The User Profile Synchronization service, which used the famous FIM (Forefront Identity Manager), has been removed in SharePoint 2016. Microsoft suggests that customers use Active Directory Import to import profiles in SharePoint 2016. Active Directory Import has limitations, so Microsoft has provided Microsoft Identity Manager (MIM), which is the next generation of FIM. MIM covers all the limitations of Active Directory Import, including multi-forest import and profile pictures. In this post we will set it up.
1. First, log in to your MSDN subscription and download the tool. If you do not have an MSDN subscription, you can download it from your volume licensing site.
2. Then download the following update: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3092179&kbln=en-us Extract it to find the synchronization service hotfix (14 MB).
3. Next you need to create a service account for MIM. I will create MIMService in my contoso domain.
4. Next you need to download the script from GitHub that Microsoft has written to import the MIM management agents for Active Directory and SharePoint.
Open https://github.com/OfficeDev/PnP-Tools and click Download ZIP in the middle-right section. The folder we are interested in is PnP-Tools/Solutions/
5. Download and install the SharePoint Management Agent (SPMA), which is essential if you need to connect MIM to your SharePoint installation.
http://www.microsoft.com/en-us/download/details.aspx?id=41164
Mount the ISO for MIM. Open the Synchronization Service folder, right-click Setup and choose Run as Administrator. Click Yes on Setup.
You will be asked to save the key.
You need to log off and log in again.
Now install the hotfix update. If you try to run the setup you will see the following error message.
Now open PowerShell as Administrator, browse to the location of the patch and type its name. It will open.
Go to Services and stop the Forefront Identity Manager Synchronization service, then click Retry.
Now start the Forefront service if it is not started automatically.
Now let’s install the MS Identity Manager SharePoint Connector.
Click Install and Finish.
Restart the Forefront Service again.
Let’s run the script for MIM management objects for AD and SharePoint and run a full synchronization.
Copy the UserProfile.MIMSync folder to the C drive. Do not cut it; keep the original version.
Run PowerShell ISE as Administrator by right-clicking the PowerShell icon, then right-clicking PowerShell ISE and choosing Run as Administrator. Click the New File icon. Now copy and paste or type the following PowerShell.
# Allow the downloaded module to run (without -Scope this sets the machine-wide policy)
Set-ExecutionPolicy Unrestricted -Force
Import-Module C:\UserProfile.MIMSync\SharePointSync.psm1 -Force
### Install the SharePoint Sync Configuration
Install-SharePointSyncConfiguration `
    -Path C:\UserProfile.MIMSync `
    -ForestDnsName contoso.local `
    -ForestCredential (Get-Credential contoso\contosoadmin) `
    -OrganizationalUnit 'ou=Users,dc=contoso,dc=local' `
    -SharePointUrl http://sps-app-0:2016 `
    -SharePointCredential (Get-Credential contoso\spadmin) `
    -Verbose
# Change Forest Name (-ForestDnsName)
# Change Forest Credentials (-ForestCredential; same permission applies)
# Change Organizational Unit (-OrganizationalUnit)
# Change SharePoint Url (-SharePointUrl; Central Admin URL)
# Change SharePoint Farm Account (-SharePointCredential)
Verbose Output will appear on the screen
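A narrower alternative to the machine-wide `Set-ExecutionPolicy unrestricted` above, as an added example that is not part of the original post or of the PnP-Tools project: it reviews the downloaded files, unblocks only that folder and relaxes the policy for the current PowerShell session only. It assumes the folder was copied to C:\UserProfile.MIMSync as in the post.

```powershell
# Added example: assumes the PnP-Tools folder was copied to C:\UserProfile.MIMSync.
$syncPath = 'C:\UserProfile.MIMSync'

# Show the effective policy at every scope before changing anything.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Review what was downloaded: list every script file with its SHA-256 hash and
# Authenticode status, so this copy can be compared with the untouched original.
Get-ChildItem -Path $syncPath -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    } | Format-Table -AutoSize -Wrap

# Once the files have been reviewed, remove the "downloaded from the Internet"
# mark from this folder only, so that RemoteSigned will load them.
Get-ChildItem -Path $syncPath -Recurse -File | Unblock-File

# Relax the policy for this PowerShell process only; it reverts when the window closes
# and leaves the LocalMachine setting untouched.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

Import-Module (Join-Path $syncPath 'SharePointSync.psm1') -Force

# Confirm the module exposes the two cmdlets used in this post.
Get-Command -Module SharePointSync -Name Install-SharePointSyncConfiguration, Start-SharePointSync
```

Run it in the same elevated PowerShell ISE session that will run Install-SharePointSyncConfiguration, because a Process-scope policy does not carry over to other windows.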
Now open Synchronization Service to confirm that the management agents were imported successfully. Restart the Forefront service.
Click on Management Agents. To add more containers to the import, select ADMA and choose Properties.
Click on Configure Directory Partitions -> select your domain.com. Do not select Configuration.
Click on Containers. You will be asked to enter the credentials.
Select the desired containers and click OK, then OK again.
I choose all 🙂 to see what happens
Run the following cmdlet to run a full import.
Start-SharePointSync -Verbose
Note
The first time, I got a “Stopped Server” error in the Full Import step of ADMA. For some reason my SharePoint server was unable to ping the AD server, so I went to ADMA properties and, in Directory Partitions, added a preferred domain controller as my domain controller name. Then I ran the script again and bingo.
Once Synchronization service manager was able to connect to DC the preferred domain controller option got unchecked automatically.
You can now see that I have 327 profiles. But I also have the Directory Import jobs running, so let’s disable them.
Click on Configure Synchronization Settings
Select Enable External Identity Manager and Click OK.
Now Notice the change.
Now let’s fix the Containers and run a full sync to remove the unwanted profiles from SharePoint.
You can see that 16 unwanted profiles are now marked for deletion.
We can do a lot more with MIM. Trevor Seward has written a series of articles on how to do User Profile property import, export, full and delta synchronization using Task Scheduler. I suggest you check the series out. There is no need to rewrite what he has already covered in detail.
Microsoft Identity Manager Series by SharePoint MVP Trevor Seward
Part 1: Automating MIM User Profile Synchronization with SharePoint 2016
Part 2: Using MIM to Import Custom Attributes into SharePoint 2016
Part 3: Using MIM to Export Custom Attributes from SharePoint 2016
Part 4: Default MIM to SharePoint 2016 Attribute Mappings
Part 5: Basic MIM Configuration to Support SharePoint 2016
Part 6: Scoping the Active Directory Management Agent in MIM
Here is how the new My Site Looks
The new App Launcher provides access to locations without breaking the User interface.
The new one drive experience in SharePoint on-premises
Next Creating Cloud Search Service Application and crawling content.