Wednesday, May 25, 2011

NetBIOS Domain Name and Fully Qualified Domain Name don’t match

If the NetBIOS domain name and it’s fully qualified name do not match there is additional configuration necessary. This does not effect provisioning, but it will prevent sync from working. You must do the steps below in the correct order, otherwise you will encounter problems with the SyncDB. Do them in the correct order!

Additional Permissions (Do this first)

  • The Synchronization Connection account must have Replicating Directory Changes on the cn=Configuration naming context. You can also perform this using the Advanced Features view of ADUC if you wish.
    1. Start… Run… ADSIEdit.msc
    2. Connect to the Configuration Partition
    3. Right click the configuration partition and choose properties
    4. From the Security tab, add the Synchronization Connection account and give it Replicating Directory Changes permissions

Configure the User Profile Service Application to support NetBIOS names

  • You do this after creating the service application, but before provisioning the UPS Service Instance.
  • Run the following Windows PowerShell:
    1$upsa = Get-SPServiceApplication –Id $upsa.NetBIOSDomainNamesEnabled=1
    3# To get the GUID of the User Profile Service Application run Get-SPServiceApplication.

Now we can go ahead and provision UPS and configure our Synchronization Connections.

Note: the December 2010 Cumulative Update breaks this capability and after setting NetBIOSDomainNamesEnabled, you will not be able to create Synchronization Connections. If you need this capability, do not install the December 2010 CU!

This issue is resolved in the February 2011 CU. Once you have applied the CU and then set the property of the UPA, perform an IIS Reset before attempting to create sync connections.

No comments: