I first introduced Service Applications and User Profile Service Synchronization back when SharePoint 2010 was in beta, and as many of you who would have attempted this feat, would have come to realize that there were a couple of known issues, in particular those around utilizing a least privilege model with service accounts. I’m confident in stating that these issues have now been resolved with RTM and in today’s article I will share with you my step by step guide in setting up the User Profile Service application, focusing on its configuration and administration and how we can enable the creation of user profiles via an Active Directory import .
SharePoint 2010 introduces the notion of “Service Applications” which build’s upon the “Shared Services Provider (SSP)” which was introduced in SharePoint 2007. Service Applications are individual services that can be configured independently and can be shared across other sites within your farm with some service applications that can also be configured across farms.
The individual service applications provided with SharePoint 2010 are listed as follows;
- Access Services
- Business Data Connectivity
- Document Conversion
- Excel Services
- Managed Metadata Service
- Search Service
- Secure Store
- State Service
- Visio Graphics Service
- User Profile Service
This article will build upon our initial SharePoint 2010 install utilizing the least privilege model which I have documented here, so check it out if you haven’t already done so.
Managed Metadata Service
The User Profile service requires that the Managed Metadata Service is setup and configured first before attempting setting up our first User Profile Service. The Managed Metadata service allows you to utilize managed metadata and provides you with the ability to share content types across sites. You can read more about Managed Metadata here.
To setup our Managed Metadata Service, navigate to Central Administration / Application Management / Manage Service Applications.
Click New and select “Managed Metadata Service”
Enter the follow details;
Name: Managed Metadata Service
Database Server: <server_name>
Database Name: Managed Metadata DB
I will utilize the sp_farm account for the Application Pool Identity.
Lastly, navigate to Central Administration / System Settings / Manage services on server and start the Managed Metadata Web Service.
User Profile Service
Now that we have successfully configured our Managed Metadata service we can now focus our attention on the User Profile Service. The User Profile Service provides our SharePoint farm with all the social networking features that we have come to love in SharePoint 2007, plus more. It forms the basis of My Site support, User profile pages, Audiences and some of the newer features in SharePoint 2010 social computing such as social tagging.
Before we begin, we need to ensure that our Farm account (DOMAIN\sp_farm) is listed as a member of the Local Administrator’s group where the User Profile Synchronization (UPS) service will be deployed. Please make a note to remove the DOMAIN\sp_farm account from the Local Administrator’s group after provisioning the User Profile Synchronization service. Please also note, that if you ever have to re-provision the UPS service at a later date, that you will need to ensure the DOMAIN\sp_farm account is added back to the Local Administrator’s group.
Let’s now navigate to Central Administration / Application Management / Manage Service Applications.
Click New and select “User Profile Service Application”
The “Create New User Profile Service Application” window pops up in which you will enter the following details; (you will obviously enter in the details based on your environment setup)
Name: User Profiles
Create new application pool: SharePoint – User Profiles
Register a new managed account: e.g. DOMAIN\sp_userprofiles (nb: this account will need to be provisioned in Active Directory first)
Enter your Profile Database server details and database authentication. You will notice that SharePoint 2010 introduces the ability to configure Failover Server which allows you to associate your SharePoint databases with another SQL server for failover purposes utilising SQL Server database mirroring. We will not specify a Failover Database server for any of our databases at this present time.
Specify your Synchronization Database which is used to store configuration and staging data for synchronization of profile data such as that from Active Directory.
Next, specify your Social Tagging Database which is used to store tags and notes that are created by users. Social Tagging is a new feature in SharePoint 2010 which is not only displayed against the items that user’s are tagging, but are also displayed in the user’s activity feed.
Next, select your Profile Synchronization Instance Server.
In the proceeding section, we will not create a My Site Host URL and will leave this for part two of this series.
You should now have the User Profiles service application listed and started.
We will now venture back into Central Administration / System Settings / Manage services on server.
Scroll down to the User Profile Service and User Profile Synchronisation Service and start both. The User Profile Service should start without any further user interaction, however the User Profile Synchronization Service will ask for your SharePoint Farm credentials.
Both services should now be listed as started.
This in turn, will correctly configure and start our ForeFront Identity Manager Windows Services (FIM).
At this point, it is imperative you run an IIS reset. Even better, just reboot the machine 🙂
We will now configure our User Profile Connection to our Active Directory Domain.
Navigate to Central Administration / Application Management / Manage Service Applications.
Click on User Profiles / Manage.
Click on Configure Synchronizations connections / Create New Connection.
Enter the follow details;
Type: Active Directory
Auto discover domain controller or specify a domain controller
Authentication Provider Type: Windows Authentication
Account Name / Password:
Click on Populate Containers
Your connection should now be listed as follows upon successful creation.
We can now easily setup connection filters against our Active Directory User Profile connection by clicking on the connection that was just created and selecting “Edit Connection Filters”.
Specify and Add any User or Group exclusions and then click OK.
Next we will Configure a Synchronization Timer Job via Central Administration / Application Management / Manage Service Applications / User Profiles.
We will finish off by initiating a full synchronization via Central Administration / Application Management / Manage Service Applications / User Profiles / Start Profile Synchronization.
In order to confirm that the import was a success, the Number of User Profiles should now be set to the number of users in your organization, in my case I have 269 dummy users in my Active Directory domain. Word of note; this will take some time and is considerably slower than an Active Directory User Profile import in SharePoint 2007.
You can also venture into Manage User Profiles and search for users (please take note that SharePoint 2010 does not display any users by default and that you will have to search for them).
Edit a User Profile to ensure that all the necessary Active Directory attributes were successfully imported.
We have now successfully completed a User Profile Synchronization which will form as a basis for User’s My Sites in my next article. Until then, happy SharePointing!!
User Profile Service administration (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee721050.aspx
Configure profile synchronization (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee721049.aspx