Wednesday 18 May 2011

SharePoint 2010 configuring the Profile Synchronization Application Service

In one of my previous posts I explained how you can use DELEG CONFIG to configure Kerberos for the My Site web application. Before you can use My Sites, more needs to be configured, so this blog post is about configuring the Profile Synchronization Application Service.

All is done in my Business Intelligence Demo Portal environment: http://blog.arjanfraaij.com/2010/12/sharepoint-2010-installation.html

All actions in Central Administration and PowerShell are done with the initial setup account corp\shpSetup.

All actions are done on the SharePoint server SHP01 using the corp\farm1Setup account.

To make the Profile Synchronization Application Service work we need to configure 2 SharePoint services and the User Profile Service Application.

User Profile Service

First we can start the system service "User Profile Service". There is nothing to configure for this service; you can start it from Central Administration > System Settings > Manage services on server, or simply execute the following PowerShell commands.

Display current status of the User Profile Service:
Get-SPServiceInstance | where-object {$_.TypeName -eq "User Profile Service"}

To start the service you need the command Start-SPServiceInstance -Identity {GUID}
The GUID is the ID displayed by the previous command. To make it easy you can use the PowerShell pipeline and pipe the output of the previous command into the start command:

Start the User Profile Service:
Get-SPServiceInstance | where-object {$_.TypeName -eq "User Profile Service"} | Start-SPServiceInstance

Create User Profile Service Application

Before we can start the User Profile Synchronization Service we first need to configure the User Profile Service Application. First I will explain how to do this with Central Administration and then build the same configuration using PowerShell.

First, and this is a personal preference, I like to use dedicated accounts for each service, so I created the account:

  • corp\farm1APUUserProfile, registered in SharePoint as a managed account.

In Central Administration go to Application Management > Manage Service Applications > Click New and select User Profile Service Application.


Empty or not mentioned fields are left as default in the below steps.

In the first part of the creation screen we need to give the service application a name, select an existing application pool or create a new one (my preference), and select or configure the security account for the application pool. We can also set the values for the Profile Database. By default this will be "Profile DB" with a space; the first thing I always do is remove spaces from database names. Then, again my personal preference, I add a prefix that tells which farm the database was created for.


In the following parts we need to define the other databases; here I recommend the same approach as for the Profile database.


Next we need to define the location for the My Sites and which server is used for profile synchronization.


When finished defining the settings click Create; when everything went well a confirmation window appears.


The above actions created 2 new objects in the Service Applications overview:

  • User Profile Service Application
  • User Profile Service Application Proxy


The next step is to start the User Profile Synchronization Service from Central Administration > System Settings > Manage services on server (which can also be found under Application Management). I won't do this now, but first explain how to create the User Profile Service Application using PowerShell.

  1. Does the needed managed account already exist?
    Get-SPManagedAccount CORP\Farm1APUUserProfile

    If not, create the managed account:
    $Cred = Get-Credential   # this pops up a login prompt
    New-SPManagedAccount -Credential $Cred
  2. Does the needed application pool exist?
    Get-SPServiceApplicationPool -Identity "UserProfileServiceApplicationPool"

    If not, create the application pool:
    New-SPServiceApplicationPool -Name "UserProfileServiceApplicationPool" -Account CORP\Farm1APUUserProfile
  3. Does the Service Application already exist?
    Get-SPServiceApplication -Name "User Profile Service Application"

    If not we need to create it, which is only possible when the needed service instance is online:
    Get-SPServiceInstance |?{$_.TypeName -eq "User Profile Service"}
    Check the status and note the ID; we need it to start the service instance.

    When the status is Disabled, start the service instance:
    Start-SPServiceInstance -Identity "a3877475-4a20-42ad-b6dd-5161f94ee543"
    Re-run the previous Get command to check when the service instance is Online; in between the status should be Provisioning.

    Now we can create the Service Application. Because I use the DI\shpFarm1Setup account, it needs to be granted db_owner rights on the MySite content database; remove these rights after the application is created:
    New-SPProfileServiceApplication -ApplicationPool "UserProfileServiceApplicationPool" -Name "User Profile Service Application" -MySiteHostLocation "http://mysite.corp.local" -MySiteManagedPath "/personal" -ProfileDBName "shpFarm1_ProfileDB" -ProfileDBServer "SQL01\MSSQL01" -ProfileSyncDBName "shpFarm1_SyncDB" -ProfileSyncDBServer "SQL01\MSSQL01" -SocialDBName "shpFarm1_SocialDB" -SocialDBServer "SQL01\MSSQL01"
    Note the ID that is generated; it is used to set the other parameters in the next step.

    The last step is to create the Application Proxy for the User Profile Service Application:
    New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" -ServiceApplication 77407dae-a37d-41dc-922f-72d23baac34e -DefaultProxyGroup
  4. We have now created the User Profile Service Application and can start configuring it.
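The four steps above consolidated into one idempotent script. This is an added example, not the script from the original post; it keeps the post's account, pool, database and server names, polls the service instance instead of re-running the Get command by hand, and passes objects along so no GUIDs have to be copied from screen output.

```powershell
# Added example (not the post's script): steps 1-4 as one idempotent script.
# Names and the SQL instance are the post's; run in the SharePoint 2010
# Management Shell on the server that will host the service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$accountName = "CORP\Farm1APUUserProfile"
$poolName    = "UserProfileServiceApplicationPool"
$appName     = "User Profile Service Application"
$sqlServer   = "SQL01\MSSQL01"

# 1. Managed account: create only if missing. Get-Credential prompts for the
#    password, so nothing secret is stored in the script.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    $managed = New-SPManagedAccount -Credential (Get-Credential $accountName)
}
# 2. Application pool running as that account.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managed
}
# 3a. The User Profile Service instance on this server must be Online before
#     the service application can be created; start it and poll.
$instance = Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -eq "User Profile Service" }
if (-not $instance) { throw "No User Profile Service instance on this server" }
if ($instance.Status -ne "Online") {
    $instance | Start-SPServiceInstance | Out-Null
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $instance = Get-SPServiceInstance -Identity $instance.Id
    } until ($instance.Status -eq "Online" -or (Get-Date) -gt $deadline)
    if ($instance.Status -ne "Online") {
        throw "User Profile Service instance is still $($instance.Status)"
    }
}
# 3b. Service application and its proxy, created only if missing; objects are
#     passed directly instead of pasted GUIDs.
$app = Get-SPServiceApplication -Name $appName -ErrorAction SilentlyContinue
if (-not $app) {
    $app = New-SPProfileServiceApplication -Name $appName -ApplicationPool $pool `
        -MySiteHostLocation "http://mysite.corp.local" -MySiteManagedPath "/personal" `
        -ProfileDBName "shpFarm1_ProfileDB" -ProfileDBServer $sqlServer `
        -ProfileSyncDBName "shpFarm1_SyncDB" -ProfileSyncDBServer $sqlServer `
        -SocialDBName "shpFarm1_SocialDB" -SocialDBServer $sqlServer
}
if (-not (Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq "$appName Proxy" })) {
    New-SPProfileServiceApplicationProxy -Name "$appName Proxy" `
        -ServiceApplication $app -DefaultProxyGroup | Out-Null
}
```

As explained in the next section, the account that runs this script becomes dbo of the profile databases, so run it as the farm account rather than the setup account.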

Configure User Profile Synchronization.

First we need to start the User Profile Synchronization Service. Against all basic guidelines, this service can only be started using the Farm Admin account, AND that account needs to be a local administrator. I added corp\shpFarm to the local Administrators group of SHP01 and restarted the server. Some pages and the Microsoft book say to remove it again once the service is started, but then the service will no longer start after a reboot. So I simply ignore the health check messages.

Have some patience while starting the Service Instance; this can take a few minutes.

  • Central Administration > System Settings > Manage services on server > Click Start
    • Select the User Profile Service Application we just created
    • Provide the password of the corp\shpFarm account
    • Click OK
  • PowerShell:
    First get the ID of the Service Instance:
    Get-SPServiceInstance |?{$_.TypeName -eq "User Profile Synchronization Service"}

    Start the Service Instance:
    Start-SPServiceInstance -Identity "9a3b579f-3064-48e5-b578-39558af6c7d6"
    And then it happens: you do not see an error in PowerShell, but when running the Get-SPServiceInstance command you see Provisioning and then soon Disabled again, and the Windows Event Viewer application log shows an error.
    The easy way is to start it with Central Administration, but that won't work when you want a scripted install. I kept looking and found the post: http://gallery.technet.microsoft.com/scriptcenter/04d41bf9-1b9c-454e-8695-575acef82bfd. But first I tried to start it using Central Administration.

    When I tried to start it with Central Administration it seemed to stay in Starting status; after waiting long enough the service had status Stopped again, and the Event Viewer showed a warning.
    What happened? I did all configuration logged on as corp\shpSetup on SHP01, and that makes a difference. When using Central Administration to create the User Profile Service Application and looking at the databases created, the dbo of the databases is set to corp\shpFarm. When doing the configuration with PowerShell the dbo is set to corp\shpSetup, which is wrong. We can do 2 things:
    • Log in to SHP01 with the corp\shpFarm account to configure the Service Application using PowerShell.
    • Use SQL to alter the dbo of the databases to be the corp\shpFarm account.

I logged in to SHP01 with the corp\shpFarm account and re-created the User Profile Service Application using PowerShell. I could not find much information about SetSynchronizationMachine; does anyone know a good description? It is used to associate the User Profile Service Application with the User Profile Synchronization Service.

This time I tried to start it with PowerShell, logged in with the corp\shpSetup account again. I used the before mentioned post to build the PowerShell statements (the ID is the one of the User Profile Synchronization Service instance):
$ServApp = Get-SPServiceApplication -Name "User Profile Service Application"
$ServApp.SetSynchronizationMachine("SHP01", "9a3b579f-3064-48e5-b578-39558af6c7d6", "corp\shpFarm", "<typepasswordhere>")
Start-SPServiceInstance "9a3b579f-3064-48e5-b578-39558af6c7d6"
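The same association and start, written so the farm account password is prompted for instead of being typed into the script, and with a polling loop in place of repeatedly running Get-SPServiceInstance. This is an added example, not the author's code; it assumes the post's names and that it runs on the synchronization server itself.

```powershell
# Added example (not the post's code): bind the service application to this
# server's User Profile Synchronization Service instance and start it, without
# a plaintext farm-account password in the script. Names follow the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$appName     = "User Profile Service Application"
$syncServer  = $env:COMPUTERNAME          # SHP01 in the post
$farmAccount = "corp\shpFarm"

$app  = Get-SPServiceApplication -Name $appName
$sync = Get-SPServiceInstance -Server $syncServer |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
if (-not $sync) { throw "No User Profile Synchronization Service instance on $syncServer" }

# SetSynchronizationMachine(machine, syncInstanceId, farmUser, farmPassword)
# takes the password as a plain string. Prompt for it and pass it straight
# through instead of leaving it in the script or the shell history.
$cred = Get-Credential $farmAccount
$app.SetSynchronizationMachine($syncServer, $sync.Id, $cred.UserName,
                               $cred.GetNetworkCredential().Password)
$cred = $null

Start-SPServiceInstance -Identity $sync.Id | Out-Null

# Provisioning takes minutes and writes errors to the Application log in the
# meantime, as the post notes. Poll until Online (shown as Started in Central
# Administration) or Disabled; a fall back to Disabled means the start failed,
# so check the event log and the dbo of the profile databases as described above.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $status = (Get-SPServiceInstance -Identity $sync.Id).Status
    Write-Host ("{0:T}  {1}" -f (Get-Date), $status)
} until ($status -eq "Online" -or $status -eq "Disabled" -or (Get-Date) -gt $deadline)
if ($status -ne "Online") { throw "Synchronization service ended in state '$status'" }
```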

You need to have some patience and should not panic at the errors that show up in the Application event log in the meantime.

When you wait long enough the status of the service will be Started eventually.

Configure Synchronization Connection

The next thing to do is configure the Profile Synchronization connection; I used Active Directory.

First create an account that can be used for the profile import function; the account is granted specific rights in Active Directory.

  • On DC01 create the account: corp\Farm1ProfileImport
    • In the Active Directory Users and Computers management console right click the domain and select Delegate Control
    • Add the user FarmProfileImport, click Next
    • Select Create a custom task to delegate, click Next
    • Select This folder and click Next
    • Select the Replicating Directory Changes permission and click Next (the plain Replicating Directory Changes right is all the import needs; do not grant Replicating Directory Changes All, which additionally allows replication of secret domain data)
    • Click Finish

Use Central Administration to configure the Active Directory import: go to Application Management > Manage Service Applications > select the User Profile Service Application and click Manage > select Configure Synchronization Connections > select Create New Connection


Give the connection a name, select Active Directory as type and give the credentials of the previously created Farm1ProfileImport user. Click Populate Containers to make it possible to select the container that you want to synchronize. I selected the OU BusinessIntelligence / Users to be synchronized and clicked OK.


Next is to configure the Synchronization Timer Job. Go to Application Management > Manage Service Applications > select the User Profile Service Application and click Manage > select Configure Synchronization Timer Job.


Click Enable to enable the timer job. Now we can start the Profile Synchronization: go to Application Management > Manage Service Applications > select the User Profile Service Application and click Manage > select Start Profile Synchronization.


Select Start Incremental and click OK. When you return to the Manage User Profile Service page you will see the status Synchronizing. After a while this will be finished and the Number of User Profiles will be updated to the number of profiles available in the selected OU.


Now how can we do this using PowerShell? Maybe some other time?


Known Issue (Can’t remove existing Managed Account):

It could be that the Managed Account already exists; when you try to remove it you get the error: An object in the SharePoint administrative framework SPManagedAccount Name = ???? could not be deleted because other objects depend on it…

First look at the application pools and the accounts they run as:
Get-SPServiceApplicationPool

Then remove the related Application Pool:
Remove-SPServiceApplicationPool <name>

Now you should be able to remove the Managed Account:
Remove-SPManagedAccount -Identity <Account>
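A way to find out what still depends on a managed account before trying to remove it, instead of guessing from the error message. Added example, not from the post; it checks both service application pools and web application pools, since either can hold the dependency, and the account name is a placeholder.

```powershell
# Added example (not the post's code): list the objects that still reference a
# managed account, and only remove the account when nothing does.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$account = "CORP\Farm1APUUserProfile"   # placeholder; use the account you want to remove

# Service application pools running as the account (the case from the post)
$svcPools = Get-SPServiceApplicationPool |
    Where-Object { $_.ProcessAccountName -eq $account }
# Web application (IIS) pools running as the account; these block removal too
$webApps = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.ApplicationPool.Username -eq $account }

if ($svcPools) {
    "Service application pools using ${account}:"
    $svcPools | Select-Object Name
}
if ($webApps) {
    "Web applications whose pool runs as ${account}:"
    $webApps | Select-Object DisplayName, Url
}
if (-not $svcPools -and -not $webApps) {
    # Nothing visible depends on it, so the removal should succeed.
    Remove-SPManagedAccount -Identity $account -Confirm:$false
} else {
    Write-Warning "Remove or re-point the pools listed above before removing $account."
}
```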


Hope you enjoyed this blog! If you have comments, better solutions or recommendations, I would like to hear from you.


1 comment:

Rakshith Roy said

It can be almost impossible to find well-qualified users on this matter; however, you look like you are aware of exactly what you're covering!
SharePoint Training Online