Udostępnij za pośrednictwem


Step by Step: Active Directory Import for SharePoint 2013

Active Directory Import (AKA Active Directory Direct Import – ADDI) is one of the new features in SharePoint 2013 allowing you to import users from active directory into your SharePoint User Profile Service Application.

Background

In SharePoint 2010, there was only one method allowing you to sync user profiles between your user repository and your SharePoint environment which was essentially a lightweight version of FIM.

With SharePoint 2013, there are now three methods that you to carry out the aforementioned sync operation.

  • SharePoint Profile Synchronization (lightweight FIM)
  • Active Directory Import
  • External Identity Manager (C#)

While the focus of this article is Active Directory Import, the amount of enhancements that have been done especially with regards to the performance of lightweight FIM elicit mentioning.
One of the most important areas of enhancements is regarding how FIM retrieves data from BCS.

In SharePoint 2013, import operations from BCS are done as batches rather than one by one.
Furthermore, indexes were added to user properties that eliminated full table scans. A number of unused provisioning steps were also removed.
The end result? One piece of anecdotal evidence show that 300K users took less than 7 hours for a full import operation, previously it took nearly three weeks.

Active Directory Import

Active Directory Import allows you to import users from active directory into your SharePoint 2013 environment. The logical question would then be what are the pro and cons of ADI and when should I used it over FIM. The table below summarizes these points.

Pros Cons
Extremely fast performance Cannot import from more than one user repository
 Very reliable Cannot import from any other user repository than AD (no LDAP support)
Connect to forests with multiple domains Sync is one way from AD into SharePoint (hence the “import” in the name)

Windows, FBA and claims are all supported

 

I now use ADI for any development/PoC environment. I would also highly recommend it for any production environment that leverages only AD DS and doesn’t require writing back to AD.

Great! How do I enable ADI?

Enabling ADI is done over essentially 4 steps. These 4 steps are done against an instance of the user profile service application with the exception of the first step.

  1. Configure AD DS permissions.
  2. Enable Active Directory Import
  3. Configure the connection properties
  4. Map the user properties between AD and UPSA

1. Configure AD DS permissions

In this step, you grant the security permissions (Replicate Directory Changes permission) to the account that SharePoint uses to connect to AD DS during profile synchronization.

Step by step instructions are provided here: https://technet.microsoft.com/en-us/library/hh296982.aspx (Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013)

2. Enable Active Directory Import

In this step, we select ADI as the import mechanism for the user profile service application instance that we accessing.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.
  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

3. Configure the connection properties

The lightweight FIM component that comes with SharePoint 2013 stores its connection configuration in the Sync DB, however ADI stores its connection configuration in the profile DB and therefore on changing the sync mechanism from FIM to ADI the first time, you will need to configure the connection properties for ADI.
These properties include the credentials used to connect to AD DS (these should be the same credentials that were given the permissions in step 1) as well as which items to sync.

On subsequently switching between FIM and ADI the connection properties are retrieved for each respectively.

The complete steps for doing so are provided in “Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013” https://technet.microsoft.com/en-us/library/jj219646.aspx

4. Map user properties between AD and UPSA.

In this step, you determine how the properties of SharePoint user profiles map to the user information that is retrieved from AD DS.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the People section, click Manage User Properties.
  5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.
  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
  7. To add a new mapping, do the following:
    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.
    2. In the Attribute box, type the name of the directory service attribute to which you want to map the property.
    3. Click Add.
  8. Click OK.
  9. Repeat steps 5 through 8 to map additional properties.

Tips and Tricks

  1. Each time you change the sync mechanism from FIM to ADI the user profile synchronization service is stopped. You will need to restart it if you have switched to FIM.
  2. If you are mapping attributes and are using FIM, all of the attributes from AD are listed in the drop down box. However if you are mapping the attributes using ADI, you will need to type the attributes in the textbox. The drop down is still displayed, however empty. This is not an indication that there is something wrong with your security.
  3. When setting up the connection details, you will be prompted for the FQDN, this doesn’t include the machine name. If you add the machine name to the FQDN you will be presented with a “No containers to display” error message.

