16 thoughts on “Overcoming Frustrations with the SharePoint 2013 User Profile Service and that Annoying Add-SPProfileSyncConnection Cmdlet”

  1. Hey Sean,

    Nice Article. I tried this script but I am getting a error. This is the stack trace I was able to retrieve.

    at Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportMappingCollection.GetProtectedKey(UserProfileApplication upa)
    at Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportMappingCollection.Add(Guid dcId, String connectionName, String dcName, String rootDn, String filter, Boolean useSSL, Boolean useDisabledFilter, String domainName, String userName, SecureString password, Byte[] syncCookie)
    at Microsoft.Office.Server.UserProfiles.ActiveDirectoryImportConnection.UpdateInternal()
    at Microsoft.Office.Server.UserProfiles.ConnectionManager.AddActiveDirectoryImportConnection(ConnectionType type, Guid dcId, String displayName, String server, Boolean useSSL, Boolean useDisabledFilter, String ldapFilter, String accountDomain, String accountUsername, SecureString accountPassword, List`1 namingContexts, List`1 filterOutUnlicensed, String spsClaimProviderTypeValue, String spsClaimProviderIdValue, String adClaimIDMapAttribute)
    at Microsoft.Office.Server.UserProfiles.ConnectionManager.AddActiveDirectoryImportConnection(ConnectionType type, Guid dcId, String displayName, String server, Boolean useSSL, Boolean useDisabledFilter, String ldapFilter, String accountDomain, String accountUsername, SecureString accountPassword, List`1 namingContexts, String spsClaimProviderTypeValue, String spsClaimProviderIdValue, String adClaimIDMapAttribute)

    Used the exact script you have in this blog. This is the inpiut

    .\Add-ADSyncConnectionOrg.ps1 -userProfileApp $upa `
    -displayName “Domain Users” `
    -forestName “abc.xyz.com” `
    -syncOU “OU=Admins,DC=domain1,DC=domain2,DC=com” `
    -useDisabledFilter `
    -ldapFilter “(&(objectCategory=person)(objectClass=user))” `
    -domain “domain” `
    -username “account” `
    -password “something”

    Verified the $upa that being passed is not null.

    Can you let me know what I am doing wrong? Or any place I should be looking to possibly resolve this issue? Thanks!

    1. Hi Senthil,

      Have you verified that your account has Full Control connection permission to UPA instance as described in the article? Even if you’re a farm administrator and/or management shell admin, you won’t have this permission until you explicitly grant it to your account. Without that permission, the script will throw an exception at the point at which it attempts to create a new object of type Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.

      If you’re getting past that point, verify that you don’t already have an established connection to the domain or that is called “Domain Users” (to use your example). AD Import only supports one connection per domain, I believe, so you may be getting a collision if it already sees a connection there. The script doesn’t include detection logic to avoid the collision, but it wouldn’t be too hard to build that in if you chose to do so.

      I hope that helps!

      – Sean

  2. Hello,
    Thanks for sharing us this useful article and pretty well explained :D.
    First I check that the account which launch the script have full permissions on the User profile.
    I have such an issue when trying to use it.
    When I tried to use it I got this error :

    ProvisionDirectSyncConnection : Exception calling Invoke with 2 argument (s): Object reference is not set to an instance of an object.
    At C:\CreateADConnection\Add-SPProfileDirectSyncConnection.ps1:119 : 1
    + ProvisionDirectSyncConnection $userProfileApp $displayName $forestName $syncOU $ …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,ProvisionDirectSyncConnection

    I managed to get the full StackTrace :

