
SharePoint 2013 : Configuring User Profile Synchronization (part 1) - Establishing Managed Accounts

4/23/2014 2:24:50 AM

Configuring User Profile Synchronization seems to give SharePoint administrators more trouble than any other area of installation and configuration. The feature is complicated, and that complexity is what makes it so troublesome when it does not work. Do not worry, though: I shall guide you through the configuration of User Profile Sync on a virgin SharePoint 2013 environment.

Establishing Managed Accounts

Establishing the correct credentials, and configuring the necessary services and service applications to run under them, is essential to smooth installation and operation of User Profile Service and Synchronization. Most of the time, when User Profile Service and User Profile Synchronization fail, it is because of incorrect credentials or credentials with insufficient privileges.

SharePoint has the notion of managed service accounts: rather than specifying Active Directory account credentials everywhere, you can map these credentials to a managed account name in SharePoint in one central location. Assuming that you have installed SharePoint 2013 and have access to the Central Administration site, the following steps allow you to view a list of managed service accounts in the farm:

  1. Open Central Administration.
  2. Click the Security section heading.
  3. Click the link Configure Managed Accounts in the General Security subsection.

You should see a page similar to Figure 1, although you will likely see a different list of managed accounts from that in my environment.


Figure 1. Managed Accounts

Before you begin configuring the User Profile Service infrastructure, make sure the following statements are true:

  • SharePoint is installed and configured without a User Profile Service application (you can delete the application and proxy from the managed service applications list).
  • You have configured a farm account, e.g. DOMAIN\spfarm as a managed account.
  • You have not logged into the server or Central Administration as the farm account.
  • The farm account is not a local administrator on the server running User Profile Service.
  • Your farm does not use a Fully Qualified Domain Name or IP address to connect SharePoint 2013 with SQL Server—use a SQL alias or NetBIOS name to avoid issues with provisioning services later.
  • Your environment has the latest Cumulative Update applied.

With the above provisions met, you are ready to begin configuring User Profile Synchronization in your SharePoint 2013 farm.

Note  Follow all steps, from this point on, in sequence. Do not be tempted to skip or attempt steps in a different order, or you will risk failure in the setup.

The first step, and pertinent to this section, is to create some service accounts in your organization’s Active Directory forest. In a typical SharePoint 2013 configuration, you will need at least the following three domain accounts:

  • DOMAIN\spcontent
  • DOMAIN\spservices
  • DOMAIN\spups

Ensure that these accounts exist as normal users with no password expiration. The DOMAIN\spups account must have Replicating Directory Changes permission in the Active Directory. This account does not run any Windows or SharePoint services nor does it run any application pools.

 Note  Not granting Replicating Directory Changes to the User Profile Service account is typically the first mistake administrators make when configuring User Profile Synchronization, and this may lead to issues later.

The following steps detail how to grant Replicating Directory Changes from within the Active Directory Users and Computers configuration snap-in (please note that these steps require AD Security Account Operators rights):

  1. Log on to your server hosting Active Directory.
  2. Right-click the domain name in Active Directory Users and Computers.
  3. Choose Delegate Control and then click the Next button.
  4. Add the DOMAIN\spups account and click the Next button.
  5. Select Create Custom Task to Delegate and click the Next button.
  6. Click the Next button again.
  7. Select the Replicating Directory Changes permission and click the Next button.
  8. Click the Finish button.

Next, you configure Replicating Directory Changes on the Configuration Naming Context for the domain:

  1. Run ADSIEDIT.msc.
  2. Connect to the Configuration partition.
  3. Select Configuration in the Select a Well-Known Naming Context drop-down list.
  4. Right-click the Configuration partition and choose Properties.
  5. Select the Security tab.
  6. Add the DOMAIN\spups user to the list and give it Replicating Directory Changes permission.

Note  When running the Domain Controller on Windows 2003 or earlier, add the DOMAIN\spups user to the Pre Windows 2000 Compatible Access built-in group.
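
To confirm the two grants above took effect, the following read-only audit (an added example, not part of the original article) reads the ACL on the domain and Configuration naming contexts and reports whether the sync account holds Replicating Directory Changes, and separately whether it holds the broader Replicating Directory Changes All right, which the steps above do not call for. It assumes the ActiveDirectory PowerShell module is available and uses the article's placeholder account names.

```powershell
# Added example: read-only audit of the sync account's replication rights.
# Requires the ActiveDirectory module (RSAT). Nothing is modified.
Import-Module ActiveDirectory

$Account = 'DOMAIN\spups'   # placeholder from the article; substitute your own

# rightsGuid values of the two control access rights being checked
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$root = Get-ADRootDSE
$contexts = [ordered]@{
    Domain        = $root.defaultNamingContext
    Configuration = $root.configurationNamingContext
}

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = foreach ($ctx in $contexts.GetEnumerator()) {
    # Explicit Allow ACEs for the account only; rights gained through group
    # membership or a blanket "all extended rights" ACE are not resolved here.
    $held = (Get-Acl -Path ("AD:\" + $ctx.Value)).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extended) -and
            $Rights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object { $Rights[$_.ObjectType.ToString()] }

    [pscustomobject]@{
        NamingContext         = $ctx.Key
        ReplicatingChanges    = $held -contains 'Replicating Directory Changes'
        ReplicatingChangesAll = $held -contains 'Replicating Directory Changes All'
    }
}
$report | Format-Table -AutoSize

# The article asks for normal users with no password expiration.
'spcontent', 'spservices', 'spups' | ForEach-Object {
    Get-ADUser -Identity $_ -Properties PasswordNeverExpires |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires
}
```

After following the steps above, ReplicatingChanges should read True for both naming contexts. A True in the ReplicatingChangesAll column means the account holds more than this procedure grants and should be reviewed.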

The SharePoint farm account must have Log on Locally rights on the server performing User Profile Sync. The following steps detail how to configure this:

  1. Log on to the SharePoint server that hosts User Profile Synchronization.
  2. Open Administrative Tools.
  3. Open either Group Policy editor or the Local Security Policy editor.
  4. Navigate to Security Settings, Local Policies, User Rights Assignment.
  5. Click Allow log on locally.
  6. Make sure the farm account is either in one of the groups listed or explicitly listed.
  7. If running SharePoint on a domain controller (this is a bad practice), use GPMC.msc to edit the default domain policy.
  8. Execute GPUPDATE.exe from an elevated command line to refresh the policy.

Note  At this stage, I recommend a server reboot to ensure that the DOMAIN\spups account picks up all permission and policy changes—this will help avoid issues with the service provisioning process hanging later.

Next, register managed accounts for the DOMAIN\spcontent and DOMAIN\spservices accounts:

  1. Open Central Administration.
  2. Click the Security section heading.
  3. Click the link Configure Managed Accounts, in the General Security subsection.
  4. Click Register Managed Account.
  5. Provide details for the two domain accounts to register.
  6. You can register the DOMAIN\spups account if you like, but User Profile Service does not use managed accounts and expects a Windows domain account, so there is little point.

With Windows domain accounts and managed accounts configured, now create two web applications—one to host your site collection and another to act as the My Site Host. Use the content account as the application pool account for both web applications. Create a new site collection in the My Site Host, using the My Site Host Template.

Note  As a best practice for large deployments (more than 5000 users), consider hosting a My Site Host in a separate web application.

After creating a new host application for My Sites, and provisioning service accounts, you can now configure the User Profile Service application.

 