Active Directory Import (ADI) in SharePoint 2013


Many of us are glad to see the return of the AD direct import function for creating and maintaining user profiles in SharePoint 2013. In my own experience, it enabled a quick and clean setup of profile sync that currently has the pleasant side-effect of allowing one to apply the recent March (KB 2767999) and April (KB 2726992) CUs without FIM issues.

Using Spencer Harbar’s great blog, and doing some digging, I discovered that the FIM bits in SP 2013 RTW were once again (remember UPS in 2010) not real current. Indeed, I found that is was not easy or possible maybe to get the User Profile Sync windows service running once again after the application of the March/April CUs.

Hum…where have I seen that before…

Suffice it to say that the 2013 farm installation I was using was hosted on Server 2012 rather than 2008 R2, and I am now quite certain this was part of the root cause of the issue.

Except for the few cases where FIM might actually be required, this is a moot point for anyone who can use ADI to create and update profiles. If you need FIM to work correctly, wait a while and it may happen. However, presenters at TechEd said that FIM was probably going to be deprecated from SharePoint at some point.

Back to ADI itself, a nice addition to the profile sync timer job executing is that ULS entries are created as a trace of what transpired during the operation; these entries are prefixed with this text below.

UserProfileADImportJob:ImportDC

Use can just search the ULS log file for this string and find all the entries – nice! In addition, if you look at the Usage Log settings in Central Administration, you should see that an entry for User Profile ActiveDirectory Import Usage has been checked for inclusion in the Usage logs. Unfortunately, this cannot be reported via Usage Reports (read this post by Joel Oleson), nor is any detail about the ADI sync readily available.

Is it asking too much to have a log of detailed ADI results for debugging the import process?

Advertisements

About generation12

I am a SharePoint/.NET consultant in the twin cities.
This entry was posted in SharePoint 2013, Today's Disenchantment. Bookmark the permalink.

2 Responses to Active Directory Import (ADI) in SharePoint 2013

  1. Lance Rose says:

    You seem fairly well connected to the User Profile Sync process. I appreciate your insights. I am looking to have a Sharepoint group built form AD. Is there a technet site I can more info on best practices. I appreciate your time and efforts in sharing with the community.

    • generation12 says:

      Thanks for the kind words Lance. I would say I have scars due to UPS and know what ‘not to do’ with it certainly. In SP 2013, you can (and I recommend) go back to the simpler AD sync process where UPs get created or destroyed based on what is in AD. As far as best practice goes for 2010/2013, using AD groups and mapping these to a Role at the Site Collection level is what is most often done.

      The drawback in SP is that while the user maintenance is in AD, the breadcrumb trails of a user removed from AD cannot really be removed because each list item (document) is connected in the content DB to that identity, as a domain or an FBA user. This is not an unusual problem in software in general though. Microsoft, or you as a developer, could create a timer process that changes these left behind user footprints to the SharePoint System identity, but most end users (or customers) do not like this and prefer the original user name be left alone.

      So other than some housekeeping issues such as the one I described, maintaining users in AD or FBA directory stores, is generally the best practice. What you want to discourage is the practice of granting permissions for users directly in SharePoint, i.e. under a role directly, by user id. There can be real world reasons for doing this, but generally it creates a huge maintenance issue months and years later and the security management vendors like AvePoint and Axceler sell into this situation by offering UI’s to better manage the ‘all over the place’ security changes that exist.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s