How to Configure Profile Synchronization Using Active Directory Import SharePoint 2013

In SharePoint 2010, there was only one method for synchronizing user profiles between your user repository and your SharePoint environment, and it was essentially a lightweight version of Forefront Identity Manager (FIM).

With SharePoint 2013, there are now three methods that allow you to carry out this sync operation:

  • SharePoint Profile Synchronization (lightweight FIM)
  • Active Directory Import
  • External Identity Manager (C#)

You can use the new SharePoint Active Directory Import option (AD Import) as an alternative to using SharePoint Profile Synchronization to import user profile data from the Active Directory Domain Services (AD DS) in your domain. Use of this option to configure profile synchronization (or profile sync) involves the following two steps:

  1. Selecting the option
  2. Creating or editing a connection

This tool works only with Active Directory Domain Services (AD DS) and does not work with other directory services.

In this article I am not covering User Profile Service provisioning.

The following prerequisites are required to configure it:

  • You must be a member of the Farm Administrators group.
  • You must know the credentials of an account that has synchronization (replication) rights on the domain controller.

Configure SharePoint active directory import by using Central Administration

In the first procedure you will select the new SharePoint Active Directory Import (AD Import) option to import user profile data from Active Directory Domain Services. This option improves the performance of the import process and is simpler to use. However, AD Import is not as flexible as the SharePoint Profile Synchronization method. You should consider the following when deciding whether to use this option:

  • Import operations performed using this option are significantly faster than the same operations performed using SharePoint Profile Synchronization.
  • This option does not do bidirectional synchronization. That means that changes made to the SharePoint user profiles will not be synchronized with the domain controller.
  • Referential integrity among users and groups is only maintained within a single Active Directory forest.
  • This option allows only a single, farm-wide property mapping to be configured and used.

In the second procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. To import profiles, you must have at least one synchronization connection to a directory service. You may have connections to multiple AD DS servers. During this phase, you create a synchronization connection to each AD DS server that you want to import profiles from. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Although synchronizing after each connection takes longer, doing this makes it easier to troubleshoot problems that you might encounter.

To select SharePoint Active Directory Import:
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, select the User Profile service application and then click Manage.
  4. In the Synchronization section, click Configure Synchronization Settings.
  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option and then click OK.

To create a connection to a directory service for import:
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, select the User Profile service application.
  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.
  5. On the Synchronizations Connections page, click Create New Connection.
  6. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.
  7. From the Type list, select Active Directory Import.
  8. Fill in the Connection Settings section using the following procedure:

    • In the Domain controller name box, type the Fully Qualified Domain Name of the domain.
    • In the Authentication Provider Type box, select the type of authentication provider.

    • If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

    • In the Account name box, type the synchronization account. The synchronization account must have the Replicate Directory Changes permission or higher on the root OU of the Active Directory.

    • In the Password box, type the password for the synchronization account.

    • In the Confirm Password box, type the password for the synchronization account again.

    • In the Port box, type the connection port.

    • If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

  9. In the Containers section, click Populate Containers and then select the containers from the directory service that you want to synchronize. Every OU you select is synchronized together with all of its child OUs; there is currently no way to select a parent OU while excluding some of its child OUs from synchronization.

  10. Click OK.
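As an added example (not from the original article, and not a SharePoint API), the following PowerShell pre-flight script checks from the SharePoint server the same things the Connection Settings form depends on: that the domain controller answers on the chosen port, that the synchronization account can bind with the given credentials and SSL setting, which principals hold the Replicating Directory Changes right on the domain root, and which top-level OUs Populate Containers will offer. All names (contoso.com, dc01.contoso.com, CONTOSO\svc-spsync) are placeholder assumptions.

```powershell
# Added example, not part of the original article: pre-flight checks for the values
# entered in the Connection Settings section. All names are hypothetical placeholders:
# domain contoso.com, domain controller dc01.contoso.com, account CONTOSO\svc-spsync.
$dcFqdn   = 'dc01.contoso.com'
$domainDn = 'DC=contoso,DC=com'
$port     = 636                         # 636 = LDAPS, i.e. "Use SSL-secured connection"
$syncUser = 'CONTOSO\svc-spsync'
$syncPwd  = Read-Host 'Password for the synchronization account'   # kept in memory only

# 1. Is the domain controller reachable on the chosen port?
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($dcFqdn, $port) }
catch   { throw "Cannot reach $dcFqdn on port ${port}: $_" }
finally { $tcp.Close() }

# 2. Can the synchronization account bind with exactly these settings?
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($port -eq 636) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${dcFqdn}:${port}/${domainDn}", $syncUser, $syncPwd, $auth)
try   { $null = $root.NativeObject }    # touching NativeObject forces the bind
catch { throw "Bind as $syncUser failed: $_" }

# 3. Who holds "Replicating Directory Changes" on the domain root? The sync account should
#    appear here directly or through one of its groups; Domain Admins membership is not needed.
$replGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # well-known GUID of that extended right
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$holders  = $root.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $replGuid -and
                   (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
"Principals allowed to replicate directory changes on ${domainDn}:"
$holders | ForEach-Object { "  $_" }
if ($holders -notcontains $syncUser) {
    Write-Warning "$syncUser is not listed directly; confirm it inherits the right via group membership"
}

# 4. Top-level OUs, i.e. what "Populate Containers" will offer (each selected OU imports all child OUs).
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $root, '(objectClass=organizationalUnit)', [string[]]@('distinguishedName'))
$searcher.SearchScope = 'OneLevel'
"Containers available for synchronization:"
$searcher.FindAll() | ForEach-Object { "  " + $_.Properties['distinguishedname'][0] }
```

Run it under the farm account on a SharePoint server so that the network path and trust chain tested are the ones the import will actually use; a bind failure at step 2 with port 636 usually means the domain controller's certificate is not trusted by that server.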