Upload: keven-leavens

Post on 14-Dec-2015


Comprehensive User Profile Synchronization
Spencer Harbar, Architect

SPC406

About Spencer Harbar
SharePoint Architect, Edinburgh, United Kingdom
www.harbar.net | [email protected] | @harbars

Works with Microsoft's largest enterprise customers
Works with SharePoint Product Group on Readiness
Author for MSDN & TechNet

Microsoft Certified Solutions Master | SharePoint
Microsoft Certified Architect | SharePoint 2010
Microsoft Certified Solutions Master | SharePoint Instructor & Author
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007
Most Valuable Professional | SharePoint Server

Agenda

Identity Management

User Profile Service Application Architecture

User Profile Synchronization

Active Directory Import

Demonstration

Windows PowerShell Provisioning

External Identity Manager

Identity Management and SharePoint Social

Importance of User Profiles

Whether you like it or not!

A SharePoint deployment means you ARE in the Identity Management business

Importance increases significantly with SharePoint 2013

SharePoint 2013 increases the dependency on User Profiles

Pretty much every investment area relies on Profiles for core functionality

e.g. App authorization (AuthZ), server-to-server (S2S) authentication, etc.

Identity Management ("IdM")

Every Identity Management initiative, ever (and always):

10% Technology

90% Everything else!

Primarily a political endeavor, NOT a technical one

No toolset from any vendor will change this

Can make or break a large scale social deployment

Make friends with your DS admins!

Regular communication is a must!

Especially when Active Directory is externally managed

Change Control for pre-requisites

e.g. Replicating Directory Changes permission, additional rights for property export

e.g. Reboot of domain controllers, Windows Update, large and/or bulk updates

User Profile Service Architecture

Lessons from the field

Inadequate understanding of the UPA architecture

One of the most common causes of weak deployments, limited functionality and upgrade pain

Features and design constraints drive deployment options

Federate or replicate?

Central farms, regional farms, both?

Relationship with other services

Lessons from the field

Inadequate planning for User Profiles

Security, Privacy, Policy, Operations

Supporting Infrastructure and related services

SQL Server, Distributed Cache, SharePoint Server Search, Managed Metadata, Business Data Connectivity

SharePoint 2013 Profile Sync Goals

Performance: Large organizations should be able to perform a full sync of AD and SharePoint data over a weekend

Reliability: IT Pros should be able to monitor the performance and stability of profile sync and have access to the information that they need to take corrective action when problems occur

Compatibility: Common Directory Service configurations should be supported, including Forefront Identity Manager and LDAP

Synchronization "modes"

Active Directory Import (ADI)

a.k.a. Direct AD Import

Lightweight LDAP approach internal to SharePoint

User Profile Synchronization (UPS)

Embedded Forefront Identity Manager

Same approach as SP2010 with improvements "under the hood"

External Identity Manager (EIM)

External Forefront Identity Manager using the SharePoint Connector

Custom Code: User Profiles Web Services and Object Model

Profile Synchronization "modes" (diagram)

Active Directory, BCS and External System feed UPS (SharePoint FIM), which feeds the User Profile Service Application

Active Directory feeds ADI (User Profile Service Instance), which feeds the User Profile Service Application

Directory feeds EIM (External FIM) or EIM (Custom Code), which feed the User Profile Service Application

Provisioning UPA and UPS

Provisioning UPA and UPS

Farm Configuration Wizard (just kidding)

Central Administration, via Manage Service Applications

Windows PowerShell: the default schema issue

The default schema issue

When the Windows PowerShell session is not under the context of the farm account, the Farm Account default schema is set incorrectly in the Sync DB

We will never be able to start the UPS service instance

Potential Workaround: fix the schema manually, an unsupported change

Solution: log on as the Farm Account and execute the PowerShell

Non UAC environments: Get-Credential and Start-Job

UAC environments: Start-Process -runas (just use this one!)

Both simulate interactive logon as the Farm account (Log on Locally)

Both require Local Machine Administrator

"External" file:

Script to call external file:
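An added example (not the script shown in the session) of the "Solution" above: one script that relaunches itself under the farm account when it is not already running as that account, then creates the UPA and proxy in that context so the Sync DB default schema is set for the right principal. The farm account CONTOSO\spfarm, the application pool name and the three database names are assumptions; Start-Process -Credential is used for the relaunch, which is this example's reading of the slide's "Start-Process -runas".

```powershell
# Provision-UPA.ps1: creates the UPA under the farm account's own logon context.
# Assumptions (not from the session): farm account CONTOSO\spfarm, application
# pool "SharePoint Services", database names UPA_Profile / UPA_Social / UPA_Sync.
param(
    [string]$FarmAccount = 'CONTOSO\spfarm',
    [string]$AppPoolName = 'SharePoint Services',
    [string]$UpaName     = 'User Profile Service Application'
)

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name

if ($me -ne $FarmAccount) {
    # Wrong context: relaunch this same file as the farm account. Start-Process
    # -Credential performs an interactive-style logon, so the farm account needs
    # "Allow log on locally" and the caller must be a local administrator.
    $cred = Get-Credential -UserName $FarmAccount -Message 'Farm account password'
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"",
                '-FarmAccount', $FarmAccount,
                '-AppPoolName', "`"$AppPoolName`"",
                '-UpaName',     "`"$UpaName`"")
    $p = Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs `
                       -Credential $cred -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Provisioning failed with exit code $($p.ExitCode)" }
    return
}

# From here on we ARE the farm account, so New-SPProfileServiceApplication
# creates the Sync DB with the farm account's default schema set correctly and
# the UPS service instance can be started later.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
try {
    $pool = Get-SPServiceApplicationPool -Identity $AppPoolName
    $upa  = New-SPProfileServiceApplication -Name $UpaName -ApplicationPool $pool `
                -ProfileDBName 'UPA_Profile' -SocialDBName 'UPA_Social' `
                -ProfileSyncDBName 'UPA_Sync'
    New-SPProfileServiceApplicationProxy -Name "$UpaName Proxy" `
                -ServiceApplication $upa -DefaultProxyGroup | Out-Null
    Write-Host "Created '$($upa.DisplayName)' running as $me"
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

In a non-UAC environment the same relaunch can be done with Start-Job -Credential $cred -FilePath, as the slide lists. Under UAC the relaunched process runs with the farm account's filtered (non-elevated) token; if the provisioning cmdlets fail with an access error, fall back to the slide's literal solution and run the file from an elevated console in a session logged on as the farm account.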

Demonstration

Provisioning UPA using Windows PowerShell

Active Directory Import

Get up and running with profile import as quickly as possible

Active Directory Import Capabilities

Import Only!

Users and Groups

Multiple domain support, for the most common scenario (AD forest)

One connection per domain (that could be a lot of connections!)

Container selection

LDAP filters, inclusion based

Support for secondary accounts

Active Directory Import Capabilities

Custom Property Mappings, for simple data types, as SharePoint 2010

Account mappings for Windows, FBA and Trusted Identity providers, a.k.a. Shadow Accounts

Replicating Directory Changes & NetBIOS Domain Names

Leverages a change log to drive import efficiency

DirSyncRequestControl is scoped at the domain level

Replicating Directory Changes permission is still required for AD Import

Implement immediately after creating the UPA!

Replicating Directory Changes also required on the Configuration partition

NetBiosDomainNames property still required if NetBIOS and FQDN of the domain do not match

Provisioning

Provisioning the UPA will retain the default mode (User Profile Synchronization)

You can modify the properties of the UPA to configure Active Directory Import via Windows PowerShell

Central Administration UI can be misleading when creating connections after changing the mode.

You do NOT need to start the UPS service instance

Sync DB created but empty when UPA is provisioned

You don't need to worry about BCM (business continuity management) for the Sync DB! It must exist, but it IS supported to mirror/log ship an empty database

Scripting Connections

*-SPProfileSyncConnection Windows PowerShell cmdlets supported

For AD Import only, these cmdlets are NOT supported for UPS

Known Issues with Remove-SPProfileSyncConnection

• only removes the organizational unit (OU) from the profile synchronization connection

• Fix:

Active Directory Import Limitations

No cross forest Contact resolution

Mapping to SharePoint system properties (those that begin with SPS-) is not supported

Augmenting profiles with data from BDC is not supported

Mapping multi value to single value or vice versa is not supported

Mapping two different AD attributes to the same SharePoint property is not supported

LDAP Query Filters

Sweet UI!

Traditional LDAP queries can be used to constrain imported objects

Filters are inclusion based, as opposed to exclusion based with UPS

Maximum flexibility

With great power comes great responsibility

Just because you can, doesn't mean you should

Validate your filters with ADSIEdit

AD Import Behaviour

A full import is required whenever a configuration change occurs: adding or removing OUs, filter changes, property mappings

After full import a purge is required, to clean up profiles which are not created as part of the import

Profiles are marked for deletion
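An added example, not from the session, that walks through the AD Import set-up the preceding slides describe (Replicating Directory Changes, switching the UPA to AD Import, an inclusion-based LDAP filter, the connection cmdlet, full import and purge) and adds the check a practitioner wants: the filter is run against AD with System.DirectoryServices before SharePoint ever sees it, the scripted equivalent of "validate your filters with ADSIEdit". The domain contoso.com, the sync account CONTOSO\spsync and the OU are assumptions; StartImport($true) is the full-import call used in community scripts and should be confirmed on your build.

```powershell
# Assumed names (not from the session): domain contoso.com, sync account
# CONTOSO\spsync, import scope OU=Staff. Steps 1 and 2 run once after the UPA
# is created; step 1 needs a domain admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa         = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*User Profile*' }
$domain      = 'contoso.com'
$domainDN    = 'DC=contoso,DC=com'
$syncAccount = 'CONTOSO\spsync'
$ou          = 'OU=Staff,DC=contoso,DC=com'
# Inclusion filter: user objects only, excluding disabled accounts
# (userAccountControl bit 2 tested with the LDAP_MATCHING_RULE_BIT_AND rule).
$ldapFilter  = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 1. Replicating Directory Changes on the domain partition and, as the slide
#    says, on the Configuration partition as well. Grant nothing broader.
dsacls $domainDN                  /G "${syncAccount}:CA;Replicating Directory Changes"
dsacls "CN=Configuration,$domainDN" /G "${syncAccount}:CA;Replicating Directory Changes"

# 2. Switch the UPA from the default (UPS) to AD Import: NoILMUsed = no embedded
#    FIM. Enable NetBIOS handling in case NetBIOS and FQDN names differ.
$upa.NoILMUsed                 = $true
$upa.NetBiosDomainNamesEnabled = $true
$upa.Update()

# 3. Validate the filter against the directory before committing it. Zero hits
#    means the filter is broken; a count far above headcount means it is too broad.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ou"
$searcher.Filter     = $ldapFilter
$searcher.PageSize   = 1000            # page results so large OUs are not truncated
$count = $searcher.FindAll().Count
if ($count -eq 0) { throw "LDAP filter matched nothing under $ou; fix it before importing." }
Write-Host "Filter matches $count objects under $ou"

# 4. Create the connection. These cmdlets are supported for AD Import only.
$pwd = Read-Host -AsSecureString "Password for $syncAccount"
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $domain -ConnectionDomain 'CONTOSO' `
    -ConnectionUserName 'spsync' -ConnectionPassword $pwd `
    -ConnectionSynchronizationOU $ou -ConnectionFilter $ldapFilter

# 5. A full import is required after any connection, filter or mapping change.
$upa.StartImport($true)   # $true = full import (assumed method; verify on your build)
Write-Host 'Full import started; watch "Manage Profile Service" in Central Administration until it completes.'

# 6. Only once that full import has finished: mark profiles that were not part
#    of the import for deletion (the "Review and Purge!" step).
if ((Read-Host 'Has the full import completed? (y/n)') -eq 'y') {
    $upa.PurgeNonImportedObjects()
}
```

Keep the filter, OU list and mappings in source control alongside this script; because every change to them forces a full import, a reviewed diff is the cheapest way to know why a weekend import was triggered.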

Demonstration

Active Directory Import

User Profile Synchronization

Profile Sync Performance Improvements

Reduce full import time from up to 2 weeks down to 60 hours for extremely large directories

Batched BDC Import

Elimination of full table scans

History clean up

Removal of unused provisioning steps

Some object resolution moved from SharePoint to Sync

Removed Provisioning Stages (diagram comparing the SharePoint Server 2010 and SharePoint Server 2013 provisioning stages)

Operations

Provisioning the service and operational characteristics are otherwise identical to SharePoint 2010!

Provisioning UPS with Windows PowerShell

UPS Sync Behaviour

A full import is required whenever a configuration change occurs: adding or removing OUs, filter changes, property mappings

After full import a purge is necessary, to clean up profiles which are not created as part of the import

Profiles are marked for deletion

Demonstration

User Profile Synchronization

Switching Modes

ADI to UPS!

Intention is to use ADI to get up and running quickly

If (when) you later need UPS: switch mode, then configure connections, filters and mappings. That's it!

Not intended for back and forth between modes! Numerous bugs. Don't do it!

Switching modes

AD Import stores connections in the Profile DB

UPS stores connections in the Sync DB

Property mappings and filters are NOT moved; manual recreation required

Or use an XML based provisioning approach

Switching Modes

Requires strong planning!

Understand the design constraints

Document the configuration!!!

Review and Purge!

Run PurgeNonImportedObjects after a full import to remove items that should not be there
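An added example, not from the session, of the one-way ADI to UPS switch above together with the "Provisioning UPS with Windows PowerShell" step: it refuses to run if the UPA is not in AD Import mode, writes the existing AD Import connection objects to XML (the "XML based" record you will recreate the UPS connections from, since nothing is carried into the Sync DB), flips the mode, binds the UPS service instance to this server under the farm account and waits for it to come Online. The farm account CONTOSO\spfarm, the site URL and the output path are assumptions; SetSynchronizationMachine is called with the argument order used in community provisioning scripts and should be confirmed on your build.

```powershell
# Assumed names (not from the session): farm account CONTOSO\spfarm, site
# http://intranet.contoso.com for the service context, sync host = this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*User Profile*' }
if (-not $upa.NoILMUsed) { throw 'UPA is already in UPS mode; this switch is one-way, nothing to do.' }

# 1. Record what AD Import had. Connections, filters and mappings live in the
#    Profile DB and are NOT moved to the Sync DB, so this export is the only
#    machine-readable record of them once the mode changes.
$ctx = Get-SPServiceContext -Site 'http://intranet.contoso.com'
$cm  = (New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)).ConnectionManager
$exportPath = 'C:\Scripts\adimport-connections.xml'
$cm | Export-Clixml -Path $exportPath
Write-Host "Exported $(@($cm).Count) AD Import connection(s) to $exportPath"

# 2. Flip the mode. Do not go back: the session warns of numerous bugs.
$upa.NoILMUsed = $false
$upa.Update()

# 3. Bind the UPS service instance to this server with the farm account and start
#    it. This is the step that never completes when the Sync DB default schema
#    was created under the wrong PowerShell context.
$farm   = 'CONTOSO\spfarm'
$pass   = Read-Host "Password for $farm"      # the API wants the clear-text password
$server = Get-SPServer -Identity $env:COMPUTERNAME
$sync   = Get-SPServiceInstance -Server $server |
          Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' }
$upa.SetSynchronizationMachine($server.Name, $sync.Id, $farm, $pass)   # assumed argument order
$pass = $null
Start-SPServiceInstance -Identity $sync | Out-Null

# 4. Poll until Online. Stuck at "Provisioning" is the classic symptom of the
#    default schema issue; in that case check the Sync DB and the ULS logs.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $sync = Get-SPServiceInstance -Identity $sync.Id
    Write-Host "$(Get-Date -Format T) UPS status: $($sync.Status)"
} while ($sync.Status -ne 'Online' -and (Get-Date) -lt $deadline)
if ($sync.Status -ne 'Online') { throw 'UPS service instance did not reach Online within 15 minutes.' }

# 5. Now recreate the connections, filters and mappings for UPS in Central
#    Administration from the exported XML (the *-SPProfileSyncConnection cmdlets
#    are not supported for UPS). After the first full sync has completed, purge:
# $upa.PurgeNonImportedObjects()
```

Run it from an elevated console while logged on as the farm account; the clear-text password is cleared from the variable as soon as the binding call returns, but it still transits the process, so do not run this from a shared jump host with transcript logging turned on.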

External Identity Manager

External Identity Manager is now supported!

This option will disable Profile Sync options

Now you can use custom code or SharePoint Connector to get profile data into SharePoint

Custom code will be some implementation of System.DirectoryServices (hopefully)
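An added example, not from the session, of the "custom code" flavour of External Identity Manager: System.DirectoryServices reads users from a directory and the User Profile object model writes the values into SharePoint profiles, creating a profile where none exists and touching only properties whose value actually changed. The site URL, the OU, the attribute-to-property mapping and the claims form of the account name (i:0#.w|CONTOSO\sam for Windows accounts) are assumptions.

```powershell
# Assumed names (not from the session): site http://intranet.contoso.com,
# OU=Staff in contoso.com, Windows claims accounts of the form i:0#.w|CONTOSO\sam.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ctx = Get-SPServiceContext -Site 'http://intranet.contoso.com'
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# Directory side: same inclusion filter an AD Import connection would use.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://OU=Staff,DC=contoso,DC=com'
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize   = 1000
'sAMAccountName', 'givenName', 'sn', 'mail', 'department' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

# AD attribute -> built-in SharePoint profile property name (assumed mapping).
$map = @{ givenName = 'FirstName'; sn = 'LastName'; mail = 'WorkEmail'; department = 'Department' }

$seen    = @{}
$updated = 0
foreach ($r in $searcher.FindAll()) {
    $sam     = [string]$r.Properties['samaccountname'][0]
    $account = "i:0#.w|CONTOSO\$sam"
    $seen[$account] = $true

    # Create on first sight, otherwise update in place.
    $up = if ($upm.UserExists($account)) { $upm.GetUserProfile($account) }
          else                           { $upm.CreateUserProfile($account) }

    $changed = $false
    foreach ($attr in $map.Keys) {
        # Missing attribute in AD means an empty value in SharePoint, so that a
        # cleared department does not linger in the profile.
        $val = if ($r.Properties.Contains($attr)) { [string]$r.Properties[$attr][0] } else { '' }
        if ([string]$up[$map[$attr]].Value -ne $val) {
            $up[$map[$attr]].Value = $val
            $changed = $true
        }
    }
    if ($changed) { $up.Commit(); $updated++ }
}

# Accounts that exist in SharePoint but no longer match the directory query are
# reported, not deleted: removal is a decision for the review-and-purge step.
$orphans = @(foreach ($p in $upm) { if (-not $seen.ContainsKey($p.AccountName)) { $p.AccountName } })
Write-Host "Updated $updated profile(s); $($orphans.Count) profile(s) have no matching directory object:"
$orphans | ForEach-Object { Write-Host "  $_" }
```

Because this path bypasses both ADI and UPS, nothing in SharePoint records when a property was last synchronized or from where; log the run (source, filter, counts) yourself, as that is the evidence you will want when a profile value is disputed.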

SharePoint Connector for FIM

What is it? Management Agent (MA) for Forefront Identity Manager (FIM) 2010 R2 Service Pack 1

Why use it?

No synchronization database to manage

Move UPS BCM complexity outside SharePoint

Build powerful, complete global identity solutions

Leverage all FIM Management Agents

Full Synchronization

Use existing FIM investment, expertise, and infrastructure

SharePoint Connector for FIM

Availability and Support

Ships as external download

Support for SharePoint Server 2013 now

Support for SharePoint Server 2010 in testing

Things you need to know

Requires FIM 2010 R2 SP1

Only FIM Sync Service needed

You need to create and use a metaverse rules extension

You may not be able to migrate your existing data

Example Scenario (SharePoint) (diagram): SharePoint 2013, Active Directory, Exchange, FIM, FIM Portal, HR SQL Database

Example Scenario (SharePoint Connector) (diagram): SharePoint 2013, Active Directory, Exchange, FIM Portal, FIM, HR SQL Database, with an "Authoritative source of user data" label

SharePoint Connector

Requires significant FIM configuration and skills:

FIM Management Agent

SharePoint Management Agent

Active Directory Management Agent (and potentially others)

FIM Portal Configuration

Performing Sync runs

Update-SPProfilePhotoStore

Walkthrough and guidance coming "soon", ETA June 2014

Wrap Up

Plan! Seriously, you MUST do this!

Think. Plan some more.

Go back and do some more planning!

Do a little more planning. Plan.

Rubbish In == Rubbish Out

Directory Service Health

Poor Active Directory platform hygiene impacts pretty much every product feature

e.g. organic growth of domains and/or forests

External DS management

Choosing the right mode…

Active Directory Import: small to midsize company; no custom HR system, no SAP; want a fast, single synchronization option; does NOT require changes to default mappings; get up and running quickly

SharePoint Profile Synchronization: small to midsize or large company with a non-Microsoft identity solution; slightly more complex needs such as multiple forests; additional data systems (SAP, etc.)

SharePoint Connector with External FIM: large company that currently uses FIM or wants to invest in an identity solution with Microsoft; ultimate flexibility, offload the operational service burden from SharePoint; decouple the solution arena from SharePoint


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.