SPC2012 – IT-Pro 11/19/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.


1 SPC2012 – IT-Pro 11/19/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 User Profile Synchronization Best Practices in SharePoint Server 2013
SPC245 User Profile Synchronization Best Practices in SharePoint Server 2013. Spencer Harbar

3 About Spencer Harbar SharePoint Architect Edinburgh, United Kingdom
Microsoft Certified Solutions Master | SharePoint
Microsoft Certified Architect | SharePoint 2010
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007
Microsoft Certified Master | SharePoint Instructor & Author
Most Valuable Professional | SharePoint Server
SharePoint Patterns & Practices Advisory Board Member
Works with SharePoint Product Group on Readiness
Author for MSDN & TechNet

4 Agenda Identity Management
#SPC245 IT-Pro, Level 300 Identity Management User Profile Service Application Architecture Active Directory Import User Profile Synchronization Windows PowerShell Provisioning Demonstration Wrap Up and Recommendations

5 Identity Management and SharePoint Social

6 Identity Management (“IdM”)
Leveraging SharePoint User Profiles means you are in the Identity Management business: whether you like it or not! Importance increases significantly with SharePoint 2013.
Every Identity Management initiative, ever (and always): primarily a political endeavor, NOT a technical one. No toolset from any vendor will ever change this. IdM consulting skills a must have.

7 Identity Management (“IdM”)
10% Technology 90% Everything else!

8 IdM Primary Considerations
Ownership: Who owns which data; Departmental controls; IS systems; Organizational culture
Data Quality: Is the data even there? Is the data “clean”? Is the data up to date?

9 IdM Primary Considerations
System Quality Access Control e.g. Health of Active Directory Too many forests and/or domains Line of business systems External (to SharePoint) data sources Authentication and Authorization

10 Make friends with your DS admins!
Can make or break a large scale social deployment Regular communications is a must! Change Control for pre-requisites Especially when Active Directory is externally managed e.g. Reboot of domain controllers, Windows Update Large and/or bulk updates Replicating Directory Changes Additional rights for property export

11 User Profile Service Application Architecture

12 Lessons from the field Inadequate understanding of the UPA architecture Features and design constraints drive deployment options One of the most common causes of weak deployments, limited functionality and upgrade pain Federate or replicate? Central farms, regional farms, both? Relationship with other services

13 Lessons from the field Inadequate planning for User Profiles
Supporting Infrastructure and related services: SQL Server; Distributed Cache; SharePoint Server Search; Managed Metadata; Business Data Connectivity
Security
Privacy
Policy
Operations

14 Profile Sync Goals for SharePoint 2013
Performance: Large organizations should be able to perform a full sync of AD and SharePoint data over a weekend
Reliability: IT Pros should be able to monitor the performance and stability of profile sync and have access to the information that they need to take corrective action when problems occur
Compatibility: Common Directory Service configurations should be supported, including Forefront Identity Manager and LDAP

15 Profile Sync Performance Improvements
Reduce full import time from up to 2 weeks down to 60 hours for extremely large directories Elimination of full table scans Batched BDC Import Removal of unused provisioning steps History clean up Some object resolution moved from SharePoint to Sync

16 Synchronization “modes”
Active Directory Import: Lightweight LDAP approach internal to SharePoint, a.k.a. Direct AD Import
User Profile Synchronization: Forefront Identity Manager
Custom Code: User Profiles Web Services and Object Model

17 Active Directory Import

18 Active Directory Import Capabilities
Get up and running with profile import as quickly as possible Users and Groups Multiple domain support For the most common scenario (AD forest) Import Only! Container selection LDAP filters One connection per domain

19 Active Directory Import Capabilities
Support for secondary accounts: a.k.a. Shadow Accounts
Custom Property Mappings: For simple data types
Account mappings for Windows, FBA and Trusted Identity providers: As SharePoint 2010

20 Scripting Connections
*-SPProfileSyncConnection cmdlets fully supported
For AD Import only

21 Replicating Directory Changes
Is still required for AD Import Leverages a change log to drive import efficiency

22 Active Directory Import Limitations
No cross forest Contact resolution
Mapping to SharePoint system properties is not supported (those that begin with SPS-)
Augmenting profiles with data from BDC is not supported

23 Active Directory Import Limitations
Mapping multi value to single value or vice versa is not supported Mapping two different AD attributes to the same SharePoint property is not supported

24 LDAP Query Filters
Traditional LDAP queries can be used to constrain imported objects: maximum flexibility
Filters are inclusion based, as opposed to exclusion based with UPS
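An inclusion filter can be previewed against the directory before it is entered on the import connection, so that only the intended accounts become profiles. The following is an added example, not part of the original presentation; the container DN and the filter itself are assumptions chosen for illustration.

```powershell
# Added example: preview what an inclusion-based LDAP filter would select.
# The OU path below is a hypothetical placeholder.

# Inclusion filter: enabled user objects that have a mail attribute.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of
# userAccountControl marks a disabled account, so the (!...) clause drops those.
$filter = '(&(objectCategory=person)(objectClass=user)(mail=*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$root     = [ADSI]'LDAP://OU=Staff,DC=contoso,DC=com'
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.PageSize    = 1000          # page results so large containers are not truncated
$searcher.SearchScope = 'Subtree'
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$results = $searcher.FindAll()
"{0} objects match the filter" -f $results.Count

# Spot-check the first few matches before committing the filter to the connection.
$results | Select-Object -First 10 |
    ForEach-Object { $_.Properties['samaccountname'][0] }

$results.Dispose()
```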

25 AD Import Behaviour
A full import is required whenever a configuration change occurs: Adding or removing OUs; Filter changes; Property mappings
After full import a purge is required:
Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true

26 Switching modes AD Import stores connections in the Profile DB
UPS stores connections in the Sync DB Property mappings and filters are NOT moved Manual recreation required Or use an XML based provisioning approach

27 Switching modes Requires strong planning!
Understand the design constraints Document the configuration!!!

28 Provisioning the UPA and UPS

29 Provisioning UPA and UPS
Central Administration: Via Manage Service Applications
Windows PowerShell: The default schema issue
Farm Configuration Wizard (just kidding)

30 The default schema issue
When the Windows PowerShell session is not under the context of the farm account: Farm Account default schema set incorrectly in Sync DB; We will never be able to start the UPS service instance
Potential Workaround: Log on as the Farm Account and execute the PowerShell; Fix the schema manually – an unsupported change

31 Solution
Non UAC environments: Get-Credential and Start-Job
UAC Environments: Start-Process -runas
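The Get-Credential and Start-Job approach for non UAC environments can look like the following, which creates the service application in a background job running as the farm account so the Sync DB schema is created under that identity. This is an added example, not the script from the session demo; the account name, application pool name and database names are assumptions.

```powershell
# Added example: create the UPA under the farm account's context via Start-Job.
# All names below are hypothetical placeholders.
$farmAccount = Get-Credential 'CONTOSO\sp-farm'      # prompts for the farm account password
$upaName     = 'User Profile Service Application'
$appPoolName = 'SharePoint Services App Pool'        # an existing service application pool

$create = {
    param($upaName, $appPoolName)

    # The job runs in a separate process, so the snap-in must be loaded there.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

    $pool = Get-SPServiceApplicationPool -Identity $appPoolName
    $upa  = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $pool `
                -ProfileDBName 'UPA_Profile' -SocialDBName 'UPA_Social' `
                -ProfileSyncDBName 'UPA_Sync'

    New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" `
        -ServiceApplication $upa -DefaultProxyGroup
}

# Start-Job -Credential launches the script block as the farm account,
# regardless of which administrator opened the current session.
$job = Start-Job -Credential $farmAccount -ScriptBlock $create `
           -ArgumentList $upaName, $appPoolName

# Surface any errors from the job instead of leaving them in the job object.
$job | Wait-Job | Receive-Job
```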

32 Demo Provisioning UPA using Windows PowerShell
Active Directory Import Mode User Profile Synchronization

33 Wrap Up and Recommendations

34 Plan! Seriously, you MUST do this!
Think! Plan Plan some more Do a little more planning Go back and do some more planning!

35 Directory Service Health
Rubbish In == Rubbish Out
Poor Active Directory platform hygiene, e.g. organic growth of domains and/or forests
External DS management
Impacts pretty much every product feature

36 Recommendations Leverage AD Import to get up and running quickly
Switch to User Profile Synchronization as and when you need those capabilities, e.g. BCS Augmentation, Property Export
