User Profile Service – SharePoint 2010 Setup guide

I’ve had to set up this service 4 times in just as many weeks, and each time I get stuck at some point along the way, so I thought I’d make a quick start guide so I remember all of the steps:

  1. Make a small sacrifice to your desired deity (I find food works well, but if headless chooks are more your thing then go for it).
  2. Make sure the October 2010, February 2011 or a later Cumulative Update has been applied and activated (these releases fix bugs with SQL named instances, support for a NetBIOS domain name that differs from the fully qualified domain name, and Central Admin running over SSL).
  3. Create an account for the User Profile Sync – This is the account that will be used to extract the user profile info from AD (we’ll call this SPADUPSync for this guide – SharePoint Active Directory User Profile Sync)
  4. In AD, grant the account the Replicating Directory Changes permission. This is a read-only right (the account does not write to AD), but it authorises the account to pull changes for every object in the naming context the same way another domain controller would, so treat its credentials as sensitive. Grant only Replicating Directory Changes, never Replicating Directory Changes All: the "All" variant additionally exposes password hashes.
    1. In AD Users & Computers, right-click the domain you want the account to read accounts from and click Delegate Control
    2. Add the SPADUPSync account (or whatever AD Account name you are using)
    3. Create a Custom Task to Delegate, then a few clicks of the “Next” button, then
    4. Select the Replicating Directory Changes permission and click Next. Note: if your NetBIOS name is different from the fully qualified domain name of the domain, you will need to grant the same permission on the Configuration Naming Context (I have not run across an environment where this is the case; more info can be found here).
  5. If your design calls for the ability to write updates back to AD, then you will also need to grant the "Create Child Objects" permission on the OUs you are planning on syncing. Together with "Write All Properties" (below) this lets the SPADUPSync account change any attribute of any object under those OUs, not only the handful of profile properties SharePoint exports, so ensure you have documented approval before this right is applied, keep the write-back OUs to the minimum, and remember that a compromised sync account could write bogus data into AD.
    1. In AD Users & Computers, click View –> Advanced Features
    2. Find the OUs you are syncing and open Properties on each one
    3. Security Tab –> Advanced
      1. Select the SPADUPSync account (the one with <not inherited> in the “Inherited From” field) and click Edit; if it’s not there click “Add”…
      2. Select “Write All Properties” and “Create Child Objects”, then apply that to “This object and all its descendant objects”
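As an added example (not from the original post), here are the rights from steps 4 and 5 granted with the Windows Server 2008 R2 ActiveDirectory module instead of clicking through the wizard, followed by an audit that shows which replication rights the account ended up with. It assumes the account is named SPADUPSync as above, that you replace the OU names in $writeBackOUs with your own, and that you run it as a Domain Admin on a machine with RSAT installed. One deliberate tightening over step 5 that the original does not describe: the write-back ACEs are scoped to user objects only, rather than "This object and all its descendant objects".

```powershell
# Added example, not from the original post. Grants the step 4 and step 5 rights
# to the sync account with the ActiveDirectory module, then audits the result.
# Placeholders: the account name and the OU list.
Import-Module ActiveDirectory

$syncAccount  = 'SPADUPSync'                                    # AD read account from step 3
$writeBackOUs = @('OU=Staff,DC=corp,DC=example')                # placeholder; only needed for write-back (step 5)

# Control-access-right and class GUIDs from the AD schema (constant across forests).
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # "Replicating Directory Changes"
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # "Replicating Directory Changes All": never grant this here
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$domain   = Get-ADDomain
$domainNC = $domain.DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext
$sid      = (Get-ADUser $syncAccount).SID

function Grant-Ace {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Step 4: read-only replication right on the domain NC. This is the same right a
# DC uses to pull changes, so the account can read every non-secret attribute in
# the NC in bulk; keep its password out of scripts and documents.
$replRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::ExtendedRight, $Allow, $GetChanges, $Inherit::None)
Grant-Ace $domainNC $replRule
# The Configuration NC only needs it when the NetBIOS and DNS names differ.
if ($domain.NetBIOSName -ne $domain.DNSRoot.Split('.')[0]) { Grant-Ace $configNC $replRule }

# Step 5 (optional write-back): create child objects of class user, and write
# properties on user objects only, instead of on every descendant object.
foreach ($ou in $writeBackOUs) {
    Grant-Ace $ou (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::CreateChild, $Allow, $UserClass, $Inherit::All))
    Grant-Ace $ou (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::WriteProperty, $Allow, $Inherit::Descendents, $UserClass))
}

# Audit: list the replication rights the account holds on the domain NC. Seeing
# "Changes All" here means the account could pull password hashes (DCSync).
function Get-ReplicationRights {
    param([string]$Account)
    $who = "$($domain.NetBIOSName)\$Account"
    (Get-Acl -Path "AD:\$domainNC").Access |
        Where-Object { $_.IdentityReference.Value -eq $who -and $_.ObjectType -ne [Guid]::Empty } |
        ForEach-Object {
            switch ($_.ObjectType) {
                $GetChanges    { 'Replicating Directory Changes' }
                $GetChangesAll { 'Replicating Directory Changes All - REMOVE' }
            }
        }
}
Get-ReplicationRights $syncAccount
```

Run Get-ReplicationRights again after any later "tidy up" of AD permissions; the audit is cheap and it is the only one of these ACEs that matters from an attacker's point of view. If the FIM export genuinely needs to touch objects other than users, widen the inheritedObjectType on the WriteProperty rule rather than falling back to "all descendants".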
  6. Grant your farm account the right to log on locally on the server that will run this service (if you have more than one SharePoint box, this would probably be your admin server, not a WFE). In Local Security Policy, go to Security Settings -> Local Policies -> User Rights Assignment and add the account to the Allow Log On Locally policy. If it is set at the group policy level, engage your local friendly SysAdmin.
  7. Add the Farm account to the Local Admin group (Don’t worry though, it’s just so we can get the Forefront Identity Management (FIM) services set up properly – it’s not required after this is finished, so it can be removed once we’re done here).
    1. If you did not have the farm account set up as a local admin, and you now do, you will need to reboot the machine so the new settings take effect. Logging off and on does not work because some of the SharePoint services are still running under the farm account.
  8. Finally, if you are using a SQL Alias for your SharePoint Farm (and you should be, it makes moving database servers easier in the future), do yourself a favour:
    1. Create a DNS or Hosts file entry for the Alias name on all SharePoint servers – I have come across an instance once where a supported SharePoint Add-on from Microsoft assumed the database name used to connect SharePoint to the database reflected the NetBIOS name of the server
    2. To ensure that the FIM services restart after a reboot, Under Distributed Transaction Coordinator in the Component Services Admin Tool on the SharePoint servers:
      1. Right-click Local DTC and open the Properties
      2. On the Security Tab, enable "Network DTC Access" and "Allow Remote Clients" (this exposes the MSDTC RPC endpoint to remote callers, so make sure it is reachable only from the SQL server and the other farm members)
      3. Click OK and accept any necessary warnings
  9. Create the Web App and site collection that will host the My Sites; use the "My Site Host" template (under the "Enterprise" tab) to do so. Get any DNS names set up and the Alternate Access Mappings configured before proceeding further, as you want the URLs to be fixed: once you have created the User Profile Service Application, there is no way to change the URL except by going through this process again.
  10. Create a new User Profile Service Application using the following properties:
    1. Any name you want – I normally name mine “User Profile Svc App – Default”, to identify the purpose of this service app and the Service App profile it will belong to
    2. Create a new application pool, or reuse the app pool that the other Service Applications are using (you have to weigh up here the isolation and robustness of the application vs the amount of CPU & RAM an additional app pool will take in IIS)
    3. Name the Databases anything you want (I normally have a naming convention for databases that includes the application, environment and purpose of the database so that the DBA knows what they are for as well)
    4. Select the machine that will run the FIM Service, and enter the URL for your My Site
    5. Adjust the rest of the values as required, then click Create

You’ll notice that everything up until this point has been pretty easy. This is where you’ll start earning your pay, because the next step is where, if it’s going to fail, it will fail. However, there is one thing you can do to make things easier: open up your favourite ULS log file viewer (this one is mine, because it has realtime farm monitoring, can run in the system tray and has email alerting: http://sharepointlogviewer.codeplex.com/) and filter the Category to User Profiles. If you have been following the process up until this point, you will avoid most of the problems; I’ll cover off the ones I’ve hit at the end.

  1. In “Manage Services on Server”, pick the server running the User Profile Sync and start the User Profile Service.
  2. Click “Start” on the User Profile Sync Service, and enter the password for the Farm service account.
  3. Click OK, and monitor the Logs – you will see a whole stack of ILM Configuration entries – once you see the one that says
    UserProfileApplication.SynchronizeMIIS: End Setup
    you’re done starting the FIM service
  4. Run IISReset
  5. Remove the Farm account from the Local Admin group
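As an added example (not from the original post), step 10 and the five "start the services" steps above as one repeatable script using the SharePoint 2010 cmdlets, with the ULS watch automated instead of done by eye in a log viewer. It assumes you run it in the SharePoint 2010 Management Shell on the server that will run FIM, while the farm account is still a local admin (step 7); the service application name, database names, farm account name and My Site URL are placeholders, and Get-SPLogEvent only reads the local server's logs, which is why it has to run on the sync server.

```powershell
# Added example, not from the original post: step 10 plus the "start the
# services" steps as a script. Run in the SharePoint 2010 Management Shell on
# the FIM server while the farm account is still a local admin. Placeholders:
# farm account, My Site URL, service app and database names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$syncServer  = $env:COMPUTERNAME                     # machine that will run the FIM service (step 10.4)
$farmAccount = 'CORP\spfarm'                         # placeholder farm account
$mySiteUrl   = 'http://mysites.corp.example'         # My Site Host from step 9 (placeholder)
$farmPwd     = Read-Host -AsSecureString 'Farm account password'   # never hard-code it

# Step 10.2: reuse the shared service-app pool if it exists, otherwise create one.
$poolName = 'SharePoint Service Applications'
$pool = Get-SPServiceApplicationPool $poolName -ErrorAction SilentlyContinue
if (-not $pool) { $pool = New-SPServiceApplicationPool -Name $poolName -Account $farmAccount }

# Step 10: the service application, its three databases and the proxy.
$upa = New-SPProfileServiceApplication -Name 'User Profile Svc App - Default' `
           -ApplicationPool $pool -MySiteHostLocation $mySiteUrl `
           -ProfileDBName 'SP2010_PROD_UPA_Profile' `
           -SocialDBName 'SP2010_PROD_UPA_Social' `
           -ProfileSyncDBName 'SP2010_PROD_UPA_Sync'
New-SPProfileServiceApplicationProxy -Name "$($upa.Name) Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Steps 1-2: start the User Profile Service, then the sync service with the farm
# account credentials (this is what the Central Admin password prompt does).
$ups  = Get-SPServiceInstance | Where-Object { $_.TypeName -eq 'User Profile Service' -and $_.Server.Name -eq $syncServer }
$sync = Get-SPServiceInstance | Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' -and $_.Server.Name -eq $syncServer }
Start-SPServiceInstance $ups | Out-Null

$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($farmPwd)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$startedAt = Get-Date
$upa.SetSynchronizationMachine($syncServer, $sync.Id, $farmAccount, $plain)
$plain = $null
Start-SPServiceInstance $sync | Out-Null

# Step 3: watch the local ULS log for the "End Setup" line. Returns $true on
# success, $false when the ILM configuration error from the troubleshooting
# section shows up, or after the timeout (the "hangs on Starting" case).
function Wait-ForSyncSetup {
    param([datetime]$Since, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $events = Get-SPLogEvent -StartTime $Since | Where-Object { $_.Category -eq 'User Profiles' }
        if ($events | Where-Object { $_.Message -like '*SynchronizeMIIS: End Setup*' }) { return $true }
        if ($events | Where-Object { $_.Message -like '*Failed to configure ILM*' }) { return $false }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Wait-ForSyncSetup -Since $startedAt) {
    iisreset | Out-Null                                              # step 4
    net localgroup Administrators $farmAccount /delete | Out-Null    # step 5: drop the temporary admin right
    'FIM services configured'
} else {
    "Sync service did not reach 'End Setup'; check the User Profiles ULS entries since $startedAt"
}
```

The farm account is only removed from Administrators on the success path on purpose: if setup failed you will usually have to start the sync service again, and it needs the right until FIM is configured. If it failed, do remove the right by hand once you are done troubleshooting.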

Now we need to configure the OU’s we want to import User Profiles from.

  1. Go into the User Profile settings (under “Manage Service Applications” – you can just click the User Profile Service link)
  2. Create a new Synchronization Connection
    1. Enter a Name for the connection, the Domain Name, the Username and password of the AD Sync Account (in this example, it’s SPADUPSync)
    2. Populate the Containers, then tick the OU’s that contain users and click OK
  3. Start the Synchronization.

Where it says “Profile Synchronization Status”, if you see “Synchronising” there, the import has not finished… so don’t bother testing things like the Org Chart Browser and Profile properties until it’s done. The page does not auto-refresh either, so you’ll have to give it a little “nudge” every now and again to see progress.

Just a couple more steps, and then some issue troubleshooting…

If you want to write SharePoint properties back to AD and you have set up the “Create Child Objects” permissions in AD for the account used to do the AD Sync, you will need to go and recreate the User Properties. Unfortunately there’s no way to modify them, you need to delete and recreate them. Before you delete them, take a note of the value in the “Attribute” column so you can use it when you recreate it (saves you time).

Troubleshooting

All of the issues I’ve experienced so far only appear when trying to start the User Profile Sync services. The only one I have come across since following this process was just recently for a UK Investment company; under specific AD and Group Policy configurations (I don’t know which ones exactly, as I’ve only seen it once) it is possible that the provisioning will fail because the Farm Account does not have an SPN set (user accounts normally do not). The actual error is:

UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun.

Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.
     at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
     at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
     at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)
     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()
     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()
     at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)
     at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance)
The Zone of the assembly that failed was: MyComputer.

It appears as two errors in the ULS logs (you know, the ones we were monitoring before we tried to start the services) and the fix (according to this guy from Microsoft) is an easy one: register a dummy SPN on the farm account. It is the farm account, not the SPADUPSync read account, that needs it: GrantSQLRightsToServiceAccount in the stack trace is looking up the account the FIM service runs as, and that is the farm account. With the farm account called FarmAccount as a placeholder, the syntax is:

setspn -a NONE/NONE DomainName\FarmAccount

Note the plain hyphen before the a; a typographic dash copied from a web page is not recognised as a switch. SPNs must be unique within the forest, so if more than one farm account in the same forest needs this workaround, give each its own dummy name (run setspn -Q NONE/NONE first to see whether the name is already registered).
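An added example (not from the original post) that does the same thing with the ActiveDirectory module but checks first: it only adds the dummy SPN when the account really has none (the condition the error describes), and refuses to add it when another object already owns that SPN, since a duplicate SPN breaks Kerberos for whichever service legitimately uses the name. The account name is a placeholder.

```powershell
# Added example, not from the original post. Adds the dummy SPN only when it is
# safe and actually needed. Placeholder: the farm account name.
Import-Module ActiveDirectory

function Add-DummySpn {
    param([string]$Account, [string]$Spn = 'NONE/NONE')
    $user = Get-ADUser $Account -Properties servicePrincipalName
    if ($user.servicePrincipalName -contains $Spn) {
        return "$Account already has $Spn"
    }
    if ($user.servicePrincipalName.Count -gt 0) {
        # The S4U failure above is about an account with no SPN at all; an account
        # that already has SPNs has a different problem.
        return "$Account already has SPNs ($($user.servicePrincipalName -join ', ')); the dummy entry is not the fix"
    }
    # SPNs must be unique in the forest: do not create a duplicate.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
    if ($owner) {
        throw "$Spn is already registered on $($owner.DistinguishedName); choose a unique dummy name"
    }
    Set-ADUser $user -ServicePrincipalNames @{Add = $Spn}
    return "Added $Spn to $Account"
}

Add-DummySpn -Account 'spfarm'          # placeholder farm account
```

If the name is taken, pass a different one, e.g. -Spn 'NONE/SPFARM-PROD'; any unique string in the service/host form works as a placeholder.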

Things you may want to do from this point:

  • Limit the profiles imported to just those that are active (not disabled): http://www.harbar.net/archive/2011/02/22/323.aspx
  • Do not import accounts that follow a specific naming convention (like ones that start with Svc_ or ones that have Secure in their name): same link as above (http://www.harbar.net/archive/2011/02/22/323.aspx)
  • Configure the People Picker / user lookup fields in SharePoint to match only on user principal name, given name, surname or display name. The value is an LDAP filter; note the leading (| that ORs the four clauses:
    stsadm -o setproperty -url http://yourwebapp -pn peoplepicker-searchadcustomquery -pv "(|(userPrincipalName={0}*)(givenName=*{0}*)(sn=*{0}*)(displayName=*{0}*))"

This guy has a process to follow, compliments of Microsoft Premier Support if the User Profile Sync Service in SharePoint hangs on Starting (where it is in a “Starting” state for 15 or more minutes) – http://myspexp.com/2011/04/28/user-profile-synchronization-servicehangs-on-starting-i-fixed-it/

Spence Harbar has some info on his blog as well – this is what I used to use when I started to create User Profiles, although I find this article a bit “preachy”… http://www.harbar.net/articles/sp2010ups.aspx

Good luck, and let me know how you go.

Brad


About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

5 Responses to User Profile Service – SharePoint 2010 Setup guide

  1. Han Duong says:

    Thanks Brad

  2. Shafaqat Ali says:

    I am using same command but getting this message
    setspn –a NONE/NONE OWSTimerAccount
    Unknown parameter NONE/NONE. Please check your usage.

    • Brad Saide says:

      Hi Shafaqat – have you tried the command with the domain name before the account name as per the example? If it still does not work, have a look at the help message (enter setspn /help to see it on the screen).
