Configure Profile Synchronization by Using SharePoint Active Directory Import in SharePoint Server

This document provides instructions for configuring profile synchronization in SharePoint Server using SharePoint Active Directory Import (AD import). It describes setting up AD import to synchronize user profile properties from Active Directory Domain Services. The steps include configuring SharePoint to use AD import, creating a synchronization connection to the AD DS server, and mapping user profile properties to AD DS attributes. It also notes limitations of using AD import compared to Microsoft Identity Manager.

Uploaded by Mark Brown

02/28/2018

APPLIES TO:  2013  2016  2019  SharePoint in Microsoft 365

You can use the SharePoint Active Directory import option (AD import) as an alternative to
using Microsoft Identity Manager (MIM) to import user profile data from Active Directory
Domain Services (AD DS) in your domain.

Import operations that use AD import are significantly faster than the same operations that use
MIM. However, AD import only works with Active Directory Domain Services (AD DS) and
does not work with other directory services. Additionally, if you choose to use AD Import, MIM
or other external identity managers are not available for connections to other data sources such as
business applications.

You must be a member of the Farm Administrators group to perform the procedures in this
article. You also need domain credentials with synchronization permissions in order to configure
the connection.

 Note

MIM is an external provider only available in SharePoint Server 2016 and SharePoint Server
2019.

Situations unsupported by AD import


Consider the following situations and note what the AD import option does not support when
you determine whether to use this option:

• The AD import option does not perform bidirectional synchronization. That means
  changes made to SharePoint user profiles will not be synchronized back to the domain
  controller.
• Referential integrity among users and groups is only maintained within a single Active
  Directory forest.
• The AD import option lets you configure and use only a single, farm-wide property
  mapping.
• The AD import option does not automatically synchronize photos from Active Directory
  to SharePoint Server 2016.
• The AD import option does not support generic (non-AD) LDAP sources.
• The AD import option does not support Source Schema Discovery.
• The AD import option does not support multi-forest scenarios such as:
  ◦ If you have a trust between two forests, the trusted forest objects will not be
    imported.
  ◦ AD import does support importing users from multiple domains provided you
    create one synchronization connection per domain. As an alternative, consider using
    Microsoft Identity Manager.
• The AD import option does not support Contact objects (also known as cross-object
  pointers).
• The AD import option does not support custom object classes besides User and Group.
• The AD import option does not provide a filter user interface for creating complex
  Boolean expressions.
• The AD import option does not provide object filtering based on object property values
  (you must use simple LDAP filters).
• The AD import option does not provide Logon and Resource Forest support. That is,
  custom joins of data from multiple sources.
• The AD import option does not support Business Connectivity Services Import.
• The AD import option does not support property mappings for complex types like
  pictures and special AD types.
• The AD import option does not support exporting data from SharePoint to Directory
  Sources.
• The AD import option does not support Upgrading/Translating FIM based connections or
  synchronizing configuration to AD import (or in reverse order).
• The AD import option does not ensure single-master of each object property (currently,
  the last writer wins).
• The AD import option does not perform per-tenant property mapping.

Set up SharePoint Active Directory Import


You perform three procedures in Central Administration to configure AD import.

In the first procedure, you configure SharePoint Server to use AD Import instead of an external
identity manager such as MIM.

In the second procedure, you create a synchronization connection to AD DS. The connection
identifies the items to synchronize and contains the credentials that are used to interact with AD
DS.

In the third procedure, you determine how the properties of user profiles in SharePoint Server
map to the user information that is retrieved from AD DS.

To configure SharePoint Server to use AD Import

1. On the SharePoint Central Administration website, in the Application
Management section, click Manage service applications.
2. On the Manage Service Applications page, click the link of the User Profile service
application.
3. On the Manage Profile Service page, in the Synchronization section, click Configure
Synchronization Settings.
4. On the Configure Synchronization Settings page, in the Synchronization
Options section, select the Use SharePoint Active Directory Import option, and then
click OK.

To import profiles, you must have at least one synchronization connection to AD DS. You may
have connections to multiple AD DS servers. Using the following procedure, create a
synchronization connection to each AD DS server from which you want to import profiles. You
can synchronize after you create each connection, or you can synchronize one time, after you
have created all of the connections. Although synchronizing after each connection takes longer,
doing this makes it easier to troubleshoot any problems that you might encounter.

To create a connection to a directory service for import

1. On the SharePoint Central Administration website, in the Application
Management section, click Manage service applications.
2. On the Manage Service Applications page, click the link of the User Profile service
application.
3. On the Manage Profile Service page, in the Synchronization section, click Configure
Synchronization Connections.
4. On the Synchronization Connections page, click Create New Connection.
5. On the Add new synchronization connection page, type the synchronization connection
name in the Connection Name box.
6. From the Type list, select Active Directory Import.
7. Fill in the Connection Settings section by completing the following steps:
   a. In the Fully Qualified Domain Name box, type the fully-qualified domain name of the
   domain.
   b. In the Authentication Provider Type box, select the type of authentication provider.
   c. If you select Forms Authentication or Trusted Claims Provider Authentication,
   select an authentication provider from the Authentication Provider Instance box.

   The Authentication Provider Instance box lists only the authentication providers that are
   currently used by a web application.

   d. In the Account name box, type the name of the account you want the AD import tool to
   use to perform the synchronization. Use the form <DOMAIN>\<UserName>. The
   synchronization account must have Replicate Directory permissions at the root of the
   forest.
   e. In the Password and Confirm password boxes, type the password for the account.
   f. In the Port box, type the connection port you want the AD import tool to use to connect
   to AD DS when it performs the synchronization.
   g. If a Secure Sockets Layer (SSL) connection is required to connect to the directory
   service, select Use SSL-secured connection.

   Important

   If you use an SSL connection, you must export the certificate of the domain controller
   from the AD DS server and import the certificate into the synchronization server if the SSL
   certificate is not trusted by the SharePoint server(s).

   h. If you want to filter out users that are disabled in AD DS, select the Filter out disabled
   users checkbox.
   i. If you want to filter the objects that you import from the directory service, in the Filter in
   LDAP syntax for Active Directory Import box, type a standard LDAP query expression
   to define the filter.
8. In the Containers section, click Populate Containers, and then select the containers
from the directory service that you want to synchronize. All organizational units (OUs) that
you select will be synchronized with their child OUs. There is currently no utility that
allows you to select a parent OU while excluding any of its child OUs from
synchronization.

Note

Filtering of objects only occurs during the initial import of that object. Changes to the filter post-
import will not impact objects that have already been imported.

9. Click OK.

The newly created connection is listed on the Synchronization Connections page.

Tip

On the Synchronization Connections page, you can click the name of a synchronization
connection, and then click Edit or Delete to edit or delete the connection.

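
Because the filter entered in the Filter in LDAP syntax for Active Directory Import box is applied only when an object is first imported, it pays to check what a filter selects before the first synchronization. The following is an added example in Python, not part of the original article and not SharePoint code: it parses a simple LDAP filter and evaluates it over constructed directory entries. The account names, the `svc-` naming convention and the simplified `objectCategory` values are assumptions; bit 2 of `userAccountControl` is the standard AD flag for a disabled account.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: every bit of the value is set

def parse(f, i=0):  # parse one component at f[i]; return (node, index just past it)
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                    # raises ValueError if unterminated
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"expected attr=value at offset {i}")
    name, _, rule = attr.partition(":")      # "attr:OID:" leaves rule == "OID:"
    return ("=", name.lower(), rule.rstrip(":"), value), end + 1

def matches(node, entry):  # entry is a dict: lowercase attribute name -> list of str
    if node[0] in ("&", "|"):
        results = (matches(kid, entry) for kid in node[1])
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, name, rule, value = node
    if rule == BIT_AND:
        return any((int(v) & int(value)) == int(value) for v in entry.get(name, []))
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    pattern = ".*".join(re.escape(part) for part in value.lower().split("*"))
    return any(re.fullmatch(pattern, v.lower()) for v in entry.get(name, []))

def preview(filter_text, entries):
    """Return the sAMAccountName of each entry the filter would select."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError(f"unexpected text at offset {end}")
    return [e["samaccountname"][0] for e in entries if matches(node, e)]

# Constructed sample rows (name, objectCategory, userAccountControl); svc-* rule is assumed.
ROWS = [("alice", "person", 512), ("bob", "person", 514), ("svc-backup", "person", 66048),
        ("WS01$", "computer", 4096), ("carol", "person", 66048)]
SAMPLE = [{"samaccountname": [n], "objectclass": ["user"], "objectcategory": [c],
           "useraccountcontrol": [str(u)]} for n, c, u in ROWS]
IMPORT_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=svc-*)))")
```

`preview(IMPORT_FILTER, SAMPLE)` keeps only the enabled person accounts, while a bare `(objectClass=user)` also selects the disabled user, the service account and the computer account, since computer objects carry the `user` class as well.
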
To map user profile properties

1. On the SharePoint Central Administration website, in the Application
Management section, click Manage service applications.
2. On the Manage Service Applications page, click the link for the User Profile service
application.
3. On the Manage Profile Service page, in the People section, click Manage User
Properties.
4. On the Manage User Properties page, click the name of the property that you want to
map to a directory service attribute, and then click Edit.
5. To remove an existing mapping, in the Property Mapping for Synchronization section,
select the mapping that you want to remove, and then click Remove.
6. To add a new mapping, do the following:
   a. In the Add New Mapping section, in the Source Data Connection list, select the data
   connection that represents the directory service to which you want to map the user profile
   property.
   b. In the Attribute box, type the name of the directory service attribute to which you want
   to map the property.
   c. Click Add.

Note

You cannot add multiple mappings or edit a mapping. To change mapping settings for a
property, you must first remove the existing mapping, and then create a new mapping.

7. Click OK.
8. Repeat steps 4 through 7 to map additional properties.

To start profile synchronization

1. On the SharePoint Central Administration website, in the Application
Management section, click Manage service applications.
2. On the Manage Service Applications page, click the link for the User Profile service
application.
3. On the Manage Profile Service page, in the Synchronization section, click Start
Profile Synchronization.
4. On the Start Profile Synchronization page, select Start Full Synchronization if this is
the first time that you are synchronizing or if you have added or modified any
synchronization connections since the last time that you synchronized. Select Start
Incremental Synchronization to synchronize only information that has changed since the
last time that you synchronized.
5. Click OK.

The Manage Profile Service page is displayed, showing the profile synchronization status
in the right pane.

See also
Concepts

Manage user profile synchronization in SharePoint Server

Plan profile synchronization for SharePoint Server 2013

Synchronize user and group profiles in SharePoint Server 2013

Schedule profile synchronization in SharePoint Server

Other Resources

Update-SPProfilePhotoStore
