Microsoft Identity Manager Series
Part 1: Automating MIM User Profile Synchronization with SharePoint 2016
Part 2: Using MIM to Import Custom Attributes into SharePoint 2016
Part 3: Using MIM to Export Custom Attributes from SharePoint 2016
Part 4: Default MIM to SharePoint 2016 Attribute Mappings
Part 5: Basic MIM Configuration to Support SharePoint 2016
Part 6: Scoping the Active Directory Management Agent in MIM
This blog post will walk you through the basic MIM configuration to support SharePoint 2016. Microsoft Identity Manager is a relatively easy installation. We will need a service account, and if you want to follow how the previous servers ran, you can of course use the Farm Administrator, however you may want to consider using a separate account due to the security we will put in place on that account.
You will need the following software:
Microsoft Identity Manager ISO (MSDN, VLSC, etc.)
SQL Server 2008 R2, 2012, or 2014
SQL Server 2008 R2 or 2012 Native Client from the SQL 2008 R2 or 2012 Feature Pack, if MIM is not running on the SQL Server
UserProfile.MIMSync – you can go up to the “PnP-Tools” level to download a zip containing this solution
Hotfix Rollup 4.3.2064.0 for MIM – KB3092179
Security
Secure the Domain User service account running MIM. In the Local Security Policy, add the user to the following User Rights Assignment:
- Deny users access to log on as a batch job
- Deny users access to log on locally
- Deny users access to log on by using Terminal Services
- Deny users access to this computer from the network
Installation
If MIM is not installed on a SQL Server, install the appropriate SQL Native Client from the Feature Pack, otherwise the MIM installation will fail. Next, validate the user running the MIM installation is a sysadmin on the SQL Server.
You will only be installing the MIM Synchronization Service. This service is provided as part of a Windows Server license. The installation bits are located on the ISO at X:\Synchronization Service\setup.exe. Start the installation.
Specify the SQL Server name and instance.
Next, specify the Domain User which will run the MIM service. This is not the user who will be connecting to Active Directory and/or SharePoint.
Leave the group names as default. These are local groups. Enable RPC firewall rule if Windows Firewall is enabled. Once install has completed, you will be prompted to save the encryption key for MIM. When prompted to log off and back on again, do so.
Install the MIM hotfix. The hotfix download will contain many files, but the only file we need is FIMSyncService_x64_KB3092179.msp. Open an elevated Command Prompt or PowerShell console. Use net stop FIMSynchronizationService or Stop-Service FIMSynchronizationService. This is to prevent the need to restart after the patch is installed. The service will be started automatically when the patch has completed installation.
Install the SharePoint Connector. Run SharepointConnector.msi and agree to the license terms, then complete the installation.
Configuration
The next step is to create the Active Directory and SharePoint Management Agents via the UserProfile.MIMSync project download. Extract the contents to a folder, such as C:\SharePointSync. Using PowerShell, navigate to the folder. You will need two credentials, the synchronization account credential that has Replicate Directory Changes/All on the Domain as well as Configuration container, and the Farm Administrator account (or an account delegated Farm Administrator rights with Full Control on the UPSA as well as write rights on the Web Application where pictures are stored, if importing pictures).
First, import the module.
|
1 |
Import-Module .\SharePointSync.psm1 |
In my example, s-sp2016sync is the user with Replicate Directory Changes, and s-sp2016farm is the Farm Administrator of the SharePoint 2016 farm. Nauplius.local is the DNS name of my forest, and I’m choosing to scope the Active Directory Management Agent (ADMA) to my entire domain using “DC=nauplius,DC=local”, although you can scope it lower (e.g. “OU=Employees,DC=nauplius,DC=local”). My Central Administration URL is “https://centraladmin.nauplius.local” and I’m choosing to export my pictures from Active Directory to SharePoint. Note that you don’t have to type all of that out, you can use the tab key to auto complete that switch.
|
1 2 3 4 |
$syncAccount = Get-Credential -UserName "NAUPLIUS\s-sp2016sync" -Message "Sync Account" $farmAccount = Get-Credential -UserName "NAUPLIUS\s-sp2016farm" -Message "Farm Admin" Install-SharePointSyncConfiguration -Path C:\SharePointSync -ForestDnsName nauplius.local -ForestCredential $syncAccount -OrganizationalUnit "DC=NAUPLIUS,DC=LOCAL" -SharePointUrl https://centralAdmin.nauplius.local -SharePointCredential $farmAccount -PictureFlowDirection "Export only (NEVER from SharePoint)" |
During installation of the Management Agents, there will be a warning that the Active Directory Management Agent password must be set prior to first run. Using the Synchronization Service application (miisclient.exe), click on the Management Agents tab. Double click on the ADMA.
