SharePoint 2010 User Profile Service uses FIM to sync with AD, and we have experienced not only performance issues but also stability issues caused by Windows security patches. In SharePoint 2013, there are now three methods. Active Directory Import is one of the new features in SharePoint 2013; it allows you to import users from Active Directory into your SharePoint User Profile Service Application, as described in the following picture.
There are many benefits when you use the Active Directory Import feature.
- No dependency on FIM, so it is not affected by Windows security patches
- Extremely fast performance in comparison to the FIM approach
- No need to configure User Profile Synchronization Service
- Gets you up and running quickly and easily, especially to enable key “social” scenarios in SharePoint 2013
- Windows, FBA and claims are all supported
- Other benefits are listed on harbar.net
You can follow the procedure published by Microsoft to configure the SharePoint 2013 Active Directory Import feature for the SharePoint User Profile Service Application.
Before you start to leverage this new feature, you need to understand the limitations listed here.
- Does not process links across forests via the AD contact object
- Mapping multi value to single value or vice versa is not supported
- Mapping to system SharePoint properties is not supported - those that begin with “SPS-”
- Mapping two different AD attributes to the same SharePoint property is not supported
- It does not support importing additional user properties from BDC
- Cannot import from any other user repository than AD (no LDAP support)
At this time, one showstopper for us is that we are not able to import thumbnailPhoto from AD to SharePoint using the Active Directory Import feature. This is similar to the issue reported by others. This is as designed by Microsoft, and you need to find a different way to sync pictures. You could leverage the Exchange picture and sync the pictures to SharePoint as described in a different blog.
As a result, my suggestion is that you should leverage the new SharePoint 2013 Active Directory Import feature if you do not need to import pictures or have a different process to import pictures. Otherwise, you still need to use the SharePoint User Profile Service Application through FIM to sync AD, as in SharePoint 2010. We are switching to SharePoint 2013 Active Directory Import and syncing the pictures from Exchange.
There is an issue that AD import does not clean up deleted users/groups. This has been reported by Microsoft support. The workaround is to run PowerShell commands to purge deleted users and groups.
Another tip: you can verify the synced users in the UPS_Profile database table UserProfile_Full, and the groups in the table MemberGroup.
You may add a filter to exclude computers and system accounts, like:
(&(|(objectclass=user)(objectclass=group))(!(cn=HealthMailbox*))(!(cn=SQLAgent*))(!(objectclass=computer)))
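The filter can be checked offline before it goes into the import connection. The following is an added example, not code from the original post: a small Python evaluator for the and/or/not/equality subset of LDAP filter syntax in its strict RFC 4515 form (each negation wraps one parenthesised filter), run over constructed directory entries; the function names and sample entries are illustrative assumptions.

```python
import re

# Filter from the post in strict RFC 4515 form: every "!" wraps one parenthesised filter.
FILTER = ("(&(|(objectclass=user)(objectclass=group))"
          "(!(cn=HealthMailbox*))(!(cn=SQLAgent*))(!(objectclass=computer)))")

# Constructed sample entries. AD computer objects also carry objectClass=user.
PERSON = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"cn": ["Jane Doe"], "objectclass": PERSON},
    {"cn": ["Finance Team"], "objectclass": ["top", "group"]},
    {"cn": ["HealthMailbox1a2b3c"], "objectclass": PERSON},
    {"cn": ["SQLAgent$SRV01"], "objectclass": PERSON},
    {"cn": ["WEB01"], "objectclass": PERSON + ["computer"]},
]

def parse(s, i=0):
    """Parse one '(...)' filter at s[i]; return (node, index after it)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1:i + 2]
    if op in ("&", "|", "!"):
        kids, i = [], i + 2
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i + 1:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed comparison at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, '*' wildcard)."""
    if node[0] == "=":
        rx = ".*".join(re.escape(part) for part in node[2].split("*"))
        return any(re.fullmatch(rx, v.lower()) for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def imported(filter_text, entries):
    """Return the cn of every entry the filter would let through."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

Calling imported(FILTER, ENTRIES) lists the entries that would be imported; a negation written without its inner parentheses raises ValueError instead of being silently accepted.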
There are some issues with the selection of the AD from the UI. You need to close and reopen the AD selection session to verify whether the selection has persisted.
Hi Harry,
Has Microsoft gotten back to you about the AD import of thumbnailPhoto issue yet?
Ditto, any word on the AD Import and thumbnailPhoto import issue being resolved?