Configure Active Directory (AD) Synchronization for SharePoint 2010

Apr 04



Step 1 – Prerequisites

Account needed for Syncing

We need an account set up for the AD profile synchronization. Let’s call it “Service-spADsync”; we need to configure a couple of things on this account in AD:

  1. Add “Replicate Directory Changes” permission
    1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
    3. On the first page of the Delegation of Control Wizard, click Next.
    4. In the Users or Groups page, click Add.
    5. Type the name of the synchronization account, and then click OK.
    6. Click Next.
    7. In the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
    8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
    9. On the Permissions page, in the Permissions box, select Replicate Directory Changes, and then click Next.
    10. Click Finish.
  2. Add account to “Pre-Windows 2000 Compatible Access” group
    1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. In Active Directory Users and Computers, expand the domain, expand Builtin, right-click Pre-Windows 2000 Compatible Access, and then click Properties.
    3. In the Properties dialog box, select the Members tab, and then click Add.
    4. Type the name of the synchronization account, and then click OK.
    5. Click OK.
  3. Grant Replicate Directory Changes permission on the cn=configuration container
    1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
    2. In ADSI Edit, if the Configuration node is not already present, select ADSI Edit, on the Action menu click Connect to, in the Connection Point area of the Connection Settings dialog box select Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
    3. Expand the Configuration node, right-click the CN=Configuration… node, and then click Properties.
    4. In the Properties dialog box, select the Security tab.
    5. In the Group or user names section, click Add.
    6. Type the name of the synchronization account, and then click OK.
    7. In the Group or user names section, select the synchronization account.
    8. In the Permissions section, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click OK.
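The three sub-steps above grant the sync account read-only replication rights on the domain and configuration naming contexts plus membership in Pre-Windows 2000 Compatible Access. The script below is an added verification script, not part of the original post: it reads the ACLs of both naming contexts and reports whether the account holds the Replicating Directory Changes control access right, and separately whether it holds the much broader Replicating Directory Changes All right, which the profile sync does not need and which this procedure never grants. It assumes the RSAT ActiveDirectory module is installed on the machine it runs on and that the account name matches “Service-spADsync” from above; the two GUIDs are the well-known schema constants for those rights, not values taken from the page.

```powershell
# Added verification script (not from the original post). Assumes the RSAT
# ActiveDirectory module and that $SyncAccount matches the account created above.
Import-Module ActiveDirectory

$SyncAccount = 'Service-spADsync'                      # assumption: account name from Step 1
$Domain      = (Get-ADDomain).NetBIOSName
$Identity    = "$Domain\$SyncAccount"

# Well-known control access right GUIDs (schema constants, not page-specific values)
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$root = Get-ADRootDSE
$contexts = @{
    'Domain'        = $root.defaultNamingContext          # sub-step 1 (Delegate Control on the domain)
    'Configuration' = $root.configurationNamingContext    # sub-step 3 (ADSI Edit on CN=Configuration)
}

foreach ($name in $contexts.Keys) {
    $dn  = $contexts[$name]
    $acl = Get-Acl -Path "AD:\$dn"

    # Only extended-right ACEs granted directly to the sync account are of interest
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0)
    }

    [pscustomobject]@{
        NamingContext          = $name
        ReplicateDirChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $GetChanges })    # required
        ReplicateDirChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $GetChangesAll }) # should be False
    }
}

# Sub-step 2: membership in the Pre-Windows 2000 Compatible Access builtin group
$member = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Recursive |
          Where-Object { $_.SamAccountName -eq $SyncAccount }
[pscustomobject]@{ PreWin2000CompatibleAccess = [bool]$member }
```

Run it from an elevated PowerShell prompt on a domain-joined machine with RSAT; the expected result after following the three sub-steps is ReplicateDirChanges True on both naming contexts, ReplicateDirChangesAll False on both, and PreWin2000CompatibleAccess True. A True in the ReplicateDirChangesAll column means more than this procedure grants and is worth removing.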

Forefront Services

On the box that will be running the “User Profile Synchronization Service”:

Go to Start > Administrative Tools > Services

Set both “Forefront Identity Manager Service” and “Forefront Identity Manager Synchronization Service” to run under your farm account, set them to start automatically, and then start both services.

Step 2 – Delete any current User Profile Service Application (Optional)

I like to delete the current “User Profile Service Application” that gets created if you use the wizard to create your farm. I will be creating my own in the next step.

Under Central Administration > Application Management > Manage Service Applications

Select “User Profile Service Application” and then select Delete from the ribbon bar

Select “Delete data associated with the Service Application”

Press “OK”

Press “OK”

Step 3 – Create New User Profile Service Application

Under Central Administration > Application Management > Manage Service Applications

Select “User Profile Service Application” under the “New” button on the ribbon bar

If you do not have “User Profile Service” installed then you will have more options than the couple of options listed below. Just fill out all the appropriate information to create the application. Other options that will appear are things like creating the Profile DB and other options related to My Sites.

Name: AD Sync – User Profile Service Application

Create a new application pool called WSS_ADSYNC

Select the account to use for the application pool; I use my farm account which also runs all other service applications

Press “Create”

Press “OK”

Step 4 – Configure the Service

Under Central Administration > System Settings > Manage services on server

Press “Start” next to “User Profile Synchronization Service”

Select the “AD Sync – User Profile Service Application” that you just created

Enter the password for the service account you are using

Press “OK”

The service will be stuck at “Starting” for several minutes; this process can take up to 20 minutes. Refresh the page to determine whether the service has started yet. If the service does not start, check the “Forefront Identity Manager Synchronization Service” in the local computer’s services and make sure it is not disabled.

After the “User Profile Synchronization Service” shows as being started, run an IISRESET on the server that is running the “User Profile Synchronization Service”

Start > Run > CMD (make sure you see “Administrator:” in the title bar, or you might get an access denied error when trying to perform an IISRESET)

Type in “IISRESET”

Step 5 – Configure connections and import data from Active Directory

Under Central Administration > Application Management > Manage Service Applications

Select “AD Sync User Profile Service Application” and then select Manage from the ribbon bar or you can just click the name “AD Sync User Profile Service Application”

Click “Configure Synchronization Connections”

Click “Create New Connection”

I named the connection “AD Sync Connection”

The type is “Active Directory”

The Forest name is “PINTOLAKE”

The Authentication Provider Type is “Windows Authentication”

Enter the Service Account we created in Step 1 and the password

The port for AD is “389”

Select “Populate Containers”; this will populate your AD container tree in the window below

Select the containers you want to sync or press “Select All”; for this particular install we are going to select all

Press “OK”

SharePoint will process your request

You should now see your connection listed. If you get an error try again, sometimes it times out while trying to make the connection to AD. Just try to configure a new connection again.
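Before creating the connection, or when the “Create New Connection” page keeps timing out, it helps to confirm from the SharePoint server itself that the sync account can bind to a domain controller on port 389 and can see the containers that “Populate Containers” would list. The script below is an added pre-flight check, not part of the original post. It assumes the account name from Step 1 and the forest from Step 5 (“PINTOLAKE”), locates a domain controller through the current domain, prompts for the sync account password, and then enumerates the top-level containers and counts the user objects visible to that account over a plain LDAP bind on the same port the connection will use.

```powershell
# Added pre-flight check (not from the original post). Assumes the sync account
# and forest names used in the post; the bind uses the same port as Step 5.
Add-Type -AssemblyName System.DirectoryServices

$Forest      = 'PINTOLAKE'                       # assumption: forest name from Step 5
$SyncAccount = "$Forest\Service-spADsync"        # assumption: account from Step 1
$Port        = 389                               # port entered in Step 5
$Auth        = [System.DirectoryServices.AuthenticationTypes]::Secure

# Prompt for the sync account password rather than embedding it in the script
$cred     = Get-Credential $SyncAccount
$password = $cred.GetNetworkCredential().Password

# Let the DC locator pick a domain controller for the domain this server is joined to
$server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name

# Bind to RootDSE as the sync account to prove the credentials and port work at all
$rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($server):$Port/RootDSE", $SyncAccount, $password, $Auth)
$defaultNc = $rootDse.Properties['defaultNamingContext'].Value
"Bound to $server on port $Port as $SyncAccount; default naming context is $defaultNc"

$domainRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($server):$Port/$defaultNc", $SyncAccount, $password, $Auth)

# Top-level OUs and containers: what the Populate Containers button will show
$containers = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$containers.SearchScope = 'OneLevel'
$containers.Filter      = '(|(objectClass=organizationalUnit)(objectClass=container))'
$containers.PropertiesToLoad.Add('distinguishedName') | Out-Null
"Containers visible to the sync account:"
foreach ($c in $containers.FindAll()) { "  " + $c.Properties['distinguishedname'][0] }

# Count user objects the account can read; a noticeably low count suggests
# the account is missing read access somewhere in the tree
$users = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$users.SearchScope = 'Subtree'
$users.PageSize    = 1000
$users.Filter      = '(&(objectCategory=person)(objectClass=user))'
$users.PropertiesToLoad.Add('sAMAccountName') | Out-Null
"User objects readable by the sync account: " + $users.FindAll().Count
```

If the RootDSE bind fails, the problem is credentials, the port, or a firewall between the SharePoint server and the domain controller, and retrying the connection page in Central Administration will not help until that is fixed.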

Step 6 – Synchronization Options (Optional)

There are a couple of options you can go through before you start synchronization:

  1. Define connection filters – use this if you want to filter which objects are imported from AD

Under Central Administration > Application Management > Manage Service Applications

Select “AD Sync User Profile Service Application” and then select Manage from the ribbon bar or you can just click the name “AD Sync User Profile Service Application”

Click “Configure Synchronization Connections” then pull the drop down menu on your connection then select “Edit Connection Filters”

  2. Map User Profile Properties – this option already has a number of preconfigured fields, but you might need to change some of them or add new mappings

Under Central Administration > Application Management > Manage Service Applications

Select “AD Sync User Profile Service Application” and then select Manage from the ribbon bar or you can just click the name “AD Sync User Profile Service Application”

Click “Manage User Properties” under the “People” section

Step 7 – Start Profile Synchronization

Under Central Administration > Application Management > Manage Service Applications

Select “AD Sync User Profile Service Application” and then select Manage from the ribbon bar or you can just click the name “AD Sync User Profile Service Application”

Under “Synchronization” select “Start Profile Synchronization”

Select “Start full Synchronization”

Press “OK”

You should now see that the “Profile Synchronization Status” has changed to “Synchronizing” and the “Current Synchronization Stage” has changed to “Active Directory Import (xxx)”. Watch this for a while and make sure the (xxx) increases in value; this is the number of objects being imported from AD.

Start of Sync

During Syncing

By default the job will run every day at 1:00 AM; you can change this from:

Select “AD Sync User Profile Service Application” and then select Manage from the ribbon bar or you can just click the name “AD Sync User Profile Service Application”

Under “Synchronization” select “Configure Synchronization Timer Job”
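The same information (and the schedule change) can be read from a SharePoint 2010 Management Shell on a farm server. The script below is an added example, not part of the original post: it finds the User Profile Service Application created in Step 3, lists the profile synchronization timer jobs attached to the farm with their current schedule and last run time, and shows the Set-SPTimerJob call that changes the schedule. The wildcard used to select the jobs is an assumption, because the post refers to the jobs only through the Central Administration page; check the DisplayName column before changing anything.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell, or load the snap-in first as below.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The service application created in Step 3 (name from the post)
$upa = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq 'AD Sync – User Profile Service Application' }
if (-not $upa) { throw 'User Profile Service Application not found; check the name from Step 3' }

# Assumption: the synchronization timer jobs carry the application name and
# the word "Synchronization" in their display name
$syncJobs = Get-SPTimerJob | Where-Object {
    $_.DisplayName -like "*$($upa.DisplayName)*" -and $_.DisplayName -like '*Synchronization*'
}

# Current schedule (the post's default is daily at 1:00 AM) and last execution
$syncJobs | Select-Object DisplayName, Schedule, LastRunTime | Format-List

# To move a job to 2:00 AM, uncomment the line below after confirming $job is the
# job you mean; the schedule string uses the SharePoint recurrence grammar.
# $job = $syncJobs | Select-Object -First 1
# Set-SPTimerJob -Identity $job -Schedule 'daily between 02:00:00 and 02:00:00'
```

Reviewing LastRunTime after the first full synchronization is a quick way to confirm the timer job actually ran rather than only the manual run from Step 7.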