Click on Connect to Active Directory Forest, and enter the password for the synchronization service account. Click OK to close the ADMA.
At this point, you’re ready to start the initial full synchronization. To do so, go back to the PowerShell command prompt. In the command prompt, start the synchronization process.
|
1 |
Start-SharePointSync |
This will begin the full sync process. You will be prompted during the run if you want to continue to export the objects to SharePoint. You can bypass this by using Start-SharePointSync -Confirm:$false
These runs are also visible in the Synchronization Service Manager, under the Operations section. This will provide you with additional information on any warnings or errors.
That completes the installation of MIM and initial run!
Can I install MIM on a Single Development Server running everything (AD, SQL, SP2016) ? Apparently I can’t get past the “Group Names” dialog Box. “The groups entered do not all exist or cannot be found”
I’d suggest starting up a thread on SharePoint StackExchange or TechNet so we can get more information. The MIM Sync Service is supported on a DC. SharePoint isn’t (still), but in dev it is considered OK.
Hi Trevor, as you have MIM and SP2016 running could you please tell me if your “Manager” and “Assistance” attributes flow through into SharePoint 2016 User Profiles? We have tried a number of times to get this working and even have a call open with Microsoft for 2 weeks to no avail.
It appears that SharePoint does not understand what to do with the Reference (DN) type attributes of Manager and Assistant so they end up being empty. The values exist in the MIM Metaverse though. Looks like they somehow need to be converted to [domain]\[username] for SharePoint.
Have you tried the following: https://thesharepointfarm.com/2016/04/sharepoint-server-2016-audiences-mim/
Hi Trevor, is it ok to use MIM with SP2013.
Yes, it is!
Would setup be the same for SP2013 as it is for SP2016?
Also can it be used with SharePoint 2013 Enterprise. The little I have found points to SharePoint Foundation.
The setup is the same. It can’t be use with SharePoint Foundation as Foundation does not have a User Profile Service.
Hi Trevor, So I saw this article about being SharePoint 2013 Foundation https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/prepare-server-sharepoint and wanted to research more if this can be used with SharePoint 2013 Enterprise?
That is for the MIM Portal, a separate product that runs on top of SharePoint. MIM Portal is licensed on a per-user basis.
Trevor, this is fantastic. It worked like a charm. However, after a month we were forced to migrate to a new SQL server and modify the domain name. We did the ContentDB attach method to get the SP up and running. Unfortunately, the SPMA gives an error. “DN is unavailable” “read-error”
The Central admin/WFE server never changed, just the SQL. What could be the issue?
Pingback: MIM 2016 Issues and Essentials | SharePoint Gossip
Hi,
I am getting the following error in the Event Log when running the SPMA.
The management agent controller encountered an unexpected error.
“BAIL: MMS(3152): extensible.cpp(2341): 0x8023134b (A newer version of the extension assembly was detected. Please visit the Connector properties to upgrade.)
BAIL: MMS(3152): export.cpp(382): 0x8023134b (A newer version of the extension assembly was detected. Please visit the Connector properties to upgrade.)
BAIL: MMS(3152): ..\cntrler.cpp(9848): 0x8023134b (A newer version of the extension assembly was detected. Please visit the Connector properties to upgrade.)
BAIL: MMS(3152): ..\cntrler.cpp(8569): 0x8023134b (A newer version of the extension assembly was detected. Please visit the Connector properties to upgrade.)
Forefront Identity Manager 4.4.1302.0”
Please can you assist?
Thanks
Hi Trevor,
Can we use one instance of MIM for multiple farm or multiple user profile service application? Or do we need separate instances like we do for FIM in SharePoint 2010/2013? I have been trying to configure additional management agent for “SharePoint Profile Store” in MIM and I am not getting objects in “Full Synchronization” for it.
Thanks
Getting the same error as Raj and the files I downloaded were from last week.