User Profile info not getting imported from AD

    Question

  • I have 1 (WFE + App) server + 1 DB server. SharePoint 2010 Enterprise patched up to December 2011 CU. I have migrated a portal site and a host of MySites from 2007 to this above environment.

    User MySites come up fine. Profile Import is scheduled on a nightly basis at 1 AM. When I do a full import it shows success.

    However, no new data from AD is getting reflected in the profile. For example, if an employee has a change in phone number in AD, that information is not in his profile.

    To test, I deleted one user's profile entirely. From that time his MySite stopped working. When I did a profile import, his profile does not get recreated. Would appreciate any advice to troubleshoot this further.

    User Profile Service Application, User Profile Service, User Profile Sync Service, FIM service and FIM sync service: all of these are created and look OK when checked.


    Thanks, Soumya | MCITP, SharePoint 2010


    • Edited by Soumya B Thursday, March 22, 2012 8:54 PM Added information.
    Thursday, March 22, 2012 8:53 PM

All replies

  • I saw this at a client's site recently.  Double check the AD permissions assigned to the service account running the import.  If they don't have the right permissions for the objects in AD they may not be able to synch any of the data.  You can check the appropriate permissions here:

    http://technet.microsoft.com/en-us/library/ee721049.aspx


    Paul Stork
    SharePoint Server MVP
    Chief SharePoint Architect: Sharesquared
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by Soumya B Friday, March 23, 2012 9:33 PM
    Thursday, March 22, 2012 11:12 PM
  • Thanks. So I have to double check AD permissions assigned to the service account running the import.

    In user profile two accounts are involved. One is the pool account of the User Profile Service Application. The other is the account used for the Synchronization Connection. Which account are you specifically talking about? I would presume that you are talking about the Synchronization Connection account. This is the account that needs "Replicate Directory Changes" permission, right?

    I knew it has it. I will double check this.  

    So I have to check the following:

    The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

      • It must have Replicate Directory Changes permission on the domain that you will synchronize with. For more information, see the Grant Replicate Directory Changes permission on a domain section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.
      • If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. For more information, see the Add an account to the Pre-Windows 2000 Compatible Access group section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.
      • If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container.


    Thanks, Soumya | MCITP, SharePoint 2010


    • Edited by Soumya B Friday, March 23, 2012 8:46 PM Added more information
    Friday, March 23, 2012 8:42 PM
  • Hi,

    It was a case of wrong OU selected in the Synchronization Connection. The intended users were not a part of the OU selected. Obviously nothing was getting imported. Once the right OU was selected, the users started being migrated from AD to SharePoint.


    Thanks, Soumya | MCITP, SharePoint 2010

    • Marked as answer by Soumya B Friday, March 23, 2012 9:33 PM
    Friday, March 23, 2012 9:33 PM
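
The two checks discussed in this thread (the synchronization account's Replicate Directory Changes permission, and whether the affected user actually sits under an OU selected in the Synchronization Connection) can be scripted. The following is an added example, not part of the original posts; it assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3.0 or later, and the account, user and OU names are placeholders.

```powershell
# Added example: the account, user and OU values below are placeholders (assumptions).
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\sp_sync'                      # placeholder: Synchronization Connection account
$SelectedOUs = @('OU=Staff,DC=contoso-corp,DC=com')   # placeholder: containers selected in the connection
$TestUser    = 'jdoe'                                 # placeholder: a user whose profile is not imported

# Control access right GUIDs defined in the AD schema
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All:
                                                               # broader, not among the permissions listed in the thread

function Test-ReplicationRight {
    param([string]$ContainerDN, [string]$Account, [guid]$Right)
    # Matches only ACEs that name the account directly; a grant made through a group is not detected.
    $aces = (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $Right
    }
    [bool]$aces
}

# Domain root always; cn=configuration matters when the NetBIOS name differs from the FQDN.
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
foreach ($dn in $domainDN, $configDN) {
    [pscustomobject]@{
        Container           = $dn
        ReplicateChanges    = Test-ReplicationRight $dn $SyncAccount $GetChanges
        ReplicateChangesAll = Test-ReplicationRight $dn $SyncAccount $GetChangesAll
    }
}

# OU scope: the user's DN must end with one of the containers selected in the connection.
$userDN  = (Get-ADUser -Identity $TestUser).DistinguishedName
$inScope = [bool]($SelectedOUs | Where-Object {
    $userDN.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase)
})
'{0} is inside a selected OU: {1}' -f $userDN, $inScope
```

A `False` in the last line reproduces the cause found in this thread: the import reports success but the user is outside the selected containers. A `True` under `ReplicateChangesAll` means the account holds more than the permissions listed above and is worth reviewing.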