4 service accounts in my previous blog post. We have to give the "sp_usersync" service account appropriate permissions so that this account can pull entries from Active Directory.

Right click on the "sp_usersync" account and check its permissions as follows:

Right click on "contoso.com", navigate to the "Security" tab, click on the "Add" button and browse to the "sp_usersync" account.
Check the following permissions: "Create all child objects" and "Replicating Directory Changes".
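
One way to confirm the Step 2 grant from PowerShell instead of the Security tab (an added example, not part of the original post). It assumes the ActiveDirectory module is available and uses the CONTOSO\sp_usersync account from this walkthrough; the two GUIDs are the standard identifiers of the replication control access rights, and the report also lists every other account holding them on the domain root.

```powershell
# Added example: list who holds replication rights on the domain root.
Import-Module ActiveDirectory

# Assumption: the sync account and domain used in this walkthrough.
$account  = 'CONTOSO\sp_usersync'
$domainDn = (Get-ADDomain).DistinguishedName      # DC=contoso,DC=com in this lab

# rightsGuid values of the control access rights shown in the Security tab.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$allRights = [Guid]::Empty.ToString()   # ACE without an ObjectType covers every extended right
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = (Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($replRights.ContainsKey($_.ObjectType.ToString()) -or
         $_.ObjectType.ToString() -eq $allRights)
    } |
    ForEach-Object {
        $guid  = $_.ObjectType.ToString()
        $right = 'All extended rights'
        if ($replRights.ContainsKey($guid)) { $right = $replRights[$guid] }
        New-Object PSObject -Property @{
            Identity  = $_.IdentityReference.Value
            Right     = $right
            Inherited = $_.IsInherited
        }
    }

# Every identity that can replicate directory changes from this domain.
$report | Sort-Object Identity, Right |
    Format-Table Identity, Right, Inherited -AutoSize | Out-String

# Did the Step 2 grant land on the sync account?
$hit = $report | Where-Object {
    $_.Identity -eq $account -and $_.Right -eq 'Replicating Directory Changes'
}
if ($hit) { "$account holds 'Replicating Directory Changes' on $domainDn" }
else      { Write-Warning "$account does not hold 'Replicating Directory Changes' on $domainDn" }
```
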
Step 3:
Create users
For testing purposes I created 3 users as follows:

Step 4: 
Create the UPS Service Application
According to Harbar, it's advisable to have a new User Profile Service Application. Navigate to SharePoint 2010 Central Administration >> Application Management >> Manage service applications. We create a new UPSA from the Ribbon: click New and then User Profile Service Application.
I named it UPS with this configuration:
Step 5:
Gearing up the UPSA service
Navigate to Central Administration >> System settings >> Click on "Managing services on server"
Step 6:
Start up UPS and UPSA services
By default the "User Profile Service" is already started. We have to start the "User Profile Synchronization Service". I innocently clicked on "Start" and waited for the service to kick off. I had to supply the farm admin account, which is sp_farm.

I knew it would take a few minutes for UPSA to process. But after 4-5 minutes it went back to "Start" status as follows:

I clicked numerous times to start the UPSA, but all my attempts were futile. I then found a most amazing article from Spencer Harbar about user profile services and all their intricacies. Later I found a link in which he explained it in detail. We have to set up additional permissions to make UPSA work, which are in my next steps.
   
Step 7:
Incorrect permissions
Navigate to the "Active Directory Users and Computers" console >> Users >> double click on "Administrator", which is a built-in account.
Go to the "Member" tab in the Administrator window and double click on "Administrators" (again, it's built-in).
The sp_farm account was not part of "Administrators". Thus, we have to add that account as follows.
We again go to Central Administration >> System settings >> click on "Managing services on server" and start the "User Profile Synchronization Service". It may take 5-10 minutes.

An IISreset is required if we are running on the same server. My machine is a single box, therefore I did an IISreset.

If we are able to get this screen, that means we are able to sync AD to SharePoint successfully.


We have to check if these folders are created at the server "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service". These folders would be empty.

The last check we have to perform is to open the services.msc console and confirm that the FIM and FIM sync services have been started.
Step 8:
Setting up the UPSA connections
Navigate to the Central Administration >> Application Management >> Manage service applications >> Click on "UPS"


We click on "Configure Synchronization Connections" under "Synchronization "

We then click on the "Create New Connection" as follows:

However, when I clicked on that link I got an exception.
I then:
  • restarted the SharePoint timer job,
  • did an IISReset and
  • rebooted the server. It's a very important step.
Configuring is not easy, and we are not done yet.

Step 8:
Adding new synchronization connection
Navigate to Central Administration >> Application Management >> Manage service applications >> click on "UPS" >> click on "Configure Synchronization Connections". We will get the default "Profiles", "Audiences" and "Profile Synchronization Settings" in the right section as shown below:
We will notice that there is an option "Not Compiled" under the "Audiences" section. This means we have to make a new connection. We will again go back to the UPS service application and click on "Create New Connection" as follows:

This time we have to configure new connection. These are my settings:

Connection Name : People
Type : Active Directory (There are other options such as Business Data Connectivity, IBM, Novell, Sun Java System Directory)
Connections Settings :
Forest name - contoso.com (we have to supply the AD forest name)
Authentication Provider Type  - Windows Authentication (default)
Account name - contoso\sp_farm
Password - sp2010!
Port - 389 (default)

Click on the "Populate Containers" button and we will be able to view all the entities of AD. I checked Users and my 3 users, which will be populated into SharePoint 2010.

Step 9:
Configure Synchronization Settings and Profile Synchronization

We click on the Configure Synchronization settings link.
 
We will follow these settings to synchronize entities:

We then click on the "Start Profile Synchronization" link as shown:
It has to be noted that we have to perform a Full Synchronization because we don't have any connection so far. Later we can perform an Incremental Synchronization for new updates from AD. It's similar to SharePoint 2007.

As soon as we click on the "OK" button, SharePoint will run the synchronization service. We have to refresh periodically.
At the bottom right of the page, we have a Synchronizing link. If we open that link we can see the progress of the synchronization.
After a few minutes the "Profile Synchronization Status" will be idle as shown:

We can also check the MIIS Client (Synchronization Server Manager) and its status:


We can check how many profiles have been imported to SharePoint 2010 by clicking "Manage User Profiles"
I searched for my name and clicked "Find" button.
I have created a top level site collection under "SharePoint - 80" web application and assigned myself as site owner. I logged into top level site collection and my name is displayed as follows:
I hope this walkthrough was useful for you.

Few Important Notes
  • Please note that my SharePoint 2010 machine is a single box. Thus, for a multiple farm configuration you have to go for a NetBIOS domain name or SQL Server alias. It's beautifully described in Spencer's article "Stuck on Starting...". A single box is always easy to configure, but a multiple farm configuration could be a challenge. (My real world experience)
  • Always look out for SharePoint Cumulative Updates and view the details. The last SharePoint 2010 CU was released in December 2011.


Update 15 Jan 2012:

As I mentioned, a single box is always easy. One of the SharePoint 2010 administrators gave me a two-tier setup for the SharePoint 2010 User Profile Service Application. I appreciate her taking the time to give me the steps.
  1. The configuration for the two-tier farm setup is as follows: two Web Front Ends (WFEs) backed by SQL Server 2008 R2.
  2. In Central Admin, add it to the "Farm Administrators" group.
  3. Add the service account to the following group.
  4. Reboot the server.
  5. Navigate to SP 2010 Central Administration >> Manage Services on Server >> "User Profile Sync Service" >> Start
  6. Key in your farm admin password and wait for 20 minutes.
Cheers,
Aroh

References:
SharePoint Server 2010 User Profile Synchronization (Spencer Harbar)
Stuck on Starting...(Spencer Harbar)
Troubleshoot User Profile Synchronization Service (TechNet)

Update 15 Jan 2012
User Profile Synchronization Service–Hangs on Starting (I fixed it!)
Configuring profile import in SharePoint 2010 (Shane Young SharePoint MVP)


2 comments:

Tobi Mohi said...

thank you very much, your article is really helpful.

I have here a problem:

http://3.bp.blogspot.com/-QDk_tAVBeYA/TvhC4kIYDnI/AAAAAAAADuo/2EITtK0xNUE/s1600/02_ContosoProps.GIF

Right click on the "contoso.com", navigate to the "Security" tab.

I don't get this like you, I get another window with 2 tabs! can you maybe help me?

thank you in advance

ahmad

Aroh said...

Sorry for the late reply. In AD Users and Computers, click on "View" and select "Advanced Features". You will get more tabs, including the Security tab.
