About Spencer Harbar
SharePoint Architect, Edinburgh, United Kingdom
www.harbar.net | [email protected] | @harbars
Works with Microsoft's largest enterprise customers
Works with SharePoint Product Group on Readiness
Author for MSDN & TechNet
Microsoft Certified Solutions Master | SharePoint
Microsoft Certified Architect | SharePoint 2010
Microsoft Certified Solutions Master | SharePoint Instructor & Author
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007
Most Valuable Professional | SharePoint Server
Agenda
Identity Management
User Profile Service Application Architecture
User Profile Synchronization
Active Directory Import
Demonstration
Windows PowerShell Provisioning
External Identity Manager
Importance of User Profiles
Whether you like it or not!
Importance increases significantly with SharePoint 2013
A SharePoint deployment means you ARE in the Identity Management business
Pretty much every investment area relies on Profiles for core functionality
App AuthZ, S2S, etc
SharePoint 2013 increases the dependency on User Profiles
Identity Management
Every Identity Management initiative, ever (and always):
Primarily a political endeavor, NOT a technical one
No toolset from any vendor will change this
Can make or break a large scale social deployment
Make friends with your DS admins!
Regular communication is a must!
Especially when Active Directory is externally managed
Change Control for pre-requisites
e.g. reboot of domain controllers, Windows Update, large and/or bulk updates
Replicating Directory Changes
Additional rights for property export
Lessons from the field
One of the most common causes of weak deployments, limited functionality and upgrade pain
Inadequate understanding of the UPA architecture
Federate or replicate?
Central farms, regional farms, both?
Relationship with other services
Features and design constraints drive deployment options
Lessons from the field
Inadequate planning for User Profiles
Security
Privacy
Policy
Operations
Supporting Infrastructure and related services
SQL Server
Distributed Cache
SharePoint Server Search
Managed Metadata
Business Data Connectivity
SharePoint 2013 Profile Sync Goals
Performance
Large organizations should be able to perform a full sync of AD and SharePoint data over a weekend
Reliability
IT Pros should be able to monitor the performance and stability of profile sync and have access to the information that they need to take corrective action when problems occur
Compatibility
Common Directory Service configurations should be supported, including Forefront Identity Manager and LDAP
Synchronization "modes"
Active Directory Import (ADI)
a.k.a. Direct AD Import
Lightweight LDAP approach internal to SharePoint
User Profile Synchronization (UPS)
Embedded Forefront Identity Manager
Same approach as SP2010 with improvements "under the hood"
External Identity Manager (EIM)
External Forefront Identity Manager using the SharePoint Connector
Custom Code: User Profiles Web Services and Object Model
Profile Synchronization "modes"
Diagram: the SharePoint User Profile Service Application fed by UPS (SharePoint FIM), ADI (User Profile Service Instance), EIM (External FIM) and EIM (Custom Code); the sources shown are Active Directory, a Directory, an External System reached through BCS, and an unspecified source marked "?"
Provisioning UPA and UPS
Farm Configuration Wizard (just kidding)
Central Administration
Via Manage Service Applications
Windows PowerShell
The default schema issue
The default schema issue
When the Windows PowerShell session is not under the context of the farm account:
Farm Account default schema set incorrectly in Sync DB
We will never be able to start the UPS service instance
Potential Workaround
Fix the schema manually (an unsupported change)
Solution
Log on as the Farm Account and execute the PowerShell
Non UAC environments
Get-Credential and Start-Job
UAC Environments
Start-Process -runas
Just use this one!
Both simulate interactive logon as the Farm account (Log on Locally)
Both require Local Machine Administrator
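The two launch routes above, as one provisioning script. This is an added example and not code from the deck or from Microsoft: it provisions the UPA and starts the UPS service instance, and refuses to do so unless the process really is the Farm account, which is what keeps the Sync DB default schema correct. The farm account CONTOSO\spfarm, the sync server SP-SYNC, the application pool, service application and database names are all assumed; PowerShell 3.0 is required for $PSCommandPath.

```powershell
# Provision-UPA.ps1 (added example, not from the deck). Assumed names: CONTOSO\spfarm,
# SP-SYNC, "UPA App Pool", "User Profile Service Application", UPA_Profile/Social/Sync.
param(
    [string]$FarmUser     = "CONTOSO\spfarm",
    [string]$FarmPassword = "",        # leave empty to be prompted (never put it on a command line)
    [string]$SyncServer   = "SP-SYNC"
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

if ($identity.Name -ne $FarmUser) {
    # Non-UAC route: Get-Credential + Start-Job. The job process logs on as the Farm
    # account, hence the Log on Locally and local Administrators requirements. The
    # password is handed over as a plain string in memory because a SecureString
    # encrypted by this user cannot be decrypted by a process running as another user.
    $cred = Get-Credential -UserName $FarmUser -Message "Farm account password"
    $job  = Start-Job -Credential $cred -FilePath $PSCommandPath `
                -ArgumentList $FarmUser, $cred.GetNetworkCredential().Password, $SyncServer
    Wait-Job $job | Receive-Job
    return
}
if (-not $elevated) {
    # UAC route ("just use this one"): already logged on interactively as the Farm
    # account, so only elevation is missing. Relaunch elevated; the new console prompts
    # for the password, so it never appears on the command line.
    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList `
        "-NoProfile -NoExit -ExecutionPolicy Bypass -File `"$PSCommandPath`" -FarmUser $FarmUser -SyncServer $SyncServer"
    return
}
if (-not $FarmPassword) {
    $FarmPassword = (Get-Credential -UserName $FarmUser -Message "Farm account password").GetNetworkCredential().Password
}

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = Get-SPManagedAccount -Identity $FarmUser
$appPool = Get-SPServiceApplicationPool -Identity "UPA App Pool" -ErrorAction SilentlyContinue
if (-not $appPool) {
    $appPool = New-SPServiceApplicationPool -Name "UPA App Pool" -Account $farmAccount
}

# Creates the Profile, Social and Sync databases. Because this process IS the Farm
# account, the Farm account's default schema in the Sync DB comes out right.
$upa = New-SPProfileServiceApplication -Name "User Profile Service Application" `
           -ApplicationPool $appPool -ProfileDBName "UPA_Profile" `
           -SocialDBName "UPA_Social" -ProfileSyncDBName "UPA_Sync"
New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
    -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# UPS mode only. A farm that will run Active Directory Import stops here, because
# ADI never needs the sync service instance.
$syncSvc = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Address -eq $SyncServer }
$syncSvc.Status = "Provisioning"
$syncSvc.IsProvisioned = $false
$syncSvc.UserProfileApplicationGuid = $upa.Id
$syncSvc.Update()
# Hands the embedded FIM the Farm account credentials it will run under.
$upa.SetSynchronizationMachine((Get-SPServer -Identity $SyncServer), $syncSvc.Id, $FarmUser, $FarmPassword)
Start-SPServiceInstance -Identity $syncSvc.Id | Out-Null

# FIM takes minutes to come up; poll instead of assuming success.
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $status = (Get-SPServiceInstance -Identity $syncSvc.Id).Status
} until ($status -eq "Online" -or (Get-Date) -gt $deadline)
if ($status -ne "Online") {
    throw "UPS instance is '$status' after 20 minutes. Check ULS and the Farm account's default schema in UPA_Sync."
}
"User Profile Synchronization Service is Online on $SyncServer"
```

Run it from the setup account on a non-UAC host and it re-runs itself inside a job as the Farm account; on a UAC host log on as the Farm account first, run it, and it relaunches itself elevated. The identity check at the top is the safeguard the deck is really asking for: if the process is not the Farm account, the Sync DB is not created at all rather than created with the wrong schema.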
Active Directory Import Capabilities
Get up and running with profile import as quickly as possible
Import Only!
Users and Groups
Multiple domain support
For the most common scenario (AD forest)
One connection per domain
That could be a lot of connections!
Container selection
LDAP filters
Inclusion based
Support for secondary accounts
Active Directory Import Capabilities
Custom Property Mappings
For simple data types
As SharePoint 2010
Account mappings for Windows, FBA and Trusted Identity providers
a.k.a. Shadow Accounts
Replicating Directory Changes & NetBIOS Domain Names
Replicating Directory Changes permission is still required for AD Import
Leverages a change log to drive import efficiency
DirSyncRequestControl is scoped at the domain level
Replicating Directory Changes also required on the Configuration partition
Implement immediately after creating the UPA!
NetBIOSDomainNames property still required if NetBIOS and FQDN of the domain do not match
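A pre-flight check for the two prerequisites on this slide, added here as an example and not part of the deck: it confirms that the synchronization account holds Replicating Directory Changes on both the domain naming context and the Configuration partition, and reports whether the domain's NetBIOS name differs from its DNS name (the case that needs the NetBIOS property on the UPA). It uses System.DirectoryServices only, so it runs on a domain-joined SharePoint server without the ActiveDirectory module. The account name CONTOSO\spupsync is assumed.

```powershell
# Added example, not from the deck. Assumed sync account: CONTOSO\spupsync.
# Extended-right GUID of DS-Replication-Get-Changes, shown as
# "Replicating Directory Changes" in the Active Directory permissions UI.
$ReplicatingDirectoryChanges = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

function Test-ReplicatingDirectoryChanges {
    param(
        [Parameter(Mandatory = $true)][string]$Account,     # DOMAIN\user or DOMAIN\group
        [Parameter(Mandatory = $true)][string]$PartitionDN  # domain NC or configuration NC
    )
    $entry = [ADSI]"LDAP://$PartitionDN"
    # $true,$true: explicit and inherited ACEs; identities resolved to DOMAIN\name
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.NTAccount])
    $allow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ReplicatingDirectoryChanges })
    [pscustomobject]@{ Account = $Account; Partition = $PartitionDN; HasRight = ($allow.Count -gt 0) }
}

function Get-DomainNamingInfo {
    # Reads the domain and configuration NCs from RootDSE, then the domain's crossRef
    # object under CN=Partitions, which carries the NetBIOS name and the DNS root.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = [string]$rootDse.Properties["defaultNamingContext"].Value
    $configNC = [string]$rootDse.Properties["configurationNamingContext"].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Partitions,$configNC",
        "(&(objectClass=crossRef)(nCName=$domainNC))",
        [string[]]@("nETBIOSName", "dnsRoot"))
    $crossRef = $searcher.FindOne()
    $netbios  = [string]$crossRef.Properties["netbiosname"][0]
    $dnsRoot  = [string]$crossRef.Properties["dnsroot"][0]
    [pscustomobject]@{
        DomainNC = $domainNC; ConfigNC = $configNC; NetBIOSName = $netbios; DnsRoot = $dnsRoot
        # SharePoint assumes the NetBIOS name equals the first DNS label unless told otherwise.
        NeedsNetBIOSDomainNamesEnabled = ($netbios -ne $dnsRoot.Split('.')[0])
    }
}

$syncAccount = "CONTOSO\spupsync"   # assumed
$naming  = Get-DomainNamingInfo
$results = @(
    Test-ReplicatingDirectoryChanges -Account $syncAccount -PartitionDN $naming.DomainNC
    Test-ReplicatingDirectoryChanges -Account $syncAccount -PartitionDN $naming.ConfigNC
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.HasRight }) {
    Write-Warning "Grant Replicating Directory Changes on the partitions above before creating the connection."
}
if ($naming.NeedsNetBIOSDomainNamesEnabled) {
    Write-Warning "NetBIOS name '$($naming.NetBIOSName)' differs from DNS root '$($naming.DnsRoot)': enable NetBIOS domain names on the UPA."
}
```

The check matches ACEs by the exact identity on the ACE, so if the right was granted to a group that the sync account belongs to, pass the group name instead; and the NetBIOS comparison is exactly the condition under which the last bullet applies.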
Provisioning
Provisioning the UPA will retain the default mode (User Profile Synchronization)
You can modify the properties of the UPA to configure Active Directory Import via Windows PowerShell
Provisioning
Central Administration UI can be misleading when creating connections after changing the mode.
You do NOT need to start the UPS service instance
Sync DB created but empty when UPA is provisioned
You don't need to worry about BCM for the Sync DB!
It must exist, but it IS supported to mirror/log ship an empty database
Scripting Connections
*-SPProfileSyncConnection Windows PowerShell cmdlets supported
For AD Import only, these cmdlets are NOT supported for UPS
Known Issues with Remove-SPProfileSyncConnection
• only removes the organizational unit (OU) from the profile synchronization connection
• Fix:
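The mode switch and the connection scripting from the last two slides, as an added example that is not code from the deck. It takes a freshly provisioned UPA (still in UPS mode), puts it into Active Directory Import, enables NetBIOS domain names, and adds one connection for the domain OU by OU. The UPA display name, the contoso.local / CONTOSO domain, the sync account CONTOSO\spupsync, the OU list and the site URL are assumed; the parameter names are those of the SharePoint 2013 Add-SPProfileSyncConnection cmdlet and should be confirmed with Get-Help on the farm.

```powershell
# Added example, not from the deck. Assumed: UPA display name, contoso.local/CONTOSO,
# CONTOSO\spupsync, the OU list and http://intranet.contoso.local.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }

# 1. Mode switch. NoILMUsed = do not use the embedded FIM (formerly ILM), i.e. AD Import.
Set-SPProfileServiceApplication -Identity $upa -NoILMUsed

# 2. Required when the NetBIOS name (CONTOSO) differs from the DNS name (contoso.local).
$upa = Get-SPServiceApplication -Identity $upa.Id
$upa.NetBIOSDomainNamesEnabled = $true
$upa.Update()

# 3. One connection per domain. The sync account must already hold Replicating
#    Directory Changes. These cmdlets are for AD Import only, not for UPS.
$syncCred = Get-Credential -UserName "CONTOSO\spupsync" -Message "Sync account password"
$ous = @("OU=Staff,DC=contoso,DC=local", "OU=Contractors,DC=contoso,DC=local")
# AD Import filters are inclusion based: only enabled user objects under the OUs come
# in (userAccountControl bit 2 = ACCOUNTDISABLE); everything else is never imported.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

foreach ($ou in $ous) {
    # The first call creates the connection; later calls for the same forest and domain
    # add the OU to it, which is also why Remove-SPProfileSyncConnection removes one OU.
    Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
        -ConnectionForestName "contoso.local" -ConnectionDomain "CONTOSO" `
        -ConnectionUserName $syncCred.GetNetworkCredential().UserName `
        -ConnectionPassword $syncCred.Password `
        -ConnectionSynchronizationOU $ou `
        -ConnectionFilter $ldapFilter `
        -ConnectionUseSSL $false -ConnectionUseDisabledFilter $false
}

# 4. Show what the UPA now holds. With AD Import these connections live in the
#    Profile DB, not in the Sync DB, which matters when you later switch modes.
$ctx  = Get-SPServiceContext -Site (Get-SPSite "http://intranet.contoso.local")
$upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
$upcm.ConnectionManager | Select-Object DisplayName, Type
```

Any OU, filter or mapping change after this needs a full import, so keep this script (or an XML equivalent) as the record of the configuration; the deck's advice to document the configuration is exactly this file.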
Active Directory Import Limitations
No cross forest Contact resolution
Mapping to SharePoint system properties is not supported
Those that begin with SPS-
Augmenting profiles with data from BDC is not supported
Mapping multi value to single value or vice versa is not supported
Active Directory Import Limitations
Mapping two different AD attributes to the same SharePoint property is not supported
LDAP Query Filters
Sweet UI!
Traditional LDAP queries can be used to constrain imported objects
Filters are inclusion based
As opposed to exclusion based with UPS
Maximum flexibility
With great power comes great responsibility
Just because you can, doesn't mean you should
Validate your filters with ADSIEdit
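A scripted counterpart to the "validate with ADSIEdit" advice, added here as an example and not code from the deck. Because AD Import filters are inclusion based, a filter that is one character wrong does not import too much, it silently imports nothing and the next full import marks the missing profiles for deletion. The function below runs the candidate filter against each OU of the connection, compares the hit count with the number of user objects under that OU, lists a sample of what the filter drops, and surfaces an invalid filter as an error before it reaches the connection. The OUs and the filter are constructed for the example.

```powershell
# Added example, not from the deck. Runs on any domain-joined machine.
function Test-AdImportFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Filter,   # the ConnectionFilter to validate
        [Parameter(Mandatory = $true)][string[]]$OU,     # the ConnectionSynchronizationOU values
        [int]$SampleSize = 10
    )
    # Baseline: every user object under the OU, regardless of the candidate filter.
    $allUsers = "(&(objectCategory=person)(objectClass=user))"

    foreach ($dn in $OU) {
        try {
            $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
            $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
            $searcher.PageSize = 1000           # paged search, otherwise results stop at MaxPageSize
            $searcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null

            $searcher.Filter = $allUsers
            $baseline = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] })

            $searcher.Filter = $Filter          # a malformed filter throws here, not at import time
            $kept = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] })
        } catch {
            [pscustomobject]@{ OU = $dn; Users = $null; Imported = $null; Dropped = $null; Sample = ""; Error = $_.Exception.Message }
            continue
        }
        $dropped = @($baseline | Where-Object { $kept -notcontains $_ })
        [pscustomobject]@{
            OU       = $dn
            Users    = $baseline.Count
            Imported = $kept.Count
            Dropped  = $dropped.Count
            Sample   = ($dropped | Select-Object -First $SampleSize) -join ", "
            Error    = $null
        }
    }
}

# Constructed input: the OUs and a filter that also insists on a mail attribute.
$ous    = @("OU=Staff,DC=contoso,DC=local", "OU=Contractors,DC=contoso,DC=local")
$filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))"

$report = Test-AdImportFilter -Filter $filter -OU $ous
$report | Format-Table -AutoSize
# Zero hits from an OU that does contain users almost always means a filter mistake.
if ($report | Where-Object { $_.Imported -eq 0 -and $_.Users -gt 0 }) {
    Write-Warning "The filter excludes every user in at least one OU. Fix it before running a full import."
}
```

Read the Dropped column as "profiles that will be marked for deletion after the next full import if they exist today": that is the concrete cost of the inclusion-based model the slide contrasts with UPS.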
AD Import Behaviour
A full import is required whenever a configuration change occurs:
Adding or removing OUs
Filter changes
Property mappings
After full import a purge is required
To clean up profiles which are not created as part of the import
Profiles are marked for deletion
Profile Sync Performance Improvements
Reduce full import time from up to 2 weeks down to 60 hours for extremely large directories
Batched BDC Import
Elimination of full table scans
History clean up
Removal of unused provisioning steps
Some object resolution moved from SharePoint to Sync
Operations
Provisioning the service and operational characteristics are otherwise identical to SharePoint 2010!
UPS Sync Behaviour
A full import is required whenever a configuration change occurs:
Adding or removing OUs
Filter changes
Property mappings
After full import a purge is necessary
To clean up profiles which are not created as part of the import
Profiles are marked for deletion
ADI to UPS!
Intention is to use ADI to get up and running quickly
If (when) you later need UPS:
Switch mode
Configure connections, filters and mappings
That's it!
Not intended for back and forth between modes!
Numerous bugs
Don't do it!
Switching modes
AD Import stores connections in the Profile DB
UPS stores connections in the Sync DB
Property mappings and filters are NOT moved
Manual recreation required
Or use an XML based provisioning approach
Switching Modes
Requires strong planning!
Understand the design constraints
Document the configuration!!!
Review and Purge!
Run PurgeNonImportedObjects after a full import to remove items that should not be there
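The full-import-then-purge sequence that the AD Import Behaviour, UPS Sync Behaviour and Review and Purge slides all describe, as one added example that is not code from the deck. It starts a full import, waits for it to finish, writes the list of profiles that fall outside the import scope to a file for review, and only then purges, keeping the confirmation prompt. It assumes the UPA is in Active Directory Import mode and that http://intranet.contoso.local is a site in the UPA's proxy group; StartImport and IsSynchronizationRunning are methods of the UserProfileConfigManager object.

```powershell
# Added example, not from the deck. Assumed: UPA in AD Import mode, a site at
# http://intranet.contoso.local, and C:\Temp for the review file.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa  = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$ctx  = Get-SPServiceContext -Site (Get-SPSite "http://intranet.contoso.local")
$upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)

# 1. Full import ($true). An incremental import does not pick up OU, filter or
#    mapping changes, which is why the slides insist on a full one.
if ($upcm.IsSynchronizationRunning()) { throw "An import is already running; wait for it to finish." }
$upcm.StartImport($true)

# 2. Wait. Large directories take hours, so poll with a generous timeout.
$deadline = (Get-Date).AddHours(12)
do {
    Start-Sleep -Seconds 60
} while ($upcm.IsSynchronizationRunning() -and (Get-Date) -lt $deadline)
if ($upcm.IsSynchronizationRunning()) {
    throw "Import still running after 12 hours; investigate before purging anything."
}

# 3. Review first. Profiles that this import did not create are the ones marked for
#    deletion; this lists them without removing anything.
$orphans = Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects:$true
$reviewFile = "C:\Temp\NonImportedProfiles-$(Get-Date -Format yyyyMMdd-HHmm).txt"
$orphans | Out-File -FilePath $reviewFile
"$(@($orphans).Count) profile(s) are outside the current import scope; review $reviewFile before purging."

# 4. Purge only after the list has been reviewed. Keep the confirmation prompt:
#    a bad filter plus an unattended purge is how a directory's worth of profiles disappears.
Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects:$true -Confirm
```

If the review file is much longer than the number of leavers you expect, stop: the likely cause is the filter or OU change itself, and the right fix is to correct the connection and run another full import, not to purge.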
External Identity Manager is now supported!
This option will disable Profile Sync options
Now you can use custom code or SharePoint Connector to get profile data into SharePoint
Custom code will be some implementation of System.DirectoryServices (hopefully)
SharePoint Connector for FIM
What is it?
Management Agent (MA) for Forefront Identity Manager (FIM) 2010 R2 Service Pack 1
Why use it?
No synchronization database to manage
Move UPS BCM complexity outside SharePoint
Build powerful, complete global identity solutions
Leverage all FIM Management Agents
Full Synchronization
Use existing FIM investment, expertise, and infrastructure
SharePoint Connector for FIM
Availability and Support
Ships as external download
Support for SharePoint Server 2013 now
Support for SharePoint Server 2010 in testing
Requires FIM 2010 R2 SP1
Things you need to know
Only FIM Sync Service needed
You need to create and use a metaverse rules extension
You may not be able to migrate your existing data
Example Scenario (SharePoint)
Diagram: SharePoint 2013, Active Directory, Exchange, FIM Portal, FIM and an HR SQL Database
Example Scenario (SharePoint Connector)
Diagram: the same components (SharePoint 2013, Active Directory, Exchange, FIM Portal, FIM, HR SQL Database), with one labelled "Authoritative source of user data"
SharePoint Connector
Requires significant FIM configuration and skills
FIM Management Agent
SharePoint Management Agent
Active Directory Management Agent (and potentially others)
FIM Portal Configuration
Performing Sync runs
Update-SPProfilePhotoStore
Walkthrough and guidance coming “soon”- ETA June 2014
Plan! Seriously, you MUST do this!
Think
Plan some more
Go back and do some more planning!
Do a little more planning
Plan
Rubbish In == Rubbish Out
Directory Service Health
Poor Active Directory platform hygiene
e.g. organic growth of domains and/or forests
External DS management
Impacts pretty much every product feature
Choosing the right mode...
Active Directory Import
Small to midsize company
No custom HR system, no SAP
Want a fast, single synchronization option
Does NOT require changes to default mappings
Get up and running quickly
SharePoint Profile Synchronization
Small to midsize or large company with a non-Microsoft identity solution
Slightly more complex needs such as multiple forests
Additional data systems (SAP, etc.)
SharePoint Connector with External FIM
Large company that currently uses FIM or wants to invest in an identity solution with Microsoft
Ultimate flexibility, offload the Operational Service burden from SharePoint
Decouple solution arena from SharePoint
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.