Step by Step: Active Directory Import for SharePoint 2013

Active Directory Import (also known as Active Directory Direct Import, ADDI) is one of the new features in SharePoint 2013; it allows you to import users from Active Directory into your SharePoint User Profile Service Application.

Background

In SharePoint 2010, there was only one method for syncing user profiles between your user repository and your SharePoint environment, and it was essentially a lightweight version of FIM (Forefront Identity Manager).

With SharePoint 2013, there are now three methods that let you carry out this sync operation.

  • SharePoint Profile Synchronization (lightweight FIM)
  • Active Directory Import
  • External Identity Manager (C#)

While the focus of this article is Active Directory Import, the enhancements made to the lightweight FIM, especially with regard to its performance, merit mentioning.
One of the most important areas of enhancement is how FIM retrieves data from BCS.

In SharePoint 2013, import operations from BCS are done in batches rather than one record at a time.
Furthermore, indexes were added to user properties, which eliminates full table scans, and a number of unused provisioning steps were removed.
The end result? One piece of anecdotal evidence shows that a full import of 300K users took less than 7 hours, where previously it took nearly three weeks.

Active Directory Import

Active Directory Import allows you to import users from Active Directory into your SharePoint 2013 environment. The logical question is then what the pros and cons of ADI are, and when it should be used instead of FIM. The following summarizes these points.

Pros

  • Extremely fast performance
  • Very reliable
  • Connects to forests with multiple domains
  • Windows, FBA and claims are all supported

Cons

  • Cannot import from more than one user repository
  • Cannot import from any other user repository than AD (no LDAP support)
  • Sync is one way from AD into SharePoint (hence the “import” in the name)

I now use ADI for any development/PoC environment. I would also highly recommend it for any production environment that leverages only AD DS and doesn’t require writing back to AD.

Great! How do I enable ADI?

Enabling ADI is essentially a 4-step process. With the exception of the first step, these steps are done against an instance of the User Profile Service Application.

  1. Configure AD DS permissions
  2. Enable Active Directory Import
  3. Configure the connection properties
  4. Map the user properties between AD and UPSA

1. Configure AD DS permissions

In this step, you grant the security permissions (Replicate Directory Changes permission) to the account that SharePoint uses to connect to AD DS during profile synchronization.

Step by step instructions are provided here: https://technet.microsoft.com/en-us/library/hh296982.aspx (Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013)

2. Enable Active Directory Import

In this step, we select ADI as the import mechanism for the User Profile Service Application instance that we are accessing.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.
  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

3. Configure the connection properties

The lightweight FIM component that comes with SharePoint 2013 stores its connection configuration in the Sync DB, whereas ADI stores its connection configuration in the Profile DB. Therefore, the first time you change the sync mechanism from FIM to ADI, you will need to configure the connection properties for ADI.
These properties include the credentials used to connect to AD DS (these should be the same credentials that were granted the permissions in step 1) as well as which items to sync.

When you later switch between FIM and ADI, each mechanism's connection properties are retrieved from its own store.

The complete steps for doing so are provided in “Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013”: https://technet.microsoft.com/en-us/library/jj219646.aspx

4. Map user properties between AD and UPSA

In this step, you determine how the properties of SharePoint user profiles map to the user information that is retrieved from AD DS.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the People section, click Manage User Properties.
  5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.
  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
  7. To add a new mapping, do the following:
    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.
    2. In the Attribute box, type the name of the directory service attribute to which you want to map the property.
    3. Click Add.
  8. Click OK.
  9. Repeat steps 5 through 8 to map additional properties.
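Steps 2 to 4 can also be scripted from the SharePoint 2013 Management Shell instead of clicking through Central Administration. The script below is an added example and is not part of the original article; it assumes a forest contoso.com with NetBIOS name CONTOSO, a sync account svc_upsync that received the Replicate Directory Changes permission in step 1, a single OU to import, an ADI connection whose display name equals the forest name, and a hypothetical set of property mappings.

```powershell
# Added example (not from the original article): steps 2 to 4 scripted in the
# SharePoint 2013 Management Shell. Assumed values, replace for your farm:
#   forest contoso.com, NetBIOS domain CONTOSO, sync account svc_upsync (the
#   account granted Replicate Directory Changes in step 1), one OU to import.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$forest   = "contoso.com"
$domain   = "CONTOSO"
$syncUser = "svc_upsync"
$syncOU   = "OU=Staff,DC=contoso,DC=com"

# Step 2: select Active Directory Import. NoILMUsed = $true tells the UPSA not to
# use the lightweight FIM (ILM) engine, i.e. "Use SharePoint Active Directory Import".
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like "User Profile Service Application*" }
if (-not $upa) { throw "No User Profile Service Application found in this farm." }
$upa.NoILMUsed = $true
$upa.Update()

# Step 3: create the ADI connection. ADI keeps it in the Profile DB, so this is
# required the first time ADI is enabled. The password is prompted, never kept in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $domain\$syncUser"
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $forest -ConnectionDomain $domain `
    -ConnectionUserName $syncUser -ConnectionPassword $password `
    -ConnectionSynchronizationOU $syncOU

# Step 4: map profile properties to AD attributes. With ADI the attribute name is
# typed rather than picked from a list, so a misspelt attribute silently yields empty fields.
$site    = Get-SPSite -Limit 1 | Select-Object -First 1   # any site; only needed for the service context
$context = Get-SPServiceContext -Site $site
$cm      = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)
# Assumption: the ADI connection's DisplayName equals the forest name given above.
$conn = $cm.ConnectionManager | Where-Object { $_.DisplayName -eq $forest }
if (-not $conn) { throw "ADI connection '$forest' not found." }

# Profile property internal name -> AD attribute (hypothetical set; adjust to your needs).
$mappings = @{ "Department" = "department"; "WorkPhone" = "telephoneNumber"; "Office" = "physicalDeliveryOfficeName" }
$userType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User
foreach ($prop in $mappings.Keys) {
    # Adding a mapping that already exists throws, so skip properties that are mapped already.
    $existing = $conn.PropertyMapping | Where-Object { $_.ProfileProperty.Name -eq $prop }
    if ($existing) { Write-Host "Mapping for $prop already exists, skipping"; continue }
    $conn.PropertyMapping.AddNewMapping($userType, $prop, $mappings[$prop])
}
$conn.PropertyMapping |
    Format-Table @{ n = "Property"; e = { $_.ProfileProperty.Name } }, DataSourcePropertyName -AutoSize
```

Run it as a farm administrator on a server hosting the User Profile Service Application; the final table lets you confirm each mapping against the attribute names you intended.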

Tips and Tricks

  1. Each time you change the sync mechanism from FIM to ADI, the User Profile Synchronization service is stopped. You will need to restart it if you switch back to FIM.
  2. If you are mapping attributes using FIM, all of the attributes from AD are listed in the drop-down box. However, if you are mapping attributes using ADI, you need to type the attribute name in the textbox; the drop-down is still displayed but is empty. This is not an indication that something is wrong with your security.
  3. When setting up the connection details, you will be prompted for the FQDN; this does not include the machine name. If you add the machine name to the FQDN, you will be presented with a “No containers to display” error message.