
Configure Active Directory (AD) Synchronization for SharePoint 2010 | JPPinto.com - T...


JPPinto.com Tech Blog



http://www.jppinto.com/2011/04/configure-active-directory-ad-synchronization-for-sharepo... 5/8/2013

Configure Active Directory (AD) Synchronization for SharePoint 2010

Step 1 Prerequisites
Account needed for Syncing
We need an account set up for the AD profile synchronization. Let's call it Service-spADsync. We need to configure a couple of things on this account in AD:

1. Add Replicate Directory Changes permission
   1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
   3. On the first page of the Delegation of Control Wizard, click Next.
   4. In the Users or Groups page, click Add.
   5. Type the name of the synchronization account, and then click OK.
   6. Click Next.
   7. In the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
   8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
   9. On the Permissions page, in the Permissions box, select Replicate Directory Changes, and then click Next.
   10. Click Finish.

2. Add account to Pre-Windows 2000 Compatible Access group
   1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   2. In Active Directory Users and Computers, expand the domain, expand Builtin, right-click Pre-Windows 2000 Compatible Access, and then click Properties.
   3. In the Properties dialog box, select the Members tab, and then click Add.
   4. Type the name of the synchronization account, and then click OK.
   5. Click OK.

3. Grant Replicate Directory Changes permission on the cn=configuration container
   1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
   2. In ADSI Edit, if the Configuration node is not already present, select ADSI Edit, on the Action menu click Connect to, in the Connection Point area of the Connection Settings dialog box select Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
   3. Expand the Configuration node, right-click the CN=Configuration node, and then click Properties.
   4. In the Properties dialog box, select the Security tab.
   5. In the Group or user names section, click Add.
   6. Type the name of the synchronization account, and then click OK.
   7. In the Group or user names section, select the synchronization account.
   8. In the Permissions section, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click OK.
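Added example (not from the original post): a read-only PowerShell audit that confirms the delegation in items 1 and 3 above landed on both naming contexts, and that the sync account did not end up with the broader Replicating Directory Changes All right, which these steps do not grant. It assumes the RSAT ActiveDirectory module and the account name Service-spADsync used in this guide; the helper name Get-ReplicationRightHolder is hypothetical.

```powershell
# Added example, not from the original post. Read-only audit of directory
# replication rights on the domain and configuration naming contexts.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Control access right GUIDs for the two replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AllRightsGuid = [Guid]::Empty.ToString()   # ACE not scoped to a single right

# Hypothetical helper name: lists every Allow ACE that grants a replication
# right, either explicitly or through an unscoped "all extended rights" ACE.
function Get-ReplicationRightHolder {
    param([Parameter(Mandatory = $true)][string[]]$NamingContext)

    foreach ($nc in $NamingContext) {
        foreach ($ace in (Get-Acl -Path "AD:\$nc").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ($ace.ActiveDirectoryRights -band $ExtendedRight)) { continue }

            $guid = $ace.ObjectType.ToString()
            if ($ReplicationRights.ContainsKey($guid)) {
                $right = $ReplicationRights[$guid]
            } elseif ($guid -eq $AllRightsGuid) {
                $right = 'All extended rights (includes replication)'
            } else {
                continue
            }
            New-Object PSObject -Property @{
                NamingContext = $nc
                Principal     = $ace.IdentityReference.Value
                Right         = $right
                Inherited     = $ace.IsInherited
            }
        }
    }
}

$root     = Get-ADRootDSE
$contexts = $root.defaultNamingContext, $root.configurationNamingContext
$found    = @(Get-ReplicationRightHolder -NamingContext $contexts)

# Full picture first: every principal that can replicate directory data.
$found | Sort-Object NamingContext, Principal |
    Format-Table NamingContext, Principal, Right, Inherited -AutoSize

# Then the sync account from Step 1: it should hold the plain right on each
# naming context and nothing broader.
$syncAccount = 'Service-spADsync'
foreach ($nc in $contexts) {
    $mine = @($found | Where-Object {
        $_.NamingContext -eq $nc -and $_.Principal -like "*\$syncAccount" })
    if (-not ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes' })) {
        Write-Warning "$syncAccount lacks Replicating Directory Changes on $nc"
    }
    if ($mine | Where-Object { $_.Right -ne 'Replicating Directory Changes' }) {
        Write-Warning "$syncAccount holds more than the guide delegates on $nc"
    }
}
```

Rights granted through group membership show up under the group's name, so review the table as well as the warnings.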

Forefront Services
On the box that will be running the User Profile Synchronization Service:
Go to Start > Administrative Tools > Services
Set both Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service to run under your farm account, set them to start automatically, and start both services

Step 2 Delete any current User Profile Service Application (Optional)


I like to delete the current User Profile Service Application that gets created if you use the wizard to create your farm; I will be creating my own in the next step.
Under Central Administration > Application Management > Manage Service Applications
Select User Profile Service Application and then select Delete from the ribbon bar
Select Delete data associated with the Service Application
Press OK
Press OK

Step 3 Create New User Profile Service Application


Under Central Administration > Application Management > Manage Service Applications
Select User Profile Service Application under the New button on the ribbon bar

If you do not have User Profile Service installed then you will have more options than the couple of options listed below. Just fill out all the appropriate information to create the application. Other options that will appear are things like creating the Profile DB and other options related to My Sites.
Name: AD Sync User Profile Service Application
Create a new application pool called WSS_ADSYNC
Select the account to use for the application pool; I use my farm account which also runs all other service applications
Press Create
Press OK

Step 4 Configure the Service


Under Central Administration > System Settings > Manage services on server
Press Start next to User Profile Synchronization Service
Select the AD Sync User Profile Service Application that you just created
Enter the password for the service account you are using
Press OK

The service will be stuck at Starting for several minutes; this process can take up to 20 minutes. Refresh the page to determine if the service has started yet. If the service does not start, check the Forefront Identity Manager Synchronization Service in the services on the local computer and make sure it is not disabled.

After the User Profile Synchronization Service shows as being started, run an IISRESET on the server that is running the User Profile Synchronization Service:
Start > Run > CMD (make sure you see Administrator: in the title bar or you might get an access denied error when trying to perform an IISRESET)
Type in IISRESET

Step 5 Configure connections and import data from Active Directory


Under Central Administration > Application Management > Manage Service Applications
Select AD Sync User Profile Service Application and then select Manage from the ribbon bar, or just click the name AD Sync User Profile Service Application
Click Configure Synchronization Connections
Click Create New Connection
I named the connection AD Sync Connection
The type is Active Directory
The Forest name is PINTOLAKE
The Authentication Provider Type is Windows Authentication
Enter the Service Account we created in Step 1 and the password
The port for AD is 389
Select Populate Containers; this will populate your AD information in the window below
Select the containers you want to sync or press Select All; for this particular install we are going to select all
Press OK
SharePoint will process your request

You should now see your connection listed. If you get an error, try again; sometimes it times out while trying to make the connection to AD. Just try to configure a new connection again.

Step 6 Synchronization Options (Optional)

There are a couple of options you can go through before you start synchronization:

1. Define connection filters: this is if you want to filter information from the AD sync
   Under Central Administration > Application Management > Manage Service Applications
   Select AD Sync User Profile Service Application and then select Manage from the ribbon bar, or just click the name AD Sync User Profile Service Application
   Click Configure Synchronization Connections, then pull down the drop-down menu on your connection and select Edit Connection Filters

2. Map User Profile Properties: this option already has a bunch of preconfigured fields but you might need to change some of them or reconfigure existing ones
   Under Central Administration > Application Management > Manage Service Applications
   Select AD Sync User Profile Service Application and then select Manage from the ribbon bar, or just click the name AD Sync User Profile Service Application
   Click Manage User Properties under the People section

Step 7 Start Profile Synchronization

Under Central Administration > Application Management > Manage Service Applications
Select AD Sync User Profile Service Application and then select Manage from the ribbon bar, or just click the name AD Sync User Profile Service Application
Under Synchronization select Start Profile Synchronization
Select Start full Synchronization
Press OK

You should now see that the Profile Synchronization Status has changed to Synchronizing and the Current Synchronization Stage has changed to Active Directory Import (xxx). Watch this for a while and make sure the (xxx) increases in value; this is the number of objects being imported from AD.

Start of Sync

During Syncing

By default the job will run every day at 1:00 AM; you can change this from:
Select AD Sync User Profile Service Application and then select Manage from the ribbon bar, or just click the name AD Sync User Profile Service Application
Under Synchronization select Configure Synchronization Timer Job


Tags: AD Sync, SharePoint 2010 AD Synchronization, Syncing AD to SharePoint


This entry was posted on Monday, April 4th, 2011 at 8:05 am and is filed under Active Directory, SharePoint 2010.

Comments (17)

Ragu 92 weeks ago
You are fantastic... After a great struggle, I bumped up on your page and followed every step and got this working. I can't thank you enough... Ragu

Ramesh 90 weeks ago
This is a very nice article!!! Very good..

Akbar (EvoboY) 89 weeks ago
Very helpful post, worked like a charm. Cheers mate.

Brian 86 weeks ago
Let's look at this possible scenario:
- full import completed, all properties are mapped to import
- the telephone field/property (for example) is then changed to export
- a new user is added to AD, all properties added including telephone number
- will this still import the telephone number?
OR
- would the first sync after the user is added, not import the telephone, then subsequent sync could theoretically 'blank' the telephone number out in AD as it is set to export?

paul 57 weeks ago
Did you ever get an answer for this? This is my exact question.

MikeF 84 weeks ago
I cannot thank you enough, this got me past the spot I was stuck at. Bless you sir.

GaryD 76 weeks ago
This is what I was looking for that Microsoft, for whatever reason, does not include in their documentation. HOWEVER! When you state the account to use in AD, you call it the Sync account (Service-spADsync). There is, on the FIM server, a synchronization service account that is created in Active Directory. And there is an Active Directory account (according to their instructions but no info beyond that as to what to do with it). This account you refer to, which is it? FIM Sync account or the AD account?

Louis 75 weeks ago
After struggling for three weeks to get UPS working I stumbled upon your page - and after following it step by step it's finally working. You're a star!!

Akhil 63 weeks ago
I bow down to thee.. this is the most definitive guide out there.. thanks a ton! I must add that in Step 3 after I created a new user profile application my FIM services got stopped and set to Disabled. So I had to change the services back to Automatic and start them up before I ran the ..the rest of the guide was a breeze from that point.

@kmtaotao 62 weeks ago
great one!

Alexander 61 weeks ago
Self-service web-part to fill AD profiles on SharePoint: http://www.harepoint.com/Products/HarePointSelfSe... WBR, Alexander

Barry McConnell 59 weeks ago
Actually it is bidirectional, it just isn't easy... see http://www.harbar.net/articles/sp2010ups.aspx

greg 37 weeks ago
Thanks a lot for your article! It was very helpful for me!

Alecarfersa 32 weeks ago
Hi! I just followed your instructions. When I started the User Profile Sync, all SharePoint sites give me 403 forbidden error. Any suggestion?

Prathima 29 weeks ago
thanks

Abid 16 weeks ago
It didn't work for me. I have created new user service profile and at the time of synchronization, the data connection is different than the one I have created. For example, I have created ad_sync user profile and it is showing in FIM also but at the same time I can see MOSS-08539245-84c4-4311-a3c0-c1bd584e5787 data connection with type "extensible connectivity". Users are not synchronized yet :(

jjenkins 11 weeks ago
Thanks! Here's more help for errors I encountered: If you get error clicking on User Profile Service Application - update SharePoint to all latest hotfixes (worked for me). If you then get error page trying clicking 'ok' after populating containers w/AD info - do this (worked for me):
1. Stop UPSS (User Profile Sync Service)
2. Make the following change on the App SharePoint Server
3. Click Start --> Run --> GPEdit.msc Computer Configuration Windows Security Settings Local policies Security Options "Network security: LDAP client signing requirements", set the parameter value on "None" (by default it will set to 'Negotiate Signing', details can be found on 'Explain' tab)
4. Run "gpupdate /force" without quotes on command prompt
5. Restart UPSS

2013 JPPinto.com, John P Pinto. All Rights Reserved.