SharePoint 20XX: What if the Domain NetBIOS Name is Different than the FQDN of the Domain with User Profile
When the User Profile Service Application is set up correctly and imports data from Active Directory, you can be proud of yourself. But what does “importing data” actually mean?
- All Data?
- Correct data?
- Any Data?
On a Publishing website hosted on SharePoint Server we couldn’t see the names of our Users/Contributors but only their Account Name. There is a Service Application Publishing farm that hosts the User Profile Service Application.
When an external contributor clicks a user’s name, SharePoint does not redirect to the User Profile My Site but to the default My Site (without User Profile). After a while, even the names could no longer be retrieved by the User Profile Service and only the account names were displayed.
After discussing this for a while with teammates, it turned out to be a known issue at the company…
Permission requirements: Domain NetBIOS name is different than the FQDN of the domain
A little explanation: the domain NetBIOS name is considered different from the FQDN of the domain when the NetBIOS name differs from the first portion of the FQDN. For example:
- Domain NetBIOS name: Pegasus
- FQDN of Domain: Corp.Pegasus
When the domain naming scheme is set up in this manner, the requirements are the following:
- Delete the existing Connection and (if possible) User Profile Synchronization
- Set the NetBiosDomainNamesEnabled property to true for the User Profile Synchronization
- If you’ve already created your AD connections before you set NetBiosDomainNamesEnabled, you MUST delete & recreate your AD connections.
NetBiosDomainNamesEnabled
NetBiosDomainNamesEnabled is a property that is set on User Profile Synchronization. By default, this value is set to false (0). PowerShell is the tool we are going to use to set it to true.
For Example:
- Get-SPServiceApplication
- This lists every service application, including the User Profile Service Application
- $var = Get-SPServiceApplication -Identity GUID
- The identity is the GUID associated with the User Profile Service Application, as returned by Get-SPServiceApplication
- $var.NetBiosDomainNamesEnabled = $true
- This sets the property to True
- $var.Update()
To use the domain NetBIOS name, a new synchronization connection must be created and used. This means that you can’t use the existing synchronization connection.
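To decide whether the property needs changing at all, the following report-only check compares the NetBIOS name with the first portion of the FQDN and shows the current flag on each User Profile Service Application. It is an added example, not from the original article, and it assumes it is run in the SharePoint Management Shell on a farm server by an account in the domain being synchronized.

```powershell
# Added example (not from the original article). Read-only: changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the logged-on account belongs to the domain being synchronized,
# so its environment reflects that domain's NetBIOS name and FQDN.
$netbios    = $env:USERDOMAIN                       # e.g. PEGASUS
$firstLabel = ($env:USERDNSDOMAIN -split '\.')[0]   # e.g. CORP from CORP.PEGASUS
$mismatch   = $netbios -ne $firstLabel              # -ne ignores case

if ($mismatch) {
    Write-Host "NetBIOS name '$netbios' differs from first FQDN label '$firstLabel'."
} else {
    Write-Host "NetBIOS name matches the first FQDN label; the default (false) is fine."
}

# Find every User Profile Service Application by type instead of copying a GUID.
$upas = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq 'User Profile Service Application' }

foreach ($upa in $upas) {
    $enabled = [bool]$upa.NetBiosDomainNamesEnabled
    New-Object PSObject -Property @{
        Name                      = $upa.DisplayName
        Id                        = $upa.Id
        NetBiosDomainNamesEnabled = $enabled
        # True only when the names differ and the flag is still off
        NeedsChange               = ($mismatch -and -not $enabled)
    } | Format-List Name, Id, NetBiosDomainNamesEnabled, NeedsChange
}
```

Run it again after `$var.Update()` and before recreating the synchronization connection to confirm that the flag was persisted.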
Delete (?) the User Profile Synchronization Service
If you want to delete the User Profile Synchronization Service Application and begin from scratch please perform the following actions:
To create a User Profile Service application by using Central Administration
- Verify that the user account that completes this procedure has the following credentials:
- The user account that performs this procedure is a member of the Farm Administrators SharePoint group.
- Start SharePoint 201X Central Administration.
- For Windows Server 2008 R2:
- Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 201X Central Administration.
- On Central Administration, in the Application Management section, click Manage service applications.
- On the Manage Service Applications page, click the Service Applications tab to enable the ribbon.
- In the Create group of the ribbon, click New, and then click User Profile Service Application in the list of service applications to create.
- In the Create New User Profile Service Application dialog box, in the Name section, type a unique name for the User Profile service application.
- In the Application Pool section, select Use existing application pool to choose an existing application pool from the list or select create a new application pool to create a new application pool. For information about when to choose an existing application pool or create a new one, see Managing Application Pools in IIS 7.
- In the Application Pool section, for the Select a security account for this application pool option, select Predefined to choose an existing predefined security account from the list or select Configurable to choose an existing managed account.
- In the Profile Database section, in the Database Server box, type the name of the database server where you want to create the profile database. In the Database Name box, type the name that you want to use for the profile database.
- In the Profile Database section, for the Database authentication option, select Windows Authentication (recommended) to use Integrated Windows authentication to connect to the profile database or select SQL authentication to enter the credentials that will be used to connect to the profile database.
- In the Failover Server section, in the Failover Database Server box, type the name of the database server to be used together with SQL Server database mirroring.
- In the Synchronization Database section, in the Database Server box, type the name of the database server where you want to create the synchronization database. In the Database Name box, type the name of the synchronization database.
- In the Synchronization Database section, for the Database authentication option, select Windows Authentication (recommended) to use Integrated Windows authentication to connect to the synchronization database or select SQL authentication to type the credentials that will be used to connect to the synchronization database.
- In the Failover Server section, in the Failover Database Server box, type the name of the database server to be used together with SQL Server database mirroring.
- In the Social Tagging Database section, in the Database Server box, type the name of the database server where the social tagging database will be located. In the Database Name box, type the name of the database where social tags will be stored.
- In the Social Tagging Database section, for the Database authentication option, select Windows Authentication (recommended) to use Integrated Windows authentication to connect to the social tagging database or select SQL authentication to type the credentials that will be used to connect to the social tagging database.
- In the Failover Server section, in the Failover Database Server box, type the name of the database server that you want to use with SQL Server database mirroring.
- In the My Site Host URL section, type the URL of the site collection where the My Site Host is provisioned.
- In the My Site Managed Path section, type the managed path where you want to create individual My Sites.
- In the Site Naming Format section, select one of the following formats for naming new personal sites:
- User name (do not resolve conflicts)
- User name (resolve conflicts by using domain_user name)
- Domain and user name (will not have conflicts)
- In the Default Proxy Group section, select whether you want the proxy of this User Profile service application to be a part of the default proxy group on this farm.
Source: http://technet.microsoft.com/en-us/library/ee721052.aspx#createapp
If you don’t want to delete the User Profile Service Application, you can use Stefan Bauer’s script to clear your User Profiles.
After executing Stefan’s script, you should delete the synchronization connection. The delete operation may fail in User Profile Synchronization. The solution is to wait a few seconds (or minutes); the service will then complete the action by itself.
To finish, we need to perform an IISRESET and recreate a Synchronization Connection to a Directory Service. Once SharePoint accepts your credentials, perform a Full Crawl.
If you don’t know how to create a Connection or start the Profile synchronization, please check:
- Please check here for: Disable timer jobs
- Please check here for: Create a synchronization connection to a directory service
- Please check here for: Define exclusion filters for a synchronization connection
- Please check here for: Map user profile properties
- Please check here for: Start profile synchronization
Replicating Directory changes
The Replicate Directory Changes permission enables the synchronization account to read AD DS objects and to discover AD DS objects that have been changed in the domain. Granting the Replicate Directory Changes permission does not enable an account to create, modify or delete AD DS objects.
Use this procedure to grant Replicate Directory Changes permission on a domain to an account.
- On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- On the first page of the Delegation of Control Wizard, click Next.
- On the Users or Groups page, click Add.
- Type the name of the synchronization account, and then click OK.
- Click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
- On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.
- Click Finish.
Source: http://technet.microsoft.com/en-us/library/hh296982.aspx
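A read-only way to confirm that the delegation took effect and that the synchronization account received only the permission described above. This is an added example, not from the original article or TechNet; the account name `PEGASUS\svc-spsync` is hypothetical, and the script assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: audit replication rights on the domain object (read-only).
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$syncAccount = 'PEGASUS\svc-spsync'            # hypothetical account name
$domainDn    = (Get-ADDomain).DistinguishedName

# Control access right GUIDs as defined in the AD schema
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Explicit allow ACEs only. Rights reached through group membership,
# GenericAll or "all extended rights" ACEs are not resolved by this check.
$holders = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and
    $rights.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object {
    New-Object PSObject -Property @{
        Identity = $_.IdentityReference.Value
        Right    = $rights[$_.ObjectType.ToString()]
    }
}

# Everyone who holds a replication right on the domain
$holders | Sort-Object Right, Identity | Format-Table Identity, Right -AutoSize

$mine = @($holders | Where-Object { $_.Identity -eq $syncAccount })
if (-not ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes' })) {
    Write-Warning "$syncAccount lacks Replicating Directory Changes on $domainDn"
}
if ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes All' }) {
    Write-Warning "$syncAccount also holds Replicating Directory Changes All, which this procedure does not grant"
}
```

The table is also worth reviewing on its own: any identity listed there that is not a domain controller or a known synchronization account deserves a closer look.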
Conclusion (or summary)
With this article you should now know how to correct the “bug” (we can’t call it an error or a virus) in the User Profile Synchronization Service Application. A little summary:
- Delete User Profile Service Application or User Profiles
- Delete AD Connection
- Set NetBiosDomainNamesEnabled to TRUE
- Perform an IISReset
- Create User profile Service Application ( if deleted )
- Give the synchronization account Replicating Directory Changes rights
- Create AD Connection
- Perform a Full Import
- Test!
Hopefully this article will help you debug the User Profile NetBiosDomainNamesEnabled issue.