June 23, 2011 03:19 PM

SharePoint 2010 Goes Social, Part 2: Populating the User Profile via Synchronization

Synchronizing with Active Directory Domain Services
SharePoint Pro
InstantDoc ID #136368

In the first part of this three-part series on SharePoint social computing features, I discussed how the User Profile plays a key role in delivering the overall social networking experience. (See “SharePoint 2010 Goes Social, Part 1.”) This month, I discuss how to populate the User Profile via synchronization with other directory sources, specifically with Active Directory Domain Services (AD DS). Part 3 will describe the primary features that are used to better exploit a major information asset of any organization: its people. Note that the social networking features described in this article are available only in a SharePoint Server 2010 deployment and not in a SharePoint Foundation 2010–only deployment.

 

Understanding Profile Synchronization

Many organizations have several locations that store user information, from HR databases to enterprise directories. Some locations are application-specific, whereas others are multipurpose. Active Directory (AD) is an example of the latter. It’s used as an authentication store as well as a directory store for applications such as Microsoft Exchange Server. Given the need for multiple locations, most organizations use a centralized enterprise directory as a master directory, and they use this directory to synchronize content with other stores, as required.

The User Profile store introduces yet another location that stores information about people. So, you may have to populate certain properties in your User Profile store from one or more repositories. Because it’s important to keep user information consistent across all repositories, you must consider whether to grant users the right to modify such properties. This decision affects how such properties are synchronized with external sources.

SharePoint Server 2010 Profile Synchronization lets you integrate user and group information with the User Profile store when that information is coming from external LDAP directory services (such as AD DS) or from business systems that have been defined via the Business Data Connectivity service (such as SAP or Siebel). You integrate this information by defining connections to the external systems and by mapping individual user profile properties to appropriate properties in the external source.

Furthermore, you can indicate whether each mapped user property is to be synchronized for import or export (but note that mappings to business systems do not support the export capability). Coupling the ability to map a property for export with the option of allowing users to edit user profile properties has a powerful effect on the value of that property in the external directory service: together, these two features put the maintenance of the property value into the hands of your users. However, given the importance of maintaining consistency, you may not consider this appropriate for your own situation.

Microsoft Forefront Identity Manager is the actual engine that is used to execute and control synchronization between the various directory sources. It acts as the central metadirectory for all directory services that are involved in synchronization. This component is not enabled by default, but it’s installed as part of the overall configuration of Profile Synchronization.

 

Configuring Profile Synchronization with AD DS

Before you tackle the various high-level tasks that are required to set up synchronization with AD DS, it’s important to note that Profile Synchronization is not supported on a standalone installation but only on a server farm installation. (For development and testing purposes, a server farm can be a single server that’s running all roles.)

The main tasks to perform during synchronization are as follows:

  • starting the User Profile Synchronization Service
  • defining your AD connections
  • defining properties that are to be mapped
  • invoking and monitoring synchronization

To run the process, you will have to know the name of your farm account. This is the name that you supplied when you ran the SharePoint Configuration Wizard after you installed SharePoint. This account is the one that you’ll use to access the configuration database, and it’s also the account that serves as the identity for the SharePoint Central Administration application pool in Microsoft IIS. If you forget your farm account name, you can retrieve it from IIS.

 

Starting the User Profile Synchronization Service

The User Profile Synchronization Service does the heavy lifting as far as synchronization is concerned. It leverages the Forefront Identity Manager services, which are not enabled by default.
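The following script is an added example, not code from the original article. It reads the farm account from SharePoint, cross-checks it against the identity of the Central Administration application pool in IIS, and reports whether the User Profile Synchronization Service has been started on each server. It assumes an elevated SharePoint 2010 Management Shell on a farm server where the IIS WebAdministration module is available.

```powershell
# Added example: confirm the farm account and the state of the sync service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration   # assumption: the IIS PowerShell module is installed

# Farm account as SharePoint records it.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# Identity of the application pool that hosts Central Administration, read from IIS.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$poolName = $ca.ApplicationPool.Name
$poolUser = (Get-Item "IIS:\AppPools\$poolName").processModel.userName

# The two values should name the same account; a mismatch means the
# application pool identity was changed outside SharePoint.
New-Object PSObject -Property @{
    FarmAccount     = $farmAccount
    CentralAdminPool = $poolName
    PoolIdentity    = $poolUser
    Match           = ($farmAccount -ieq $poolUser)
}

# The synchronization service is not started by default, so expect
# a status of Disabled until it has been started on a server.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' } |
    Select-Object @{ n = 'Server'; e = { $_.Server.Name } }, Status
```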


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.