Step by Step – Configuring Least-Privileged User Profile Service Application and User Profile Sync Service in SharePoint 2010 Developer VM

Please note that this article applies only to SharePoint 2010 and SharePoint 2013 on-premises. Both the User Profile Service and the User Profile Synchronization Service are pre-configured in Office 365 and SharePoint Online tenants.

Here are the high-level steps to configure the User Profile Service Application (UPA) and the User Profile Synchronization Service (UPS) in a SharePoint 2010 Developer VM or on-premises farm. The article also applies to a SharePoint 2013 on-premises multi-server farm, but the details vary slightly with the farm configuration, especially how the SP_Farm account is used during UPS provisioning and how it needs the "Allow log on locally" right without holding local admin rights. Alternatively, you can download the step-by-step visual guide from my SkyDrive folder.

Important Notes

  • Please use this guidance only for least-privileged Developer VMs, to learn what really happens under the hood when you configure the User Profile Service and the User Profile Synchronization Service. This is a "How" article rather than a "Why" article, written as a quick reference for myself. For real-world multi-server farm builds (or even serious Developer VMs), use automated PowerShell scripts such as AutoSPInstaller.
  • Although I used the SP_Farm account to configure these services after logging on to the server (a bad practice according to Spencer Harbar), the preferred approach is to use SP_Install or another farm administrator account with sufficient privileges to configure services and service applications, either through PowerShell, by logging on to the server, or through Central Admin from a remote server (AutoSPInstaller takes this approach). Whether to use SP_Install, SP_Farm or another farm administrator account is out of scope for this article. Since this is a single-server Developer VM, I used SP_Farm; in a real-world multi-server farm I would use SP_Install and AutoSPInstaller to configure these services.

Scenario

Configure the User Profile Service Application and the User Profile Synchronization Service with NTLM authentication in a single-server, least-privileged Developer VM.

Planning and Pre-requisites:

  • SharePoint Edition – SharePoint Server 2010 Standard or Enterprise; this feature is not available in SharePoint Foundation 2010.
  • Service Application Dependency – Managed Metadata Service and Managed Metadata Service Application. Not strictly required, but recommended so that multi-value user profile properties backed by the Managed Metadata term store work correctly. Please refer to this article for detailed step-by-step instructions.
  • Logon Account to Configure the Service Application – SP_Install or another farm administrator account to log on to the server for service configuration. I use the SP_Farm account in this guide; SP_Farm is a local admin on the machine and, because I am configuring UPA and UPS on a single-server All-Up VM that is also the domain controller, a domain admin as well.
  • User Profile Service Application Pool Identity – SP_ServiceApps, either already created or with access to AD to provision a new domain user as the service account. This account must also be registered as a Managed Account in Central Admin (covered in this article; in my VM it already exists for the Managed Metadata Service Application).
  • User Profile Synchronization Service Account Identity – This must be the SP_Farm account. After UPS is provisioned, the FIM Windows services run under this account. SP_Farm must be a local admin during the UPS provisioning process.
  • User Profile Sync Connection Account Identity – SP_UPS, either already created or with access to AD to provision a new domain user. This account does not need to be registered as a Managed Account, since the sync connection does not support Managed Accounts (covered in this article). It must have the "Replicating Directory Changes" permission on the AD domain. It is used only by the synchronization connection to read from AD; it does not run any service or application pool.

High Level Steps:

  • Prepare the Service Accounts for the User Profile Service Application
  • Configure the User Profile Service and User Profile Service Application
  • Verify the User Profile Service Application Configuration
  • Prepare the Service Accounts for the User Profile Sync Service and Add Sample Users to Import in SharePoint User Profile System
  • Grant Replicate Directory Changes Permission to User Profile Sync Service Account in the Active Directory
  • Start the User Profile Synchronization Service
  • Verify User Profile Synchronization Service Started
  • Import the User Profiles from the AD using Sync
  • Verify the User Profiles Synchronization Process

Detailed Step by Step Directions:

Step 1 – Prepare the Service Accounts for the User Profile Service Application

For the least-privileged setup, create a service application domain user account (e.g. Niks\sp_serviceapps). Most service applications, including the User Profile Service Application, run under this identity. Ensure "User cannot change password" and "Password never expires" are checked.

1-SP Service App Account

Log on to the server as the farm account (e.g. Niks\sp_farm). In Central Admin, register "Niks\sp_serviceapps" as a managed account. The User Profile Service Application, like the other SharePoint service applications, requires its application pool identity to be a managed account registered in Central Administration.

2-Managed Account
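The same account preparation can be scripted. The following is an added example and not part of the original guide: it creates both domain accounts with the two password flags set, registers only the application pool identity as a managed account, and then checks the result. The OU "OU=Service Accounts,DC=niks,DC=local" and the account names are assumptions for this VM; the ActiveDirectory module is available because the All-Up VM is also the domain controller.

```powershell
# Added example (not from the original post). Run on the All-Up VM as an account
# that can create AD users and is a SharePoint farm administrator.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ou = "OU=Service Accounts,DC=niks,DC=local"     # assumed OU; adjust to your domain
$accounts = @(
    @{ Name = "sp_serviceapps"; Description = "SharePoint service application pool identity" },
    @{ Name = "sp_ups";         Description = "User Profile sync connection account (reads AD only)" }
)

foreach ($a in $accounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'")) {
        $pwd = Read-Host "Password for NIKS\$($a.Name)" -AsSecureString
        # Least-privileged service account: a plain domain user with the two
        # password flags the guide asks for; no group memberships are added here.
        New-ADUser -Name $a.Name -SamAccountName $a.Name `
            -UserPrincipalName "$($a.Name)@niks.local" -Path $ou `
            -Description $a.Description -AccountPassword $pwd -Enabled $true `
            -PasswordNeverExpires $true -CannotChangePassword $true
    }
}

# Only the app-pool identity becomes a managed account. sp_ups is used by the
# sync connection, not to run anything, so SharePoint must not store it here.
if (-not (Get-SPManagedAccount -Identity "NIKS\sp_serviceapps" -ErrorAction SilentlyContinue)) {
    $cred = Get-Credential "NIKS\sp_serviceapps"
    New-SPManagedAccount -Credential $cred | Out-Null
}

# Check: both AD flags are set, and exactly the app-pool account is managed
"sp_serviceapps", "sp_ups" |
    Get-ADUser -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
Get-SPManagedAccount | Select-Object UserName, AutomaticChange
```

If `NIKS\sp_ups` shows up in the `Get-SPManagedAccount` output, it was registered by mistake; remove it with `Remove-SPManagedAccount`, because the sync connection takes the password directly and a managed account would only widen where that credential is stored.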

Step 2 – Configure the User Profile Service and User Profile Service Application

Log on to the server as Niks\sp_farm. Before creating the User Profile Service Application, check that the User Profile Service is already started on the farm. This is not mandatory, but it is the preferred order: if you don't start the User Profile Service first, provisioning the service application starts it for you.

Go to Central Administration -> System Settings -> Manage services on server and verify that the User Profile Service is started. On a single-server install it usually is already; if not, start it manually.

3-Services on Server

4-User Profile Service Started

To set up the new User Profile Service Application, navigate to Central Administration -> Application Management -> Manage Service Applications.

5-Manage Service Applications

Click New and select "User Profile Service Application".

6-New Service Application

On the creation page, enter the service application name and application pool. Create a new application pool and use "Niks\sp_serviceapps" as its identity.

7-1-User Profile Service App Settings

Specify Profile Database Name, Server, and Authentication Info.

7-2-User Profile Service App Settings - Profile DB

Specify Synchronization Database Name, Server, and Authentication Info.

7-3-User Profile Service App Settings - Sync DB

Specify Social Tagging Database Name, Server, and Authentication Info.

7-4-User Profile Service App Settings - Social DB

Specify the Profile Synchronization Instance, i.e. the server on which the User Profile Synchronization Service will run. If you already have a My Site Host site collection, specify its URL; in my case I haven't configured one yet. Note that the page validates the My Site Host URL, so don't enter a URL that doesn't resolve to an existing site collection.

7-5-User Profile Service App Settings - My Site Info

Specify My Site Managed Path and My Site Naming Format.

7-6-User Profile Service App Settings - My Site Info

On clicking OK, both the User Profile Service Application and its proxy are created.

8-User Profile Service Application
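Steps 2 and the Central Admin pages above map onto a handful of cmdlets. The block below is an added example, not the original guide's code or AutoSPInstaller's: it starts the service instance, creates the application pool under the managed account, provisions the service application with its three databases and adds the proxy to the default group. The pool name, database names, SQL server name "SP2010DEV" and My Site Host URL are assumptions.

```powershell
# Added example (not from the original post). Run as the farm administrator used
# for service configuration (sp_farm in this guide, sp_install in a real farm).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolName    = "SharePoint Service Applications"   # assumed pool name
$appPoolAccount = "NIKS\sp_serviceapps"               # managed account from Step 1
$upaName        = "User Profile Service Application"
$dbServer       = "SP2010DEV"                         # assumed SQL server / alias
$mySiteHost     = $null                               # e.g. "http://mysites.niks.local" once the site collection exists

# 1. User Profile Service instance on this server. Provisioning would start it on
#    its own, but starting it first is the preferred order.
$upsInstance = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Service" -and $_.Server.Address -eq $env:COMPUTERNAME }
if ($upsInstance.Status -ne "Online") { Start-SPServiceInstance $upsInstance | Out-Null }

# 2. Application pool running as the managed account (never as sp_farm)
$pool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $appPoolName -Account (Get-SPManagedAccount $appPoolAccount)
}

# 3. Service application with Profile, Social and Sync databases. MySiteHostLocation
#    is validated when supplied, so pass it only if the site collection already exists.
$params = @{
    Name                = $upaName
    ApplicationPool     = $pool
    ProfileDBServer     = $dbServer
    ProfileDBName       = "SP2010_UPA_Profile"
    SocialDBServer      = $dbServer
    SocialDBName        = "SP2010_UPA_Social"
    ProfileSyncDBServer = $dbServer
    ProfileSyncDBName   = "SP2010_UPA_Sync"
}
if ($mySiteHost) { $params.MySiteHostLocation = $mySiteHost }
$upa = New-SPProfileServiceApplication @params

# 4. Proxy in the default proxy group, which is what associates the UPA with the
#    content web applications
New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Check: service application online and bound to the expected pool
Get-SPServiceApplication -Identity $upa.Id | Select-Object DisplayName, Status, @{n="AppPool"; e={$_.ApplicationPool.Name}}
Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "User Profile*" } | Select-Object DisplayName, Status
```

The split between the pool account and the farm account is the point of the least-privileged layout: the UPA's IIS worker process runs as `sp_serviceapps`, while `sp_farm` is only needed later, when the FIM services are provisioned.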

Step 3 – Verify User Profile Service Application Configuration

After a successful configuration, open the User Profile Service administration page by clicking the service application's link. The statistics on the right of the screen show no user profiles yet, and the Profile Synchronization Settings are disabled.

9-User Profile Service Application Admin Page

For advanced SharePoint IT Pro related verification, please see Appendix A in downloadable document (link specified above) to understand what happens under the cover when you provision new User Profile service application.

In general, when SharePoint provisions a new User Profile Service Application it configures the following on the server:

  • Central Administration
    • The User Profile Service is started, and the User Profile Service Application and its proxy are created
    • Both the SharePoint farm account and the default web application pool account are granted Full Control on the service application's Permissions page
    • The service application is associated with the content web application (through the proxy group)
    • The service application pool is listed for the User Profile Service on the Configure Service Accounts page
  • Local Windows groups on the SharePoint server (these are machine-local groups, not Active Directory groups)
    • The SharePoint service account is added to IIS_IUSRS and WSS_WPG
  • IIS
    • A new service application pool is created
    • A new WCF endpoint for the User Profile Service Application is configured
  • SQL Server
    • The three User Profile Service Application databases – Profile DB, Social DB and Sync DB – are provisioned
    • The SharePoint service account is added as a login on the database server
    • The SharePoint service account is given the db_owner role on all three User Profile Service Application databases
    • The SharePoint service account is added to the WSS_Content_Application_Pools role in the Central Administration content database and the SharePoint_Config database
    • The SharePoint service account has no access to the content web application databases
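The list above can be checked rather than taken on trust. The following added example (not from the original guide) verifies the local group memberships, the service application's permission entries, and the SQL role memberships that provisioning should and should not have created. The SQL server name "SP2010DEV" and the database names are assumptions; run it as an account that is a SharePoint farm administrator and a SQL sysadmin, which is the author's sp_farm in this VM.

```powershell
# Added example (not from the original post): post-provisioning verification.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$svcAccount = "NIKS\sp_serviceapps"
$sqlServer  = "SP2010DEV"                                                   # assumed
$upaDbs     = "SP2010_UPA_Profile", "SP2010_UPA_Social", "SP2010_UPA_Sync"   # assumed names

# 1. Local Windows groups (WinNT provider = machine-local groups, not AD)
foreach ($g in "WSS_WPG", "IIS_IUSRS") {
    $members = ([ADSI]"WinNT://./$g,group").psbase.Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }
    "{0,-10} contains {1}: {2}" -f $g, $svcAccount, ($members -contains $svcAccount.Split('\')[1])
}

# 2. Service application permissions (the Permissions page in Central Admin)
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
(Get-SPServiceApplicationSecurity $upa).AccessRules | Select-Object Name, AllowedRights

# 3. SQL role membership, queried over integrated security
function Get-RoleMembers([string]$database) {
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlServer;Database=$database;Integrated Security=SSPI")
    $cn.Open()
    $cmd = $cn.CreateCommand()
    $cmd.CommandText = @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = @acct
"@
    $cmd.Parameters.AddWithValue("@acct", $svcAccount) | Out-Null
    $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) { "{0}: {1} -> {2}" -f $database, $rdr["member_name"], $rdr["role_name"] }
    $cn.Close()
}

foreach ($db in $upaDbs) { Get-RoleMembers $db }                 # expect db_owner on each
Get-RoleMembers "SharePoint_Config"                               # expect WSS_Content_Application_Pools
Get-RoleMembers (Get-SPContentDatabase -WebApplication (Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication })).Name     # expect WSS_Content_Application_Pools
foreach ($cdb in Get-SPContentDatabase) { Get-RoleMembers $cdb.Name }   # expect no rows: no content DB access
```

The last loop is the least-privilege check that matters most: if `sp_serviceapps` turns up in any content database role, something other than UPA provisioning granted it, and it should be investigated before going further.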

Step 4 – Prepare the Service Accounts for the User Profile Sync Service and Add Sample Users to Import in SharePoint User Profile System

To import user profiles into SharePoint, we need to configure the User Profile Synchronization Service. This service is a wrapper around provisioning Forefront Identity Manager (FIM) on the server.
To have users to import (and to exercise My Sites, User Profiles and People Search), log on to the server as "Niks\Administrator" and add more users in Active Directory via Start -> Administrative Tools -> Active Directory Users and Computers. Add a user – Nik Patel – and copy it to create a small number of additional users if you want.

10_Add Sample User

Log on to the server as "Niks\sp_farm" and make sure this account is a local admin when you provision the User Profile Synchronization Service. Also create the "Niks\sp_ups" service account in AD. This is the account FIM uses to connect to Active Directory through the synchronization connection; it does not run the synchronization service itself, which runs as "Niks\sp_farm".

11_Add UPS Account

Step 5 – Grant Replicate Directory Changes Permission to User Profile Sync Service Account in the Active Directory

To sync with AD, the User Profile Sync connection account (e.g. "Niks\sp_ups") must have the "Replicating Directory Changes" permission on the domain. You will need this account name and password when you create the connection; do not proceed without an account that has this right. It is required for both full and incremental sync. Open the Active Directory Users and Computers snap-in and, on the View menu, click Advanced Features. Right-click the domain object (niks.local) and choose Delegate Control; add "Niks\sp_ups", choose "Create a custom task to delegate", select "This folder, existing objects in this folder, and creation of new objects in this folder", and tick "Replicating Directory Changes". To verify, right-click the domain object again, choose Properties, select the Security tab and confirm that "Replicating Directory Changes" is allowed for "Niks\sp_ups". See the attached guide for details. Two caveats: if the domain's NetBIOS name differs from its fully qualified name, the account also needs the same permission on the Configuration naming context, and in a Windows Server 2003 domain the account must additionally be a member of the Pre-Windows 2000 Compatible Access group.

12_Replicating Directory Changes
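Granting this right is the one place in the procedure where a mistake over-privileges the sync account, so it is worth doing in a way that can be verified precisely. The following added example (not from the original guide) grants only the DS-Replication-Get-Changes control access right, which is what "Replicating Directory Changes" is in the schema, and then checks that the companion DS-Replication-Get-Changes-All right was not granted. Get-Changes-All is the right that allows replicating password hashes, and UPS does not need it. The domain DN and account name are assumptions; the two GUIDs are the well-known schema values.

```powershell
# Added example (not from the original post). Run on the DC or with RSAT, as a
# domain admin (sp_farm is a domain admin in this VM, per the pre-requisites).
Import-Module ActiveDirectory                     # provides the AD: drive used below

$domainDN = "DC=niks,DC=local"                    # assumed
$syncUser = "NIKS\sp_ups"
$sid      = (Get-ADUser sp_ups).SID

# Control-access-right GUIDs from the AD schema (controlAccessRight objects)
$getChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes: what UPS needs
$getChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All: NOT needed

# Grant: Allow ExtendedRight <Get-Changes> on the domain object, no inheritance needed
$acl  = Get-Acl "AD:\$domainDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $getChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: exactly Get-Changes is allowed, and Get-Changes-All is not
function Test-ReplRight([Guid]$rightGuid) {
    $rules = (Get-Acl "AD:\$domainDN").Access | Where-Object { $_.IdentityReference -eq $syncUser }
    [bool]($rules | Where-Object {
        $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq "Allow" -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) })
}
"Replicating Directory Changes     granted to {0}: {1}" -f $syncUser, (Test-ReplRight $getChanges)
"Replicating Directory Changes All granted to {0}: {1}  (must be False)" -f $syncUser, (Test-ReplRight $getChangesAll)
```

The same grant from the command line is `dsacls "DC=niks,DC=local" /G "NIKS\sp_ups:CA;Replicating Directory Changes"`, and `dsacls "DC=niks,DC=local" | findstr /i "sp_ups"` shows what is currently granted. Whichever way you grant it, the verification matters: an account holding both Get-Changes and Get-Changes-All can pull every password hash in the domain, which is far more than a profile import needs.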

Step 6 – Start the User Profile Synchronization Service

To configure User Profile Synchronization, open Central Administration -> System Settings -> Manage services on server and click "Start" next to the User Profile Synchronization Service. This provisions the service instance, and with it FIM, on this server.

13_Start UPS

Select the User Profile Service Application and enter the farm account (Niks\sp_farm) password. If more than one User Profile Service Application is running on the farm, choose the instance to bind to. Also note the warning in red: if SharePoint Central Administration is deployed on this machine, you must reset Internet Information Services after the User Profile Synchronization Service has been provisioned.

14_UPS runs under Farm Account

The User Profile Synchronization Service status shows "Starting". This can take up to 10 minutes depending on the farm's network and hardware. You can monitor progress on the Running Jobs page in the Central Admin Monitoring section, where ProfileSynchronizationSetupJob appears while provisioning runs.

15_UPS Starting

16_Profile Sync Job

Refresh the Manage services on server page until the User Profile Synchronization Service status is "Started". It takes a while because this process provisions the FIM services on the server.

17_1_UPS Started

As noted earlier, run IISRESET. It is required when FIM is installed on the same box as Central Admin.

17_2_IIS Reset

Step 7 – Verify User Profile Synchronization Service Started

Open the Services snap-in from Administrative Tools -> Services, or type services.msc in the Run box. Verify that the "Forefront Identity Manager Synchronization Service" and "Forefront Identity Manager Service" Windows services are started, set to Automatic, and running under the "Niks\sp_farm" account. If they are not running, do not start them manually; troubleshoot the provisioning instead.

18_1_FIM Services Started

Because I started the User Profile Synchronization Service on a developer machine that also hosts SQL Server, the FIM Windows services often fail to start during VM boot because of their dependency on the SQL Server services. This is not needed in production, where SQL Server runs on a different server, but on a developer machine hosting both SharePoint and SQL Server, set the FIM services to "Automatic (Delayed Start)" so they start after SQL Server.

18_2_FIM Services Delayed Start

Check the folder %ProgramFiles%\Microsoft Office Servers\14.0\Synchronization Service\MaData for two subfolders, \ILMMA and \MOSS-XYZ (where XYZ is the name of your User Profile Service Application). These folders should be empty at this point.

18_3_UPS MA Folder
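Steps 6 and 7 can be driven and checked from PowerShell as well, which is how AutoSPInstaller-style scripts do it. The following is an added example, not the original guide's code: it refuses to proceed unless sp_farm is a local administrator, binds the UPA to this server's sync service instance with the farm account password (the same thing the Start dialog does), starts the instance, polls until it is Online, resets IIS, inspects the FIM services, and applies the delayed-start setting the author recommends for a single-box VM. The only assumption is that the farm account is NIKS\sp_farm and that the script runs on the server that should host UPS.

```powershell
# Added example (not from the original post). Run on the future UPS server as a
# farm administrator (sp_farm in this guide).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa     = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$syncSvc = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Address -eq $env:COMPUTERNAME }
$farmCred = Get-Credential "NIKS\sp_farm"       # the FIM services will run as this account
$farmPwd  = $farmCred.GetNetworkCredential().Password   # SetSynchronizationMachine takes a plain string

# Pre-check: sp_farm must be a local administrator during provisioning (only then)
$admins = ([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }
if ($admins -notcontains $farmCred.UserName.Split('\')[1]) {
    throw "$($farmCred.UserName) is not a local administrator on $env:COMPUTERNAME; add it before provisioning UPS"
}

# Equivalent of Manage services on server -> Start, with the UPA and farm password selected
$upa.SetSynchronizationMachine($env:COMPUTERNAME, $syncSvc.Id, $farmCred.UserName, $farmPwd)
Start-SPServiceInstance $syncSvc | Out-Null

# Poll while ProfileSynchronizationSetupJob runs: Provisioning -> Online, usually under 10 minutes
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $syncSvc = Get-SPServiceInstance -Identity $syncSvc.Id
    "{0:HH:mm:ss} UPS status: {1}" -f (Get-Date), $syncSvc.Status
} while ($syncSvc.Status -ne "Online" -and (Get-Date) -lt $deadline)
if ($syncSvc.Status -ne "Online") { throw "UPS did not reach Online; check ProfileSynchronizationSetupJob and the ULS log" }

# Central Admin is on this box, so recycle IIS as the Start dialog warns
iisreset | Out-Null

# Verify the FIM services: Running, Auto, and logged on as sp_farm. Never start them by hand.
Get-WmiObject Win32_Service -Filter "Name='FIMService' OR Name='FIMSynchronizationService'" |
    Select-Object Name, State, StartMode, StartName

# Single-box dev VM only: delayed start so SQL Server is up before FIM tries to connect
foreach ($s in "FIMService", "FIMSynchronizationService") { sc.exe config $s start= delayed-auto | Out-Null }

# The management-agent folders exist but stay empty until the first sync
Get-ChildItem "$env:ProgramFiles\Microsoft Office Servers\14.0\Synchronization Service\MaData" |
    ForEach-Object { "{0}: {1} item(s)" -f $_.Name, @(Get-ChildItem $_.FullName).Count }
```

Once the instance is Online, the local admin membership for sp_farm can be removed again, as the production notes at the end of the article say; what the FIM services keep needing is the "Allow log on locally" right, not administrator rights.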

Step 8 – Import the User Profiles from the AD using Sync

Open Central Admin -> Application Management -> Manage Service Applications and click the "User Profile Service Application" to configure the AD synchronization connection. On the Manage Profile Service page, click Manage User Profiles to confirm that no profiles have been imported yet; the statistics on the right also show zero profiles. This page is also where you manage user profiles, audiences, synchronization connections and My Sites. Click "Configure Synchronization Connections".

19_UPA Admin Page

Click on the “Create New Connection”

20_Create Sync Connection

Specify the synchronization connection name, the directory type (Active Directory), the forest name (niks.local), the authentication provider (Windows authentication, which is NTLM here), and "Niks\sp_ups" as the account used to connect to AD. FIM connects to AD as this user.

21_AD NTLM Connection

Click "Populate Containers". Expand the "Niks" domain, select "Users" and click OK. Do not select the whole domain.

22_Populate Container

It may take a while to create the AD synchronization connection. Once created, the profile service shows the new AD connection. If the FIM services are not running, creating the connection fails with an error that the MA folder cannot be created.

23_Create Connection

On the Manage Profile Service page, click "Configure Synchronization Settings", select "Users Only" and "Use SharePoint Profile Synchronization", and click OK. Depending on the number of users and groups in your directory, syncing groups as well as users can take much longer.

24_Configure Sync Settings

Now synchronize the AD users into SharePoint via the "Start Profile Synchronization" link on the Manage Profile Service page. Select "Start Full Synchronization" and click OK.

25_Start Profile Sync

If you refresh the Manage Profile Service page, the Profile Import Status shows "Synchronizing".

26_Profile Syncing

Profile synchronization can take a long time depending on the number of profiles to import and the farm's network and hardware. To watch the synchronization in detail, run miisclient.exe from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell; this opens the FIM Synchronization Service Manager (the Metaverse tooling) that the SharePoint sync service uses to import, export and sync AD profiles. See the attached guide for details. Refresh the User Profile admin page after several minutes (about 10). Once the Profile Import Status is Idle, synchronization is complete, and the statistics on the right show the number of profiles imported and other counts. In this case, 11 user profiles were imported.

27_Profile Sync is Done

Step 9 – Verify the User Profiles Synchronization Process

Under Manage User Profiles, you should find all the profiles imported.

28_Profiles Imported
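Steps 8 and 9 have PowerShell equivalents too. The following added example (not the original guide's code) creates the synchronization connection scoped to the Users container with the sp_ups credentials, starts a full synchronization through the User Profile object model, waits for it to finish, and then counts and lists the imported profiles. The forest, domain and container names are those used in the guide; that Central Admin's site is a valid service context for the UPA is assumed.

```powershell
# Added example (not from the original post). Run on a farm server as a farm
# administrator after the User Profile Synchronization Service is Online.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$upa     = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$syncPwd = Read-Host "Password for NIKS\sp_ups" -AsSecureString

# Equivalent of Configure Synchronization Connections -> Create New Connection.
# The OU/container scope replaces "Populate Containers"; keep it to Users, not the domain root.
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName "niks.local" -ConnectionDomain "NIKS" `
    -ConnectionUserName "sp_ups" -ConnectionPassword $syncPwd `
    -ConnectionSynchronizationOU "CN=Users,DC=niks,DC=local"

# Service context: Central Admin's site collection is associated with the default proxy group
$caUrl = (Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }).Url
$site  = Get-SPSite $caUrl
$ctx   = Get-SPServiceContext $site

# Equivalent of Start Profile Synchronization -> Start Full Synchronization, then wait for Idle
$cfg = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
$cfg.StartSynchronization($true)               # $true = full, $false = incremental
do {
    Start-Sleep -Seconds 30
    "{0:HH:mm:ss} Profile Import Status: Synchronizing" -f (Get-Date)
} while ($cfg.IsSynchronizationRunning())

# Step 9 check: number of profiles and a sample of account names
$pm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
"Profile Import Status: Idle. Profiles imported: {0}" -f $pm.Count
$pm | Select-Object -First 5 | ForEach-Object { $_["AccountName"].Value }
$site.Dispose()
```

The connection password is the sp_ups credential FIM stores for the management agent, so it is read as a SecureString rather than embedded in the script; the account it belongs to holds only Replicating Directory Changes on the Users container's domain, which is all a read-only import needs.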

Difference between My All-UP VM Scenario and Production Multi-Server Farm Scenario

This article gives detailed instructions for configuring UPA and UPS in an All-Up SharePoint 2010 VM with the DC, SharePoint and SQL Server hosted on a single server. In production you would most likely run the DC and SQL Server on servers other than the SharePoint 2010 servers. There are a few major differences in how I would deploy UPS in a multi-server production farm:

  • Logon Account – In this article I logged on with the SP_Farm account, a local admin on the box, to configure UPA and UPS. In production you would log on as SP_Install. I would use AutoSPInstaller to configure the UPA and then follow the UPS steps from this article manually, logged on as SP_Install on the UPS server.
  • SP_Farm Account Permissions – The UPS service (the FIM Windows services) runs under SP_Farm, and this account must be a local admin only during UPS provisioning; you can remove SP_Farm from the local Administrators group after UPS is provisioned. SP_Farm also needs the "Allow log on locally" right on the machine running UPS, which can be granted via Group Policy or Local Security Policy on that machine. If SP_Farm has neither that right nor local admin rights (which include it), the FIM Windows services may not start properly.
  • FIM and SQL Issues – Because UPS is provisioned on the same server as SQL Server in my All-Up VM, I had to set the FIM Windows services to "Automatic (Delayed Start)" so they start after the SQL Server services. In production, SQL Server most likely runs on a different server than UPS, so there is no need to change the FIM services from "Automatic" to "Automatic (Delayed Start)".

Master References:

That's it for the step-by-step details of configuring the User Profile Service Application and User Profile Synchronization Service. Don't forget to check Harbar's guides to understand the "Why"; they are the best resources on the internet for the User Profile Synchronization Service in SharePoint 2010 and SharePoint 2013.

This entry was posted in SP2010 Admin, SP2013 Admin.