Configuring User Profile Service, Starting Synch, and Creating SharePoint Service Applications for SharePoint 2010 or SharePoint 2013

First off, I’d just like to apologize to anyone who used this before it was edited and received an over-privileged farm.  I would then like to point you to the disclaimer page.

This post assumes that you’ve installed the SharePoint binaries and have created a Central Administration web site using a SQL alias named SharePointSQL.  It also assumes that you have created the shared services service application app pool account in Active Directory.

This post assumes you’ve already installed the SharePoint binaries (Grey Wizard), that you are not using the Farm Config Wizard (White Wizard) to set up the farm, and that you’ve read HarbarNet before reading this post.  It also assumes that you’ve patched the install to the most recent CU.

Note:  You don’t have to install everything; you could just take the code in green below for the managed metadata service, or you could do it manually.

User Profile Synchronization service application configuration doesn’t have to stress you anymore. Most of what you are about to read is adapted from HarbarNet, from the post that is/was located at this URL: http://www.harbar.net/articles/sp2010ups.aspx, and from TechNet.

Here are the steps adapted from Spence Harbar’s blog and parts of TechNet:

1. Install SharePoint in whatever farm topology you like, using a setup user account to run the install; this user is a local admin.

2. When you get to the screen that asks for the account that will connect to the back end database, enter the name of the server, not the FQDN: enter Myserver, not Myserver.mydomain.com.

3. Enter the account name for the Farm Account (DOMAIN\My_Farmer). Note: this is not the setup user account.

SharePoint Hosted Services

4. After the farm installs, patch it to the November 2016 cumulative update: http://technet.microsoft.com/en-us/sharepoint/bb735839.aspx. Note: this was for SharePoint 2010 RTM and is not needed in SharePoint 2013.

5. After the farm is updated and you’re still logged in with the setup user account, save this text into a file with a .ps1 extension.

Click here to watch a video of this script

If doing this for 2013, comment out the section on Web Analytics or deal with the red puke.

Then, after you’ve removed that from the below, you’re ready to run for 2013.  Make sure to close your PowerShell out and re-open it, then make sure the Excel, Visio, and PerformancePoint cmdlets are present.  If you just run up Central Admin and try to use the same shell, the Visio, Excel, and PerformancePoint cmdlets won’t be there.  You need to close and re-open.

Also, this script rolls everything into one service application pool.

6. Create two managed accounts, one named for content and used to run your web applications, and one named for serviceApps and used to run new Service Applications (e.g. User Profile synch): Security > Configure managed accounts.

From this point forward it is all about User Profile Service

7. See the Surgeon General’s WARNING below, then navigate to C:\Program files\Microsoft Office Servers\14.0\Synchronization Service\MaData using the farm account and make sure the farm account has at least Modify on this entire path via its membership in WSS_ADMIN_WPG (it should, because it is a member of the WSS_ADMIN_WPG group). If that is not the case, open a management shell and type add-spshelladmin -user domain\myfarmaccount, where myfarmaccount is the name of the farm account that was input during the install; the setup user account (mydomain\mysetupUseraccount) and farm account (mydomain\myFarmer) should already be members.

WARNING: Don’t modify ACLs unless you’re sure you know it won’t hurt SharePoint. http://technet.microsoft.com/en-us/library/cc721637(office.12).aspx

NOTE: The Manager Data folder, MaData, will be empty before you configure the service. After you start the synch and run iisreset (see steps below), you’ll be able to drill into it and see two folders and one file. It is at this time, when you see the folders and the file, that you know you are safe to open the UPS and configure it; continue to step 8.

One of the HarbarNet pages gives a good example of using ULS Viewer to track the user profile install; you really should check that out if you haven’t.

8. Add Allow log on locally to the Farm Account via secpol.msc > Local Policies > User Rights Assignment > Allow log on locally.

9. Add the Farm Account to the local Administrators group, too (compmgmt.msc > Configuration > Local Users and Groups > Administrators).

10. Log the setup user off, log the farm account on and then off, log back on with the setup user account.

11. Right-click on your domain in Active Directory Users and Computers > click Delegate Control > Next > add the account that will later be used to configure the actual user profile service (e.g. SP_UserProfiles_FarmName) > Create a custom task to delegate > This folder, existing objects in the folder, and creation of new objects… > Next > scroll down, check Replicating Directory Changes (don’t check any other boxes, i.e. don’t check property-specific, etc.) > Next > Finish.

There is good info on TechNet about step 11 located here: http://technet.microsoft.com/en-us/library/hh296982.aspx
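Step 11 as a command line, with a check of who actually holds that right afterwards; this is an added example, not from the original post or HarbarNet. It assumes the ActiveDirectory PowerShell module is installed on the machine you run it from, and MYDOMAIN\SP_UserProfiles_FarmName is a placeholder for your sync account.

```powershell
# Added example (not the post's own script): scripted equivalent of step 11 plus an audit.
# Assumptions: ActiveDirectory module present; MYDOMAIN\SP_UserProfiles_FarmName is a placeholder.
Import-Module ActiveDirectory
$domainDN    = (Get-ADDomain).DistinguishedName
$syncAccount = "MYDOMAIN\SP_UserProfiles_FarmName"

# Grant only "Replicating Directory Changes" on the domain root, the single box step 11 ticks.
# dsacls is the command-line counterpart of the Delegate Control wizard; CA = control access right.
dsacls $domainDN /G "$($syncAccount):CA;Replicating Directory Changes"

# Well-known rightsGuid of the DS-Replication-Get-Changes control access right.
$getChangesGuid = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

# List every identity allowed that right on the domain root. Built-ins such as Administrators,
# Domain Controllers and Enterprise Domain Controllers are expected; anything else should be
# an account you recognise, otherwise find out who added it.
$holders = (Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ObjectType -eq $getChangesGuid -and $_.AccessControlType -eq "Allow" } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

if ($holders -contains $syncAccount) {
    Write-Host "OK: $syncAccount holds Replicating Directory Changes on $domainDN"
} else {
    Write-Warning "$syncAccount does NOT hold Replicating Directory Changes; re-check step 11"
}
Write-Host "All holders of Replicating Directory Changes on ${domainDN}:"
$holders | ForEach-Object { Write-Host "  $_" }
```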

12. Create a Web Application, call it SharePoint – 80, on port 80, use the content account, and when prompted to create a site collection, you can if you want to, but it’s not needed for this exercise and won’t impact whether your UPS will work.

13. Now let’s create a Metadata UPS Mysite Hub web application.  Create another web application, call it SharePoint metadata hub – 9094, or pick a better, more professional name, say UPS AD DS Sync, but put it on port xxxx (where xxxx is a number greater than 1024), not on port 80. And run it with the content account, not the farm account.
Note: Metadata UPS Mysite Hub is not the technical term for it, and some people might laugh at you if you call it that. This Hub, so to speak, is where I roll up the UPS and Metadata site collections. They don’t have to be together, but you do need the metadata site collection and the UPS/enterprise MySite site collections up before you can get UPS to synch up nicely.

PLEASE NOTE:  some sites have you create just one site collection; you will eventually split them out as they grow.

14. Once the web application is created, create an enterprise MySite Host site collection in the root, and name it after the UPS service synch (or choose your own nameology).
Steps to create the site collection for UPS: Application Management > Site Collections > Create Site Collections > choose the Metadata UPS hub web app that runs on port xxxx > name it, give it an account for the site collection admin (use the same content account that you used when you created the web app, if you want).

15. Create another site collection in the Metadata hub web app, and locate this one under a managed path that you created, or under /sites/Meta. Note: you could name the URL portion of the site anything you want. Use the Publishing Portal site template for this site collection.

16. Open this newly created site, http://myserver.mydomain.com/sites/meta, and navigate into Site Collection Features and Site Features
(http://myserver.mydomain.com/sites/meta/_layouts/managefeatures.aspx) and ensure that the Content Organizer and Metadata Navigation and Filtering features are activated. Copy the URL to your metadata hub site (e.g. http://myserver.mydomain.com/sites/meta).

17. Navigate to Central Admin > Application Management > Service Applications > Manage service applications and click to the right of the Metadata Web Service so that you get an illuminated Properties icon in the ribbon; scroll down to the Content Type hub box and paste in the URL to your metadata hub site.

OK, back to Central Admin: Application Management > Service Applications > Manage services on server > start the User Profile Service and ask yourself this question: “Have I patched this 2010 RTM farm to the most current CU?”

18. While still on the Manage service applications page, click New > User Profile Service Application > name it > run it in a new application pool, name the new app pool > it runs under the farm account > the default databases are OK > paste in the URL to your MySite Host site collection; since you created it in the root, this URL looks just like the URL to the web application, just the protocol, server name and the port (e.g. http://2010SP:9094). Click OK.
Note: I’ve had better success if I make sure to leave the / behind the My Site host URL and remove it from the My Site managed path, so say no to (/Personal) and say yes to (Personal).
Click OK.
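Steps 12 through 18 as they would look scripted from the SharePoint 2010 Management Shell, added here as an example and not the post’s own script. MYSERVER, MYDOMAIN\sp_content, MYDOMAIN\My_Farmer, port 9094 and the database names are placeholders; it assumes both managed accounts exist (step 6) and that the Managed Metadata service application was already created by the script in step 9.

```powershell
# Added example (not the post's script): steps 12 to 18, run as the setup user in the Management Shell.
# Placeholders: MYSERVER, MYDOMAIN\sp_content, MYDOMAIN\My_Farmer, port 9094, database names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$contentAccount = Get-SPManagedAccount "MYDOMAIN\sp_content"
$farmAccount    = Get-SPManagedAccount "MYDOMAIN\My_Farmer"
$hubUrl         = "http://MYSERVER:9094"     # the "Metadata UPS Mysite Hub" web app (step 13)

# Steps 12 and 13: two web applications, both running as the content account, not the farm account.
# (On 2013 add -AuthenticationProvider (New-SPAuthenticationProvider) for claims mode.)
New-SPWebApplication -Name "SharePoint - 80" -Port 80 -ApplicationPool "SharePoint - 80" `
    -ApplicationPoolAccount $contentAccount -DatabaseName "WSS_Content_80" | Out-Null
New-SPWebApplication -Name "SharePoint metadata hub - 9094" -Port 9094 -ApplicationPool "SharePoint - 9094" `
    -ApplicationPoolAccount $contentAccount -DatabaseName "WSS_Content_9094" | Out-Null

# Step 14: My Site Host in the root. Step 18's note wants the wildcard path "personal", not "/personal".
New-SPSite -Url $hubUrl -Name "My Site Host" -Template "SPSMSITEHOST#0" `
    -OwnerAlias $contentAccount.UserName | Out-Null
New-SPManagedPath -RelativeURL "personal" -WebApplication $hubUrl | Out-Null

# Steps 15 and 16: Publishing Portal under /sites/meta with Content Organizer and Metadata Navigation on.
$metaUrl = "$hubUrl/sites/meta"
New-SPSite -Url $metaUrl -Name "Metadata Hub" -Template "BLANKINTERNETCONTAINER#0" `
    -OwnerAlias $contentAccount.UserName | Out-Null
Enable-SPFeature -Identity "DocumentRouting" -Url $metaUrl   # Content Organizer
Enable-SPFeature -Identity "MetaDataNav"     -Url $metaUrl   # Metadata Navigation and Filtering

# Step 17: point the Managed Metadata service application's content type hub at that site.
Get-SPServiceApplication | Where-Object { $_.TypeName -like "Managed Metadata*" } |
    ForEach-Object { Set-SPMetadataServiceApplication -Identity $_ -HubUri $metaUrl }

# Start the User Profile Service instance on this server (the step just before 18).
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "User Profile Service" -and $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# Step 18: UPS application in its own pool under the farm account; My Site host URL has no trailing path.
$upaPool = New-SPServiceApplicationPool -Name "SharePoint - UPA" -Account $farmAccount
$upa = New-SPProfileServiceApplication -Name "User Profile Service Application" -ApplicationPool $upaPool `
    -MySiteHostLocation $hubUrl -ProfileDBName "UPA_Profile" -SocialDBName "UPA_Social" -ProfileSyncDBName "UPA_Sync"
New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
    -ServiceApplication $upa -DefaultProxyGroup | Out-Null
```

Starting the User Profile Synchronization service (step 21) is left to Central Admin as the post describes, since it needs the farm account’s password entered at that point.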

19. Make sure those permissions for allow log on locally, local admins, and the path to the Manager Data are correct. Which brings up one more thing about permissions: the account that you’ll use to configure User Profile synch after you get through setting it up, the userProfile account, needs Replicate Directory Changes.

20. Moved in front of 18 – used to be here – the process works way better if it is started before provisioning the service application.

21. Start the User Profile Synchronization service, and while it is still saying it’s starting, or after 10 minutes, run IISRESET.

21a.  Give Network Service the default rights to C:\Program Files\Microsoft Office Servers.

22. Navigate to C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\MaData. Refresh this folder, wait, grab a copy of War and Peace or Slaughterhouse 5, start reading, have a smoke if you smoke, or just go to bed. Either way, wait until you see a folder named ILMMA, one named MOSS- and a file named UpdateFile.
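The checks from steps 7, 9 and 22 rolled into one read-only script, added here as an example and not the post’s own code. It only reads the MaData ACL (per the WARNING, it never changes it), assumes the 2010 path (14.0; swap in 15.0 for 2013), and uses MYDOMAIN\My_Farmer as a placeholder farm account.

```powershell
# Added example (not the post's code): read-only checks for steps 7, 9 and 22, run as the setup user.
# Assumptions: SharePoint 2010 path (14.0; 15.0 for 2013); MYDOMAIN\My_Farmer is a placeholder.
$maData      = "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\MaData"
$farmAccount = "MYDOMAIN\My_Farmer"
$modify      = [System.Security.AccessControl.FileSystemRights]::Modify

# Step 7: WSS_ADMIN_WPG should already carry at least Modify on this path. Read the ACL, never rewrite it.
$wpgModify = (Get-Acl -Path $maData).Access | Where-Object {
    $_.IdentityReference -like "*\WSS_ADMIN_WPG" -and $_.AccessControlType -eq "Allow" -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}
if ($wpgModify) { Write-Host "OK: WSS_ADMIN_WPG has Modify on $maData" }
else { Write-Warning "WSS_ADMIN_WPG lacks Modify on $maData; read the TechNet ACL reference before touching it" }

# Step 7 also expects the farm account in WSS_ADMIN_WPG; step 9 wants it in local Administrators.
foreach ($group in @("WSS_ADMIN_WPG", "Administrators")) {
    $members = net localgroup $group
    if ($members -match [regex]::Escape($farmAccount)) { Write-Host "OK: $farmAccount is in $group" }
    else { Write-Warning "$farmAccount is not in ${group}; revisit step 7 (add-spshelladmin) or step 9" }
}

# Step 22: poll until the sync service has populated MaData with ILMMA, MOSS-<guid> and UpdateFile,
# giving up after 30 minutes so the loop cannot run forever.
$expected = @("ILMMA", "MOSS-", "UpdateFile")
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $present = @(Get-ChildItem -Path $maData -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.Name; @($expected | Where-Object { $n -like "$_*" }).Count -gt 0 } |
        ForEach-Object { $_.Name })
    Write-Host ("{0:HH:mm:ss} MaData contains: {1}" -f (Get-Date), ($present -join ", "))
} until ($present.Count -ge $expected.Count -or (Get-Date) -gt $deadline)

if ($present.Count -ge $expected.Count) { Write-Host "MaData is populated; safe to open the UPS application (step 23)" }
else { Write-Warning "MaData still incomplete after 30 minutes; check ULS Viewer as the HarbarNet note suggests" }
```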

23. Navigate to Manage Service Applications and click on User Profile Service Application.

24. Configure the synchronization connection using the account you gave the Replicate Directory Changes permission. Click Create New Connection and just fill in the form, using the sp_userprofile account; you’re logged into the server at this time with the setup user account because you’re still setting it up.

25. Click on Configure Synchronization Settings and choose users only for the first synch; then, after you synch just users, go back and synch users and groups.
