SharePoint User Profile Synchronization with Active Directory

Cloudstakes Technology
Apr 6, 2023

Establishing profile synchronization in SharePoint Server is imperative to effectively manage user profiles and foster streamlined collaboration throughout the enterprise. Through utilization of SharePoint Active Directory Import, administrators can proficiently synchronize user profile data from Active Directory to SharePoint.

But why not Microsoft Identity Manager (MIM) Import?

The SharePoint Active Directory import option (AD import) can serve as a viable alternative to Microsoft Identity Manager (MIM) for importing user profile data from Active Directory Domain Services (AD DS) within your domain. Compared to MIM, import operations leveraging AD import are notably faster. However, it’s important to note that AD import is only compatible with AD DS and is not applicable to other directory services. Furthermore, selecting AD Import would preclude the use of MIM or other external identity managers for connecting to alternate data sources like business applications.

In this article, we will explore the benefits of configuring profile synchronization using SharePoint Active Directory Import and provide step-by-step instructions for implementation.

Set up SharePoint Active Directory Import

To configure AD import, a series of three procedures must be executed via Central Administration.

The first procedure configures SharePoint Server to use AD Import, rather than relying on an external identity manager such as MIM, resulting in enhanced efficiency and flexibility.

The second procedure necessitates the creation of a synchronization connection to AD DS, where the credentials utilized to interact with AD DS are defined, and items to be synchronized are identified.

Lastly, in the third procedure, administrators determine how the properties of user profiles in SharePoint Server correspond with the user information obtained from AD DS, ensuring optimal data mapping and seamless profile synchronization.

To configure SharePoint Server to use AD Import

  1. Within the Application Management section of the SharePoint Central Administration website, select “Manage service applications” to proceed.
  2. On the subsequent “Manage Service Applications” page, click on the link associated with the User Profile service application.
  3. Navigate to the “Synchronization” section of the “Manage Profile Service” page and select “Configure Synchronization Settings.”
  4. On the ensuing “Configure Synchronization Settings” page, opt for the “Use SharePoint Active Directory Import” alternative located in the “Synchronization Options” section, then click “OK” to confirm the selection.

The process of importing profiles demands the establishment of at least one synchronization connection to AD DS, with the option to establish connections with multiple AD DS servers. Through the following procedure, a synchronization connection can be established with each AD DS server from which profile imports are required. The synchronization process may occur after each connection is established, or alternatively, a one-time synchronization may be performed once all connections have been established. Although performing synchronization after each connection may take longer, it ensures easier troubleshooting of any potential problems that may arise.

To create a connection to a directory service for import

  1. Within the SharePoint Central Administration website, access the “Application Management” section and select “Manage service applications.”
  2. Proceed by clicking on the link associated with the User Profile service application on the “Manage Service Applications” page.
  3. Within the “Synchronization” section of the “Manage Profile Service” page, select “Configure Synchronization Connections.”
  4. On the ensuing “Synchronization Connections” page, opt for “Create New Connection.”
  5. In the “Connection Name” box on the “Add new synchronization connection” page, input the name of the synchronization connection.
  6. From the “Type” list, select “Active Directory Import.”
  7. Complete the Connection Settings section by following these steps:

(A) In the Fully Qualified Domain Name field, enter the fully qualified domain name of the domain.

(B) From the Authentication Provider Type drop-down menu, choose the type of authentication provider that you want to use.

(C) If you choose Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance drop-down menu.

(D) The Authentication Provider Instance drop-down menu displays only the authentication providers that are currently used by a web application.

(E) In the Account name field, enter the name of the account that you want the AD import tool to use for the synchronization. Use the format DOMAIN\UserName. The synchronization account must have Replicate Directory Changes permissions at the root of the forest.

(F) In the Password and Confirm password fields, type the password for the account.

(G) In the Port field, enter the connection port that you want the AD import tool to use to connect to AD DS during synchronization.

(H) If an SSL connection is required to connect to the directory service, select the Use SSL-secured connection checkbox.

(I) To filter out disabled users from AD DS, select the Filter out disabled users checkbox.

(J) To filter the objects that you want to import from the directory service, type a standard LDAP query expression in the Filter in LDAP syntax for Active Directory Import field.

(K) In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize. All organizational units (OUs) that you select will be synchronized with their child OUs. Currently, there is no tool that allows you to select a parent OU while excluding any of its child OUs from synchronization.

(L) Click OK. The newly created connection will be listed on the Synchronization Connections page.
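
Steps (I) and (J) decide which directory objects become SharePoint profiles, so it is worth previewing a filter before saving the connection. The following is an added example, not code from the original article or from SharePoint: it evaluates a subset of LDAP filter syntax (AND, OR, NOT, equality, presence and the Active Directory bitwise-AND matching rule) against constructed entries. The sample filters, the entry names and the helper names `preview` and `matches` are assumptions.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # OID of AD's bitwise-AND matching rule

def _parse(f, i):  # parse one RFC 4515 filter at f[i] -> (node, next index)
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    # attr[:rule:]=value; only BIT_AND and plain equality/presence are accepted
    m = re.fullmatch(rf"([\w-]+)(?::({re.escape(BIT_AND)}):)?=(\*|[^()*]*)", f[i + 1:end])
    if not m:
        raise ValueError(f"unsupported or malformed item near offset {i}")
    return ("item", m.groups()), end + 1

def matches(node, entry):
    kind, arg = node
    if kind != "item":
        hits = [matches(k, entry) for k in arg]
        return not hits[0] if kind == "!" else (all(hits) if kind == "&" else any(hits))
    attr, rule, want = arg
    values = entry.get(attr.lower(), [])
    if rule:  # BIT_AND: true when every bit of `want` is set in the value
        return any((int(v) & int(want)) == int(want) for v in values)
    return bool(values) if want == "*" else want.lower() in [v.lower() for v in values]

# Constructed entries, not real accounts. userAccountControl bit 2 = disabled.
ENTRIES = {
    "alice": {"objectcategory": ["person"], "objectclass": ["user"], "useraccountcontrol": ["512"], "mail": ["alice@example.test"]},
    "bob": {"objectcategory": ["person"], "objectclass": ["user"], "useraccountcontrol": ["514"], "mail": ["bob@example.test"]},
    "svc-backup": {"objectcategory": ["person"], "objectclass": ["user"], "useraccountcontrol": ["66048"]},
    "WKS01$": {"objectcategory": ["computer"], "objectclass": ["user", "computer"], "useraccountcontrol": ["4096"]},
}

def preview(filter_text):  # names of the constructed entries the filter selects
    try:
        node, end = _parse(filter_text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, e in ENTRIES.items() if matches(node, e))
```

With these entries, `(objectClass=user)` on its own also selects the computer account `WKS01$`, because computer objects carry the `user` class as well; adding `(objectCategory=person)` and the negated bitwise test on `userAccountControl` leaves only enabled people, and adding `(mail=*)` drops the mailbox-less service account too.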

To map user profile properties

  1. Go to the SharePoint Central Administration website
  2. Click on the “Application Management” section
  3. Select “Manage service applications”
  4. Click on the link for the “User Profile” service application on the “Manage Service Applications” page
  5. Click on “Manage User Properties” in the “People” section on the “Manage Profile Service” page
  6. Find the name of the property you want to map to a directory service attribute and click “Edit”
  7. To remove an existing mapping, select the mapping you want to remove in the “Property Mapping for Synchronization” section and click “Remove”
  8. To add a new mapping, perform these steps:

(A) Select the directory service data connection from the “Source Data Connection” list in the “Add New Mapping” section.

(B) Type the name of the directory service attribute you want to map to the property in the “Attribute” box.

(C) Click “Add”.

  9. Click OK.
  10. To map more properties, repeat steps 4 through 7.

To start profile synchronization

  1. On the SharePoint Central Administration website, go to the Application Management section and select Manage service applications.
  2. Click the link for the User Profile service application on the Manage Service Applications page.
  3. On the Manage Profile Service page, in the Synchronization section, select Start Profile Synchronization.
  4. On the Start Profile Synchronization page, choose Start Full Synchronization if this is the first synchronization or if you have changed any synchronization connections. Choose Start Incremental Synchronization to synchronize only changed information.
  5. Click OK to start the synchronization process.
  6. The right pane of the Manage Profile Service page will display the status of the profile synchronization.

By following the steps outlined in this article, you can ensure that your synchronization connections are properly configured and that your user profile properties are mapped correctly. With the right permissions and attention to detail, you can create a smooth and efficient synchronization process that benefits both administrators and end-users.
