Configuring User Profile Synchronization to support Site Mailboxes in SharePoint 2013
Part 2 of the series will cover how to configure the User Profile Synchronization service in SharePoint 2013 and start the initial synchronization. To get a better understanding of what a user profile is in SharePoint, see the information contained here. In short, a user profile contains information from various different sources, including AD DS, LoB applications and data supplied by users in SharePoint such as hobbies and expertise. The data contained in a user profile is stored in a separate SQL database named the UserProfileDB (renamed) database.
Note* – You must have SharePoint configured to use a full installation of SQL Server. Profile synchronization will not work if you are using SQL Server Express edition.
To configure the farm for profile synchronization we will follow the steps outlined in the TechNet article located here. Keep in mind that these steps apply only to SharePoint 2013. Configuration of user profile synchronization has some prerequisites, which will be addressed prior to any farm configuration. The first of these prerequisites is to configure the required account permissions for directory synchronization with AD DS. To do this, first create a user account in AD DS with a secure username and password that adheres to the organization’s requirements for service accounts. After the account has been created, it must be granted the “Replicate Directory Changes” permission on the domain that will be synchronized. The steps below grant the required permissions to the newly created service account.
1. Create a user in AD DS; my example is named “svcsp13upsync”.
2. Launch Active Directory Users and Computers, right-click the domain and select “Delegate Control” to launch the Delegation of Control Wizard shown below.
3. On the Add Users or Groups page, add the service account previously created and click “Next” to proceed.
4. Select the “Create a custom task to delegate” radio button.
5. On the Active Directory Object Type page, select “This folder, existing objects in this folder, and creation of new objects in this folder” and click “Next”.
6. The permissions page will allow for selection of the “Replicate Directory Changes” permission as shown below. Place a check mark in the appropriate box and select “Next” to continue, then finally, “Finish” to complete the delegation of permissions.
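To confirm the delegation from the steps above, the following PowerShell (an added example, not part of the original post) reads the ACL on the domain object and lists the replication rights granted directly to the service account, flagging anything other than “Replicate Directory Changes”. It assumes the ActiveDirectory RSAT module is installed and uses the example account name svcsp13upsync; rights obtained through group membership are not evaluated.

```powershell
# Added example: audit replication rights delegated on the domain object.
# Assumption: the service account is svcsp13upsync, as in the steps above.
# Only ACEs naming the account directly are checked, not group memberships.
Import-Module ActiveDirectory

$Account  = 'svcsp13upsync'
$Expected = 'Replicate Directory Changes'

# rightsGuid values of the replication control access rights in AD DS.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicate Directory Changes In Filtered Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

$domainDn = (Get-ADDomain).DistinguishedName
$sid      = (Get-ADUser -Identity $Account).SID.Value
$acl      = Get-Acl -Path "AD:\$domainDn"

# Request rules keyed by SID so the match does not depend on name resolution.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($ace in $rules) {
    if ($ace.IdentityReference.Value -ne $sid) { continue }
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

    $guid = $ace.ObjectType.ToString().ToLower()
    if (-not $ReplicationRights.ContainsKey($guid)) { continue }

    [pscustomobject]@{
        Account   = $Account
        Right     = $ReplicationRights[$guid]
        Inherited = $ace.IsInherited
        Expected  = ($ReplicationRights[$guid] -eq $Expected)
    }
}

if (-not ($findings | Where-Object Expected)) {
    Write-Warning "$Account does not hold '$Expected' on $domainDn"
}
$findings | Sort-Object Right | Format-Table -AutoSize
```

Any row with Expected = False is a grant beyond what this procedure asks for and should be reviewed before the account goes into service.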
Creating a web application to host MySites
Ensure that the account used to follow the below steps is a member of the farm administrators group.
1. Launch SharePoint Central Administration. In the “Application Management” section, select “Manage Web Applications”.
2. Select “New” from the ribbon.
3. Configure the new web application as required for your specific environment. My example has been configured as a new IIS web site named MySites, with all defaults except for the modifications below.
Create a site collection to host users’ My Sites
The following steps will create a site collection to host the users’ My Sites in the farm. Start by navigating to Central Administration, and then to “Application Management”. Click “Create Site Collection”.
1. In the create site collection page, select the MySites web application created in the previous section. My example is reflected by the site with a port number 22349 as shown below.
2. I’ve configured my additional settings as shown below for the new site collection that will host My Sites for the users. The screenshot below does not show the primary and secondary site collection administrators that have been configured.
3. At this point, the top-level site will have been successfully configured but will result in an error if accessed because user profile synchronization is not configured and/or in place yet.
Create a User Profile service application
Next, we need to create a User Profile service application, which will allow us to manage profile synchronization with Active Directory Domain Services. To do this, navigate to “Central Administration”, “Application Management” and select “Manage Service Applications”.
1. In the SharePoint 2013 ribbon, select “New”, then “User Profile Service Application”.
2. I have named the databases based on my personal naming convention and created a new application pool for the service. The remainder of the settings have been left at defaults and are shown below.
Start the User Profile Service
The User Profile service must be started. In “Central Administration”, “System Settings”, select “Manage services on this server”.
1. Navigate to the User Profile service and if currently stopped, click “Start” to start the service. Once successfully started it should show as below.
Start the User Profile Synchronization service
Similar to the previous steps taken to start the User Profile service, we need to start the User Profile Synchronization service. Navigate to the System Settings section again in Central Administration and locate the service, which should be displayed as in the image below. Click “Start” to start the service.
On the User Profile Synchronization page, select the user profile synchronization service and provide the proper password for the farm administrator account. When completed, click OK to proceed. Please ensure that the farm administrator account specified is a member of the server’s local administrators group and is granted the right to log on locally, either in the local policy or via Group Policy. For more information on how to grant local logon rights, see the post located here.
During this process SharePoint 2013 is configuring a local instance of FIM (Forefront Identity Manager) with synchronization configurations, so it may take a few minutes to start the service.
Lastly, because my SharePoint environment is only a two-server farm (WFE and SQL), I need to reset IIS because Central Administration and the synchronization service are on the same SharePoint 2013 server.
Creating a Directory Services Connection and Importing Data
Before we can import data from a directory source, which in our case is Active Directory Domain Services, we need to create a connection to the directory source. This connection will identify what to synchronize and be configured with the proper credentials to facilitate the synchronization. To create the connection, follow the below steps:
1. Open Central Administration. In the Application Management section, click Manage service applications.
2. In Central Administration, click the User Profile application, which I have named ADDS_profile_sync.
3. On the Manage Profile Service page, in the Synchronization section, click “Configure Synchronization Connections”.
4. Select Create New Connection.
5. I have configured my connection with the below settings. Substitute with the proper values where necessary. I am only synchronizing with my “Demo Users” organizational unit.
I will not be adding any exclusions into my connection configuration but if desired, you can then edit the newly created connection and add filters for excluding specific user accounts from synchronizing.
Mapping User Profile Properties
In order to import data from the directory and synchronize the property values properly with the SharePoint 2013 user profile we need to map the properties as needed. To do this, follow the below steps:
1. In Central Administration, select “Application Management” and click “Manage service applications”.
2. In Central Administration, click the User Profile application, which I have named ADDS_profile_sync.
3. Click Manage User Properties.
4. Take a look at the properties in both the directory source (AD DS) and SharePoint 2013 user profile. If any edits need to be made to map properties between the two directories, edit them as needed.
Start the User Profile Synchronization
Finally, we can start the user profile synchronization process by completing the following steps:
1. In Central Administration, select “Application Management” and click “Manage service applications”.
2. In Central Administration, click the User Profile application, which I have named ADDS_profile_sync.
3. In the Manage Profile Service page, select “Start Profile Synchronization”.
4. Because this is my first synchronization and only a small amount of data is in scope, I am selecting a full synchronization. Choose the option necessary taking into consideration your particular scenario and needs.
5. After clicking OK and starting the full sync, you can see the status change to “Synchronizing” on the “Manage Profile Service” page. When completed, the status will change back to Idle.
You should then see an increase in the number of user profiles as shown below.
User Profile Synchronization has been configured for the farm and is in place to support the various features and functionality in SharePoint 2013, including, in our case, the new Site Mailboxes feature.
Part 3 will continue with the prerequisites required to provide Site Mailbox access to SharePoint and Exchange users and outline how to configure the app management service application for the farm…