3. About me …..
I’m a SharePoint MCP and have been a dedicated
evangelist for SharePoint for the past 6 years, with
experience in design/implementation of all things
SharePoint from small farms to global instances.
What I’m not? Is a SharePoint developer. My focus is on
the back end architecture.
Past IT history:
Worked for multiple consulting companies in projects
ranging from
design, implementation, migration, support for
AD, Exchange, SQL, VMWare, SAN’s, mobile, firewalls, w
ireless, network devices, and more...
4. So, why are we here?
To learn a few things you may not know about the beast Microsoft
calls “User Profile Service” when enhancing the Social experience
by adding tools on top of it.
My goal is to have you walk away from this session knowing what
to ask and what things to consider if you plan to use any additional
tools/software on top of the UPSA, including what issues you may
run in to, and ideas for what to troubleshoot.
5. AGENDA
1. Why should you care?
2. What tools might you consider?
3. How would they “plug in to” SharePoint?
4. What areas could become problematic?
5. My sync stopped working, what do I do?
6. Other
6. Why should you care?
Have you configured the UPSA?
If you have, then most likely you know why you should care.
If you haven’t, highly recommend visiting Harbar’s site, it’s well
worth creating a shortcut to -
http://www.harbar.net/articles/sp2010ups.aspx
http://www.harbar.net/articles/sp2010ups2.aspx
Remember: You only have one UPSA, which cannot be made
redundant. If a UPSA server fails, your social community will be
opening a lot of tickets.
7. What tools might be used to
enhance the UPSA?
- NewsGator Social Sites (www.newsgator.com)
- Bamboo’s Community Central
http://store.bamboosolutions.com/sharepoint-community-
central.aspx?gclid=CKuE0uDu6bcCFQE6QgodpCwA2Q
- Blue Rooster’s Sepulveda
(http://www.bluerooster.com/Pages/Sepulveda.aspx)
- What about your company’s SharePoint development strategy?
SharePoint is a platform, not a product! Be willing to make a good
size investment if you don’t like the OOTB social features and UI.
- What type of tool is it: an internal installation or external service?
Which type addresses your requirements?
NO matter which you choose, you must be aware of how it ties in with
your UPSA configuration, and how it may complicate your life.
8. How would the tool plug in to the
UPSA?
Many spokes in the UPSA wheel:
- Databases
- Connectors
- Synchronization
- Timer Jobs
- Activity streams
- Solution installs
- Permissions
- Development
- email
- and the list goes on……..
9. What areas may become
problematic?
• Databases
• AD Connectors
• Profile fields/mappings and properties
• PII
• Notifications
• Web Application Changes
• Timer Jobs
Let’s look at each of these areas…….
10. Database Considerations
How does a 3rd party tool tie in to UPS databases or does it have own
database (s)?
How do they connect or sync with the UPSA databases?
- RecordID: Every sync’d profile has one. Is your 3rd party tool
dependent upon it?
- “Non-imported objects”: profiles not added via the sync.
Command to find them, then use a purge command to remove them
if necessary to resolve sync issues with 3rd party database (s).
http://technet.microsoft.com/en-
us/library/ff681014.aspx#RemoveObsUsers
11. Database Considerations, cont…
-Bdelete = 1: SQL query will tell you how many objects are set to be
deleted.
- MySite cleanup tool creates them, so compare with 3rd party
database.
-Reset the Sync database: why? May have too much garbage in it to
fix the UPSA. Use if you have a badly broken UPS sync, and cannot
rebuild the UPSA.
http://technet.microsoft.com/en-us/library/ff681014.aspx#resetSync
Commands that are part of this:
Get-SPserviceapplication
Get-SPDatabase
12. Example: UPSA Purge from Database
UPSA Purge Process
SQL stats Prior to running the purge:
User Profile db total =48,761 (includes non-imported objects)
User Profile db total: table “user profile_Full”, “bdeleted = 1” = 0
User Profile database: Purge should mark removal of 25,840 rows. Leaving 22,921 in the table.
