The SharePoint User Profile Service (UPS) can be a challenge to set up. UPS in SharePoint requires a little extra attention to make it work as expected, but trust me, this service is worth the time.
What is SharePoint User Profile Service?
You may be wondering why you need SharePoint UPS. To keep it simple and short: all the social features from SharePoint 2007, including My Site support, User Profile pages, audiences and social tagging, are now bundled in the User Profile Service.
Preparing your SharePoint farm for the User Profile Service
If you have never applied a cumulative update to your SharePoint 2010 farm (and no, I am not talking about Windows Update), you will need to do so before you can enable UPS. The SharePoint 2010 RTM build has many issues related to the User Profile Service, so update to the newest cumulative update available. One warning: with the December 2010 Cumulative Update for SharePoint 2010 the User Profile Service does not work at all. This guide is written against the February 2011 Cumulative Update.
The best resource for finding the latest SharePoint updates is TechNet at http://technet.microsoft.com/en-us/sharepoint/ff800847.
For this walkthrough I will be using the SharePoint Foundation 2010 (KB 2475880) and SharePoint Server 2010 (KB 2475878) updates for the SharePoint farm. These updates are downloadable on demand. It is best practice to make a full server backup, including a backup of the databases, before you apply any cumulative update to SharePoint, because there is no way to roll an update back.
After you install both the SharePoint Foundation 2010 update and the SharePoint Server 2010 update, run the SharePoint 2010 Products Configuration Wizard to complete the upgrade. After a successful upgrade, verify that your SharePoint farm is indeed updated: go to Central Administration – System Settings – Manage servers in this farm. There you can see all the servers connected to the SharePoint farm (including SMTP servers and SQL Servers).
Manage Servers in the Farm Window
Unfortunately, there is no clear information about the update there, just a build number in the Configuration database version field. In my case it is 14.0.5136.5002, which means I have the February 2011 Cumulative Update installed.
To verify this I usually search for the exact build number to find the update it corresponds to. If you are following my links and you see build 14.0.5136.5002, you have the February 2011 Cumulative Update and you can continue.
One important note: if your build is 14.0.5136.5001, you also have the February 2011 Cumulative Update, but that build contains an error; download and install the 5002 build of the February 2011 Cumulative Update to prevent farm issues.
Most of this article is applicable to the original RTM version of SharePoint 2010, but some solutions may not work exactly as described. The UPS service caused many issues before the February 2011 Cumulative Update (in fact, the February 2011 CU is largely dedicated to User Profile Service hotfixes), so I strongly suggest upgrading unless you have a strong reason not to.
Verify Managed Metadata Service installation
The User Profile Service requires a Managed Metadata Service to interact with. The SharePoint Managed Metadata Service (MMS) publishes a term store and, normally, the content types that consumers of managed metadata use. MMS is the key to social tags and notes, since that is where all tags are stored. You can create multiple MMS instances, but for the User Profile Service you need at least one.
First we will check if there is at least one MMS installed and configured.
Go to Central Administration – Application Management – Manage Service Applications and look for the Managed Metadata Service. If you used the Configuration Wizard on your farm, you will probably already have one MMS (I prefer to configure a farm manually, but the wizard does create one).
Managed Metadata Service in the Service Applications window
If you don't have one, click New in the ribbon and choose Managed Metadata Service. You then have to set some MMS properties; verify the same properties if you already had an MMS (select the Managed Metadata Service and click Properties in the ribbon).
Managed Metadata Service properties window – top
You need to type in or verify the service name (the default Managed Metadata Service is fine), check the service database name, select the application pool, and set the Content Type Hub.
Managed Metadata Service Properties window – bottom
Even if you used the Configuration Wizard, the Content Type Hub field will be empty and you would need to select one of your site collections for this role. For the needs of the User Profile Service this step isn't necessary, so if you haven't decided yet where your Content Type Hub should be, you can leave it blank. For this demo I will just type in my default root site collection, which is http://sps.
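Both checks made so far (the farm build number from the preparation section and the presence of a Managed Metadata Service) can be scripted from the SharePoint 2010 Management Shell. The following is an added example, not code from the original post. It assumes you run it on a farm server as a farm administrator and that, as in the text, the build you are aiming for is 14.0.5136.5002; the RTM build number 14.0.4763.1000 is the published one.

```powershell
# Added example (not from the original post): preflight checks for the UPS setup.
# Run in the SharePoint 2010 Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rtmBuild   = [Version]'14.0.4763.1000'   # SharePoint 2010 RTM
$feb2011Bad = [Version]'14.0.5136.5001'   # February 2011 CU, build with the known error
$feb2011Ok  = [Version]'14.0.5136.5002'   # February 2011 CU, re-released build

function Get-FarmBuildStatus {
    # Same value that Central Administration shows as "Configuration database version".
    $build = (Get-SPFarm).BuildVersion
    if ($build -eq $feb2011Ok)  { return "OK: $build is the February 2011 CU" }
    if ($build -eq $feb2011Bad) { return "REINSTALL: $build is the faulty February 2011 CU build, install the 5002 package" }
    if ($build -eq $rtmBuild)   { return "UPDATE: $build is RTM, apply the February 2011 CU before provisioning UPS" }
    if ($build -lt $feb2011Ok)  { return "UPDATE: $build is older than the February 2011 CU" }
    return "NOTE: $build is newer than the February 2011 CU this walkthrough was written against"
}

function Get-ManagedMetadataStatus {
    # At least one Managed Metadata Service application must exist.
    # The content type hub (HubUri) is optional as far as UPS is concerned.
    $mms = @(Get-SPServiceApplication | Where-Object { $_.TypeName -eq 'Managed Metadata Service' })
    if ($mms.Count -eq 0) { return 'MISSING: create a Managed Metadata Service application first' }
    foreach ($app in $mms) {
        $hub = if ($app.HubUri) { $app.HubUri } else { '(none, fine for UPS)' }
        "OK: '$($app.Name)' is $($app.Status), content type hub $hub"
    }
}

Get-FarmBuildStatus
Get-ManagedMetadataStatus
```

Run it before and after applying the cumulative update; the build check reports the same number you would otherwise look up in Manage servers in this farm, and the MMS check saves a trip through Manage Service Applications.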
Create and Configure Accounts and Permissions
Next is the tricky part. Note that you need to apply all of these settings or your User Profile Service won't work. To complete this section you need enough rights in Active Directory (Domain Admin, and possibly Enterprise Admin for the Configuration container) to change permissions on the domain naming context and on the forest Configuration container, using Active Directory Users and Computers and the ADSI Edit tool.
Step 1. Create Service Accounts in Active Directory
We will need two accounts: one for the UPS application pool (we will call this sps_ups_pool) and one for the synchronization between SharePoint and Active Directory (we will call this sps_ups_sync).
These accounts should be plain domain users (don't listen to people stating that you need local admin or, worse, domain admin rights for these accounts). Also, these accounts need two flags enabled in AD: User cannot change password and Password never expires. Because sps_ups_sync will later be allowed to replicate directory changes, give it a long random password and treat it as a privileged credential.
Some SharePoint resources state that you should not check these options since Managed Accounts in SharePoint handle password changes etc. However this is incorrect: the User Profile Service does not work fully with Managed Accounts, and I have found that using them causes headaches each time your Active Directory policies demand that the service account change its password.
Account properties window with two important flags enabled.
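The two accounts described in Step 1 can be created and checked with the ActiveDirectory PowerShell module instead of the Users and Computers dialog. This is an added example, not code from the original post; the OU path OU=Service Accounts,DC=ad,DC=local and the DNS domain ad.local are assumptions, the account names and flags are the ones from the text.

```powershell
# Added example (not from the original post): create the two UPS service accounts
# with "Password never expires" and "User cannot change password" set, then confirm
# they are plain domain users (no group membership beyond Domain Users).
# Assumptions: ActiveDirectory module available (Windows Server 2008 R2 / RSAT),
# domain ad.local, target OU "OU=Service Accounts,DC=ad,DC=local".
Import-Module ActiveDirectory

$ou     = 'OU=Service Accounts,DC=ad,DC=local'   # assumption
$domain = 'ad.local'                             # assumption

function New-SharePointServiceAccount {
    param([string]$Name, [string]$Description)
    # Prompt for the password instead of embedding it in the script.
    $password = Read-Host -AsSecureString "Password for $Name"
    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$domain" `
        -Path $ou -Description $Description -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

function Test-PlainDomainUser {
    param([string]$Name)
    $user = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, CannotChangePassword
    # Anything beyond Domain Users (the primary group) means the account was over-provisioned.
    $extraGroups = @(Get-ADPrincipalGroupMembership -Identity $Name |
        Where-Object { $_.SamAccountName -ne 'Domain Users' } |
        ForEach-Object { $_.SamAccountName })
    New-Object PSObject -Property @{
        Account              = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires
        CannotChangePassword = $user.CannotChangePassword
        ExtraGroups          = ($extraGroups -join ', ')
        IsPlainDomainUser    = ($extraGroups.Count -eq 0)
    }
}

New-SharePointServiceAccount -Name 'sps_ups_pool' -Description 'SharePoint 2010 User Profile Service application pool'
New-SharePointServiceAccount -Name 'sps_ups_sync' -Description 'SharePoint 2010 User Profile Synchronization (AD import)'
'sps_ups_pool', 'sps_ups_sync' | ForEach-Object { Test-PlainDomainUser -Name $_ } | Format-Table -AutoSize
```

The check function only looks at direct group membership; if your domain nests service accounts into groups, inspect those groups as well before accepting IsPlainDomainUser = True.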
Step 2 : Check The Farm Administrator Account Permissions
To successfully provision the User Profile Service, the farm admin account needs to be a local administrator on all the SharePoint 2010 servers. Check which account is your farm admin and give that user local admin rights; remember to remove these permissions after you finish this tutorial and have verified that UPS is provisioned.
To identify your farm admin account, go to Central Administration – Security – Configure service accounts and select Farm Account from the menu.
Farm Account credentials configuration in Central Administration
As you can see, my farm admin account is ad\spssetup, so I will have to verify that this user belongs to the local Administrators group on every SharePoint server in my farm before going forward with the tutorial.
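The farm account lookup and the per-server local Administrators check from Step 2 can be done from the SharePoint 2010 Management Shell. This is an added example, not code from the original post; it assumes it runs on a farm server as a user that can read local group membership on the other SharePoint servers, and it reads the farm account from the farm rather than hard-coding ad\spssetup.

```powershell
# Added example (not from the original post): confirm the farm account is a local
# administrator on every SharePoint server before provisioning UPS.
# Assumptions: SharePoint 2010 Management Shell on a farm server; the running user
# can read the Administrators group on the other servers through WinNT://.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmAccountName {
    # Same account Central Administration shows under Configure service accounts > Farm Account.
    (Get-SPFarm).DefaultServiceAccount.Name     # e.g. AD\spssetup
}

function Get-LocalAdministrators {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://AD/spssetup; rewrite it as AD\spssetup
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
}

function Test-FarmAccountIsLocalAdmin {
    $farmAccount = Get-FarmAccountName
    # Servers with Role 'Invalid' hold no SharePoint role (SQL Server, SMTP); skip them.
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    foreach ($server in $servers) {
        $admins = Get-LocalAdministrators -ComputerName $server.Address
        New-Object PSObject -Property @{
            Server       = $server.Address
            FarmAccount  = $farmAccount
            IsLocalAdmin = ($admins -contains $farmAccount)   # direct membership only
        }
    }
}

Test-FarmAccountIsLocalAdmin | Format-Table -AutoSize

# Once UPS is provisioned, remove the temporary membership again on each server, e.g.:
#   net localgroup Administrators AD\spssetup /delete
```

Run the same script after you remove the farm account from Administrators at the end of the tutorial; every row should then show IsLocalAdmin = False.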
Step 3 : Setup Active Directory Rights For The sps_ups_sync Account.
Now the most important part of the setup, and one which often causes issues when improperly configured.
Assign Replicating Directory Changes permission to sps_ups_sync account
Log in to your domain controller and open the Active Directory Users and Computers console. Right-click the domain node at the top of the tree (not an OU: the permission must be granted at the domain root) and choose Delegate Control.
Active Directory Users and Computers console
On the informational screen click Next. Now you need to choose the account for delegation: click Add and find the sps_ups_sync account.
Delegation Control window with sps_ups_sync account added
On the next setup screen, select the Create a custom task to delegate option and click next.
Custom task delegation selected
On the Active Directory Object Type window make sure that the This folder, existing objects in this folder, and creation of new objects in this folder option is selected and click Next.
Active Directory Object Type configuration
Next you should see the permissions window. Find the Replicating Directory Changes permission. Do this with care, since there are several similar names; in particular, do not select Replicating Directory Changes All, which additionally allows replication of secret attributes (password hashes) and is not needed by the synchronization service. Make sure the General checkbox is selected and that Property-specific and Creation/deletion of specific child objects are unchecked.
Permissions window with the Replicate Directory Changes permission type selected
Now ensure that the proper permission is selected (verify with the screen above) and click Next. On the summary screen, just click Finish.
Now we need to give the same sps_ups_sync account the same permission on the AD Configuration container. To do this, press Windows + R and type in: adsiedit.msc
If you do not have adsiedit (which is part of the Windows Support Tools), go to http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx and follow the instructions specific to your operating system.
In Adsiedit expand the Configuration tree node, right click on the CN=Configuration…container and select the Properties option.
Adsiedit window with CN=Configuration container properties just being selected
Next, go to the Security tab and click Add. If this button is greyed out, you probably need to take ownership of this container first: click Advanced, select the Owner tab and change the owner to the Administrators group or your current user. After changing the permission, revert to the original owner if possible, to avoid problems with system permissions on this container.
When you’ve clicked the Add button in the Security tab – you should add your synchronization account.
AdsiEdit Security Tab on Cn=Configuration main container
In the permissions list below the account list (it shows the permissions of whichever account is selected, so select the newly added sps_ups_sync first), find Replicating Directory Changes, check the Allow option and click Apply.
Synchronization account permissions – Replicate Directory Changes checked.
You can close ADSI Edit and the Active Directory Users and Computers window now and log off from the domain controller. The permission configuration is complete.
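Step 3 as a script, covering both the domain naming context (the Delegate Control wizard) and the Configuration container (the ADSI Edit part), followed by an audit of what the account actually holds. This is an added example, not code from the original post. It assumes the NetBIOS domain name AD, the account name sps_ups_sync from the text, and that it runs as a Domain Admin against a reachable domain controller; the two GUIDs are the schema rightsGuid values of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights.

```powershell
# Added example (not from the original post): grant sps_ups_sync the
# "Replicating Directory Changes" control access right on the domain NC and the
# Configuration NC, then audit the ACL. The audit also flags two over-grants the
# GUI makes easy to click by mistake: "Replicating Directory Changes All" and a
# blanket ExtendedRight ACE (empty ObjectType), both of which allow replication
# of secret attributes such as password hashes, which the sync service does not need.
# Assumptions: NetBIOS domain AD, account sps_ups_sync, run as Domain Admin.

$domainNetbios = 'AD'
$syncAccount   = 'sps_ups_sync'

# Control access right GUIDs from the AD schema (controlAccessRight rightsGuid)
$getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

$rootDse = [ADSI]'LDAP://RootDSE'
$targets = @(
    [string]$rootDse.Get('defaultNamingContext'),         # e.g. DC=ad,DC=local
    [string]$rootDse.Get('configurationNamingContext')    # e.g. CN=Configuration,DC=ad,DC=local
)

function Grant-ReplicatingDirectoryChanges {
    param([string]$DistinguishedName)
    $identity  = New-Object System.Security.Principal.NTAccount($domainNetbios, $syncAccount)
    $container = [ADSI]"LDAP://$DistinguishedName"
    # Allow ACE for exactly one extended right: Get-Changes (not Get-Changes-All).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $getChanges)
    $container.psbase.ObjectSecurity.AddAccessRule($rule)
    $container.psbase.CommitChanges()   # fails here if you lack rights, same as a greyed-out Add button
}

function Test-ReplicatingDirectoryChanges {
    param([string]$DistinguishedName)
    $security = ([ADSI]"LDAP://$DistinguishedName").psbase.ObjectSecurity
    $rules = @($security.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq "$domainNetbios\$syncAccount" -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        })
    $has        = @($rules | Where-Object { $_.ObjectType -eq $getChanges }).Count -gt 0
    $hasAll     = @($rules | Where-Object { $_.ObjectType -eq $getChangesAll }).Count -gt 0
    # An ExtendedRight ACE with an empty ObjectType grants every extended right, Get-Changes-All included.
    $hasBlanket = @($rules | Where-Object { $_.ObjectType -eq [Guid]::Empty }).Count -gt 0
    New-Object PSObject -Property @{
        Container                   = $DistinguishedName
        ReplicatingDirectoryChanges = $has
        ReplicatingChangesAll       = $hasAll
        AllExtendedRights           = $hasBlanket
        LeastPrivilegeOk            = ($has -and -not $hasAll -and -not $hasBlanket)
    }
}

foreach ($dn in $targets) {
    Grant-ReplicatingDirectoryChanges -DistinguishedName $dn
    Test-ReplicatingDirectoryChanges  -DistinguishedName $dn
}
```

Both rows should report LeastPrivilegeOk = True. The audit function is worth keeping on its own: run it against both naming contexts periodically, because an account that silently gains Replicating Directory Changes All can replicate every password hash in the domain.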
Configure the User Profile Service
Next, we go back to Central Administration to finally create the User Profile Service.
Navigate to Central Administration – Application Management – Manage Service Applications. If you used the Configuration Wizard, you will already have a User Profile Service application. Delete it (unless it is already working without any issues). If you configured everything yourself (which is the preferred way of doing the farm configuration), you will not need to remove anything.
Now on the ribbon click the New icon and choose the User Profile Service Application.
New User Profile Application option
The Create New User Profile Service Application window will appear. Fill in the common and obvious fields such as Name, database server, database names and so on. I will focus only on the fields where you need to change the default settings.
Create New User Profile Service Application window
As you can see on the above screen, you should create a new dedicated application pool for this service (we can call it the User Profile Service Application Pool) and assign our dedicated AD account (sps_ups_pool) to this pool. If it is not registered as a managed account yet, add it now using the Register new managed account option; you will be returned to the UPS configuration afterwards, so don't be concerned that this cancels the configuration.
The next field you need to setup is My Site Host URL.
My Site Host URL field
You should provide the full URL of your My Sites root location. If you don't have a My Site host yet, create one before continuing. It is enough to create a new site collection in your default web application, with a URL similar to the one used in the example above. You need to create the site collection without a template, so mark the Select template later option.
Site Collection creation window with the no-template selected
The good thing about the User Profile Service configuration is that it will setup the template and all necessary My Site settings for us. All you need to do is enter the correct site collection during the UPS configuration.
The final field you should focus on is Site Naming Format. You may want to change how personal sites would be named and used in URLs, personally I favor the default settings.
Site Naming Format field in User Profile Service Configuration
Next, after you have double-checked that all options are filled in correctly, click Create.
When the setup completes, refresh the Service Applications window in Central Administration to see the newly created service (press F5 to refresh the browser).
The next step is to recycle IIS. If you are not in a production environment yet, you can simply execute the IISReset command.
Now you need to enable the User Profile Synchronization Service. Navigate to Central Administration – Application Management – Manage Services on Server and find the User Profile Synchronization Service. Its status will probably be Stopped; if so, click Start.
User Profile Synchronization Service status
A new configuration window should appear where you need to enter the credentials of the account the synchronization service will run under. This is always your farm admin account and you cannot change it to a different one here. Before you enter the password twice and click OK, make sure that this account is a local administrator on this server, or provisioning of the service will fail.
User Profile Synchronization Service startup setting
Now refresh the page until you see that the service is in started status. This may take a couple of minutes.
The User Profile Synchronization Service status we need to see before continuing
When you see that the service started, you need to perform IISReset command again, or you will see the below error message when trying to configure something within the UPS Service.
Error message during UPS Configuration if IISReset has not been re-performed
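The whole of this section (application pool with the dedicated account, the My Site host site collection without a template, the service application and its proxy, starting the synchronization service as the farm account, and the two IIS resets) as one script for the SharePoint 2010 Management Shell. This is an added example, not code from the original post. The database server sql01, the three database names, the service application and pool names and the My Site host URL http://sps/my are assumptions; the account sps_ups_pool, the use of the farm account for the synchronization service and the order of steps follow the text above.

```powershell
# Added example (not from the original post): scripted equivalent of the
# "Configure the User Profile Service" section. Run in the SharePoint 2010
# Management Shell on the server that will host the synchronization service,
# logged on as a farm administrator who is also a local administrator.
# Assumptions: database server sql01, URL http://sps/my, names below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolAccountName = 'AD\sps_ups_pool'
$poolName        = 'User Profile Service Application Pool'
$upaName         = 'User Profile Service Application'
$mySiteHostUrl   = 'http://sps/my'     # assumption
$dbServer        = 'sql01'             # assumption

# 1. Dedicated application pool running as the (plain domain user) pool account
$poolAccount = Get-SPManagedAccount -Identity $poolAccountName -ErrorAction SilentlyContinue
if (-not $poolAccount) {
    $poolAccount = New-SPManagedAccount -Credential (Get-Credential -Credential $poolAccountName)
}
$appPool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $appPool) {
    $appPool = New-SPServiceApplicationPool -Name $poolName -Account $poolAccount
}

# 2. My Site host: a site collection with no template ("Select template later");
#    creating the service application applies the My Site Host template to it.
if (-not (Get-SPSite -Identity $mySiteHostUrl -ErrorAction SilentlyContinue)) {
    $farmAccountName = (Get-SPFarm).DefaultServiceAccount.Name
    New-SPSite -Url $mySiteHostUrl -OwnerAlias $farmAccountName -Name 'My Site Host' | Out-Null
}

# 3. The service application, its proxy, and the first IIS reset
$upa = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $appPool `
    -MySiteHostLocation $mySiteHostUrl `
    -ProfileDBServer $dbServer     -ProfileDBName 'SPS_UPS_Profile' `
    -SocialDBServer $dbServer      -SocialDBName 'SPS_UPS_Social' `
    -ProfileSyncDBServer $dbServer -ProfileSyncDBName 'SPS_UPS_Sync'
New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null
iisreset /noforce

# 4. Start the User Profile Synchronization Service on this server as the farm
#    account: the scripted equivalent of the credentials dialog in Central Administration.
$farmAccountName = (Get-SPFarm).DefaultServiceAccount.Name
$farmCredential  = Get-Credential -Credential $farmAccountName
$syncInstance = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Synchronization Service' -and $_.Server.Address -eq $env:COMPUTERNAME }
$syncInstance.Status = 'Provisioning'
$syncInstance.IsProvisioned = $false
$syncInstance.UserProfileApplicationGuid = $upa.Id
$syncInstance.Update()
$upa.SetSynchronizationMachine($env:COMPUTERNAME, $syncInstance.Id,
    $farmAccountName, $farmCredential.GetNetworkCredential().Password)
Start-SPServiceInstance $syncInstance | Out-Null

# 5. Wait until the instance is Online (this takes a few minutes), then reset IIS again
do {
    Start-Sleep -Seconds 30
    $syncInstance = Get-SPServiceInstance -Identity $syncInstance.Id
    "Sync service status: $($syncInstance.Status)"
} while ($syncInstance.Status -ne 'Online')
iisreset /noforce
```

After the second IIS reset, open the service application in Manage Service Applications to confirm it loads without the error shown above, and only then remove the farm account from the local Administrators group again.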