The steps below walk you through setting up an external MIM synchronization service to synchronize your User Profiles from Active Directory to your SharePoint 2016 or 2019 farm.
Pre-requisites
A SharePoint 2016 or 2019 farm with a UPA service application configured. You can install the MIM sync service on its own server or on the SQL server that hosts the User Profile service application's databases, but it's not recommended to put it on a production SharePoint server. Download the following applications below to the server that you choose to use.
Step 1 Install the sync engine on the MIM server in your farm.
A - Log in to the MIM server with a user that has administrator access to the server.
B - Mount the 'Microsoft Identity Manager 2016 with Service Pack 1' ISO file.
C - Navigate to the 'Synchronization Service' folder on the mounted drive.
D - Right click on the setup file and select 'Run as administrator' to install the sync engine.
E - At the Microsoft Identity Manager 2016 Welcome window click 'Next'.
F - Accept the 'End Users License Agreement' and click 'Next'.
H - Specify the SQL server location and instance and click 'Next'.
I - Click 'OK' on the SQL version warning.
J - Enter the SharePoint farm Admin credentials for the MIM Synchronization Service and click 'Next'.
K - Leave the default MIM groups and click 'Next'.
L - If you have the OS's firewall enabled on the server, check the box to 'Enable firewall rules for inbound RPC communications'. Otherwise click 'Next'.
M - Click 'Install' to install the MIM Synchronization Service.
N - Click 'OK' for the sync service account warning.
O - Monitor the progress of the install.
P - Click 'OK' to back up the encryption key.
Q - Give your encryption key file a name and location and click 'Save'.
R - Click 'Finish'.
S - Click 'Yes' to reboot your server to complete the installation.
Step 2 Install the SharePoint connector on the MIM server.
A - Double click on the 'SharepointConnector.msi' file to start the installation and click 'Next'.
B - Accept the license Agreement and click 'Next'.
C - Click the 'Install' button.
D - Click the 'Finish' button.
E - Using Windows Explorer, navigate to the following path 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\UIShell' and run the 'miisclient' application to start the MIM client.
Note - For easy access, pin 'miisclient' to the taskbar by right clicking on the file and selecting 'Pin to Taskbar' before you run it.
F - Verify that the MIM client opens.
Step 3 Configure the setup script that sets up the SharePoint management agents on the MIM server.
A - Create a folder on the C drive of your MIM server called 'C:\SyncSupport' using Windows Explorer.
B - Extract the files inside the 'PnP-Tools-master.zip' file to a different folder. Then navigate to the
C - Select all the files in the 'UserProfile.MIMSync' folder and copy them to the new 'C:\SyncSupport' folder that you created. We want to preserve an original copy of these files just in case we need to start over.
D - Copy the below PowerShell script to your favorite editor and update the Path, Forest name, Sync account, Central Admin URL, Farm account, and Organization Unit variables.
E - Execute the PowerShell script and you will be prompted for the password for the Sync and farm accounts.
First prompt - Sync account
Second prompt - Farm account
F - Next you will be prompted with a security warning; select 'R' to continue.
G - The output of the script should look something like below.
Step 4 Refresh the Management Agents using the MIM client.
A - Go to the MIM client to refresh the Management Agents by clicking on the 'Actions' button on the ribbon and clicking 'Refresh'. You should see the two MAs: ADMA and SPMA.
B - Double click on the 'ADMA' management agent, then select "Connect to Active Directory Forest" on the left pane and enter the password for the Sync account. Click 'OK' to continue.
C - Next, create a sync filter that excludes disabled accounts from Active Directory. Click on 'Select Attributes' from the left side menu. On the right side, search for 'userAccountControl' and check the box next to it.
D - Next Click on 'Configure Connector Filter' from the left side menu and highlight the 'user' data source object in the center top window. Then click the 'New' button at the bottom of the window.
E - Select the appropriate values for each menu using the values below and select the 'Add Condition' button to create the filter. Click 'OK' when finished.
Data source attribute = 'userAccountControl'
Operator = 'Bit on equals'
Value = '0x2'
F - You have now created a filter that excludes disabled users from Active Directory. Click 'OK' to exit the management agent.
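Before running the first sync, it is worth confirming what the 'Bit on equals 0x2' connector filter will actually exclude. The PowerShell below is an added example and is not part of this guide or the PnP tools: it runs the same bit test against Active Directory using the RSAT ActiveDirectory module, so you can compare the count with what the ADMA later reports as filtered. The $SearchBase value is a placeholder you must replace with the OU you configured for the management agent.

```powershell
# Added example (not from the original guide or the PnP tools): preview which
# accounts the ADMA connector filter 'userAccountControl Bit on equals 0x2'
# will exclude. Assumes the RSAT ActiveDirectory module is installed and that
# $SearchBase is the OU scoped for the management agent (placeholder below).
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=com'   # placeholder: replace with your OU

# userAccountControl is a bit field; 0x2 is the ACCOUNTDISABLE flag.
# The matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
# which is the LDAP equivalent of MIM's "Bit on equals" operator.
$AccountDisable = 0x2
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$AccountDisable))"

$disabled = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -Properties userAccountControl

# Repeat the bit test locally for each result so the two methods can be compared
foreach ($u in $disabled) {
    $isDisabled = ($u.userAccountControl -band $AccountDisable) -ne 0
    '{0,-25} userAccountControl=0x{1:X} disabled={2}' -f $u.SamAccountName, $u.userAccountControl, $isDisabled
}

"{0} account(s) in {1} will be excluded by the 'Bit on equals 0x2' filter." -f @($disabled).Count, $SearchBase
```

If the count here differs from the number of filtered disconnectors the ADMA shows after a full import, the management agent's container selection or the filter definition is the first thing to check.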
G - Now we need to refresh the SharePoint MA (SPMA) by double clicking on the SPMA management agent.
H - Once inside the SPMA, click 'OK' to continue to the 'Connectivity' menu.
I - On the 'Connectivity' window, enter the farm account credentials and click 'OK'.
J - Continue to click the 'OK' button to exit the SPMA management agent to complete the refresh of the agent.
K - Access the SharePoint farm's Central Admin site and navigate to the User Profile service application.
Step 5 Running your first full synchronization.
A - Now you can run a full sync by running the following PowerShell script.