SharePoint 2013 Planning User Profile Synchronization With Directory Services (AD DS, Novell, SJSDS)
Determining the synchronization connections and identifying the property mappings is important. You will also have to plan the various aspects of the profiles to be synchronized, but that part is straightforward. Identifying the synchronization server is also important.
You can run only one instance of the User Profile Synchronization service on a farm. You decide which server to use when you create the User Profile service application. SharePoint Server includes a version of Microsoft Forefront Identity Manager that runs on that computer to carry out the synchronization.
Because SharePoint Server synchronizes profiles over the network, there is heavy traffic between the synchronization server and the domain controllers. Selecting a synchronization server that is close to the domain controllers is a good idea, because it reduces the time the synchronization takes.
You must run a full synchronization the first time you synchronize profile information between the external systems and SharePoint Server. From then on, you can configure the User Profile Incremental Synchronization timer job to schedule incremental synchronization. You configure it to suit your organization: several times per minute, hourly, daily, weekly, monthly, and so on. You are in control of that part of the process.
Frequent synchronization reduces the number of changes that must be processed each run, which shortens each synchronization. If you don't customize the settings, the job defaults to a daily synchronization. It is a good idea to schedule it for the time of day or night when the network is used least.
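The following is an added example, not part of the original article: it locates the incremental synchronization timer job by the display name the article uses, shows its current (default daily) schedule and moves it to an off-peak window. It assumes the SharePoint Management Shell on a farm server and that the job's display name contains that text.

```powershell
# Added example (not the article's own code). Assumes the
# Microsoft.SharePoint.PowerShell snap-in is available on a farm server and
# that the timer job's DisplayName contains the phrase used in the article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$jobs = Get-SPTimerJob | Where-Object {
    $_.DisplayName -like '*User Profile Incremental Synchronization*'
}
if (-not $jobs) {
    throw 'Incremental synchronization job not found; has the User Profile service application been created?'
}

foreach ($job in $jobs) {
    # Show what is in place before changing anything (default is daily).
    '{0}: schedule = {1}; last run = {2}' -f $job.DisplayName, $job.Schedule, $job.LastRunTime

    # Move the run to an off-peak window. SPSchedule strings such as
    # "daily at 02:00:00", "hourly between 0 and 59" and
    # "every 15 minutes between 0 and 59" are accepted; 02:00 is a placeholder.
    Set-SPTimerJob -Identity $job -Schedule 'daily at 02:00:00'
}
```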
The synchronization account must be granted specific permissions so that the synchronization service can read the information it needs from the directory service. The following sections identify the permissions needed for each type of directory service. You will need to work with the directory service administrator to give the account the right permissions.
For a connection to AD DS, the synchronization account must have Replicate Directory Changes permission on the domain it synchronizes with. Replicate Directory Changes allows an account to query changes in the directory; it does not allow the account to make any changes in the directory. If the domain controller is running Windows Server 2003, the synchronization account must also be a member of the Pre-Windows 2000 Compatible Access built-in group.
If the NetBIOS name of the domain differs from its fully qualified domain name, the synchronization account must also have Replicate Directory Changes permission on the cn=Configuration container. For example, if the NetBIOS domain name is contoso but the fully qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=Configuration container.
If you will be exporting property values from SharePoint Server to AD DS, the account also needs Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit you are synchronizing with.
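As an added example (not from the original article), the script below audits which replication extended rights the synchronization account actually holds on the domain naming context and on the cn=Configuration container, so the grant can be verified with the directory administrator. It assumes the ActiveDirectory module, a placeholder account name, and that AD DS names the permission "Replicating Directory Changes" (the article calls it Replicate Directory Changes).

```powershell
# Added example, not the article's own code. Assumes the ActiveDirectory
# module; $SyncAccount is a placeholder, replace it with your sync account.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\spsyncsvc'   # placeholder, not a real account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# Resolve the rightsGuid of each replication extended right from the schema
# rather than hard-coding GUIDs.
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
    -LDAPFilter '(displayName=Replicating Directory Changes*)' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_.displayName }

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Check both the domain NC (always required) and the Configuration container
# (required when the NetBIOS name differs from the FQDN).
foreach ($dn in @($domainDn, $configDn)) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $held = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $rightsByGuid.ContainsKey($_.ObjectType)
    }
    "== $dn =="
    if (-not $held) { "  no replication rights granted to $SyncAccount" }
    foreach ($ace in $held) {
        '  {0,-5} {1}' -f $ace.AccessControlType, $rightsByGuid[$ace.ObjectType]
    }
    # Profile import needs only "Replicating Directory Changes"; flag anything
    # broader so it can be justified or removed.
    $extra = $held | Where-Object {
        $rightsByGuid[$_.ObjectType] -ne 'Replicating Directory Changes'
    }
    if ($extra) { "  WARNING: rights beyond Replicating Directory Changes are granted; confirm they are needed" }
}
```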
For a connection to Novell eDirectory, the synchronization account needs Entry Rights with Browse rights for the tree, and All Attribute Rights with Read, Write, and Compare rights for the tree.
For a connection to Sun Java System Directory Server, the synchronization account needs Read, Write, Compare, and Search permissions on the RootDSE. Incremental synchronization can be performed only if the account also has Read, Compare, and Search permissions on the change log; if no change log exists, it must be created before synchronization.
For a connection to Sun Java System Directory Server, the synchronization account also has to be a member of an administrative group.
The User Profile Synchronization service runs as the farm account, which needs specific permissions on the synchronization server for profile synchronization to be configured. Only an administrator of the synchronization server can grant those permissions.
The farm account must be a member of the Administrators group on the synchronization server while the User Profile Synchronization service is being configured; you can remove that membership after the service has been configured successfully. The account must also be able to log on locally to the synchronization server.
The farm administrator account and the farm account are different from each other. To determine the farm account, go to Central Administration, click Configure Service Accounts, and then select Farm Account. If you want to synchronize user profiles with a business system, you can do so through an external content type; in that case the farm account must have permission to execute operations on the external content type.