Configuration of User Profile Synchronization in SharePoint seems to give administrators more trouble than any other area of SharePoint installation and configuration. User Profile Synchronization is complicated, and so it is also the area that is hardest to put right when it does not work. Do not worry, though: I shall guide you through the configuration of User Profile Sync on a virgin SharePoint 2013 environment.
Establishing Managed Accounts
Establishing the correct credentials, and configuring the necessary services and service applications under the correct set of credentials, is essential to smooth installation and operation of User Profile Service and Synchronization. Most of the time, when User Profile Service and User Profile Synchronization fail, it is because of incorrect credentials, or credentials with insufficient privileges.
This is where managed service accounts in SharePoint come in: rather than specifying Active Directory account credentials everywhere, you map these credentials to a managed account name in SharePoint in one central location. Assuming that you have installed SharePoint 2013 and have access to the Central Administration site, the following steps allow you to view a list of managed service accounts in the farm:
- Open Central Administration.
- Click the Security section heading.
- Click the link Configure Managed Accounts in the General Security subsection.
You should see a page similar to Figure 1, although you will likely see a different list of managed accounts from that in my environment.
Before you begin configuring the User Profile Service infrastructure, make sure the following statements are true:
- SharePoint is installed and configured without a User Profile
Service application (you can delete the application and proxy from the
managed service applications list).
- You have configured a farm account, e.g. DOMAIN\spfarm as a managed account.
- You have not logged into the server or Central Administration as the farm account.
- The farm account is not a local administrator on the server running User Profile Service.
- Your farm does not use a Fully Qualified Domain Name or IP
address to connect SharePoint 2013 with SQL Server—use a SQL alias or
NetBIOS name to avoid issues with provisioning services later.
- Your environment has the latest Cumulative Update applied.
With the above provisions met, you are ready to begin configuring User Profile Synchronization in your SharePoint 2013 farm.
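The following PowerShell script is an added example, not part of the original chapter, that reports on the preconditions listed above from the SharePoint 2013 Management Shell. It assumes it is run on a farm server under a setup account (never the farm account itself) and it only reads farm state; nothing is changed. The Cumulative Update level cannot be checked generically, so the script prints the farm build version for you to compare against the latest CU.

```powershell
# Added example (not from the book): pre-flight checks before provisioning
# User Profile Service. Read-only; run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm        = Get-SPFarm
$farmAccount = $farm.DefaultServiceAccount.Name                       # e.g. DOMAIN\spfarm
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$results     = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. No User Profile Service application (or its proxy) should exist yet.
$ups = @(Get-SPServiceApplication | Where-Object { $_.TypeName -like "User Profile Service Application*" })
Add-Check "No existing UPS application" ($ups.Count -eq 0) $(if ($ups.Count) { $ups[0].Name } else { "none" })

# 2. The farm account must be registered as a managed account.
$managed = @(Get-SPManagedAccount | Where-Object { $_.UserName -eq $farmAccount })
Add-Check "Farm account is a managed account" ($managed.Count -gt 0) $farmAccount

# 3. This shell must not be running as the farm account.
Add-Check "Not logged on as the farm account" ($currentUser -ne $farmAccount) $currentUser

# 4. The farm account must not be a local administrator on this server.
$admins = @(net localgroup Administrators | Where-Object { $_ -match "\\" })
Add-Check "Farm account not in local Administrators" (-not ($admins -contains $farmAccount)) ($admins -join ", ")

# 5. SQL should be reached by alias or NetBIOS name, never by FQDN or IP address.
$sqlHosts = @(Get-SPDatabase | ForEach-Object { $_.Server.Address } | Where-Object { $_ } | Sort-Object -Unique)
$badHosts = @($sqlHosts | Where-Object { $_ -match "^\d{1,3}(\.\d{1,3}){3}" -or $_ -match "\." })
Add-Check "SQL connection uses alias or NetBIOS name" ($badHosts.Count -eq 0) ($sqlHosts -join ", ")

# 6. Informational: compare this build against the latest Cumulative Update.
Add-Check "Farm build version (compare with latest CU)" $true $farm.BuildVersion.ToString()

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning "Fix the failed checks before provisioning User Profile Service."
}
```

Check 4 reads direct membership of the local Administrators group only; if the farm account reaches that group through a nested domain group, you still need to remove it, because User Profile Synchronization provisioning is known to misbehave when the farm account is a local administrator.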
Note Follow all steps, from this point on, in sequence. Do not be tempted to skip steps or attempt them in a different order, or you risk failure in the setup.
The first step, and pertinent to this section,
is to create some service accounts in your organization’s Active
Directory forest. In a typical SharePoint 2013 configuration, you will
need at least the following three domain accounts:
- DOMAIN\spcontent
- DOMAIN\spservices
- DOMAIN\spups
Ensure that these accounts exist as normal users with no password expiration. The DOMAIN\spups account must have the Replicating Directory Changes permission in Active Directory. This account does not run any Windows or SharePoint services, nor does it run any application pools.
Note Not granting Replicating Directory Changes to the User Profile Service account is typically the first mistake administrators make when configuring User Profile Synchronization, and this may lead to issues later.
The following steps detail how to grant
Replicating Directory Changes from within the Active Directory Users
and Computers configuration snap-in (please note that these steps
require AD Security Account Operators rights):
- Log on to your server hosting Active Directory.
- Right-click the domain name in Active Directory Users and Computers.
- Choose Delegate Control and then click the Next button.
- Add the DOMAIN\spups account and click the Next button.
- Select Create Custom Task to Delegate and click the Next button.
- Click the Next button again.
- Select the Replicating Directory Changes permission and click the Next button.
- Click the Finish button.
Next, you configure Replicating Directory Changes on the Configuration Naming Context for the domain:
- Run ADSIEDIT.msc.
- Connect to the Configuration partition.
- Select Configuration in the Select a Well-Known Naming Context drop-down list.
- Right-click the Configuration partition and choose Properties.
- Select the Security tab.
- Add the DOMAIN\spups user to the list and give it Replicating Directory Changes permission.
Note When running the Domain Controller on Windows 2003 or earlier, add the DOMAIN\spups user to the Pre-Windows 2000 Compatible Access built-in group.
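The two delegation procedures above (the domain naming context and the Configuration naming context) are easy to get half right, so the following PowerShell script, an added example that is not part of the original chapter, audits both. It lists every principal holding a replication extended right on each naming context and then confirms that the sync account holds an Allow for Replicating Directory Changes on both, and nothing broader: User Profile Synchronization does not need Replicating Directory Changes All, and that right should not be granted to this account. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the account name in `$syncAccount` is an assumption to replace with your own.

```powershell
# Added example (not from the book): audit the "Replicating Directory Changes"
# extended right on the domain and Configuration naming contexts. Read-only.
Import-Module ActiveDirectory
$syncAccount = "DOMAIN\spups"    # assumption: your User Profile Synchronization account

# rightsGuid values of the replication control-access rights. An ExtendedRight
# ACE whose ObjectType is the all-zero GUID grants every extended right.
$rightNames = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes All"
    "00000000-0000-0000-0000-000000000000" = "All extended rights"
}
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$rootDse = Get-ADRootDSE
$targets = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path ("AD:\" + $dn)
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.ActiveDirectoryRights
        $label  = $null
        if (($rights -band $genericAll) -eq $genericAll) {
            $label = "Full control (includes replication rights)"
        } elseif (($rights -band $extendedRight) -ne 0) {
            $label = $rightNames[$ace.ObjectType.ToString()]   # $null for unrelated extended rights
        }
        if ($label) {
            [pscustomobject]@{
                NamingContext = $dn
                Principal     = $ace.IdentityReference.Value
                Right         = $label
                Type          = $ace.AccessControlType.ToString()
            }
        }
    }
}
$findings | Sort-Object NamingContext, Principal, Right | Format-Table -AutoSize

# The sync account needs an Allow for the base right on BOTH naming contexts...
$sufficient = @("Replicating Directory Changes", "All extended rights", "Full control (includes replication rights)")
foreach ($dn in $targets) {
    $ok = $findings | Where-Object { $_.NamingContext -eq $dn -and $_.Principal -eq $syncAccount -and
                                     $_.Type -eq "Allow" -and $sufficient -contains $_.Right }
    if (-not $ok) { Write-Warning "$syncAccount lacks 'Replicating Directory Changes' on $dn" }
}
# ...and no more than that: profile import does not require the 'All' variant.
$excess = $findings | Where-Object { $_.Principal -eq $syncAccount -and $_.Right -ne "Replicating Directory Changes" }
if ($excess) {
    Write-Warning "$syncAccount holds broader rights than User Profile Synchronization requires:"
    $excess | Format-Table -AutoSize
}
```

The audit matches ACEs granted directly to the account. If you delegated the right to a group instead, the group appears in the listing and you should check the account's membership separately. The full listing is also worth keeping: any principal other than domain controllers, the built-in administrative groups and your sync account holding either replication right deserves an explanation.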
The SharePoint farm account must have Log on
Locally rights on the server performing User Profile Sync. The
following steps detail how to configure this:
- Log on to the SharePoint server that hosts User Profile Synchronization.
- Open Administrative Tools.
- Open either the Group Policy Editor or the Local Security Policy editor.
- Navigate to Security Settings, Local Policies, User Rights Assignment.
- Click Allow log on locally.
- Make sure the farm account is either in one of the groups listed or explicitly listed.
- If running SharePoint on a domain controller (this is a bad practice), use GPMC.msc to edit the default domain policy.
- Execute GPUPDATE.exe from an elevated command line to refresh the policy.
Note At this stage, I recommend a server reboot to ensure that the DOMAIN\spups account picks up all permission and policy changes; this helps avoid issues with the service provisioning process hanging later.
Next, register managed accounts for the DOMAIN\spcontent and DOMAIN\spservices accounts:
- Open Central Administration.
- Click the Security section heading.
- Click the link Configure Managed Accounts, in the General Security subsection.
- Click Register Managed Account.
- Provide details for the two domain accounts to register.
- You can register the DOMAIN\spups account if you like, but User
Profile Service does not use managed accounts and expects a Windows
domain account, so there is little point.
With Windows domain accounts and managed accounts configured, now create two web applications: one to host your site collection and another to act as the My Site Host. Use the content account as the application pool account for both web applications. Create a new site collection in the My Site Host web application, using the My Site Host template.
Note As a best practice for large deployments (more than 5000 users), consider hosting the My Site Host in a separate web application.
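The managed account registration and the two web applications described above can be scripted in one pass. The following PowerShell script is an added example, not part of the original chapter: it registers the content and services accounts as managed accounts (prompting for each password rather than embedding it), creates the portal and My Site Host web applications under the content account, and creates the root site collections. The host headers, application pool names, database names and the DOMAIN\spadmin owner are assumptions to replace with your own values.

```powershell
# Added example (not from the book): register managed accounts and build the
# portal and My Site Host web applications. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$owner = "DOMAIN\spadmin"                  # assumption: site collection administrator
foreach ($name in @("DOMAIN\spcontent", "DOMAIN\spservices")) {
    if (-not (Get-SPManagedAccount | Where-Object { $_.UserName -eq $name })) {
        # Prompt once per account; the password is never stored in the script.
        $cred = Get-Credential -UserName $name -Message "Password for $name"
        New-SPManagedAccount -Credential $cred | Out-Null
    }
}
$content = Get-SPManagedAccount -Identity "DOMAIN\spcontent"

# Portal web application: hosts your site collections. Windows claims authentication.
$portal = New-SPWebApplication -Name "Portal" -Port 80 -HostHeader "portal.contoso.local" `
    -ApplicationPool "Portal_AppPool" -ApplicationPoolAccount $content `
    -DatabaseName "WSS_Content_Portal" `
    -AuthenticationProvider (New-SPAuthenticationProvider)
New-SPSite -Url $portal.Url -Name "Portal" -Template "STS#0" -OwnerAlias $owner | Out-Null

# My Site Host web application: same content account, its own application pool.
$mySites = New-SPWebApplication -Name "My Sites" -Port 80 -HostHeader "my.contoso.local" `
    -ApplicationPool "MySites_AppPool" -ApplicationPoolAccount $content `
    -DatabaseName "WSS_Content_MySites" `
    -AuthenticationProvider (New-SPAuthenticationProvider)
# SPSMSITEHOST#0 is the My Site Host site definition.
New-SPSite -Url $mySites.Url -Name "My Site Host" -Template "SPSMSITEHOST#0" -OwnerAlias $owner | Out-Null

Get-SPWebApplication | Select-Object DisplayName, Url, @{ n = "AppPoolAccount"; e = { $_.ApplicationPool.Username } }
```

The closing listing lets you confirm that both application pools run as the content account before you move on to the User Profile Service application; a web application whose pool runs as the farm account is a common cause of the permission problems described at the start of this section.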
After creating a new host application
for My Sites, and provisioning service accounts, you can now configure
the User Profile Service application.