Steps for Purge:
1. Disable the MySite Cleanup job.
2. Disable User Profile sync Jobs.
3. Backup all User Profile databases (profile, social, sync).
4. Run Purge powershell command (completes fairly quickly, just a few minutes).
Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true | Out-File -filepath “M:PurgeNonImportedObjects.txt”
SQL Stats:
Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full]
where bdeleted =1
(No column name): 25839
Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full]
(No column name): 48761
5. Run MySite Cleanup job to remove the accounts from the UPSA.
Note: analysis showed processing about 1000 profiles/min
SQL results:
Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full]
22922
Select COUNT(*) from [UPS_DB].[dbo].[UserProfile_full] where bdeleted =1
0
6. Enable User Profile sync Job.
7. Run a FULL people search.
13. AD connector
What if you have to rebuild it? What is affected?
Outline your AD Connector rebuild process step by step:
Keeping in mind: order of activity with 3rd Party tool on top of UPSA.
Contact your vendor and discuss before you delete it!!!
If not rebuilt in the right order, you could end up with duplicates or
failed sync.
NetBios Naming: if applying this, you must delete and rebuild the
connector.
Sync failure: domain changes could affect the sync, requiring rebuild.
14. AD connector, cont….
Review SQL: check for any bdelete objects in SQL, your 3rd party
tool may not see them as deleted and cause duplicates to be
created (non-imported objects).
Review UPSA sync status via FIMS prior to any reset of a Sync
database to verify status.
C:Program FilesMicrosoft Office Servers14.0Synchronization
ServiceUIShellmiisclient.exe
NOTE: Always DISABLE the MySite clean up job prior
to any connector rebuild to prevent unwanted emails.
15. UPSA Field mappings/properties
As you develop your Social experience, you may find a requirement to
modify and/or delete various profile fields, the property of a field, and
their order.
- Social UI designers: ask them to document field change
requirements, this will help verify them for future DR.
- Be prepared: time consuming process to modify the field properties.
If you do have custom field properties, how will they be affected by an
AD connector rebuild?
- Found the custom fields retained, but may need to remap some of
them along with some default fields. Your documentation will help
here.
- Field reordering is painfully slow process: highly recommend using
this Codeplex tool for reordering the profile fields, and save yourself
a lot of frustration and time:
http://mossprofileordering.codeplex.com/
17. Notifications
Activity Stream Alerts (instant and daily digest) are critical to a positive
Social experience.
Does the 3rd party tool send alerts?
SharePoint Inbound Email: are you already configured? Are you using
DMS?
-Verify what your 3rd party tool requires and what they need configured.
When in multiple environments (dev/test/qa/prod) and using DMS, a 3rd
party tool may create lists and contacts, and if not modifiable, you cannot
use DMS in other environments.
Alert notification settings: watch your profile alert settings, or you could
inadvertently mass email your company.
Recommend: use Exchange Block Rules to drop any notification emails
while you are testing.
18. Notifications cont….
My Site Suggestions Email Job – review if the business wants this
notification?
Who has notifications enabled within their profile?
(can use a powershell script to find out)
Does the business require all users to have notifications
enabled?
19. Web Application changes
Rename your MySite web app:
- backup all SharePoint Social and vendor databases.
- Perform process in correct order when using 3rd party tool to
sync up the databases .
- Not a small task, and pending how many profiles you have in
the database could take an entire weekend to complete!
NOTE: Pictures Library URL will not be updated – you can use a
script to update them.
http://mysite.domain.com/User%20Photos/Profile%20Pictures/domain_cwalby_MThumb.jpg
- Pre-populate MySites: if you plan for 15K+ users to access, prepare
for it. Run script to prepopulate the MySite site collections to reduce
performance hit. Work with your storage team!
20. Web Application changes
Issue with claims: after the MySite renaming process was
completed, found some web parts would error out with Access denied. Fix was to
swap out the MySite web application account, then change back, to reset claims
permissions.
Be sure to verify all Claims services are started (also important for BI related
configuration using kerberos)
TIP: What if you find you cannot create a site collection using a 3rd party
template?
Try disable/enable of the 3rd party features within the web application.
Solution Files: what gets installed and how can it be
uninstalled?
21. Timer Jobs
Ask if any timer jobs installed and what do they do?
How do they correlate with SharePoint’s native Social
timer jobs?
MySite Cleanup job: useful, but know what it does!
