3. Active Directory Import
The Active Directory Import (ADI) synchronization method provides administrators with a new option for syncing profiles. One of the benefits of choosing this method is that you don’t have to provision the User Profile Synchronization Service. No, this is not a joke. Recall reading that ADI is much easier to configure. This synchronization process runs entirely in the context of the User Profile Service Application. In general, ADI is configured in three steps: selecting ADI as the sync option, as covered in the previous section; creating a connection; and mapping user profile properties. The following steps provide the details for creating a connection:
1. In the Synchronization section of the Manage Profile Service page, click Configure Synchronization Connections.
2. Click Create New Connection.
3. Enter a name in the Connection Name box.
4. Enter the fully qualified domain name of the domain you wish to sync.
5. Select the Authentication Provider type. Most administrators will use Windows Authentication. Click the Authentication Provider Type drop-down menu to familiarize yourself with the options available.
6. Enter the account name and password of the Active Directory account you configured to do the import. Figure 3 shows an example of a completed connection.
7. Make sure the default port is correct and check whether your domain uses SSL.
8. Optionally, check the box to filter disabled users from the import.
9. Add any LDAP filters that you want to use to filter users from the synchronization process. Here’s a common filter that includes accounts that are not disabled:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
NOTE The LDAP filters used here are inclusion filters; they tell the sync process what to include, not what to exclude. This is different from the User Profile Synchronization process, where the filters are exclusion filters. Also, since there is a check box for excluding disabled users, you could use the following filter as another example for users with an e-mail address:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))
10. Click Populate Containers to load the tree view.
11. Select the objects that you want included in the import.
12. Click OK. The connection information is stored in the profile database.
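To make the behaviour of the two filters in step 9 and the NOTE concrete, the following added example (not code from the page or from SharePoint) evaluates them against a handful of constructed directory entries. It implements just enough of the LDAP filter grammar to cover what those filters use: AND, OR, NOT, equality, presence (mail=*) and the Active Directory bitwise-AND extensible match (OID 1.2.840.113556.1.4.803), under which "userAccountControl:1.2.840.113556.1.4.803:=2" is true only when the ACCOUNTDISABLE bit (0x2) is set. The `inclusion` switch shows why the NOTE matters: the same filter text selects the opposite set of accounts if it is treated as an exclusion filter. The sample users, their userAccountControl values and the short-form objectCategory values are constructed for the example; in a live directory objectCategory is a DN that AD resolves against the schema.

```python
"""Minimal LDAP filter evaluator (added example, not part of the original page).

Supports &, |, !, attr=value, attr=* and the AD bitwise matching rules
1.2.840.113556.1.4.803 (AND) and 1.2.840.113556.1.4.804 (OR).
"""

ACCOUNTDISABLE = 0x2  # userAccountControl bit meaning "account is disabled"
BIT_AND_RULE = "1.2.840.113556.1.4.803"
BIT_OR_RULE = "1.2.840.113556.1.4.804"

# The two filters quoted in step 9 and in the NOTE.
FILTER_STEP9 = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
FILTER_NOTE = "(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))"

# Constructed sample entries (hypothetical accounts, not real directory data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512, "mail": "alice@example.test"},            # normal, enabled
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512 | ACCOUNTDISABLE, "mail": "bob@example.test"},  # disabled
    {"sAMAccountName": "svc-backup", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512 | 0x10000},                                # enabled, no mailbox
    {"sAMAccountName": "printer01", "objectCategory": "computer",
     "objectClass": ["top", "computer"], "userAccountControl": 4096},     # not a person
]


def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":                       # (!(...))
        node, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", node), i + 1
    j = s.index(")", i)                   # simple item: attr=value or attr:OID:=value
    attr, _, value = s[i:j].partition("=")
    if attr.endswith(":"):                # extensible match, e.g. userAccountControl:1.2.840.113556.1.4.803:=2
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), j + 1
    return ("eq", attr, value), j + 1


def values(entry, attr):
    """Case-insensitive attribute lookup; LDAP attributes are multi-valued, so always return a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "eq":
        _, attr, value = node
        vals = values(entry, attr)
        if value == "*":                  # presence test
            return bool(vals)
        return any(str(v).lower() == value.lower() for v in vals)
    if kind == "ext":
        _, attr, rule, value = node
        vals = values(entry, attr)
        if not vals:
            return False
        flags, mask = int(vals[0]), int(value)
        if rule == BIT_AND_RULE:          # all bits of mask set
            return flags & mask == mask
        if rule == BIT_OR_RULE:           # any bit of mask set
            return flags & mask != 0
        raise ValueError(f"unsupported matching rule {rule}")
    raise ValueError(f"unknown node kind {kind}")


def select(filter_str, entries, inclusion=True):
    """Return sAMAccountNames selected by the filter.

    inclusion=True is ADI semantics (matching entries are imported);
    inclusion=False is exclusion semantics (matching entries are dropped).
    """
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["sAMAccountName"] for e in entries if matches(tree, e) == inclusion]


if __name__ == "__main__":
    print("step 9 filter, inclusion:", select(FILTER_STEP9, SAMPLE_USERS))
    print("NOTE filter, inclusion:  ", select(FILTER_NOTE, SAMPLE_USERS))
    print("step 9 filter, exclusion:", select(FILTER_STEP9, SAMPLE_USERS, inclusion=False))
```

Running it shows the step 9 filter importing alice and svc-backup (enabled person/user objects), the NOTE filter importing only alice (enabled and with a mail attribute), and the same step 9 filter, read as an exclusion filter, keeping exactly the accounts the author intended to drop. That reversal is the reason the NOTE distinguishes ADI from the User Profile Synchronization filters.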
As you can see, this is much easier and faster to configure compared to configuring the SharePoint Profile Synchronization process. However, administrators need to be aware of the limitations:
- This is a single Active Directory forest sync.
- Mapping to SharePoint system properties that begin with “SPS-” is not allowed.
- Mapping multi-value data types to single-value data types and vice versa is not supported.
- Mapping two different attributes to the same property is not supported.
- Augmenting profile information using the BCS is not supported.
By default, the import process runs every five minutes. Either you can wait for the job to run or you can manually start a full synchronization from the Manage Profile Service page. To change the schedule of the job, click Configure Synchronization Timer Job under the Synchronization heading on the Manage Profile Service page. Note that a full import is required whenever a configuration change occurs. A configuration change includes one of the following:
- Adding or removing organizational units (OUs)
- Changing the filter properties
- Adding or changing property mappings
It’s a good idea to purge the profile database after a full import has been completed. You can do that using the following PowerShell cmdlet:
Set-SPProfileServiceApplication -Identity $UPS_to_Update -PurgeNonImportedObjects $true
The final configuration step involves mapping user properties in the user directory to SharePoint properties. This is discussed in the next section, but keep in mind that it also applies here. To summarize the preceding, the ADI process requires selecting the ADI option, creating a new connection, and mapping user attributes. Once completed, the farm administrator can initiate an incremental or full sync from the Start Profile Synchronization page. This page is accessed using the Start Profile Synchronization link in the Synchronization section of the Manage Profile Service page. The sync is initiated by choosing one of the following:
- Start Full Synchronization — Use this if syncing for the first time or if connections have been added or modified since the last sync.
- Start Incremental Synchronization — Use this to synchronize only information that has changed since the last sync.