Table of Contents
  Introduction
  What is Microsoft Identity Manager?
  Before Start (Checklist)
  Tasks
  Installation
    Installation of Microsoft Identity Manager
    Install the Update for MIM Server
    Installing the Forefront Identity Manager Connector for SharePoint User Profile Store
  Configure the Synchronization
    Before Start
    Configure at SharePoint Central Admin
    Install the SharePoint Server Synchronization Configuration File at MIM Server
    Run Sync
  Custom Attributes
    Create Property in the UPA
    Create a matching property in the Metaverse
    Create the Mapping in the ADMA
    Refresh the Schema for SPMA
    Create the Mapping in the SPMA
    Run Full Sync
  Connection Filter
  Adding Extra Domain
    Add another domain or domains
    Update your run profile for each domain(s)
      Full Import
      Full Sync
      Delta Import
      Delta Sync
  Conclusion
  Reference
Introduction
This article is for SharePoint IT pros who are responsible for the installation and configuration of
SharePoint. It walks through all the steps, from downloading and installing MIM to configuring it for the
User Profile Service.
What is Microsoft Identity Manager?
Previous versions of SharePoint had a built-in copy of Forefront Identity Manager (FIM) that ran inside
the SharePoint Server product. That version of FIM powered User Profile Synchronization for
SharePoint Server 2010 and 2013. In SharePoint Server 2016, FIM has been removed in favor of
Microsoft Identity Manager (MIM), the successor to the FIM technology. MIM is a separate server
technology (not built into SharePoint Server). That means that if you have MIM running in your
company, more than one SharePoint Server 2016 farm can rely upon it.
It is also important to note that Active Directory Import (sometimes called Active Directory Direct
Import) is also included with SharePoint Server 2016. It is a User Profile Synchronization alternative
that does not need a separate server installation. This means that SharePoint Server 2016 offers two
options for User Profile Sync.
Which option is right for you?

Microsoft Identity Manager (MIM) server
  Pros
  1. Flexibility allows for customized import.
  2. Can be customized for bidirectional flow.
  3. Imports user profile photos automatically.
  4. Supports non-Active Directory LDAP sources.
  5. Multi-forest scenarios are supported.
  Cons
  1. A separate MIM server is recommended for use with your SharePoint Server farm.
  2. The more customized, the more complex the architecture, deployment, and management.

Active Directory Import
  Pros
  1. Very fast and performant.
  2. Known to be reliable (used by Office 365).
  3. Configurable inside SharePoint Central Administration (less complex).
  Cons
  1. Import is unidirectional (changes go from Active Directory to SharePoint Profile).
  2. Import from a single Active Directory forest only.
  3. Does not import user photos automatically.
  4. Supports Active Directory LDAP only.
  5. Multi-forest scenarios are not supported.
Before Start (Checklist)
• Make sure the server OS is Windows Server 2008 R2 SP1 or later.
• SQL Server 2008 R2 or later for the MIM Sync and MIM Service databases.
• Install account: the account you log on to the server with to install and configure MIM.
• Farm Admin account: the account you log on to Central Admin with to provision the User Profile Service.
• The service account (domain account) and password under which the MIM Sync service will run. This
  account needs the following permissions on the server where MIM will be installed and run:
  o "Log on as a service"
  o "Run as a service"
• A domain account with Replicate Directory Changes permission on Active Directory, for the Active
  Directory connector.
• SQL Server name and instance, or alias name.
• Location of the installation files.
• Download all the required software and patches:
  o Download Microsoft Identity Manager from the Volume Licensing site / MSDN, or download the trial
    from here: https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-identity-manager-2016
  o You also need to download the hotfix and apply it in order to configure MIM properly. You can
    download it from the following link: KB3092179 https://support.microsoft.com/en-us/kb/3092179
  o Download the SharePoint Management Agent (SPMA):
    https://www.microsoft.com/en-us/download/details.aspx?id=41164
Tasks
We will perform the following tasks:
1. Installation of MIM
2. Install the Update for MIM Server
3. Installation of SharePoint Connector for MIM
4. Creation of User Profile Service
5. Add Custom Attributes
6. Add Additional Domains
Installation
Let's start with the installation tasks, in the order mentioned above.
Installation of Microsoft Identity Manager
During this task, we will install the MIM Sync engine for the User Profile Service.
Mount en_microsoft_identity_manager_2016_x64_dvd_6818274.iso, browse to the
Synchronization Service folder and click Synchronization Service.MSI.
Click Next on the Welcome screen.
Accept the License Agreement and click Next.
Select Microsoft Identity Manager Synchronization and click Next.
Select the SQL Server location (Remote or Local) and Instance Name (Default or
Named). Click Next.
Provide the details of the Service Account under which the MIM Sync service will
run. Click Next.
Provide the Group name and click Next.
If the firewall is enabled on your server, then enable the rule; otherwise keep it unchecked.
Click Next.
Click Install.
Click OK for the warning.
Now save the Encryption Key: select the location where the key will be saved.
Click Finish.
Click Yes to log off and log on again, so that the security group membership takes effect.
This installs the Microsoft Identity Manager Synchronization module.
Install the Update for MIM Server
Now we will install the update for MIM Server 2016; otherwise the configuration command will not
work.
Double-click 488603_intl_x64_zip.exe.
Click Continue.
Select the location where the extracted files will be stored (select a drive which has at least
250 MB of free space).
Browse to the extracted folder and double-click FIMSyncService_x64_KB3092179.msp.
Click Update and wait.
Click Finish.
Installing the Forefront Identity Manager Connector for SharePoint User Profile Store
Now we will install the SharePoint Management Agent. It must be on the same server where
MIM is installed.
Double-click SharepointConnector.msi.
Click Next.
Accept the License Agreement and click Next.
Click Install.
Click Finish.
This completes the installation of Microsoft Identity Manager for the User Profile Service in SharePoint
2016. Next, we have to configure the synchronization for the User Profile Service.
Configure the Synchronization
After installing Microsoft Identity Manager 2016 and the Forefront Identity Manager Connector for SharePoint User
Profile Store, we now have to configure the synchronization for SharePoint Server 2016. Please see my article on
installing MIM for SharePoint Server.
In previous versions of SharePoint, we controlled the User Profile sync from Central Admin, but in SharePoint 2016
it is a different story. It is a somewhat manual process, but a simple one, in which you set up a couple of scheduled
tasks to run the Full and Incremental sync. You can create these tasks using the script available on the GitHub site.
Before Start
• Microsoft Identity Manager 2016 Sync engine and Forefront Identity Manager Connector for SharePoint
  User Profile Store are installed.
• You must log on to the SharePoint server with the Farm Admin account, which needs local admin rights.
  Without local admin, you will not be able to run the sync.
• A domain account which has SharePoint access.
• Make sure the following AD details are ready:
  o ForestDnsName: This is the DNS name of the Active Directory forest to be synchronized, e.g.
    krossfarm.com
  o ForestCredential: This is the username and password of the account that will be used to read
    objects from Active Directory. This account must have Replicate Directory Changes permission in
    the Active Directory that is to be synchronized. This is the same kind of account we used in
    the previous version of SharePoint, e.g. Krossfarm\KFadSyncAccount
  o OrganizationalUnit: This is the distinguished name of the Active Directory container to be
    synchronized. You can add more containers after the configuration is loaded. To add more
    containers, use the Synchronization Service Manager GUI to modify the 'AD' management
    agent.
• Make sure the following SharePoint connection details are ready:
  o SharePointUrl: This is the URL of the SharePoint server running the User Profile Service application,
    i.e. the Central Admin URL, for example http://KFAppServer:1234.
  o SharePointCredential: The username and password of the account used to connect to the
    SharePoint User Profile Service. This account will read and write objects in the SharePoint User Profile Store
    databases, e.g. krossfarm\KFUPAdmin
• Download the following solution files, which are available on GitHub:
  https://github.com/OfficeDev/PnP-Tools/tree/master/Solutions/UserProfile.MIMSync
  o SharePointSync.psm1 - Windows PowerShell module for deploying and starting the
    synchronization solution.
  o MA-AD.xml - This is the MIM management agent for Active Directory.
  o MA-SP.xml - This is the MIM management agent for SharePoint Server.
  o MV.xml - This XML file contains additional User Profile Synchronization configuration.
• Place all downloaded files on the MIM server, e.g. in c:\SharePointSynchronization
• The User Profile Service application is properly provisioned and the Enable External Identity Manager option
  is selected under Configure Synchronization Settings.
Configure at SharePoint Central Admin
In order to configure the MIM sync with the User Profile Service, we have to configure the synchronization settings.
Go to Central Admin > Application Management > Manage Service Applications > click User Profile
Service.
On the Manage Profile Service page, click Configure Synchronization Settings.
Make sure Enable External Identity Manager is selected, then click OK.
Install the SharePoint Server Synchronization Configuration File at MIM Server
Now we will install the solution files and configure the sync. Please place all downloaded solution files in the same
directory.
Place all downloaded solution files in a directory.
Open the PowerShell console (Run as Administrator).
In the PowerShell window, first import the SharePointSync.psm1 module:

    ### Load the SharePoint Sync Module
    Import-Module C:\SharePointSync\SharePointSync.psm1 -Force

Now install the SharePoint Sync configuration using the information you collected initially:

    ### Install the SharePoint Sync Configuration
    Install-SharePointSyncConfiguration `
        -Path C:\SharePointSync `
        -ForestDnsName krossfarm.com `
        -ForestCredential (Get-Credential Krossfarm\KFadSyncAccount) `
        -OrganizationalUnit 'ou=employee,dc=krossfarm,dc=com' `
        -SharePointUrl http://KFAppServer:1234 `
        -SharePointCredential (Get-Credential krossfarm\KFUPAdmin) `
        -Verbose

Open Notepad, copy the script with your values and save the file as Sync.ps1.
Now run that file.
It will ask you for the password for both accounts (ForestCredential and SharePointCredential).
The SharePoint Sync configuration is completed. Now it is time to run the sync.
Run Sync
If you want to see the impact of this synchronization, such as what will be imported, you can
preview it using the -WhatIf parameter with the sync command:

    Start-SharePointSync -WhatIf -Verbose

To start the Full Sync, run the following command:

    Start-SharePointSync -Confirm:$false

To start the Incremental / Delta Sync, run the following command:

    Start-SharePointSync -Delta -Confirm:$false

Note: if you close the PowerShell window, then you have to import the Sync module again:

    Import-Module "C:\SharePointSync\SharePointSync.psm1"

Note: if you do not use the -Confirm:$false parameter in your command, then you have to watch the
window so that you can press Y to allow the import of profiles into SharePoint; otherwise the import
will not complete.
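The article mentions that in SharePoint 2016 the Full and Incremental sync are driven by a couple of scheduled tasks. The script below is an added example (not code from the article or from the PnP-Tools project) that registers those two tasks on the MIM server; it assumes the module path used in the article, and the task account name is a placeholder you replace with your own.

```powershell
# Added example (not from the original article): register the two scheduled tasks the article
# mentions, one for the Full sync and one for the Delta (incremental) sync, on the MIM server.
# Assumptions: the module path is the one used in the article, and the tasks run as an account
# that is a local administrator on the MIM server (the article notes the sync fails without
# local admin). The account name is a placeholder; the password is prompted for, never stored here.

$modulePath = 'C:\SharePointSync\SharePointSync.psm1'
$taskUser   = 'KROSSFARM\KFSyncTaskAccount'    # placeholder account name
$cred       = Get-Credential -UserName $taskUser -Message 'Password for the sync task account'

# -Confirm:$false is essential for an unattended run: without it Start-SharePointSync waits for
# someone to press Y and the import never completes (see the note above).
$fullCommand  = "Import-Module '$modulePath' -Force; Start-SharePointSync -Confirm:`$false"
$deltaCommand = "Import-Module '$modulePath' -Force; Start-SharePointSync -Delta -Confirm:`$false"

function New-SyncTaskAction([string]$Command) {
    # -NonInteractive makes PowerShell error out instead of hanging if anything still prompts.
    New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$Command`""
}

# Do not start a new instance of a task while the previous run of that task is still going,
# and cap a runaway sync at 6 hours.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 6)

# Full sync weekly on Sunday at 01:00; delta sync hourly between 06:00 and 22:00.
$fullTrigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '01:00'
$deltaTrigger = New-ScheduledTaskTrigger -Once -At '06:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Hours 16)

# Parameters shared by both registrations (the credential is what Task Scheduler stores).
$common = @{
    User     = $cred.UserName
    Password = $cred.GetNetworkCredential().Password
    RunLevel = 'Highest'
    Settings = $settings
    Force    = $true
}
Register-ScheduledTask -TaskName 'SharePoint UPA Full Sync' `
    -Action (New-SyncTaskAction $fullCommand) -Trigger $fullTrigger @common
Register-ScheduledTask -TaskName 'SharePoint UPA Delta Sync' `
    -Action (New-SyncTaskAction $deltaCommand) -Trigger $deltaTrigger @common

# Verify both tasks were created and are ready to run.
Get-ScheduledTask -TaskName 'SharePoint UPA *' | Select-Object TaskName, State
```

Run it once in an elevated PowerShell window on the MIM server; adjust the triggers to your own sync windows.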
Custom Attributes
In our company, we have a couple of custom attributes which we want to
import and display in SharePoint 2016. In this example, we will use the
employeeNumber property, which has already been created by our Active Directory
admin (I am not covering that here). Employee Number is a String type with a
size of 100.
To import a custom AD attribute we have to perform the following steps:
Create the new User Profile property in the User Profile Service
Create a matching property in the Metaverse Designer
Map the custom property in the ADMA
Refresh the schema for the SPMA
Map the custom property in the SPMA
Run a Full Sync
Create Property in the UPA
Please log on to Central Admin with the Farm Administrator account.
Go to Central Admin > Application Management > Manage Service Applications
> click User Profile Service. On this page, click Manage User
Properties.
Click New.
On this page, enter the following information:
Name: employeeNumber
Display Name: Employee Number
Type: String (Single Value)
Length: 100
Sub-type of profile: check this
User Description:
Policy Settings: select the values as per your requirements
Click OK. Now you will see the new property.
Create a matching property in the Metaverse
Click the Windows Start button and click Synchronization Service.
Click Metaverse Designer (1), then click Person (2), then click Add
Attribute (3).
Click New Attribute (1).
On this dialog, enter the
Attribute name
Attribute type
I selected Indexed.
Click OK.
Create the Mapping in the ADMA
In the Synchronization Service Manager, click Management Agents (1), then
ADMA (2), then click Properties (3).
Click Select Attributes (1), then check Show All (2), then check
employeeNumber (3), then click OK.
Reopen the ADMA Properties.
Select the following information:
1. Click Configure Attribute Flow
2. Data source object type: User
3. Data source attribute: employeeNumber
4. Mapping type: Direct
5. Flow direction: Import
6. Metaverse object type: Person
7. Metaverse attribute: employeeNumber
8. Click New.
Now you will see the new mapping under Configure Attribute Flow, as in the figure
below.
Now you need to refresh the schema for the SPMA in order to see the
employeeNumber attribute. Whenever you create or map a brand new property in the
ADMA or in the User Profile, you have to refresh the schema in order to see that
attribute.
Refresh the Schema for SPMA
In the Synchronization Service Manager, click Management Agents (1), then
SPMA (2), then click Refresh Schema (3).
Click OK on the Refresh Schema pop-up.
Now you have to enter the password for the account which we configured during
the configuration of MIM. Click OK.
You will see the message "The new schema has been committed to the server".
Click Close.
Create the Mapping in the SPMA
In the Synchronization Service Manager, click Management Agents (1), then
SPMA (2), then click Properties (3).
Click Select Attributes (1), then check Show All (2), then check
employeeNumber (3), then click OK.
Reopen the SPMA Properties.
Select the following information:
1. Click Configure Attribute Flow
2. Data source object type: User
3. Data source attribute: employeeNumber
4. Mapping type: Direct
5. Flow direction: Export, Allow Nulls
6. Metaverse object type: Person
7. Metaverse attribute: employeeNumber
8. Click New.
Now you will see the new mapping under Configure Attribute Flow, as in the figure
below.
Click OK.
Run Full Sync
Now it is time to run the Full Sync. This step validates our effort and also imports
the values from AD into the User Profile. Please run the full synchronization
using Start-SharePointSync.
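To confirm the new mapping actually delivered values, the following added example (not code from the article) compares the employeeNumber attribute in Active Directory with the value stored in the User Profile Service application for a few accounts. It assumes a SharePoint 2016 Management Shell on a farm server run as the Farm Admin, the ActiveDirectory module, and a placeholder site URL and sample account names that you replace with your own.

```powershell
# Added example (not from the original article): after the full sync, compare employeeNumber in
# Active Directory with the value that landed in the User Profile Service application (UPA).
# Assumptions: run in the SharePoint 2016 Management Shell as the Farm Admin; the ActiveDirectory
# module is installed; $siteUrl is a placeholder for any site served by the UPA; the account
# names passed to Compare-EmployeeNumber are constructed samples.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = 'http://KFAppServer:1234'   # placeholder: the article's Central Admin URL
$domain  = 'KROSSFARM'                  # NetBIOS name of the domain used in the article

# UserProfileManager is the object-model entry point to the User Profile Store.
$ctx = Get-SPServiceContext (Get-SPSite $siteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

function Compare-EmployeeNumber([string[]]$SamAccountNames) {
    foreach ($sam in $SamAccountNames) {
        $account = "$domain\$sam"
        $adUser  = Get-ADUser -Identity $sam -Properties employeeNumber -ErrorAction SilentlyContinue
        $adValue = if ($adUser) { $adUser.employeeNumber } else { $null }

        if (-not $upm.UserExists($account)) {
            # Not imported yet, or excluded by a connector filter (see Connection Filter below).
            $status   = 'no profile in UPA'
            $upaValue = $null
        } else {
            $upaValue = $upm.GetUserProfile($account)['employeeNumber'].Value
            $status   = if ($adValue -eq $upaValue) { 'match' } else { 'MISMATCH' }
        }

        [pscustomobject]@{
            Account = $account
            AD      = $adValue
            UPA     = $upaValue
            Status  = $status
        }
    }
}

# Constructed sample account names; replace with sAMAccountNames from your own directory.
Compare-EmployeeNumber -SamAccountNames 'jdoe', 'asmith' | Format-Table -AutoSize
```

A row reporting MISMATCH after a completed full sync usually means the ADMA import flow or the SPMA export flow for employeeNumber is missing or the SPMA schema was not refreshed.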
Connection Filter
A lot of companies have policies that say not to pull everything from Active
Directory and sync it with the SharePoint User Profile. For example, if you have service
accounts in your AD that you do not want to sync, or some companies
have certain employee types which they do not want to import, or want to exclude
disabled users from the synchronization.
To exclude certain users from syncing to SharePoint, we have to apply a
connector filter in MIM (ADMA). In our scenario, we want to exclude the
temporary employees (whose employee type is equal to T) and disabled
users. Let's start.
Click the Windows Start button and click Synchronization Service.
Click Management Agents in the ribbon, then double-click the ADMA.
On the Properties pop-up, under Management Agent Designer, click
Select Attributes, and in Select Attributes check the required attributes
(employeeType and userAccountControl). Now click OK.
This closes the ADMA agent; now reopen its Properties.
Now select Configure Connector Filter (1), then select User (2), then click
New (3).
On the Filter for User window, in Data Source Attribute click employeeType
(1), then under Operator select Equals (2), then under Value put the value
T (3), and now click Add Condition (4).
Now repeat the same for userAccountControl and click
OK (5).
On the Properties page, you will see both exclusions added. Click OK.
Now run a full synchronization (Start-SharePointSync). Once it has completed
successfully, you will see that all disabled users and all temporary employees are
excluded.
You can apply a single filter or multiple filters as per your requirements.
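Before running the full sync, it is worth knowing exactly which accounts the two connector-filter conditions will drop. The script below is an added example (not code from the article) that evaluates the same two conditions directly against Active Directory with one LDAP query; it assumes the ActiveDirectory PowerShell module and the OU and forest name from the article, and it treats "disabled" as the ACCOUNTDISABLE bit (0x2) of userAccountControl being set.

```powershell
# Added example (not from the original article): preview which users the ADMA connector filter
# will exclude. Mirrors the two conditions configured in the article:
#   employeeType = T                         (temporary employees)
#   userAccountControl has bit 0x2 set       (ACCOUNTDISABLE, i.e. a disabled account)
# Assumptions: ActiveDirectory module present; search base and server are the article's values.
# The matching-rule OID 1.2.840.113556.1.4.803 is LDAP's bitwise AND, used to test a single flag.

Import-Module ActiveDirectory

$excludeFilter = '(&(objectCategory=person)(objectClass=user)' +
                 '(|(employeeType=T)(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-ExcludedSyncUsers([string]$SearchBase, [string]$Server) {
    Get-ADUser -LDAPFilter $excludeFilter -SearchBase $SearchBase -Server $Server `
               -Properties employeeType, userAccountControl |
        ForEach-Object {
            $disabled = (($_.userAccountControl -band 2) -ne 0)
            # Record every condition that matched, so a user hit by both is visible as such.
            $reasons = @(
                if ($_.employeeType -eq 'T') { 'employeeType=T' }
                if ($disabled)               { 'account disabled' }
            )
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                EmployeeType   = $_.employeeType
                Disabled       = $disabled
                Reason         = ($reasons -join '; ')
            }
        }
}

$searchBase = 'ou=employee,dc=krossfarm,dc=com'   # OU from the article's configuration
$server     = 'krossfarm.com'                      # forest DNS name from the article

$excluded = @(Get-ExcludedSyncUsers -SearchBase $searchBase -Server $server)
$total    = @(Get-ADUser -Filter * -SearchBase $searchBase -Server $server).Count

$excluded | Sort-Object SamAccountName | Format-Table -AutoSize
"{0} of {1} users in {2} will be excluded by the connector filter" -f $excluded.Count, $total, $searchBase
```

Compare the count printed here with the number of profiles left in the UPA after the full sync; a large unexpected difference points at a filter condition that is broader than intended.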
Adding Extra Domain
Large corporations often have more than one domain in
their environment. In order to bring users from all domains into SharePoint, we
have to configure each additional domain in MIM (the ADMA management
agent).
This is a two-step process:
1. Add the domains in the ADMA management agent
2. Update the run profiles for each added domain.
Add another domain or domains
Open the Synchronization Service Manager.
In the Management Agents tab (1), select the ADMA management agent (2) >
Properties (3) > Actions.
On this Properties page:
1. In the Properties dialog box, click Configure Directory Partitions.
2. Check the Show All check box.
3. Click Refresh. It will ask you for the password of the ADMA account.
4. Now you will see all the connected domains. In the list of directory
partitions, select any domain you want to synchronize (and remember that
credentials for these domains may be required).
5. Click OK to save the management agent properties.
This adds the domains to the ADMA management agent.
Update your run profile for each domain(s)
Each run profile of the ADMA management agent must be updated for each
domain that was added. To update your profiles, do the following:
1. In the Management Agents tab (1), select the ADMA management agent (2), then select
Configure Run Profiles (3).
Full Import
1. Select the FullImport run profile (1) > New Step (2).
2. Choose a step type of Full Import (Stage Only) > Next.
3. Choose the partition that matches the domain you just added and click Finish.
4. Now you will see an entry for the Full Import like this. The run profile should
now have two steps.
Full Sync
1. Next, select the FullSync run profile > New Step.
2. Choose a step type of Full Synchronization > Next.
3. Choose the partition that matches the domain you just added > Finish.
4. Now you will see the same two steps for the Full Sync run profile.
Delta Import
1. Next, click DeltaImport in the run profiles > New Step.
2. Choose a step of type Delta Import (Stage Only) > Next.
3. Choose the partition that matches the domain that was just added > Finish.
4. The run profile should now have two steps.
Delta Sync
1. Select the DeltaSync run profile > New Step.
2. Choose a step of type Delta Synchronization > Next.
3. Choose the partition that matches the domain that was just added > Finish.
4. The run profile should now have two steps.
5. Click Apply to save all the run profile changes > OK.
Conclusion
This concludes our chapter on the step-by-step installation of MIM for SharePoint 2016. In this
chapter we covered the installation of MIM, the configuration of MIM, mapping a custom attribute, applying
connector filters and adding additional domains.
Reference
Please check the articles below for more details.
Install Microsoft Identity Manager for User Profiles in SharePoint Server 2016
Deploy a new Microsoft Identity Management (MIM) server for User Profile Sync in SharePoint
2016
http://krossfarm.com