SharePoint 2010 configuring the Profile Synchronization Application Service
In one of my previous posts I explained how you could use DELEG CONFIG to configure Kerberos for the My Site web application. Before you can use My Sites you need to configure some more, so this blog post covers configuring the Profile Synchronization Application Service.
All is done in my Business Intelligence Demo Portal environment: http://blog.arjanfraaij.com/2010/12/sharepoint-2010-installation.html
All actions in Central Administration and PowerShell are done with the initial setup account corp\shpSetup.
All actions are done on the SharePoint server SHP01 using the corp\farm1Setup account.
To make the Profile Synchronization Application Service work we need to configure 2 SharePoint services and the User Profile Service Application.
User Profile Service
First we can start the system service “User Profile Service”. There is no need to configure anything for this service; you can start it from Central Administration > System Settings > Manage services on server, or you can simply execute the PowerShell commands:
Display current status of the User Profile Service:
Get-SPServiceInstance | where-object {$_.TypeName -eq "User Profile Service"}
For starting the service you need the command Start-SPServiceInstance -Identity {GUID}
The GUID is the ID displayed by the previous command. To make it easy you can use the power of PowerShell scripting and pipe the output of the previous command to the start command:
Start the User Profile Service:
Get-SPServiceInstance | where-object {$_.TypeName -eq "User Profile Service"} | Start-SPServiceInstance
Create User Profile Service Application
Before we can start the User Profile Synchronization Service we first need to configure the User Profile Service Application. First I will explain how to do this with Central Administration and then build the same configuration using PowerShell.
First, and this is personal, I like to use dedicated accounts for each service, so I created the accounts:
- corp\farm1APUUserProfile, registered in SharePoint as a managed account.
Fields that are empty or not mentioned are left at their defaults in the steps below.
In the first part of the creation screen we need to give the application service a name and select an existing application pool or create a new one (my preference). Select or configure the security account for the application pool. We can also give the values for the Profile Database. By default this will be “Profile DB” with the space; the first thing I always do is remove the spaces from database names. Then, and again this is my personal preference, I add a prefix to know what the database was created for.
In the following parts we need to define the other databases; here I recommend the same as for the Profile database.
Next we need to define the location for the My Sites and which server is used for profile synchronization.
When finished defining the settings, click Create. When everything went well we should see the window below appear!
The above actions created 2 new objects in the Service Applications overview:
- User Profile Service Application
- User Profile Service Application Proxy
The next step is to start the User Profile Synchronization Service from Central Administration > System Settings > Manage service on server (which can also be found under Application Management). I won’t do this now, but will first explain how to create the User Profile Application Service using PowerShell. [Download script here]
- Does the needed managed account already exist?
Get-SPManagedAccount CORP\Farm1APUUserProfile
If not, create the needed managed account:
$Cred = Get-Credential   # This will pop up a login screen
New-SPManagedAccount -Credential $Cred
- Does the needed application pool exist:
Get-SPServiceApplicationPool -Identity "UserProfileServiceApplicationPool"
If not create the needed application pool:
New-SPServiceApplicationPool -Name "UserProfileServiceApplicationPool" -Account CORP\Farm1APUUserProfile
- Does the Service Application already exist:
Get-SPServiceApplication -Name "User Profile Service Application"
If not, we need to create it; it can only be created when the needed service instance is online.
Get-SPServiceInstance |?{$_.TypeName -eq "User Profile Service"}
Check the status and note the ID. We need it for starting the service instance.
When the status is Disabled, start the service instance:
Start-SPServiceInstance -Identity "a3877475-4a20-42ad-b6dd-5161f94ee543"
Use the previous Get command to check when the service instance is online; in between the status should be Provisioning…
Now we can create the Service Application. Because I use the DI\shpFarm1Setup account, it needs to be granted db_owner rights on the MySite content database; remove these rights after the application is created:
New-SPProfileServiceApplication -ApplicationPool "UserProfileServiceApplicationPool" -Name "User Profile Service Application" -MySiteHostLocation "http://mysite.corp.local" -MySiteManagedPath "/personal" -ProfileDBName "shpFarm1_ProfileDB" -ProfileDBServer "SQL01\MSSQL01" -ProfileSyncDBName "shpFarm1_SyncDB" -ProfileSyncDBServer "SQL01\MSSQL01" -SocialDBName "shpFarm1_SocialDB" -SocialDBServer "SQL01\MSSQL01"
Note the ID that is generated; it is needed to set the other parameters in the next step.
The last step is to create the Application Instance Proxy for the User Profile Service Application:
New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" -ServiceApplication 77407dae-a37d-41dc-922f-72d23baac34e -DefaultProxyGroup
- We have now created the User Profile Service Application and can start configuring…
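The checks and creation steps above combined into one re-runnable script, as an added example that is not the author's downloadable script. It reuses the names from this post and passes objects between cmdlets instead of copying GUIDs by hand; the farm-account guard, the `Server.Address` filter and the 10-minute limit are assumptions.

```powershell
# Added example: re-runnable creation of the User Profile Service Application.
# Names come from this post; run in the SharePoint 2010 Management Shell.
$account  = 'CORP\Farm1APUUserProfile'
$poolName = 'UserProfileServiceApplicationPool'
$appName  = 'User Profile Service Application'
$sql      = 'SQL01\MSSQL01'

# Guard: the account running this becomes dbo of the new databases, so warn
# when it is not the farm account (see the dbo problem described further down).
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$farm = (Get-SPFarm).DefaultServiceAccount.Name
if ($me -ne $farm) { Write-Warning "Running as $me, farm account is $farm" }

# 1. Managed account: prompt for the password, never store it in the script.
if (-not (Get-SPManagedAccount -Identity $account -ErrorAction SilentlyContinue)) {
    New-SPManagedAccount -Credential (Get-Credential $account) | Out-Null
}

# 2. Application pool running under the dedicated account.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) { $pool = New-SPServiceApplicationPool -Name $poolName -Account $account }

# 3. The User Profile Service instance must be Online before the create.
#    The Server.Address filter is an assumption for multi-server farms.
$find = { Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Service' -and $_.Server.Address -eq $env:COMPUTERNAME } }
$instance = & $find
if ($instance.Status -eq 'Disabled') { $instance | Start-SPServiceInstance | Out-Null }
$deadline = (Get-Date).AddMinutes(10)          # assumed upper bound
while ((& $find).Status -ne 'Online') {        # Provisioning in between
    if ((Get-Date) -gt $deadline) { throw 'User Profile Service did not come Online' }
    Start-Sleep -Seconds 10
}

# 4. Service application and proxy: the object is passed on, no GUID to copy.
$app = Get-SPServiceApplication -Name $appName
if (-not $app) {
    $app = New-SPProfileServiceApplication -ApplicationPool $pool -Name $appName `
        -MySiteHostLocation 'http://mysite.corp.local' -MySiteManagedPath '/personal' `
        -ProfileDBName 'shpFarm1_ProfileDB' -ProfileDBServer $sql `
        -ProfileSyncDBName 'shpFarm1_SyncDB' -ProfileSyncDBServer $sql `
        -SocialDBName 'shpFarm1_SocialDB' -SocialDBServer $sql
    New-SPProfileServiceApplicationProxy -Name "$appName Proxy" `
        -ServiceApplication $app -DefaultProxyGroup | Out-Null
}
$app | Select-Object Name, Id, Status
```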
Configure User Profile Synchronization.
First we need to start the User Profile Synchronization Service. Against all basic guidelines, this service can only be started using the Farm Admin account for the service AND that account needs to be a local administrator. I added corp\shpFarm to the local Administrators group of SHP01 and restarted the server. Some pages and the Microsoft book say to remove it once the service is started, only then the service will not start anymore after a reboot. So I simply ignore the health check messages.
Have some patience while starting the Service Instance; this could take a few minutes.
- Central Administration > System Settings > Manage service on server > Click Start
- Select the User Profile Service Application we just created
- Provide the password of the corp\shpFarm account
- Click OK
- PowerShell:
First get the ID of the Service Instance:
Get-SPServiceInstance |?{$_.TypeName -eq "User Profile Synchronization Service"}
Start the Service Instance:
Start-SPServiceInstance -Identity "9a3b579f-3064-48e5-b578-39558af6c7d6"
And then it happens: you do not see an error in PowerShell, but when running the Get-SPServiceInstance command you see Provisioning and then soon Disabled again. Looking at the Windows Event Viewer application log you will see an error like:
The easy way is starting it with Central Administration. This won’t work when you want to create a scripted install. I kept looking and found the post: http://gallery.technet.microsoft.com/scriptcenter/04d41bf9-1b9c-454e-8695-575acef82bfd. But first I tried to start it using Central Administration.
When I tried to start it with Central Administration it seemed to stay on Starting status; after waiting long enough the service had status Stopped again. Event Viewer shows a warning like:
What happened? I did all configuration logged on as corp\shpSetup on SHP01, and that makes some difference. When using Central Administration to create the User Profile Application Service and looking at the databases created, the dbo for the databases is set to corp\shpFarm. When doing the configuration with PowerShell the dbo is set to corp\shpSetup; this is wrong. We can do 2 things:
- Log in to SHP01 with the corp\shpFarm account to configure the Application Service using PowerShell.
- Use SQL to alter the dbo on the databases to be the corp\shpFarm account.
I logged in to SHP01 with the corp\shpFarm account and re-created the User Profile Service Application using PowerShell. I could not find much information about SetSynchronizationMachine; does anyone know a good description? It’s used to associate the User Profile Service Application with the User Profile Synchronization Service.
This time I tried to start it with PowerShell, logged in with the corp\shpSetup account again. I used the aforementioned post to create the PowerShell statement (the ID is the one from the User Profile Synchronization Service):
$ServAPP = Get-SPServiceApplication -Name "User Profile Service Application"
# Arguments: server, ID of the sync service instance, farm account, farm account password
$ServAPP.SetSynchronizationMachine("SHP01", "9a3b579f-3064-48e5-b578-39558af6c7d6", "corp\shpFarm", "<typepasswordhere>")
Start-SPServiceInstance "9a3b579f-3064-48e5-b578-39558af6c7d6"
You need to have some patience, and don’t panic about errors in the Application event log like:
When you wait long enough the status of the service will be Started eventually.
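A variant of the start sequence above that prompts for the corp\shpFarm password instead of typing it into the script, and then polls the status so a fall back to Disabled is noticed. This is an added example, not code from the post or the referenced TechNet script; the 30-second interval and 20-minute limit are assumptions.

```powershell
# Added example: start the User Profile Synchronization Service without a
# password literal in the script. Server and account names are from this post.
$find = { Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' } }
$sync = & $find
$app  = Get-SPServiceApplication -Name 'User Profile Service Application'

# Prompt for the farm account; nothing is written to disk or script history.
$farmCred = Get-Credential 'corp\shpFarm'
$plain    = $farmCred.GetNetworkCredential().Password

# Same call as in the post: server, service instance ID, account, password.
$app.SetSynchronizationMachine('SHP01', $sync.Id, $farmCred.UserName, $plain)
$plain = $null                       # drop the clear-text copy right away
$sync | Start-SPServiceInstance | Out-Null

# Poll the instance. Provisioning for several minutes is normal; Disabled
# after Provisioning is the failure described in this post (check dbo and
# local administrator membership of the farm account).
$deadline = (Get-Date).AddMinutes(20)      # assumed upper bound
$seenProvisioning = $false
do {
    Start-Sleep -Seconds 30                # assumed polling interval
    $status = (& $find).Status
    Write-Host ("{0:HH:mm:ss}  {1}" -f (Get-Date), $status)
    if ($status -eq 'Provisioning') { $seenProvisioning = $true }
    if ($status -eq 'Disabled' -and $seenProvisioning) {
        Write-Warning 'Provisioning failed, see the Application event log.'
        break
    }
} until ($status -eq 'Online' -or (Get-Date) -gt $deadline)
```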
Configure Synchronization Connection
The next thing to do is configure the Profile Synchronization connection; I used Active Directory.
First create an account that can be used for the profile import function; the account is granted specific rights in Active Directory.
- On DC01 create the account: corp\Farm1ProfileImport
- In the Active Directory Users and Computers management console, right-click the domain and select Delegate Control
- Add the user Farm1ProfileImport, click Next
- Select Create a custom task to delegate, click Next
- Select This folder and click Next
- Select the Replicating Directory Changes permission and click Next
- Click Finish
Give the connection a name, select Active Directory as type and give the credentials of the previously created Farm1ProfileImport user. Click Populate Containers to make it possible to select the container that you want to synchronize. I selected the OU BusinessIntelligence / Users to be synchronized and clicked OK.
Next is to configure the Synchronization Timer Job. Go to Application Management > Manage Service Applications > Select the User Profile Service Application and click manage > Select Configure Synchronization Timer Job:
Click Enable to enable the timer job. Now we can start the Profile Synchronization: go to Application Management > Manage Service Applications > select the User Profile Service Application and click Manage > select Start Profile Synchronization.
Select Start Incremental and click OK. When you return to the Manage User Profile Service page you will see the status Synchronizing. After a while this will be finished and the Number of User Profiles will be updated to the number of profiles available in the selected OU.
Now how can we do this using PowerShell? Maybe some other time?
Known Issue (Can’t remove existing Managed Account):
It could be that the Managed Account already exists. When you try to remove it you get the error: An object in the SharePoint administrative framework SPManagedAccount Name = ???? could not be deleted because other objects depend on it…
First look at the application pools and Application Pool users that are
Get-SPServiceApplicationPool
Then remove the related Application Pool
Remove-SPServiceApplicationPool <name>
Now you should be able to remove the Managed Service Account.
Remove-SPManagedAccount -Identity <Account>
Hope you enjoy this blog! If you have comments, better solutions or recommendations, I would like to hear from you.