UPS Checklist

Setting up the User Profile Sychronization Service - those steps in brief:

Have you ever set up a SharePoint User Profile Service, going step-by-step through the information on Technet or Spencer Harbar's guide? Then a little later you did it again from memory, but you missed a step, or didn't do it quite right? Then you spent hours troubleshooting? UPS is just a little too complicated to do from memory, even if you have done it a few times before. There is too much to remember when you come round to doing this again a few weeks or months later.

What you need is this "pilot's checklist" for going through setting up UPS. Of course, you need to understand how to do this first - this is not a complete guide and does not contain all the information you need. But it is handy to have beside you when you are going through the steps, and to make sure you don't miss anything, and to make sure the rudder is working before you get airborne.

Assumptions:

Set up User Profile service and start UPS:

1. From Services on Server, start User Profile Service on the server you want to use to host UPS
2. Create the UPS service application (leave MySites location blank for now, but may need to set the machine to run UPS "Profile Synchronization Instance" as default may not be correct)
3. In AD, create a user sp_UPS
4. On UPS host server, temporarily add the farm account (e.g. sp_farm) to the local administrators group (Computer Management->System Tools->Local Users and Groups->Groups->Administrators)
5. On UPS host server, set sp_farm as having the Log on Locally privilege (Start-->Administrative Tools-->Local Security Policy-->Security Settings->Local Policies->User Rights Assignment->Allow Logon Locally)
6. Restart the SharePoint Timer Service either from Administration->Services, or using the PowerShell command restart-service SPTimerV4 (this is required for the changes to sp_farm to take effect). Alternatively you can simply reboot the UPS host server.
7. In Services on Server, start the User Profile Synchronization Service and supply the sp_farm account password (this will take several minutes - move on to next step in the meantime)

Set up MySites (if needed)

1. Create DNS to my.foo.com or whatever
2. Create a new Web Application to host the MySites at my.foo.com
3. Add managed paths: personal (wildcard inclusion), my (explicit inclusion)
4. Create site collection on the my.foo.com web app, with root site of type My Sites Host (may fail on first attempt, and need to re-do)
5. Enable Self-Service Site Creation (Manage web apps: ribbon)
6. From UPS service application management page (not the Properties page!), go to My Site Settings and set my sites hosts to the new web application created above.

Check User Profile Synchronization Service is running

1. Check User Profile Synchronization Service has started
2. Remove the farm account (sp_farm) from the local administrators group (but keep Log on Locally privilege)
3. If you get an "Unexpected Error" when you navigate to your UP administration page you can do an IISRESET to clear it, although if you are patient this will go away.

Setting up profile import from AD

1. On the DC machine, AD Users and Computers, right-click domain, select Delegate Control... Grant sp_UPS the Replicating Directory Changes permission (Next, Add sp_UPS, Next, Create a custom task radio button, Next, Next, Check Replicating Directory Changes, Next, Finish)
2. Go to the UPS service application management page in CA and Configure Synchronization Connections. Create a new connection, type Active Directory, forest name, and use DOMAIN\\sp_UPS as the account name. Click on Populate Containers and be sure to select required OUs (e.g. Users) and NOT the domain as a whole or Select All! Click OK.
3. From UPS service application management page, click on Start Profile Synchronization (this takes ages, go to next step, while monitoring progress in RH column of UPS management page).

"Two-way" synchronization

1. On the DC, grant sp_UPS Create Child Objects and Write permissions on the OU using ADU&C. On the View menu enable Advanced Features. Then right-click on the OU or object (e.g. Users) and select Properties, then the Security tab. Select sp_UPS user (may need to add it) and check read, write and create, delete chid objects permissions (I just check then uncheck full control to allow these permissions). While still in this dialog box click on Advanced button, in the Advanced Security Settings dialog find the sp_UPS entry that is marked as <not inherited>, and Edit it. In the Permission Entry dialog box change the Apply to: listbox to "This object and all descendant objects", and make sure Write all properties and Create all child objects are checked. OK your way out of the dialog boxes.
2. Go to the UPS management page in CA and go to Manage User Properties and select Edit from the ECB menu of the property you want to export to AD. Scroll down to the Property Management Synchronization section. Your options are to import from an attribute in AD or export to one or more AD attributes (you can't do both, i.e. you can't have a two-way sync. of a single field). If you are already importing you first need to delete this mapping by clicking on the Remove button. Than you can use the Add New Mapping section to add a mapping to an attribute with the direction set to Export. Click OK when done.
3. To test, edit a user profile that has been setup for export and start a profile synchronization in the UPS management page. Wait for the synchronizaton process to complete. Verify that attribute in AD is updated.