This article discusses what needs to be done before configuring the synchronization connections in SharePoint Central Admin and start a synchronization. After setting up a My Site host and creating a User Profile Service Application, there are a few configurations that may be overlooked. Service Account Permissions For the service account for synchronizing user profiles, apart from granting Replicate Directory Changes permission on the domain with which you’ll synchronize, you will need to double check
- If the domain controller is running Windows Server 2003. If yes, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. For more information, see the “Add an account to the Pre-Windows 2000 Compatible Access group” section of Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013.
- If the NetBIOS name of the domain differs from the fully-qualified domain name. If yes, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully-qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container. For more information, see the Grant Replicate Directory Changes permission on the cn=configuration container section of the Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013 procedural reference article.
- If you’ll export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) with which you are synchronizing. For more information, see the “Grant Create Child Objects and Write permission” section of Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013.
Enable NetBIOS name on the UPS if necessary. If the NetBIOS name of any domain with which you are synchronizing differs from its fully-qualified domain name, you must enable NetBIOS domain names on the User Profile service application. If all NetBIOS names are the same as the domain names, you may skip this procedure. To enable NetBIOS domain names, you could run the PowerShell below:
$ServiceApps = Get-SPServiceApplication
$UserProfileServiceApp = “”
foreach ($sa in $ServiceApps)
{if ($sa.DisplayName -eq “<UPSAName>”)
{$UserProfileServiceApp = $sa}
}
$UserProfileServiceApp.NetBIOSDomainNamesEnabled = 1
$UserProfileServiceApp.Update()
Reset IIS if applicable. After starting the User Profile synchronization service, you need to reset IIS if the SharePoint Central Administration website and the User Profile synchronization service are running on the same server. Of course, if they are running on different servers, you may skip this procedure. After the configuration above, you could proceed with configuring connections to directories services (usually AD) and finish the rest of the steps for the user profile sync:
- Define exclusion filters (Optional)
- Map user profile properties (Optional)
- Start profile synchronization
Read more from TechNet: Plan profile synchronization for SharePoint Server 2013 Synchronize user and group profiles in SharePoint Server 2013
Blogging Tom 