Comments

  • Anonymous
    January 01, 2003
    thank you Ahmed , very useful article

  • Anonymous
    January 01, 2003
    Do we need start "User Profile Synchronization Service" now if use AD import?

  • Anonymous
    August 05, 2013
    Congratulations Ahmed. Very good job.

  • Anonymous
    September 05, 2013
    Hello Ahmed, I configured all Sync settings to import users Profilers from a different domain ... Everything is going fine except AD Groups. They were not import properly and I am not able to give permissions to an AD group in my Sharepoint site. Can you help me please ? Best regards !! Luiz

  • Anonymous
    September 27, 2013
    I'm having the same problem as Luiz

  • Anonymous
    November 23, 2013
    If you would like to add those propertymappings programmatically, you have to be aware, that when your connection is of type "ActiveDirectoryImport", the methods of the classic sync-connection won´t work, because Microsoft implemented it in a different way. This is also reflected at msdn.microsoft.com/.../microsoft.office.server.userprofiles.connection.propertymapping.aspx where they state, that the Connection.PropertyMapping property is NULL in case of ActiveDirectoryImport. The great thing about it is, that it got much simpler through the ActiveDirectoryImportConnection.AddPropertyMapping method. Try this: $site = New-Object Microsoft.SharePoint.SPSite <centraladmin-URL> $context = [Microsoft.SharePoint.SPServiceContext]::GetContext($site) $configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager $context $UPAConnMgr = $configManager.ConnectionManager $Connection = ($UPAConnMgr | select -First 1) if ($Connection.Type -eq "ActiveDirectoryImport"){   $Connection.AddPropertyMapping("streetAddress","SPS-Location")   $Connection.Update() }

  • Anonymous
    December 13, 2013
    I got stuck at the step 3) configure the connection properties. I get an error (NeedsFullImport) and cannot create new sync connection. Any idea?

  • Anonymous
    November 05, 2014
    The comment has been removed

  • Anonymous
    October 18, 2015
    The 3rd tip helped me a lot.
    was frustrated with fqdns and no containers to display error.
    saved my weekend.
    thanks a lot.

  • Anonymous
    December 21, 2015
    I have SharePoint 2013 Server configured in our environment. We are getting newly created users added to environment but we do not have a Synchronization Connection configured. Why is this?

  • Anonymous
    December 22, 2015
    I want to get all user and group from active directory to SharePoint 2013 without add a group in people or group->site setting(sharepoint).
    Plz any one tell the steps and procedure for that

    Thanks in advance:)

  • Anonymous
    December 28, 2015
    Our company have setup a new Sharepoint 2013 on-premise.

    We found many problem during setup the user profile sync to AD. One of the core issue, the AD profile cannot sync to Sharepoint profile. I'm afraid it was because we have set "Use SharePoint Profile Synchronization" at "Configure Synchronization Settings". I have amended the setting to ADI but the "User Profile Service Application" start failed.

    Can anyone give me some advice on this case.

    Many thanks.

  • Anonymous
    February 19, 2016
    How to resolve sync issues with Active Directory Direct Import.

  • Anonymous
    March 08, 2016
    +1 for :
    When setting up the connection details, you will be prompted for the FQDN, this doesn’t include the machine name. If you add the machine name to the FQDN you will be presented with a “No containers to display” error message.

  • Anonymous
    March 21, 2016
    Please, be careful with the ADI configuration, it involves a lot of constraints (see the "before you begin" in this page:https://technet.microsoft.com/en-us/library/jj219646.aspx), like the possibility of import profile pictures from AD, or a better mapping experience with the "user profile properties".

    So, this is a really huge "Cons." that this article doesn't take in consideration!

    Best regards,

  • Anonymous
    April 05, 2016
    The comment has been removed