Monthly Archives: April 2014

SharePoint: How to schedule a User Profile Full Synchronization

There is a lot of confusion around SharePoint’s scheduled User Profile Synchronization.  Here is the current truth:  There is no out-of-the-box support for a scheduled full synchronization for SharePoint User Profile Services… only incremental synchronization.  Yes, we know… you can always manually perform a full synchronization from the Central Administration UI.  But where is the fun in that?


Here is how to schedule automatic execution of the User Profile Full Synchronization:

For the purpose of this blog entry, we will assume all scripts are located in a folder at C:\Scripts\.


STEP#1:  Get the name of your User Profile Synchronization Application

  1. Launch the Central Administration UI.
  2. Navigate to Manage Service Applications
  3. Note the name for the User Profile Service
    In our install, the name is “User Profile Service”.  Your install may vary.


STEP#2: Create the PowerShell script
Place the following text into the following file: C:\Scripts\UserProfileSync.PS1

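Add-PSSnapin Microsoft.SharePoint.PowerShell
$UPS = Get-SPServiceApplication | where { $_.DisplayName -eq "[UPSName]" }
# Start the import; passing $true requests a full (not incremental) synchronization
$UPS.StartImport($true)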

Important: Be sure to replace [UPSName] with the name of your User Profile Service from STEP#1.

STEP#3: Schedule the task

  1. Launch Task Scheduler from Administrative Tools
  2. Right click and select Create New Task
  3. Fill out the General tab
    Important: Verify that “Run whether user is logged on or not” and “Run with highest privileges” are both checked
  4. Configure the Triggers as appropriate for your organization
  5. Create an Action to be fired when triggered
    Important:  You must set up the Action to launch PowerShell and point to the script via the parameters field
  6. Configure all other parameters as appropriate for your organization


That’s it!  Simple!

SSL Certificates, SharePoint, and User Profile Synchronization… OH MY!

SharePoint is complex!  Add in User Profiles and FIM Synchronization with SSL, and SharePoint can become an administrator’s worst nightmare.  Our latest “really?” moment occurred recently when MySite (User Profile) details stopped replicating back to Active Directory in one of our installs.

A quick review of recent Events yielded the following nuggets:

Event 6801 FIMSynchronization Service

The extensible extension returned an unsupported error.
The stack trace is:
“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


Event 8311, SharePoint Foundation

An operation failed because the following certificate has validation errors:

Subject Name: CN=*.ARMGASYS.COM, OU=Domain Control Validated
Issuer Name: CN=Go Daddy Secure Certificate Authority – G2, OU=, O=”, Inc.”, L=Scottsdale, S=Arizona, C=US
Thumbprint: ABCDEF123456790

Errors:

 The root of the certificate chain is not a trusted root authority..

Awesome, yet another SharePoint SSL issue (only Microsoft Lync is more painful when it comes to SSL).

The Solution:  Add the SSL certificate chain to the SharePoint trust

Step#1: Download the SSL certificate and related chain

  1. Open IE and navigate to the SharePoint site in question
  2. Click on the padlock and view the certificate for the site
  3. Click the Certification Path tab
  4. For each certificate authority listed in the chain, perform the following:
    1. Select the certificate (e.g. Go Daddy Root Certificate Authority – G2)
    2. Click View Certificate.  A new window for the certificate will be displayed
    3. Click the Details tab
    4. Click Copy to File
    5. This will launch the “Certificate Export Wizard”
    6. Follow the wizard taking all defaults.  Save the .CER file to an accessible location
  5. Copy the .CER files to your SharePoint server or a location where you have access to SharePoint Central Administration.
  6. Launch SharePoint Central Administration and navigate to Security -> Manage Trust
  7. For each .CER file, perform the following:
    1. Click New on the Manage Trust screen (located in upper left corner)
    2. Give the certificate a usable name
      HINT: We like to include the month and year… just in case (e.g. GODADDY LEVEL 1 CERT MAR2014)
    3. Browse for the .CER file
    4. Click OK
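
The Manage Trust steps above can also be scripted from the SharePoint server. This is an added example, not code from the original post: it assumes the exported .CER files were copied to C:\Scripts\Certs and that $expected holds thumbprints you have confirmed against the CA's published values (both are placeholders). It registers only unexpired CA certificates that SharePoint does not already trust.

```powershell
# Added example (not from the original post): scripted version of the Manage Trust steps.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certFolder = 'C:\Scripts\Certs'   # assumption: where the exported .CER files were copied
# Assumption: thumbprints checked against the CA's published values (placeholders below).
$expected = @('<ROOT-CA-THUMBPRINT>', '<INTERMEDIATE-CA-THUMBPRINT>')

# Thumbprints SharePoint already trusts, so reruns do not create duplicates.
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

foreach ($file in Get-ChildItem -Path $certFolder -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # Only CA certificates belong in the trust list, never the site (leaf) certificate.
    $basic = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($basic -and $basic.CertificateAuthority)) {
        Write-Warning "$($file.Name): not a CA certificate, skipped"; continue
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($file.Name): expired $($cert.NotAfter), skipped"; continue
    }
    if ($expected -notcontains $cert.Thumbprint) {
        Write-Warning "$($file.Name): thumbprint $($cert.Thumbprint) not in expected list, skipped"; continue
    }
    if ($trusted -contains $cert.Thumbprint) {
        Write-Host "$($file.Name): already trusted"; continue
    }

    # Name follows the post's hint: include month and year, e.g. "GODADDY LEVEL 1 CERT MAR2014".
    $name = ('{0} {1}' -f $file.BaseName, (Get-Date -Format 'MMMyyyy')).ToUpper()
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    Write-Host "$($file.Name): added as '$name' ($($cert.Subject))"
}
```

Run it from an elevated SharePoint Management Shell; with the placeholder thumbprints left in place every file is skipped, which is the intended behaviour until the real values are filled in.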


Happy encrypting!