Plan profile synchronization for SharePoint Server 2013

Summary: Learn how to implement profile synchronization in SharePoint Server 2013.

Profile synchronization (also known as "profile sync") allows you to create user profiles by importing information from other systems that are used in your organization. Before you read this article, you should understand the concepts introduced in the article Overview of profile synchronization in SharePoint Server 2013. Profile synchronization is also used in server-to-server authentication, which enables servers to access and request resources from one another on behalf of users. For more information, see Server-to-server authentication and user profiles in SharePoint Server.

This article describes:

  • How to get the information that you must have to configure profile synchronization.

  • Who you must work with to collect the necessary information.

  • The external content types that will have to be created, if any.

This article does not describe how to implement your plan. That information is covered in the article Synchronize user and group profiles in SharePoint Server 2013.

Before you begin

Before you work through the planning tasks in this article, you should already:

  • Know which users you want to have profiles in SharePoint Server 2013.

  • Know what properties a user profile will have, and fill out the User Profile Properties Planning worksheet as explained in the article Plan user profiles in SharePoint Server.

  • Understand general concepts about directory services.

About planning for profile synchronization

As the first step towards planning for profile synchronization, you'll identify synchronization connections, and collect information that you will need when you create the connection. If you will need any external content types, you'll document the requirements for those external content types, provide the requirements to a developer, and receive the details that you'll use to specify a synchronization connection to the business system.

Next, you'll determine how to map user profile properties to information in the external systems so that they can be synchronized.

Finally, you'll answer more straightforward questions such as whether you'll synchronize groups, which server you'll use to run the synchronization service, and how often you'll synchronize profile information.

Plan synchronization connections

Each property in a user's profile can come from an external system. There are two types of external systems: directory services and business systems. Throughout this article, the phrase business system is used to mean an external system that is not a directory service. SAP, Siebel, SQL Server, and custom applications are all examples of business systems.

Note

For a list of supported directory services, see Profile synchronization overview.

In SharePoint Server 2013, a synchronization connection is a way to obtain user profile information from an external system. To import profiles from one of the supported directory services, you create a synchronization connection to the directory service. To import additional profile properties from a business system, you create an external content type to bring the data from the business system into SharePoint Server 2013, and then create a synchronization connection to the external content type. The following sections explain how to collect the information that you will need about each synchronization connection.

Connections to directory services

Each user who you want to have a profile in SharePoint Server 2013 must have an identity in a directory service. (If users are not represented in a directory service, you can't synchronize user profiles.) Identify which directory services contain information about these users. Unless you can access the directory service yourself, you should also identify an administrator of the directory service. You will need this person's help to collect some information that will be needed to create synchronization connections.

The Connection planning worksheet contains templates for the information that you need to collect for each type of connection. Each template is in a separate tab that is labeled with the name of the directory service provider to which it applies. Create a tab for each directory service that you identified. Copy the template for the type of directory service into the new tab. Then complete the information on each new tab according to the following table.

| Row name in worksheet | Applies to connection type | Instructions |
|---|---|---|
| Synchronization connection name | All | Choose a name that will help you remember which directory service this is a connection to. |
| Connection type | All | The type of directory service that this is a connection to. This information is already filled in on each tab. |
| Forest | AD DS | The name of the directory service forest. |
| Domain controller | AD DS | The name of the preferred domain controller. You only have to identify the domain controller if there are multiple domain controllers in the forest and you want to synchronize with a specific domain controller. |
| Authentication provider type | All | The type of authentication SharePoint Server 2013 should use to connect to the directory service. This is one of the following: Windows authentication, Forms-based authentication, or Claims-based authentication. The systems architect should be able to provide this information. |
| Authentication provider | All | If forms-based authentication or claims-based authentication will be used, fill in the name of the trusted provider. The systems architect should be able to provide this information. An authentication provider is not needed for Windows authentication. |
| Synchronization account | All | The account, including the domain, that will be used to connect to the directory service. It is likely that the directory service administrator will create an account to be used for synchronization. Note: The permissions that the synchronization account must have are described in the Plan account permissions section of this topic. |
| Synchronization account password | All | The password for the synchronization account. Note: You must know the password for the synchronization account. We recommend that you do not record the password in the worksheet. |
| Connection port | All | The port that will be used to connect to the directory service. |
| Use SSL? | AD DS | Whether to use an SSL-secured connection to connect to the directory service. SSL is only supported for connections to AD DS. |
| Directory service server | Tivoli, Sun, eDirectory | The name of the directory service server. |
| Username attribute | Tivoli, Sun, eDirectory | The name of the attribute in the directory service that serves as the unique identifier for each profile. In most cases, the default user name attribute of "uid" is correct. |
| Containers | All | The names of the directory service containers, also known as organizational units (OU), that contain the profiles to synchronize. |
| Filter for users | All | See the detailed instructions in the section About exclusion filters. |
| Filter for groups | All | See the section Synchronizing groups. |

About exclusion filters

SharePoint Server 2013 will synchronize all of the profiles from the containers that you identify unless you choose to exclude profiles by using a filter. For example, you might create a filter to exclude users whose accounts are disabled.

A filter consists of a set of clauses and the connector to use to join the clauses. Each clause has three parts:

  • Attribute: The directory service attribute to compare.

  • Value: The value to compare the attribute to.

  • Operator: The type of comparison.

There are two ways to join the clauses of an exclusion filter:

  • All apply (AND): An account matches the filter if all of the clauses apply.

  • Any apply (OR): An account matches the filter if any clause applies.

You can't mix ANDs and ORs in a filter.

For example, assume that temporary employees in your organization are given Active Directory accounts that begin with "T-". You want to synchronize profiles for all permanent (non-temporary) users whose accounts are not disabled. You could create a filter that uses the clauses in the following table.

Note

After any changes are made to a filter, a full synchronization is required.

| Attribute | Operator | Value |
|---|---|---|
| sAMAccountName | starts with | T- |
| userAccountControl | bit on equals | 2 |

The filter would join the clauses by using Any apply (OR).

Note

In AD DS, userAccountControl is a bitmask that represents several useful aspects about the status of the user account. For a list of some of the more frequently-used filters that you can create by using the userAccountControl attribute, see How to use the UserAccountControl flags to manipulate user account properties.
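
The exclusion filter from the table above, modelled as an added example (not Microsoft's code and not how SharePoint stores filters): it evaluates the two clauses over constructed accounts and renders an equivalent LDAP filter that a directory administrator could use to preview which accounts match. The class and function names are hypothetical, and the semantics of "bit on equals" (every bit of the value is set) and a case-insensitive "starts with" are assumptions.

```python
"""Exclusion-filter model for profile sync planning (added example, constructed data)."""
from dataclasses import dataclass

# OID of the AD DS bitwise-AND LDAP matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_OID = "1.2.840.113556.1.4.803"
# RFC 4515 escaping for literal values placed inside an LDAP filter.
_LDAP_ESCAPES = str.maketrans(
    {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
)


@dataclass(frozen=True)
class Clause:
    attribute: str
    operator: str  # "starts with" or "bit on equals", as in the page's table
    value: object

    def matches(self, account: dict) -> bool:
        actual = account.get(self.attribute)
        if actual is None:
            return False  # a missing attribute never satisfies a clause
        if self.operator == "starts with":
            # Assumption: compared case-insensitively, like sAMAccountName in AD DS.
            return str(actual).lower().startswith(str(self.value).lower())
        if self.operator == "bit on equals":
            # Assumption: true when every bit of the value is set in the attribute.
            mask = int(self.value)
            return (int(actual) & mask) == mask
        raise ValueError(f"unsupported operator: {self.operator!r}")

    def to_ldap(self) -> str:
        if self.operator == "starts with":
            return f"({self.attribute}={str(self.value).translate(_LDAP_ESCAPES)}*)"
        if self.operator == "bit on equals":
            return f"({self.attribute}:{BIT_AND_OID}:={int(self.value)})"
        raise ValueError(f"unsupported operator: {self.operator!r}")


@dataclass(frozen=True)
class ExclusionFilter:
    clauses: tuple
    join: str  # "AND" (All apply) or "OR" (Any apply); one join per filter

    def __post_init__(self):
        if self.join not in ("AND", "OR"):
            raise ValueError("join must be 'AND' or 'OR'")
        if not self.clauses:
            raise ValueError("a filter needs at least one clause")

    def excludes(self, account: dict) -> bool:
        hits = [c.matches(account) for c in self.clauses]
        return all(hits) if self.join == "AND" else any(hits)

    def to_ldap(self) -> str:
        op = "&" if self.join == "AND" else "|"
        return f"({op}{''.join(c.to_ldap() for c in self.clauses)})"


def profiles_to_sync(accounts, flt):
    """Return the sAMAccountName of every account the filter does not exclude."""
    return [a["sAMAccountName"] for a in accounts if not flt.excludes(a)]


# The page's example: exclude temporary ("T-") accounts and disabled accounts.
PAGE_CLAUSES = (
    Clause("sAMAccountName", "starts with", "T-"),
    Clause("userAccountControl", "bit on equals", 2),
)
PAGE_FILTER = ExclusionFilter(PAGE_CLAUSES, "OR")

# Constructed sample accounts (not from the page).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512},      # enabled
    {"sAMAccountName": "T-asmith", "userAccountControl": 512},  # temporary
    {"sAMAccountName": "bwong", "userAccountControl": 514},     # disabled
    {"sAMAccountName": "T-old", "userAccountControl": 66050},   # temporary, disabled
    {"sAMAccountName": "svc-report", "userAccountControl": 66048},  # enabled
    {"sAMAccountName": "tina", "userAccountControl": 512},      # "t", not "T-"
]

if __name__ == "__main__":
    print("LDAP preview filter:", PAGE_FILTER.to_ldap())
    print("OR join syncs: ", profiles_to_sync(SAMPLE_ACCOUNTS, PAGE_FILTER))
    wrong_join = ExclusionFilter(PAGE_CLAUSES, "AND")
    print("AND join syncs:", profiles_to_sync(SAMPLE_ACCOUNTS, wrong_join))
```

Joining the same clauses with All apply (AND) excludes only accounts that are both temporary and disabled, so enabled temporary accounts and disabled permanent accounts would still receive profiles.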

You can't create a filter that is based on membership in a directory service group, such as a distribution list. For alternatives to importing users based on group membership, see Inability to import users based on group membership.

Connections to business systems

To import properties from a business system, you will need an external content type that brings the property value from the external system into SharePoint Server 2013. This article does not cover how to create an external content type. That task is usually done by a developer. This article describes the data that you must collect and give to the developer, and tells you what to do with the information that you receive. For developer information, see External content types in SharePoint 2013.

You can use the External content type planning worksheet to specify the external content types to be created. Go through the User Profile Properties Planning worksheet that you completed when you read the article Plan user profiles in SharePoint Server. In the External Content Type Planning worksheet, create one row for each user profile property that comes from a business system. Fill in the first three columns of each row according to the instructions in the following table.

| Column in worksheet | Instructions |
|---|---|
| Business system | A name that you choose that identifies the business system that contains the property. |
| Item | The data in the business system that corresponds to the property. Be as specific as possible. For example, if the business system is a database, provide the name of the table and column, if known. |
| Possible identifiers | A list of the user profile properties that could uniquely identify a user. |

After you have filled in the first three columns of each row, give the worksheet to the external content type developer. The developer should follow these steps, and then return the worksheet:

  • Create external content types to provide the external system data that is described in the worksheet.

  • Choose an appropriate identifier for each external content type.

  • If user profiles will have a one-to-one relationship with items of the external content type, create a specific finder method. An external content type that contains a user's birthdate is an example of a one-to-one relationship. Each user profile will match one item of the external content type.

  • If user profiles will have a one-to-many relationship with items of the external content type, create a finder method and a comparison filter. An external content type that contains the license plate of a vehicle the user owns is an example of a one-to-many relationship. A user might own multiple vehicles. Therefore, each user profile might match more than one item of the external content type.

  • Update the worksheet to describe the external content types that were created.

The Connection Planning worksheet (User profile properties and profile synchronization planning worksheet) contains a tab for a connection to a business system. When you receive the information back from the external content type developer, group all user profile properties that share the same external content type. Create a tab in the Connection Planning worksheet for each external content type, and copy the information from the Business systems tab to each new tab. On each tab that you created, complete the information according to the instructions in the following table.

| Row in worksheet | Instructions |
|---|---|
| Synchronization connection name | Choose a name that will help you remember which business system this is a connection to. |
| Connection type | "Business data connectivity". This information is already filled in. |
| Business data connectivity entity | The name of the external content type. |
| One-to-one or one-to-many mapping | The number of items of the external content type that might match a given user profile. Enter "one-to-one" or "one-to-many" as appropriate. |
| Profile property to match against | The name of the user profile property that corresponds to the external content type's identifier. |
| Comparison filter | The name of the comparison filter. A filter is only required for one-to-many mappings. |

Identify property mappings

To indicate that a user profile property comes from an external system, you map the property to a specific attribute of the external system. By default, certain user profile properties are mapped. You can only map a profile property to an attribute whose data type is compatible with the data type of the property. For example, you can't map the SPS-HireDate user profile property to the homePhone Active Directory attribute because SPS-HireDate is a date and homePhone is a Unicode string. For a list of which user profile property data types are compatible with which AD DS data types, see User profile property data types in SharePoint Server 2013.

When you synchronize profile information, in addition to importing profile properties from external systems, you can also write data back to a directory service. You can't write data back to a business system. To indicate that SharePoint Server 2013 should export a user profile property, you map the property, and set the direction of the mapping to Export. Each property can only be mapped in one direction. You can't both import and export the same user profile property. The data that is exported overwrites any values that might already be present in the directory service. This is also true for multivalued properties: the exported value is not appended to the existing values; it overwrites them.

Examine the User Profile Properties Planning worksheet that you completed as you read the Plan user profiles in SharePoint Server topic. For each row (property) whose value will be imported from an external system, fill in the final three columns according to the instructions in the following table.

| Row in worksheet | Instructions |
|---|---|
| Direction | "Import", indicating that the property will be imported into SharePoint Server 2013. |
| Synchronization connection | The name of the synchronization connection through which this property will be provided. |
| Attribute | The name of the external system element that will provide the value of the user profile property. If the synchronization connection is to a directory service, this is the name of the directory service attribute. If the synchronization connection is to a business system, this is the name of the column in the external content type. |

Note

You can't use a connection to a business system to map a binary property to a property that implements the Stream accessor method.

For each row (property) whose value will be exported to a directory service, fill in the final three columns according to the instructions in the following table.

| Row in worksheet | Instructions |
|---|---|
| Direction | "Export", indicating that the property will be exported from SharePoint Server 2013 to a directory service. |
| Synchronization connection | The name of the synchronization connection through which this property will be exported. This can only be a connection to a directory service. |
| Attribute | The name of the directory service attribute whose value should be updated with the value of the user profile property. |

Synchronizing groups

By default, SharePoint Server 2013 synchronizes groups, such as distribution lists, when it synchronizes user profiles. You can turn off this functionality from the Configure Synchronization Settings page of Central Administration. Synchronizing groups is only supported for AD DS.

If you synchronize groups in addition to users, SharePoint Server 2013 imports information about the groups and about which users are members of the groups. Synchronizing a group does not create a profile for the group, and causes no additional user profiles to be created. In SharePoint Server 2013, groups are only used to create audiences and to display which memberships a visitor has in common with the person whose My Site the person is visiting.

If you decide to synchronize groups, SharePoint Server 2013 will import information about all of the groups that exist in the directory service containers that you are synchronizing unless you choose to exclude groups by using a filter. The filter for excluding groups differs from the filter for excluding users, although both follow the same format.

Return to the Connection Planning worksheet and fill in the Filter for groups cell.

Plan for the synchronization server

In addition to determining the synchronization connections and identifying the property mappings, you also have to plan for the more straightforward aspects of synchronizing profiles. The first of these is identifying the synchronization server.

You can only run one instance of the User Profile Synchronization service on a farm. The computer on which the User Profile Synchronization service runs is called the synchronization server. You specify the synchronization server when you create the User Profile service application. SharePoint Server 2013 provisions a version of Microsoft Forefront Identity Manager (FIM) on this computer to participate in synchronization.

When SharePoint Server 2013 synchronizes profiles, it makes heavy use of the network to communicate between the synchronization server and the domain controllers. Choosing a synchronization server that is physically close to the domain controllers will reduce the time that is required to synchronize.

Plan the synchronization schedule

The first time that you synchronize profile information between SharePoint Server 2013 and external systems, you must run a full synchronization. After that, you should configure the User Profile Incremental Synchronization timer job to perform an incremental synchronization on a recurring schedule. You can configure the timer job to run every few minutes, hourly, daily, weekly, or monthly. By using the hourly, daily, weekly, and monthly options, you specify when you want the timer job to start.

The more often the synchronization timer job runs, the fewer changes there will be to synchronize, and the quicker the job will finish. The default frequency is daily. We recommend that you schedule synchronization to start at a time when the network is lightly used.

For instructions about how to configure the User Profile Incremental Synchronization timer job, see Schedule profile synchronization in SharePoint Server.

Plan account permissions

In the Connection Planning worksheet, you provided the name of a synchronization account for each directory service. These synchronization accounts must be granted specific permissions so that the synchronization service can obtain the information that it needs from the directory service. The following sections identify which permissions are needed for each type of directory service. Work with the administrator of the directory service to grant the accounts the appropriate permissions.

Active Directory Domain Services (AD DS)

The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

  • It must have Replicate Directory Changes permission on the domain with which you'll synchronize.

    The Replicate Directory Changes permission allows an account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory.

  • If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group.

  • If the NetBIOS name of the domain differs from the fully-qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully-qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container.

  • If you'll export property values from SharePoint Server 2013 to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) with which you are synchronizing.

Novell eDirectory version 8.7.3

The synchronization account for a connection to Novell eDirectory must have the following permissions:

  • Entry Rights: Browse rights for the specified tree.

  • All Attributes Rights: Read, Write, and Compare rights for the specified tree.

Sun Java System Directory Server version 5.2

The synchronization account for a connection to a Sun Java System Directory Server must have the following permissions:

  • Read, Write, Compare, and Search permissions to the RootDSE.

  • To perform incremental synchronization, the synchronization account must also have Read, Compare, and Search permissions to the change log (cn=changelog). If the change log does not exist, you must create it before synchronizing.

IBM Tivoli version 5.2

The synchronization account for a connection to IBM Tivoli must have the following permission:

  • The synchronization account must be a member of an administrative group.

The farm account

The User Profile Synchronization service runs under the farm account. The farm account requires specific permissions to configure profile synchronization. A person with administrator rights on the synchronization server can grant these permissions.

  • The account must be a member of the Administrators group on the synchronization server. You can remove this permission after you have configured the User Profile Synchronization service.

  • The account must be able to log on locally to the synchronization server.

    Note

    The farm account differs from the farm administrator account. To determine the farm account, from Central Administration, click Configure service accounts, and then click Farm account.

If you'll synchronize user profiles with a business system by using an external content type, the farm account must also have permission to execute operations on the external content type. A farm administrator can use the procedure "Set permissions on an external content type" to give the farm account Execute permission on each external content type with which you'll synchronize.

Next steps

To implement your profile synchronization plan, follow the instructions in the article Synchronize user and group profiles in SharePoint Server 2013. After you have configured profile synchronization and synchronized profile information for the first time, implement the synchronization schedule by following the procedure that is described in the article Schedule profile synchronization in SharePoint Server.

Worksheets

To download the connection planning worksheet, the external content type planning worksheet, and the user profile planning worksheets, go to User profile properties and profile synchronization planning worksheets for SharePoint Server 2013.

See also

Concepts

Overview of profile synchronization in SharePoint Server 2013

Plan user profiles in SharePoint Server

Synchronize user and group profiles in SharePoint Server 2013

Administer the User Profile service in SharePoint Server

User Profile service overview