Caveat: if the MySite web app is configured for Claims, it will not send
email to the mgr. If not claims how do you manage the emails sent to
managers?
Check out Joel’s excellent article (includes purging):
http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d%2D183c%2D4fc2%2
D8320%2Dba5369008acb&ID=532
http://technet.microsoft.com/en-us/library/ff681014.aspx
22. Timer Jobs cont…
Code deployments: - Verify timer jobs that are running prior
to a deployment! Some may cause deployment to fail.
- Remember, when you save a change to the web.config file, the
Web application in Internet Information Services (IIS) 7.0
automatically gets recycled.
Use caution: clearing of SharePoint file system cache.
(you may want to stop your 3rd party timer jobs that are scheduled for short time
intervals (1 min – 5 min, while you perform clearing of file system cache).
IIS Reset is your friend: I can’t tell you how many times just
running an IIS Reset on ALL of the SharePoint servers resolved
various custom code related issues.
23. Your UPSA Sync has Stopped or
Filters not working
- Check FIMS: when was the last time it ran?
C:Program FilesMicrosoft Office
Servers14.0Synchronization ServiceUIShellmiisclient.exe
- Are you using SCCM?
check WMI, may have removed the
“MicrosoftIdentityIntegrationServer”
Start>run>wmimgmt.msc
(there is a fix, but check before you run wmi service
stop/start, as it will want to restart the following as well:
SMS Agent Host, VMware Tools Service, IP Helper
Forefront Identity Manager Synchronization Service)
s
24. Your UPSA Sync has Stopped or
Filters not working, cont….
- AD Changes? has the AD Team made any domain changes or
modified the UPS AD connector account? (or removed domains, OU
moves, etc..), depending how you configured your connector.
- ULS Viewer
Use it and filter using category “User Profiles”.
Watch the ULS Viewer after you kick off a sync to locate errors.
Set verbose logging:
Set-sploglevel -tra verboseex
Set-sploglevel -tra medium
"User Profiles" | Set-SPLogLevel -TraceSeverity Verboseex
"User Profiles" | Set-SPLogLevel -TraceSeverity medium
s
25. Other areas….
- Code related gotchas:
If the CAS policy does not correctly reflect claims it will
fail.
Using web analytics: be sure your code takes in to
account the number of user count difference between
non-prod and prod (prod will have more hits).
- What if you have users moving between child
domains?
- Performance issue? Look at implementing blob
caching, but use caution for MySites, users won’t see
their upload for what ever max-age time you specify.
http://technet.microsoft.com/en-us/library/gg576965(v=office.14).aspx#section3
http://technet.microsoft.com/en-us/library/gg576965(v=office.14).aspx#section3
26. Other areas….
- Planning to use any custom site templates? Do you
want to allow them to be used for MySite sub-sites?
Could cause them to show up in a central listing for
communities (disable “Create Subsites” under the Use
Permissions for the web app).
- MS Fix: If you see this ULS log error:
"The site with ID b2c3034f-e80c-4fb1-8327-
fedd17816d2e cannot be synchronized due to an
unprovisioned root web“
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2597150,
27. Take Aways…
- Do your homework to review/document your
environment (especially if you didn’t build it!).
- Get in-depth with the vendor for specifics.
- Test the tool against your non-production environment.
- Do what you can to prep your MySite and UPSA in
advance.
- Verify if you have to rebuild AD connector prior to
implementing a 3rd party tool.
29. THANK YOU for attending this
session!!!
cwalby@pangressive.com
twitter: @cinsps
Member of Silicon Valley SharePoint Users Group
(SVSPUG occurs 3rd Thurs each month at VTA building in Santa Clara)
30.
31. Join us right after the event at the Firehouse Grill!
Socialize and unwind after our day of learning.
1765 E. Bayshore Road
East Palo Alto, CA
Hinweis der Redaktion
The concepts and information within this presentation apply to SP2010, but could also apply to SP2013.
FIMS stands for: Forefront Identity Manager Synchronization Service.FIMS should not be started (or restarted) via Windows services.
Thanks to all of our sponsors, please visit their booths. Without them, the wonderful and FREE SharePoint knowledge sharing events couldn’t happen.