User Profile Synchronization – SharePoint 2010


User Profile synchronization is a bit complicated to troubleshoot, and this post aims to give you some pointers and save you some time.

Useful links (there are many useful web sites out there; I am listing a couple):

1)    TechNet — http://technet.microsoft.com/en-us/library/ee721049/ — As of this writing the last update was done on September 30, 2010. I am sure MS folks will update this document as they discover new information.

2)    http://www.harbar.net/articles/sp2010ups/ – Spencer Harbar — Good write-up on UP sync.

Now, the pointers:

  • Create a new web application and site collection to host My Sites. Do not mix your content apps with My Sites web apps.


  • If possible, create the My Site Host at the site collection root. Example: My Site Host – http://mywebapps.com/ and personal sites at /personal. If you enter the My Site Host and the personal site location (/personal) when you create the User Profile service application, the wildcard managed path /personal is created for you and you don’t have to create it manually.


  • Do not use the Farm Configuration Wizard to create the User Profile service application. No, don’t. Use the New option under Central Admin (CA) – Application Management – Manage service applications, so that you choose the database names and the application pool account yourself instead of getting GUID-suffixed databases.


  • Do not start the Forefront services (Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service) manually from services.msc. Use CA – System Settings – Manage services on server and start the User Profile Synchronization Service: provisioning it configures and starts both Forefront services for you. Their initial startup type is “Disabled”, and the provisioning step resets that and starts them. The farm account must be a local administrator on the sync server while this provisioning runs; take it out of the local Administrators group once the service shows Started. After this step, execute an IIS reset.


  • Use the ULS Log Viewer and, yes, read the logs. The actual reason a sync fails is often recorded only there, not in the Central Admin status page.


  • It is tempting to select the entire AD container, but organize your users into specific OUs and then select only the relevant OUs in the connection’s container list.


  • AD Sync – In the first run, ensure the AD sync account you are using has all administrator privileges on AD as well as on the sync server. Yes, I understand this is not best practice, but this will save you time. Next, tweak the account down to the exact privileges. The right an import connection actually needs is Replicate Directory Changes on the domain (for a Windows Server 2003 domain, also on the forest’s Configuration container); do not grant Replicating Directory Changes All, which import does not need and which, together with Replicate Directory Changes, lets the account pull password hashes from a domain controller. For the full list of rights, check the TechNet article. Don’t forget to remove the account from the admin groups once you are done.


  • Enable self-service site creation on the My Site Host web application (CA – Security – Configure self-service site creation). Without it users cannot create their personal sites under /personal.
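As an added example (not part of the original post), here is a PowerShell check for the least-privilege end state of the AD sync pointer above: it verifies that the sync account holds Replicate Directory Changes on the domain naming context, warns if it also holds Replicating Directory Changes All or sits in Domain Admins, and prints the dsacls command that grants the one right import needs. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2); the domain contoso.com and the account CONTOSO\svc_upsync are placeholders, and the check only looks at ACEs granted directly to the account, not via group membership.

```powershell
# Added example, not from the original post. Placeholders: contoso.com, CONTOSO\svc_upsync.
Import-Module ActiveDirectory

$Domain      = "contoso.com"          # assumed
$SyncAccount = "CONTOSO\svc_upsync"   # assumed dedicated sync account (not the farm account)
$SamName     = $SyncAccount.Split("\")[1]
$DomainDN    = (Get-ADDomain -Identity $Domain).DistinguishedName

# Fixed schema GUIDs of the two replication extended rights.
$GetChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes: what profile import needs
$GetChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All: not needed; enables DCSync

function Test-ExtendedRight {
    # True if $Account has a direct Allow ACE for the extended right $RightGuid on $ObjectDN.
    param([string]$ObjectDN, [string]$Account, [Guid]$RightGuid)
    $acl = Get-Acl -Path ("AD:\" + $ObjectDN)
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq "Allow" -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $RightGuid
    }
    return [bool]$hit
}

function Test-DomainAdminMember {
    # True if the account is a (nested) member of Domain Admins.
    param([string]$Sam)
    $members = Get-ADGroupMember -Identity "Domain Admins" -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $Sam })
}

$hasGetChanges    = Test-ExtendedRight $DomainDN $SyncAccount $GetChanges
$hasGetChangesAll = Test-ExtendedRight $DomainDN $SyncAccount $GetChangesAll
$isDomainAdmin    = Test-DomainAdminMember $SamName

Write-Host "Replicate Directory Changes on $DomainDN for ${SyncAccount}: $hasGetChanges"
if (-not $hasGetChanges) {
    # Grant exactly the one right import needs. A Windows Server 2003 domain also needs it on the
    # forest's Configuration container: run the same command against "CN=Configuration,<forest root DN>".
    Write-Host "Grant it with:  dsacls `"$DomainDN`" /G `"${SyncAccount}:CA;Replicating Directory Changes`""
}
if ($hasGetChangesAll) {
    Write-Warning "$SyncAccount also holds Replicating Directory Changes All; remove it, import does not need it."
}
if ($isDomainAdmin) {
    Write-Warning "$SyncAccount is in Domain Admins; remove it once the first full sync has run."
}
```

Run it after the first successful import, when you trim the account back: the expected result is Replicate Directory Changes = True and no warnings.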

So to sum up: create the UP service application, ensure the Profile, Social and Sync databases are created, start the UP services, set up the AD connection, start a full import, and then schedule the incremental sync.
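The summary above as one PowerShell run, added here as an example and not taken from the original post or from Microsoft's documentation. It assumes the SharePoint 2010 Management Shell on the server that will host sync, an existing application pool named "SharePoint Web Services Default", and placeholder database names, accounts and OU; the My Site host URL is the one used above. Add-SPProfileSyncConnection is assumed to be present in your build (it arrived in a later update and is not in every 2010 build). The first full import is still started from Central Admin, as the post says, since 2010 has no cmdlet for it.

```powershell
# Added example, not from the original post. Names marked "assumed" are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$UpaName     = "User Profile Service Application"
$AppPool     = Get-SPServiceApplicationPool -Identity "SharePoint Web Services Default"   # assumed existing pool
$MySiteHost  = "http://mywebapps.com"
$SyncServer  = Get-SPServer -Identity $env:COMPUTERNAME   # the server that will run the Forefront services
$FarmAccount = "CONTOSO\sp_farm"                          # assumed; must be a local admin here during provisioning

# 1. Create the service application by hand (not the wizard) so the three databases get sane names.
$upa = New-SPProfileServiceApplication -Name $UpaName -ApplicationPool $AppPool `
         -ProfileDBName "SP2010_UPA_Profile" -SocialDBName "SP2010_UPA_Social" -ProfileSyncDBName "SP2010_UPA_Sync" `
         -MySiteHostLocation $MySiteHost -MySiteManagedPath "personal"
New-SPProfileServiceApplicationProxy -Name "$UpaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# 2. Start the User Profile Service, then bind the sync service to this server with the farm account and
#    start it. Provisioning configures and starts the two Forefront services itself; never start those
#    from services.msc. The password is prompted for, not stored, because the method takes a plain string.
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "User Profile Service" -and $_.Server.Id -eq $SyncServer.Id } |
    Start-SPServiceInstance | Out-Null

$sync = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Id -eq $SyncServer.Id }
$cred = Get-Credential -Credential $FarmAccount
$upa.SetSynchronizationMachine($SyncServer, $sync.Id, $cred.UserName, $cred.GetNetworkCredential().Password)
Start-SPServiceInstance -Identity $sync.Id | Out-Null

# Provisioning takes several minutes; "Started" in Central Admin is Status = Online here.
do {
    Start-Sleep -Seconds 30
    $sync = Get-SPServiceInstance -Identity $sync.Id
    Write-Host ("Sync service status: " + $sync.Status)
} while ($sync.Status -eq "Provisioning")
if ($sync.Status -ne "Online") { throw "Provisioning failed; read the ULS logs on $($SyncServer.Address)." }
iisreset

# 3. Add the AD connection scoped to one OU, using the dedicated sync account (Replicate Directory Changes
#    only), not the farm account. OU and account names are assumed.
$syncCred = Get-Credential -Credential "CONTOSO\svc_upsync"
Add-SPProfileSyncConnection -ProfileServiceApplication $upa -ConnectionForestName "contoso.com" `
    -ConnectionDomain "CONTOSO" -ConnectionUserName $syncCred.UserName.Split("\")[1] `
    -ConnectionPassword $syncCred.Password -ConnectionSynchronizationOU "OU=Staff,DC=contoso,DC=com"

# 4. Start the first full import from CA (Manage service applications > UPA > Start Profile Synchronization),
#    then put the incremental sync timer job on a nightly schedule.
$job = Get-SPTimerJob | Where-Object { $_.DisplayName -like "*User Profile Incremental Synchronization*" }
Set-SPTimerJob -Identity $job -Schedule "daily at 01:00:00"
```

If the loop ends with a status other than Online, the usual suspects are the farm account not being a local administrator on the sync server, the Forefront services having been started by hand earlier, or a leftover sync database from a previous attempt; the ULS log on the sync server names which.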