Configuring Active Directory Import for a SharePoint 2013 User Profile Service Application using PowerShell

Writing an IT PRO focussed blog post on any aspect of the User Profile Service in SharePoint is tough as there is a good chance that someone like  will come along and write a better/more informed one. However, whilst configuring a new SharePoint 2013 environment today I found myself wondering how one automates configuration of the “new” Active Directory Import mode – there doesn’t appear to be much out there on Technet. I figured a quick post would be useful in the absence of more detailed information.

Active Directory Import is similar to the Profile import mechanism we had back in SharePoint Server 2007. It’s an awful lot easier and quicker to configure than “SharePoint Profile Synchronisation”, AKA “User Profile Synchronisation Service” (in services on server) AKA ForeFront Identity Manager (FIM) for SharePoint Server 2010. The profile import itself is also very fast in comparison, but the two options do not have feature parity – one significant drawback, for example, is that it isn’t possible to export properties from SharePoint to AD. Anyway, I suggest you read through the other  out there on AD Import as this post isn’t meant to be an introduction to the capability.

Note that I have heard that changing from/to AD Import mode after user profiles have been imported is not a good idea. I haven’t explored the detail of this yet so for now my suggestion is “assume it’s a pain to change later”.

18/04/2013 Update: although you can switch between the two different import modes via Central Admin, it will appear that any existing Sync connections are lost. This is because Sync connections are stored in either the UPA Sync database (if using “FIM” import mode), or in the UPA Profile DB (if using Active Directory Import). AFAIK there is no supported means of migrating Sync connections between the two databases, meaning that the upshot of all this is that you will need to re-create any existing Sync connections when switching import modes. This could be a pain if you have a “complex” Sync connection config – perhaps you have very granular AD OU selections for a large domain – especially given that  (and still is AFAIK).

| Import mode | DB that stores Sync Connections |
| --- | --- |
| SharePoint Profile Synchronisation (FIM) | UPA Sync |
| AD Import | UPA Profile |

To illustrate this, here is the Synchronisation Connections screen after switching import modes. As this is the first time I have used SharePoint Profile Synchronisation in this case, I don’t have any connections:

[Screenshot: EmptySyncConnections.PNG]

…if I switch back to AD Import, I get my Sync connection back (the connection was not deleted – it’s just that Sync connections created in AD Import mode are stored in the Profile DB, and connections created in “FIM” mode are stored in the Sync database):

[Screenshot: PopulatedSyncConnections.PNG]

Here is the Sync connection in the ADImportDCMapping table of the UPA Profile DB (used if you are in AD Import mode):

[Screenshot: ProfileDBSyncConnection.PNG]

…and in case you are wondering, here is a Sync connection in the mms_management_agent table of the UPA Sync DB (used if you are in FIM mode):

[Screenshot: SyncDBSyncConnection.PNG]

One other little nugget I can offer is that your Synchronisation Connections will not appear if the User Profile Synchronisation Service is stopped whilst in SharePoint Profile Synchronisation / FIM mode. This is because stopping the UPS deprovisions the synchronisation service, but does not delete any data in your UPA databases. To get your connections back, you will need to re-provision (start) the User Profile Synchronisation Service if in FIM mode.

24/04/2013 update: having reviewed a SPC 2012 session entitled “Working with User Profiles in SharePoint Server 2013” presented by Sheyi Adenouga and KC Cross Rowley, it appears that you may also need to run the Set-SPProfileServiceApplication cmdlet with the parameter to clear up any discrepancies that may exist after switching import modes (using PowerShell):

# $upa must hold the User Profile Service Application object
$upa = Get-SPServiceApplication -Name "UserProfileServiceAppName"
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true
Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

Note that I haven’t tested this extensively, and the original point still stands – switching import modes is a bit of a pain and you should therefore plan accordingly by ensuring the selected import mode meets your requirements.

Enabling AD Import mode can be achieved via SPCA following UPA creation within “Configure Synchronization Settings”. You can happily change the setting in the UI (although I have had occasional issues with the relevant JavaScript not firing):

 

However, setting the option via PowerShell does not appear to be well documented. I scanned the properties of my UPA and stumbled upon “NoILMUsed”. The top search result for that () stated in essence that the property is for Microsoft internal use only (in the context of SP2010). Not a good start.

However, looking a little further I found this article:

Although the context of this support article in itself is quite interesting – it looks as though removing sync connections whilst in Active Directory Import mode is problematic – there is a gem sat within the “More information” section. According to that article, the following script snippet can be used to enable AD Import mode in SharePoint Server 2013:

$upa = Get-SPServiceApplication -Name "UserProfileServiceAppName"
$upa.NoILMUsed = $true
$upa.Update()

I added this in to my UPA creation script (which is a modified version of that provided in  ) and have since successfully tested the cmdlet a handful of times in SP2013 RTM.
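A guarded version of the snippet above, as an added example that is not part of the original post: it checks the current value of NoILMUsed and asks for confirmation before changing it, because Sync connections created in the other mode stop being listed after a switch. The function name Enable-UpaAdImport is hypothetical, and the service application name is the placeholder used above.

```powershell
# Added example: guarded switch to AD Import mode.
# Enable-UpaAdImport is a hypothetical helper name, not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-UpaAdImport {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    # The name lookup can return nothing, several objects, or a service
    # application of another type, so validate before touching anything.
    $found = @(Get-SPServiceApplication -Name $Name -ErrorAction Stop)
    if ($found.Count -eq 0) {
        throw "No service application named '$Name' was found."
    }
    if ($found.Count -gt 1) {
        throw "More than one service application is named '$Name'."
    }
    $upa = $found[0]
    if ($null -eq $upa.PSObject.Properties['NoILMUsed']) {
        throw "'$Name' does not expose NoILMUsed; it is not a User Profile Service Application."
    }

    # Already in AD Import mode: make no change, so re-running is harmless.
    if ($upa.NoILMUsed) {
        Write-Verbose "'$Name' is already in AD Import mode."
        return $false
    }

    # Connections created in FIM mode live in the Sync DB and will no longer
    # be listed after the switch, hence the high-impact confirmation.
    $action = 'Switch to AD Import mode (existing FIM-mode Sync connections will not be listed)'
    if ($PSCmdlet.ShouldProcess($Name, $action)) {
        $upa.NoILMUsed = $true
        $upa.Update()
        return $true
    }
    return $false
}

# Dry run: reports what would change without updating the service application.
Enable-UpaAdImport -Name 'UserProfileServiceAppName' -WhatIf
```

Drop -WhatIf to apply the change; the function returns $true only when it actually updated the service application.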

Oh, and in case you are wondering, the “User Profile Synchronization Service” does not need to be started when using AD Import (hoorah!):

 

Ben