SharePoint 2010 User Profile Sync

The SharePoint 2010 User Profile Synchronization component is complex to implement and fragile once implemented. We ran into a lot of issues getting this functionality working in our environment. The following are the steps we went through to successfully start User Profile Synchronization, plus some information that helps maintain it in a production environment.

How to start User Profile Synchronization:
We followed Spence Harbar's best-practices guide to start User Profile Synchronization in our environment.

The primary requirements for configuring and starting User Profile Synchronization are:
a. A service account (the managed account that performs the import) that has been granted the Replicating Directory Changes permission on the Active Directory domain.
b. The latest cumulative update (CU) for SharePoint 2010. At the time of writing the recommended CU is the August 2010 CU. NOTE: the October 2010 CU has known issues and should not be applied in the environment.

Here is a good diagram of the SharePoint 2010 User Profile Synchronization architecture, once again from Spence Harbar's blog.

The primary components that make up User Profile Synchronization are:
i. Forefront Identity Manager Service (the FIM service)
ii. Forefront Identity Manager Synchronization Service (the FIM sync engine)
iii. User Profile Service Application

The above diagram shows how they are related in the architecture.

Active Directory Requirement:
• Grant the Replicating Directory Changes permission on the domain to the managed account that will perform the sync. Grant only "Replicating Directory Changes", not "Replicating Directory Changes All": the latter also allows the account to replicate secrets (password hashes), which the profile import does not need.
• In Active Directory Users and Computers, right-click the domain, choose Delegate Control… and click Next
• Add the managed account, click Next
• Select Create a Custom Task to Delegate, click Next
• Click Next
• Select the Replicating Directory Changes permission and click Next
• Click Finish
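The same grant can be made and verified from the command line with dsacls (part of the AD DS tools / RSAT), which is easier to script and to audit than the Delegate Control wizard. This is an added example and not part of the original post; the domain DN and account name are placeholders, and it must be run as an account allowed to modify the domain's ACL.

```powershell
# Added example: grant and verify "Replicating Directory Changes" for the sync account with dsacls.
# Assumptions (substitute your own): domain DN and the managed account used for the profile import.
$domainDn = "DC=contoso,DC=com"    # assumption: distinguished name of the domain being imported
$syncAcct = "CONTOSO\sp_ups"       # assumption: the managed account that performs the sync

# /G grants an ACE; "CA" selects a control-access (extended) right, named after the semicolon.
# Deliberately NOT "Replicating Directory Changes All" - that right also replicates secrets.
dsacls $domainDn /G "$($syncAcct):CA;Replicating Directory Changes"

# Verify: dsacls with no switches lists the ACL; the account should appear with exactly this right.
$acl = dsacls $domainDn
$granted = $acl | Where-Object {
    $_ -match [regex]::Escape($syncAcct) -and $_ -match "Replicating Directory Changes"
}
$tooMuch = $granted | Where-Object { $_ -match "Replicating Directory Changes All" }

if (-not $granted) { Write-Warning "No 'Replicating Directory Changes' ACE found for $syncAcct on $domainDn" }
elseif ($tooMuch)  { Write-Warning "$syncAcct holds 'Replicating Directory Changes All' - remove it, the sync does not need it" }
else               { "OK: $syncAcct has Replicating Directory Changes on $domainDn" }
```

Run the verification half on its own periodically: an account holding "Replicating Directory Changes All" on the domain can pull every password hash, so it is worth confirming nobody has widened the grant since it was delegated.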

We also need to decide where to start the User Profile Synchronization service. This service is not load balanced: a User Profile Service Application can be connected to only one User Profile Synchronization service instance at any point in time.

This means that with one User Profile Service Application in the environment, the User Profile Synchronization service can run on only one server. When you start the service on a server (ideally one set up in the application server role), it prompts you to select the User Profile Service Application it should serve.

NOTE: This service always runs as the farm account. You cannot use a different service application account to run it. While the service is being provisioned the farm account must also be a local administrator on the server that will run it; the membership can be removed once the service is Online.

Start the User Profile Synchronization Service:
• Identify the server where you want to start the service
• Go to Central Administration > System Settings > Manage services on server
• Select the proper server from the server drop-down list
• Click Start next to "User Profile Synchronization Service" and select the User Profile Service Application when prompted

NOTE: Be patient. This process can take anywhere from 15 to 30 minutes to start the service successfully.

Known issues: User Profile Synchronization Service stays in the Starting state
• Give it at least 30 minutes before you take any drastic action
• You can force stop and then restart the service using PowerShell
o Get-SPServiceInstance -Server "Servername"
o Stop-SPServiceInstance -Identity "<GUID of the User Profile Synchronization Service instance>"
• Verify whether there are errors from the FIM services in the Application event log
FIM generally logs two errors stating that it cannot communicate with the SQL databases. These are expected and nothing to worry about.
Perform an IIS reset.
If necessary, reboot the server and then click Start on the service again. If it still does not start after repeated attempts, check the firewall settings on the server or, if you have another server in the farm, try starting the service on that server.
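Scripting the start makes the wait, the status check and the forced stop repeatable. The following is an added example, not code from the original post: it binds the User Profile Service Application to the sync instance on one server, starts it, polls for the 30 minutes the post recommends, and on failure dumps recent FIM event-log errors and forces the instance back to stopped. Server name, farm account and the event-source patterns are assumptions; the farm account must be a local administrator on the sync server while this runs.

```powershell
# Added example: provision the User Profile Synchronization Service from PowerShell and wait for it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$syncServer  = "SP-APP01"          # assumption: the application server that will run the sync service
$farmAccount = "CONTOSO\sp_farm"   # assumption: the farm account (the service always runs as it)
$farmPass    = Read-Host "Password for $farmAccount" -AsSecureString

# SetSynchronizationMachine needs the password in clear; decode it and zero the buffer afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($farmPass)
try     { $plainPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$upsa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$sync = Get-SPServiceInstance -Server $syncServer |
        Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }

# Tie this service application to this one sync instance (only one can be connected at a time).
$upsa.SetSynchronizationMachine($syncServer, $sync.Id, $farmAccount, $plainPass)
Start-SPServiceInstance -Identity $sync.Id | Out-Null

# Provisioning normally takes 15-30 minutes: poll once a minute for up to 30 before doing anything drastic.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $sync = Get-SPServiceInstance -Identity $sync.Id
    "$(Get-Date -Format T) status: $($sync.Status)"
} while ($sync.Status -eq "Provisioning" -and (Get-Date) -lt $deadline)

if ($sync.Status -ne "Online") {
    # Show what FIM logged in the last hour. Two "cannot communicate with SQL" errors are expected noise;
    # anything else is the real clue. Source names are assumptions matched loosely.
    Get-EventLog -LogName Application -EntryType Error -After (Get-Date).AddHours(-1) |
        Where-Object { $_.Source -like "*Forefront*" -or $_.Source -like "FIM*" } |
        Select-Object TimeGenerated, Source, EventID, Message | Format-List

    # Force the instance out of Provisioning so it can be started again (then iisreset / reboot if needed).
    Stop-SPServiceInstance -Identity $sync.Id -Confirm:$false | Out-Null
    Write-Warning "Sync service on $syncServer did not reach Online; instance stopped for a retry."
}
```

Run it from the server that will host the sync service, in an elevated SharePoint 2010 Management Shell. If the instance is stopped by the script, check the firewall (ports are listed further down) before retrying, or retry on another farm server as the post suggests.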

Debugging FIM service issues:
• See the linked post Generate Debug log for FIM in SharePoint 2010 for the XML configuration changes that enable FIM debug logging.

Manage User Profile Service application:

Once the profile synchronization service has started successfully, we can configure connections for profile import and start synchronization. In order to do so, we need to go to “Manage User Profile Service Application”.

Creating new profile import connection:

Connecting to Active Directory:

Select the appropriate containers and save connection.

If you have issues while saving the connection, verify the following:
• Do you have the latest CU installed in the environment?
• Are any firewall rules blocking connections from the Central Administration server to the server running the User Profile Synchronization Service? FIM uses ports 5725 and 5726, and the SharePoint 2010 Web Services use ports 32843, 32844, 32845 and 32846.
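The following added example (not from the original post) checks both points from the Central Administration server: it attempts a TCP connection to each of the ports listed above on the sync server and prints the farm build so you can compare it with the CU you expect. The server name is an assumption; the port roles are exactly those the post names. Note that 5725/5726 only listen once the FIM services are running, so run this after the sync service shows Online.

```powershell
# Added example: test reachability of the FIM and SharePoint web-service ports, and report the farm build.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$syncServer = "SP-APP01"   # assumption: the server running the User Profile Synchronization Service
$ports = @{
    5725  = "FIM"
    5726  = "FIM"
    32843 = "SharePoint 2010 Web Services"
    32844 = "SharePoint 2010 Web Services"
    32845 = "SharePoint 2010 Web Services"
    32846 = "SharePoint 2010 Web Services"
}

# Plain TcpClient with a timeout; works on Windows 2008 / PowerShell 2.0 where Test-NetConnection does not exist.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # no answer: filtered/blocked
        $client.EndConnect($async)    # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"Farm build: $((Get-SPFarm).BuildVersion)   (compare with the CU you intended to install)"
foreach ($port in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -ComputerName $syncServer -Port $port) { "open" } else { "BLOCKED or not listening" }
    "{0,-6} {1,-30} {2}" -f $port, $ports[$port], $state
}
```

A port reported as blocked when the service is Online points at a firewall rule (host firewall or a device between subnets); a port that is refused rather than timing out usually means the service on the sync server is not running.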

Connection Filters:

Connection filters allow us to exclude unnecessary objects from the profile synchronization. The functionality is very basic (simple attribute comparisons) and cannot express complex filtering.

Start User Profile Synchronization:

Once you have the connection configured properly, you can start full synchronization of profiles. By default, User Profile Synchronization only brings in “USERS” and “GROUPS”.

Just click on “Start Profile Synchronization” and select “Full”.

Once you have kicked off the synchronization, the FIM client gives a better idea of how Synchronization is proceeding.

There are 6 stages to User Profile Synchronization:

1. DS_FULLIMPORT – Imports data from Active Directory
2. DS_FULLSYNC – Synchronizes the imported data internally (on the first sync this inserts everything; later syncs reconcile internally)
3. MOSS_EXPORT – Exports data to SharePoint Profile Database
4. MOSS_SYNC – Synchronizes data in the SharePoint Profile Database
5. DS_DELTASYNC – Perform Delta sync internally
6. DS_EXPORT – Perform exports to SharePoint

Soon to follow:

Deep Dive into the FIM Client

Additional Tips & Tricks:
• Deleting a directory connection will delete My Sites (see "Avoid My Site Deletions" below)
• Refresh the page after starting synchronization
• Applying security patches / hotfixes may stop the User Profile Synchronization Service
• Applying security patches / hotfixes may "remove" existing connections to directory sources
• Do not perform backup / recovery from Central Administration while synchronization is in progress. It will stop the sync and may stop the services
• You cannot authenticate users against one source and synchronize their profiles from another source unless you use a claims provider; otherwise SharePoint will not be able to match the login with the profile
• DO NOT STOP / START / REBOOT SQL Server while a profile sync is in progress. It stops the sync, which then starts all over again
• Review firewall settings between servers, especially if they are on different subnets. FIM uses ports 5725 and 5726. SharePoint Web Services use ports 32843, 32844, 32845 and 32846
• After you create the Active Directory connection and start profile synchronization, the resulting page has an "&" in the query string of the URL. DO NOT REFRESH THE PAGE WITHOUT REMOVING THE "&" PART, OTHERWISE THE REFRESH KICKS OFF SYNCHRONIZATION FROM SCRATCH AGAIN.

Avoid My Site Deletions:

• Deleting a directory connection marks all My Sites associated with the service application for deletion.
• The My Site Cleanup timer job will then run and delete all of those My Sites.
• Disable the My Site Cleanup job first to prevent the My Sites from being deleted.
• Create the new directory connection.
• Run a full sync.
• The full sync re-creates the profiles and associates them with the existing My Sites.
• This unmarks the sites for deletion. If needed, re-enable the My Site Cleanup job afterwards.
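The procedure above, and the "Start User Profile Synchronization" step earlier, scripted end to end as an added example (not code from the original post): disable the cleanup job, pause for the connection to be recreated in Central Administration, start a full synchronization through the User Profiles object model, wait for it to finish, and only then re-enable the job. The My Site host URL and the timer job's internal name are assumptions.

```powershell
# Added example: protect My Sites while a directory connection is recreated, then run a full sync.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName "Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"

$mySiteHostUrl = "http://mysites.contoso.com"   # assumption: any site served by the User Profile Service Application proxy

# 1. Disable the cleanup job(s) so that sites marked for deletion are not actually removed.
#    Assumption: the job's internal name contains "MySiteCleanup"; it may exist once per web application.
$cleanupJobs = @(Get-SPTimerJob | Where-Object { $_.Name -like "*MySiteCleanup*" })
if ($cleanupJobs.Count -eq 0) { throw "My Site Cleanup job not found; refusing to continue without disabling it." }
$cleanupJobs | ForEach-Object { Disable-SPTimerJob -Identity $_; "Disabled timer job '$($_.Name)'" }

# 2. The directory connection itself is recreated in Manage User Profile Service Application (UI step).
Read-Host "Create the new directory connection in Central Administration, then press Enter"

# 3. Start a full synchronization and wait for it to complete.
$site    = Get-SPSite $mySiteHostUrl
$context = Get-SPServiceContext $site
$cm      = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)
if ($cm.IsSynchronizationRunning()) { throw "A synchronization is already running; wait for it to finish first." }
$cm.StartSynchronization($true)     # $true = full synchronization, $false = incremental
do {
    Start-Sleep -Seconds 120
    "$(Get-Date -Format T) synchronization still running..."
} while ($cm.IsSynchronizationRunning())
"Full synchronization finished."
$site.Dispose()

# 4. Profiles are recreated and re-associated with their My Sites, so the cleanup job is safe again.
$cleanupJobs | ForEach-Object { Enable-SPTimerJob -Identity $_; "Re-enabled timer job '$($_.Name)'" }
```

Before re-enabling the job it is worth spot-checking a few profiles in Manage User Profiles to confirm they are linked to their My Site; if the full sync failed part way, leave the cleanup job disabled, since enabling it is the step that actually deletes the sites.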