    $ex.Exception.InnerException.StackTrace
    à Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportMappingCollection.GetProtectedKey(UserProfileApplication upa)
    à Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportMappingCollection.Add(Guid dcId, String connectionName, String dcName, String rootDn, St
    ring filter, Boolean useSSL, Boolean useDisabledFilter, String domainName, String userName, SecureString password, Byte[] syncCookie)
    à Microsoft.Office.Server.UserProfiles.ActiveDirectoryImportConnection.UpdateInternal()
    à Microsoft.Office.Server.UserProfiles.ConnectionManager.AddActiveDirectoryImportConnection(ConnectionType type, Guid dcId, String displayName, String serv
    er, Boolean useSSL, Boolean useDisabledFilter, String ldapFilter, String accountDomain, String accountUsername, SecureString accountPassword, List`1 namingCon
    texts, List`1 filterOutUnlicensed, String spsClaimProviderTypeValue, String spsClaimProviderIdValue, String adClaimIDMapAttribute)
    à Microsoft.Office.Server.UserProfiles.ConnectionManager.AddActiveDirectoryImportConnection(ConnectionType type, Guid dcId, String displayName, String serv
    er, Boolean useSSL, Boolean useDisabledFilter, String ldapFilter, String accountDomain, String accountUsername, SecureString accountPassword, List`1 namingCon
    texts, String spsClaimProviderTypeValue, String spsClaimProviderIdValue, String adClaimIDMapAttribute)

    Do you have an idea to solve that issue ?

    Thanks a lot :)

      1. Same for me, but I am running the script in SP2010/Powershell 2 environment. I amended the script to make it working with SP2010 (the signature of AddActiveDirectoryImportConnection is different) but then I can’t go past this error. Any advice?

      2. Andy: this is the latest version of the script; I haven’t touched it since it was released a year and a half ago. If there’s a bug in it, I haven’t seen it surface in my usage. I’m sorry.

      3. Micky: If you’re attempting to use this script in SharePoint 2010, then I can pretty much guarantee that you’re going to have more than a few issues. Active Directory Import mode doesn’t exist in SharePoint 2010; you’re *required* to provision synchronization connections through FIM, so this script isn’t going to be of much use to you. Sorry.

      4. Sean, thanks for your reply. Actually I am using FIM in the background, but the Add-SPProfileSyncConnection cmdlet exists in SP2010, and it uses the same methods. It doesn’t have the LDAP filter and the disabled filter but it should be able to configure a connection anyway which is my goal. I would like to be able to replicate my profile sync connection in all the environments I have, without using that terrible UI

      5. I follow what you’re saying, Micky. Although there’s a single cmdlet to provision the sync connection, the underlying implementation is very different for FIM vs. Active Directory Import mode; they’re very different code paths if you use something like Reflector to look under-the-hood. I suspect you’ll need to do some deeper diving to see what needs to change from a method calling and supplied parameters perspective. I’m sorry that I don’t have any guidance to provide in this regard, but I wish you the best of luck!

    1. Hey Ben! As best as I’ve been able to tell, the “unsupported” qualifier doesn’t exist for the *-SPProfileSyncConnection cmdlets any longer. If you check TechNet (http://technet.microsoft.com/en-us/library/jj219677.aspx), for example, you won’t see any warning called out. While that’s not the same as coming out and saying “fully supported,” I take the lack of a warning to mean that they’re probably okay to use.

      Now, whether or not you’d want to use the cmdlets is another case entirely. Given some of the limitations and internal hacks I’ve seen and described (based on reflecting into the cmdlets and their supporting methods), it’s best to understand what you’re getting into and assuming before use – especially with the Add-SPProfileSyncConnection. In the scenario I described in this post, there were some clear gaps between what I needed to do and how the cmdlet operated. If those gaps didn’t exist, would I have chosen to use the cmdlets? Probably. I’m not a fan of re-inventing the wheel, so I like to use out-of-the-box (OOTB) where possible. When OOTB doesn’t cut it, though, I end up working around the limitations – and writing blog posts like this one, of course :-)

  3. Hi,

    The connection type is for ActiveDirectoryImport.

    Can we set up filters when the connection type is ActiveDirectory.

    I have the farm configured to Full sharepoint config connections.

    Thanks,

    Ankit

    1. In all honesty, Ankit, I don’t know. I get the sense that some folks have read this post and are trying to use this script to either (a) provision a connection on SharePoint 2010, or (b) provision an Active Directory (not an Active Directory Import, or “AD Direct”) connection that goes through FIM. That’s not what this script was built to do, and I can all but guarantee that there will be issues with the script as-is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s