SharePoint: User profiles are imported with wrong domain name

In certain domain configurations, user profiles are imported with the incorrect domain name.
For example: account names are supposed to show as CORP\User1, but profiles are imported as contoso\User1.

Note: This applies to both SharePoint Profile Synchronization (aka: FIM Sync) and Active Directory Import (aka: AD Import).

 

What's the impact?

There are a few problems this creates.

Since the profiles have account names at the User Profile Service Application (UPA) level that don't match the account names at the site level, the "<UPA Name> - User Profile to SharePoint Full Synchronization" timer job (aka: WSSSync) cannot synchronize profile data down to each site. That means users' job titles, etc. will not get updated at the site level.

When users browse to their My Site, or to any profile page, a new "stub" profile gets created instead of the existing imported profile being used. For more about these "stub" profiles, see this.

 

How does this happen?

This occurs because the DNS name of the domain is different from the NetBIOS name of the domain.
In the example above:
DNS = contoso.com
NetBIOS = CORP

The profiles are being imported using the DNS name instead of the NetBIOS name, which is not correct.

If there is any doubt as to whether or not the names are different, you can look in Active Directory Users and Computers.  Right-click on the domain object and choose properties.  The DNS name will be listed at the top of the dialog.  The Netbios name will be listed in the “Domain name (pre-Windows 2000)” box.

Note: This only applies if the left-most portion of the DNS name is different from the Netbios name. For example: if the DNS name is “contoso.com” and the NetBIOS name is “contoso”, that is a match, and none of this applies.
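To take the guesswork out of the comparison above, here is an added example (not part of the original post) that reads both names straight from Active Directory and applies the "left-most label vs. NetBIOS name" rule. It uses ADSI only, so it runs on a SharePoint server that does not have the RSAT ActiveDirectory module; the default domain comes from the logged-on user's $env:USERDNSDOMAIN, which is an assumption you can override with -DnsDomainName.

```powershell
# Added example, not from the original post. Compares the domain's DNS name with its
# pre-Windows 2000 (NetBIOS) name the same way the article describes, using ADSI only.
function Test-NetBiosMismatch {
    param(
        # Assumed default: the DNS domain of the account running the script.
        [string]$DnsDomainName = $env:USERDNSDOMAIN
    )

    # RootDSE gives us the forest Configuration NC and this domain's own NC (e.g. DC=contoso,DC=com).
    $rootDse  = [ADSI]"LDAP://$DnsDomainName/RootDSE"
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    # The crossRef object under CN=Partitions for this domain carries the nETBIOSName attribute,
    # which is exactly the "Domain name (pre-Windows 2000)" box in AD Users and Computers.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DnsDomainName/CN=Partitions,$configNC"
    $searcher.Filter     = "(&(objectClass=crossRef)(nCName=$domainNC))"
    [void]$searcher.PropertiesToLoad.Add("nETBIOSName")
    $result = $searcher.FindOne()
    if (-not $result) { throw "No crossRef found for $domainNC under CN=Partitions,$configNC" }
    $netbios = [string]$result.Properties["netbiosname"][0]

    # The article's rule: only the left-most DNS label matters. "contoso.com" vs "CONTOSO" is a match;
    # "contoso.com" vs "CORP" is the mismatch that triggers the wrong domain name on import.
    $leftmost = $DnsDomainName.Split('.')[0]

    [pscustomobject]@{
        DnsName         = $DnsDomainName
        LeftmostLabel   = $leftmost
        NetBiosName     = $netbios
        NeedsNetBiosFix = ($leftmost -ne $netbios)   # -ne is case-insensitive in PowerShell
    }
}

# Usage: run once per domain that has a Sync connection.
Test-NetBiosMismatch
```

If NeedsNetBiosFix comes back True for any domain in a Sync connection, that connection is the one the rest of this article applies to.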

How to fix it?

You must set the NetBIOSDomainNamesEnabled property to "true" on the User Profile Service Application (UPA) object.
Once this is done, you must delete and recreate the Sync connection. That is the only way to get the above change to take effect. It also helps to stop and restart the Sync service in between.

Note: If there are multiple Sync connections, only the connection that includes the domain with the DNS/NetBIOS mismatch needs to be recreated; the NetBIOSDomainNamesEnabled property itself is set once, on the UPA.

Warning: This is not a trivial matter. There are several things that need to be re-configured when recreating the Sync connection.
-- The AD Sync connections, including Domains and OUs selected.
-- Any import connection filters.
-- Profile property mappings.  These include custom mappings that have been made to out-of-box properties, and mappings made to custom properties.

You’ll need to document the settings for all of the above so that the Sync connection can be properly reconfigured.
So here are the steps:
-- Set the property:

# Run from the SharePoint Management Shell (or Add-PSSnapin Microsoft.SharePoint.PowerShell first)
$UPA = Get-SPServiceApplication | ? {$_.TypeName -eq "User Profile Service Application"}
$UPA.NetBIOSDomainNamesEnabled = $true
$UPA.Update()

-- Disable the My Site Cleanup Job (timer job) until you’ve run a few Syncs successfully.
-- Delete the existing Sync connection.
-- Stop and restart the User Profile Synchronization Service (from Central Admin). -- This isn't always required, but helps to be thorough.
-- Re-create the Sync connection, including filters and property mappings.
-- Verify permissions for the Sync account (see additional tips #1).

-- Verify the connection was created correctly (see additional tips #2 -- only applies to FIM Sync).
-- Run a Full Sync.
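The steps above are easy to get wrong in the "document the settings" part, so here is an added example (not from the original post) that scripts the preparation half of the procedure: set the property and read it back, disable the cleanup job, and export every Sync connection's settings and property mappings to disk before anything is deleted. The deletion, re-creation, service restart and Full Sync are still done in Central Admin as described above. Assumptions: it is run in the SharePoint Management Shell as a farm administrator; $SiteUrl is any site collection served by the UPA's proxy group; $ExportPath is a writable folder; Connection.PropertyMapping and the PropertyMap members ProfileProperty, DataSourceAttribute and IsExport are the object-model names as I know them, so check `$conn | Get-Member` if your build differs.

```powershell
# Added example, not from the original post. Preparation steps for recreating the Sync connection.
param(
    [string]$SiteUrl    = "http://sharepoint",      # assumed: any site in the UPA's proxy group
    [string]$ExportPath = "C:\Temp\UPA-Export"      # assumed: folder to hold the documentation
)

# 1. Set NetBIOSDomainNamesEnabled, then re-read the object instead of trusting the assignment.
$UPA = @(Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" })
if ($UPA.Count -ne 1) { throw "Expected exactly one UPA, found $($UPA.Count)" }
$UPA = $UPA[0]
$UPA.NetBIOSDomainNamesEnabled = $true
$UPA.Update()
$UPA = Get-SPServiceApplication -Identity $UPA.Id
if (-not $UPA.NetBIOSDomainNamesEnabled) { throw "NetBIOSDomainNamesEnabled did not persist on '$($UPA.DisplayName)'" }
Write-Host "NetBIOSDomainNamesEnabled = $($UPA.NetBIOSDomainNamesEnabled) on '$($UPA.DisplayName)'"

# 2. Disable My Site cleanup until a few syncs have succeeded, so profiles that are temporarily
#    missing during the gap are not treated as deleted users. (Title match is an assumption.)
Get-SPTimerJob | Where-Object { $_.Title -like "*My Site Cleanup*" } | Disable-SPTimerJob

# 3. Document every Sync connection and its property mappings BEFORE deleting anything.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
$ctx = Get-SPServiceContext -Site (Get-SPSite $SiteUrl)
$cm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)

foreach ($conn in $cm.ConnectionManager) {
    $base = Join-Path $ExportPath ($conn.DisplayName -replace '[\\/:*?"<>|]', '_')

    # Full property dump (server, account, type, naming contexts/OUs, filters). Export-Clixml
    # works on PowerShell 2.0, so this is fine on SharePoint 2010 servers too.
    $conn | Export-Clixml "$base.connection.xml"

    # Property mappings: profile property <-> directory attribute, and whether it is an export mapping.
    # This is the list you will have to re-enter by hand on the new connection.
    $mappings = @($conn.PropertyMapping | Select-Object ProfileProperty, DataSourceAttribute, IsExport)
    $mappings | Export-Csv "$base.mappings.csv" -NoTypeInformation

    Write-Host ("Exported '{0}' ({1}, server {2}, account {3}\{4}) with {5} property mappings" -f
        $conn.DisplayName, $conn.Type, $conn.Server, $conn.AccountDomain, $conn.AccountUsername, $mappings.Count)
}

Write-Host "Now delete and recreate the Sync connection in Central Admin using the files in $ExportPath"
```

Keep the exported files next to your change record: after the new connection is built, diff a fresh export against them to confirm every OU, filter and mapping came back.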

Additional Tips:

#1  Now that NetBIOSDomainNamesEnabled is set, the Sync account may need additional permissions in AD.  See:

https://technet.microsoft.com/en-us/library/8451dde9-bbd1-4285-bc24-71bd795fb912#permission
Particularly, this part is important:
“If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container”

So in summary, if it isn't set already, the Sync account needs to have the "Replicate Directory Changes" permission on the Configuration container. The Configuration container is forest-wide rather than per-domain, so grant it once for each forest you synchronize from. Note that in tooling such as dsacls the same right appears under its display name "Replicating Directory Changes".
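Here is an added example (not from the original post) that checks for the right before granting it, so a repeat run does not stack duplicate ACEs and you get a record of whether anything changed. Assumptions: it runs on a domain controller or a machine with RSAT (dsacls.exe) as a user allowed to modify the Configuration container's ACL; the account name and the Configuration DN are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Grants the UPA sync account the
# "Replicating Directory Changes" control access right on the forest Configuration container.
$SyncAccount = "CORP\svc_upsync"                        # assumed: the UPA synchronization account
$ConfigDN    = "CN=Configuration,DC=contoso,DC=com"     # assumed: your forest's Configuration NC

# dsacls prints one line per ACE; an existing grant shows the account and the right on the same line.
$existing = dsacls $ConfigDN |
    Where-Object { $_ -match [regex]::Escape($SyncAccount) -and $_ -match "Replicating Directory Changes" }

if ($existing) {
    Write-Host "$SyncAccount already holds Replicating Directory Changes on $ConfigDN, nothing to do"
} else {
    # /G grants; "CA;" marks a control access right; the right is named by its display name.
    dsacls $ConfigDN /G "${SyncAccount}:CA;Replicating Directory Changes"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }
    Write-Host "Granted Replicating Directory Changes on $ConfigDN to $SyncAccount"
}
```

Do not confuse this with "Replicating Directory Changes All": the sync account needs only the plain right, which cannot read secret attributes such as password hashes, and granting the "All" variant would hand a service account the equivalent of DCSync.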

 

#2  Once you have re-created the Sync connection, you can check in the FIM client whether the NetBIOSDomainNamesEnabled change was properly applied.

Open the FIM client (miisclient.exe) on the Synchronization server and click Management Agents.
Right-click the Active Directory MA (the one of type "Active Directory Domain Services") and choose Properties.
Click "Configure Directory Partitions".  You should see each domain selected along with the "CN=Configuration" container selected.  Example: CN=Configuration,DC=Contoso,DC=com.
If the Configuration container is not selected, the NetBIOSDomainNamesEnabled change was not properly applied; delete the connection and recreate it again.