I could not find any complete guide for User Profile migration from SharePoint 2010 to SharePoint 2013, so I decided to write one myself, both for others to use and for my own future reference.
The official guide is on MSDN here. However, it is not completely accurate, especially where it describes exporting and importing the MIIS encryption key with the miiskmu.exe tool.
I highly recommend Spencer Harbar’s blog if you want to go deep into the User Profile service application. It is also a very valuable source if you have problems with provisioning a new User Profile service or with migration.
1. Consider before migration
a. Patch it up!
- The latest service pack should be installed before doing a migration.
- If you are using SQL 2014 as your database server, at least the SharePoint 2013 April 2014 CU must be installed!
b. Follow general recommendations
- Add FARM_ADMIN_ACCOUNT to the local administrators (this is necessary for the User Profile Synchronization service to start properly; the start-up script in step 3 ends with a reminder to remove it again afterwards).
- The account that will be used for synchronization with Active Directory must have the Replicate Directory Changes permission in AD. The recommendation is to use a separate account for this.
c. Decide what to migrate
- If you do not need to migrate the Sync database, then exporting and importing the MIIS key is not required. However, you will have to create all the connections in the User Profile service from scratch and set up all the custom mappings for profile properties.
d. Migrate dependent service applications
Your current instance of User Profile might use the following service applications. These service applications must be migrated before you migrate User Profile!
- Managed Metadata service application
- Secure Store service application
- Business Connectivity Service application
Do not forget to migrate them in the correct order. If your BCS application uses Secure Store, then the Secure Store service must be migrated first.
How to migrate them is described in the same MSDN article here.
2. Export MIIS encryption key from FIM
a. Log into the current application server of your SharePoint 2010 environment as a local administrator (it does not have to be the farm administrator).
b. Open a command prompt and go to: [drive]\Microsoft Office Servers\15.0\Synchronization Service\Bin\
c. Run: miiskmu.exe
- choose Export key
- specify the credentials of the farm administrator (the account that is running the User Profile service; usually it is the farm administrator account)
Note: If you do not want to migrate the Sync database, then exporting (and later importing) the encryption key is not required.
3. Migrate User Profile service application
Note: Some of the following procedures can be done in Central Admin; however, I strongly recommend using PowerShell.
a. Start User Profile service
    Get-SPServiceInstance | Where {$_.TypeName -eq "User Profile Service"} | Start-SPServiceInstance
b. Create Service Application using existing databases
    #configuration values
    $serviceName = "User Profile Service Application"
    $poolName = "SharePoint Service Application Pool"
    $profileDbName = "SP2013_Test_Service_UPS_Profile"
    $socialDbName = "SP2013_Test_Service_UPS_Social"
    $syncDbName = "SP2013_Test_Service_UPS_Sync"

    #get service application pool
    $appPool = Get-SPServiceApplicationPool -Identity $poolName

    #create new service application using existing databases
    $upa = New-SPProfileServiceApplication -Name $serviceName -ApplicationPool $appPool -ProfileDBName $profileDbName -SocialDBName $socialDbName -ProfileSyncDBName $syncDbName

    #create service proxy
    New-SPProfileServiceApplicationProxy -Name "$serviceName Proxy" -ServiceApplication $upa -DefaultProxyGroup
It is recommended to run this script in the context of the farm administrator account. You can do that by logging in as the farm administrator or by running the script with Run As (thanks to Spencer Harbar). See his blog for why running these scripts under the farm administrator is necessary.
    # Path of UPA Creation PowerShell
    $ScriptFile = "[PATH]\create_userProfile.ps1"

    # Get the Farm Account Creds
    $farmAcct = (Get-SPFarm).DefaultServiceAccount
    $cred = Get-Credential $farmAcct.Name

    # Create a new process with UAC elevation
    Start-Process $PSHOME\powershell.exe -Credential $cred -ArgumentList "-Command Start-Process $PSHOME\powershell.exe -ArgumentList `"'$scriptfile'`" -Verb Runas" -Wait
c. restart IIS and SPTimer
- iisreset
- restart-service SPTimerv4
d. import encryption key
miiskmu.exe /i [PATH_TO_EXPORTED_KEY] {0E19E162-827E-4077-82D4-E6ABD531636E} /u:[FARM_ADMIN_LOGIN] *
Note:
- Use the key you exported in step 2 (it should be miiskeys-1.bin).
- The GUID is fixed, do not change it!
- FARM_ADMIN_LOGIN is the user under which the User Profile service will be running (usually it is the farm administrator account).
- The asterisk at the end means that you will be prompted for the password of FARM_ADMIN_LOGIN.
- Sometimes the import tends to fail. Usually an iisreset and an SPTimerv4 restart help.
- If you are not migrating the Sync database, importing the key is not required!
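The MIIS encryption key protects the data that FIM keeps encrypted in the Sync database, so the exported file should be handled like a credential while it moves between the farms. The following is an added example, not part of the original guide or of the MSDN procedure: it hashes the key file on the source server and, on the target server, locks down the file's ACL and verifies the hash before the import. The function names, the paths and the hash placeholder are assumptions.

```powershell
# Added example: function names, paths and the hash placeholder are assumptions.

function Get-KeyFileHash {
    param([Parameter(Mandatory=$true)][string]$Path)
    # SHA-256 through .NET, so it also runs where Get-FileHash is not available
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).ProviderPath)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
        $sha.Clear()
    }
}

function Protect-KeyFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Remove inherited ACEs; leave access only to the current user and to
    # local Administrators (well-known SID, independent of the OS language)
    & icacls.exe $Path /inheritance:r /grant:r "${me}:(M)" "*S-1-5-32-544:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

function Confirm-KeyFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedHash
    )
    Protect-KeyFile -Path $Path
    $actual = Get-KeyFileHash -Path $Path
    if ($actual -ne $ExpectedHash.Trim()) {
        throw "Hash mismatch for $Path (got $actual); do not import this file"
    }
    Write-Host "Key file verified: $actual"
}

# SharePoint 2010 server, after the export in step 2 (assumed path):
#   Get-KeyFileHash -Path 'D:\export\miiskeys-1.bin'
# SharePoint 2013 server, before the import in step 3d (assumed path, placeholder hash):
#   Confirm-KeyFile -Path 'D:\import\miiskeys-1.bin' -ExpectedHash '<SHA-256 from the 2010 server>'
# After the import succeeded and the sync service is Online, delete the working copy:
#   Remove-Item -Path 'D:\import\miiskeys-1.bin' -Force
```

Send the hash over a different channel than the key file itself, and keep any retained copy of the key in your normal secrets storage rather than on the SharePoint servers.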
e. start User Profile Synchronization service
There is a very nice PowerShell script for starting the User Profile Synchronization service, written by Spencer Harbar:
    # App Pools
    $saAppPoolName = "SharePoint Service Application Pool"

    # we need these to start the UPS Service Instance
    # (placeholder values: replace them with your farm account and its password)
    $farmAccount = "domain\sp_farmAdmin"
    $farmPassword = "Password1"

    # UPA/S specifics
    $upsInstanceName = "User Profile Synchronization Service"
    $upaName = "User Profile Service Application"

    # Grab the Application Pool for Service Application Endpoint
    $saAppPool = Get-SPServiceApplicationPool $saAppPoolName

    Write-Host "Restarting SPTimerV4..."
    restart-service SPTimerV4

    Write-Host "Starting the $upsInstanceName Instance..."
    $upa = Get-SPServiceApplication | where-object {$_.Name -eq $upaName}
    Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName} | % {
        $_.Status = [Microsoft.SharePoint.Administration.SPObjectStatus]::Provisioning
        $_.IsProvisioned = $false
        $_.UserProfileApplicationGuid = $upa.Id
        $_.Update()
        $upa.SetSynchronizationMachine($_.Server.Address, $_.Id, $farmAccount, $farmPassword)
        # this causes update conflicts
        Start-SPServiceInstance $_
    }

    Write-Host "Waiting on $upsInstanceName to provision..."
    Write-Host "Baseline time is 180 seconds"
    [int]$time = 0
    $ups = Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName}
    while(-not ($ups.Status -eq "Online")){
        sleep 10;
        Write-Host "Still waiting... ($time seconds elapsed)"
        $ups = Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName}
        $time = $time + 10
    }
    $time = $time - 10

    Write-Host "$upsInstanceName provisioned, it took $time seconds, resetting IIS..."
    iisreset
    Write-Host "UPS Done!"
    Write-Host "Don't forget to remove the Farm Account from local admins!"
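The script above stores the farm account password in the script file and ends with a reminder to remove the farm account from the local administrators. The following added example (not Spencer Harbar's code) prompts for the password instead and performs that removal once the synchronization service reports Online. The function name Remove-FromLocalAdministrators is an assumption, and the snippet is meant to run on the server where the farm account was added to the local administrators.

```powershell
# Added example, not Spencer Harbar's code. The function name is an assumption.
$upsInstanceName = "User Profile Synchronization Service"
$farmAccount     = (Get-SPFarm).DefaultServiceAccount.Name   # DOMAIN\user

# Prompt for the password instead of saving it in the script file.
# SetSynchronizationMachine needs it as a string, so it exists in plain text
# only in the memory of this session.
$cred         = Get-Credential $farmAccount
$farmPassword = $cred.GetNetworkCredential().Password

# ... run the provisioning part of the script above with these two variables ...

function Remove-FromLocalAdministrators {
    param([Parameter(Mandatory=$true)][string]$Account)
    # Resolve the group name from its well-known SID (works on localized Windows)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $group = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $isMember = & net.exe localgroup $group | Where-Object { $_.Trim() -ieq $Account }
    if (-not $isMember) { return $false }
    & net.exe localgroup $group $Account /delete | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove $Account from $group" }
    return $true
}

# Only clean up once an instance reports Online
$online = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq $upsInstanceName -and $_.Status -eq "Online"
}
if ($online) {
    $farmPassword = $null; $cred = $null
    if (Remove-FromLocalAdministrators -Account $farmAccount) {
        Write-Host "$farmAccount removed from local Administrators"
    }
} else {
    Write-Warning "$upsInstanceName is not Online yet; farm account left in place"
}
```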