Active Directory Import for SharePoint 2013

Published on December 2019 | Categories: Documents | Downloads: 17 | Comments: 0 | Views: 412

Step by Step: Active Directory Import for SharePoint 2013 - MEA Center of Expertise - S... Page 1 of 4

Step by Step: Active Directory Import for SharePoint 2013
Ahmed M Khairy, 4 Aug 2013 3:49 AM

Active Directory Import (AKA Active Directory Direct Import, ADDI) is one of the new features in SharePoint 2013; it allows you to import users from Active Directory into your SharePoint User Profile Service Application.

Background

In SharePoint 2010, there was only one method allowing you to sync user profiles between your user repository and your SharePoint environment, and it was essentially a lightweight version of FIM. With SharePoint 2013, there are now three methods that allow you to carry out the aforementioned sync operation.

• SharePoint Profile Synchronization (lightweight FIM)
• Active Directory Import
• External Identity Manager (C#)

While the focus of this article is Active Directory Import, the enhancements that have been made, especially with regard to the performance of lightweight FIM, merit a mention. One of the most important areas of enhancement is how FIM retrieves data from BCS. In SharePoint 2013, import operations from BCS are done in batches rather than one by one. Furthermore, indexes were added to user properties, which eliminated full table scans. A number of unused provisioning steps were also removed. The end result? One piece of anecdotal evidence shows that a full import of 300K users took less than 7 hours, where previously it took nearly three weeks.

Active Directory Import

Active Directory Import allows you to import users from Active Directory into your SharePoint 2013 environment. The logical question then is what the pros and cons of ADI are, and when you should use it over FIM. The table below summarizes these points.

Pros
• Extremely fast performance
• Very reliable
• Connect to forests with multiple domains
• Windows, FBA and claims are all supported

Cons
• Cannot import from more than one user repository
• Cannot import from any other user repository than AD (no LDAP support)
• Sync is one way from AD into SharePoint (hence the “import” in the name)

I now use ADI for any development/PoC environment. I would also highly recommend it for any production environment that leverages only AD DS and doesn’t require writing back to AD.

Great! How do I enable ADI?

Enabling ADI is done in essentially four steps. With the exception of the first step, these steps are carried out against an instance of the User Profile Service Application.

1. Configure AD DS permissions.
2. Enable Active Directory Import.
3. Configure the connection properties.
4. Map the user properties between AD and UPSA.

1. Configure AD DS permissions

In this step, you grant the Replicate Directory Changes permission to the account that SharePoint uses to connect to AD DS during profile synchronization. Step-by-step instructions are provided here: http://technet.microsoft.com/en-us/library/hh296982.aspx (Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013).

2. Enable Active Directory Import

In this step, we select ADI as the import mechanism for the User Profile Service Application instance that we are accessing.

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
3. On the Manage Service Applications page, click the User Profile service application name.
4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.
5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

3. Configure the connection properties

The lightweight FIM component that comes with SharePoint 2013 stores its connection configuration in the Sync DB, whereas ADI stores its connection configuration in the Profile DB. Therefore, the first time you change the sync mechanism from FIM to ADI, you will need to configure the connection properties for ADI. These properties include the credentials used to connect to AD DS (these should be the same credentials that were granted the permissions in step 1) as well as which items to sync. On subsequently switching between FIM and ADI, the connection properties are retrieved for each respectively. The complete steps for doing so are provided in “Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013”: http://technet.microsoft.com/en-us/library/jj219646.aspx

4. Map user properties between AD and UPSA

In this step, you determine how the properties of SharePoint user profiles map to the user information that is retrieved from AD DS.


2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
3. On the Manage Service Applications page, click the User Profile service application name.
4. On the Manage Profile Service page, in the People section, click Manage User Properties.
5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.
6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
7. To add a new mapping, do the following:
   a. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.
   b. In the Attribute box, type the name of the directory service attribute to which you want to map the property.
   c. Click Add.
8. Click OK.
9. Repeat steps 5 through 8 to map additional properties.
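The Replicate Directory Changes right granted in step 1 is a sensitive directory permission, so once the four steps are done it is worth confirming exactly who holds it. The following PowerShell check is an added example, not part of the original article: it lists every principal with that right on the domain head, flags any holder outside a baseline you maintain, and warns if the sync account is missing. The account name and the baseline list are assumptions to adapt to your domain; it needs the RSAT ActiveDirectory module on a domain-joined admin session.

```powershell
# Added example (not from the article): audit holders of the "Replicating
# Directory Changes" right (DS-Replication-Get-Changes) on the domain head.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\sp_sync'   # placeholder: the sync account from steps 1 and 3

# Well-known GUID of the DS-Replication-Get-Changes extended right
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# An ACE grants the right if it names this GUID, or if it is an unscoped
# (empty ObjectType) ExtendedRight / GenericAll grant, which covers all rights.
$holders = $acl.Access |
    Where-Object {
        $r = $_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -eq $ReplGetChanges -and $r.HasFlag($ExtendedRight)) -or
            ($_.ObjectType -eq [Guid]::Empty -and ($r.HasFlag($ExtendedRight) -or $r.HasFlag($GenericAll)))
        )
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

# Baseline of holders considered normal here; this is an assumption for the
# example, not an exhaustive list. Adjust it to your own documented baseline.
$Expected = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Controllers",
    $SyncAccount
)

foreach ($h in $holders) {
    $status = if ($Expected -contains $h) { 'expected' } else { 'REVIEW' }
    '{0,-9} {1}' -f $status, $h
}

if ($holders -notcontains $SyncAccount) {
    Write-Warning "Step 1 incomplete: $SyncAccount does not hold Replicating Directory Changes on $domainDN"
}
```

Any principal reported as REVIEW should be traced back to a change record; the sync account itself only needs this right on the domains it imports from.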

Tips and Tricks

1. Each time you change the sync mechanism from FIM to ADI, the User Profile Synchronization service is stopped. You will need to restart it if you switch back to FIM.
2. If you are mapping attributes and are using FIM, all of the attributes from AD are listed in the drop-down box. However, if you are mapping the attributes using ADI, you will need to type the attribute names in the textbox. The drop-down is still displayed, but empty. This is not an indication that something is wrong with your security.
3. When setting up the connection details, you will be prompted for the FQDN; this does not include the machine name. If you add the machine name to the FQDN, you will be presented with a “No containers to display” error message.

Comments

Gasser Elbiali 4 Aug 2013 11:40 PM

thank you Ahmed, very useful article

Hezequias Vasconcelos 5 Aug 2013 2:04 PM

Congratulations Ahmed. Very good job.

AD Groups 5 Sep 2013 10:31 PM

Hello Ahmed,

I configured all Sync settings to import users Profilers from a different domain ... Everything is going fine except AD Groups. They were not imported properly and I am not able to give permissions to an AD group in my SharePoint site.

Can you help me please?

Best regards !!

Luiz

Luis Pena 27 Sep 2013 8:58 PM

I'm having the same problem as Luiz


If you would like to add those property mappings programmatically, you have to be aware that when your connection is of type "ActiveDirectoryImport", the methods of the classic sync connection won't work, because Microsoft implemented it in a different way. This is also reflected at http://msdn.microsoft.com/enus/library/microsoft.office.server.userprofiles.connection.propertymapping.aspx where they state that the Connection.PropertyMapping property is NULL in case of ActiveDirectoryImport.

The great thing about it is that it got much simpler through the ActiveDirectoryImportConnection.AddPropertyMapping method.

Try this:

```powershell
# Run in the SharePoint 2013 Management Shell, or load the snap-in first
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# <centraladmin-URL> is a placeholder for your Central Administration site URL
$site = New-Object Microsoft.SharePoint.SPSite "<centraladmin-URL>"
$context = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager $context
$UPAConnMgr = $configManager.ConnectionManager
$Connection = ($UPAConnMgr | select -First 1)

# AddPropertyMapping exists only on the ADI connection type;
# the arguments are (AD attribute, profile property)
if ($Connection.Type -eq "ActiveDirectoryImport") {
    $Connection.AddPropertyMapping("streetAddress","SPS-Location")
    $Connection.Update()
}
```

Behrouz 13 Dec 2013 2:22 PM

I got stuck at step 3) configure the connection properties. I get an error (NeedsFullImport) and cannot create a new sync connection. Any idea?

Tim, Xu 13 Mar 2014 9:46 AM

Do we need start "User Profile Synchronization Service" now if use AD import?
