Select the User Profile Service and click the Manage button on the ribbon. You should see the screen just like the one below.

Default User
Profile Service configuration window after being created

Select Configure
Synchronization Connections in the Synchronization section. Now
click the Create new Connection option, if you see the
pop-up window In that case go back to Manage Services on Server and wait until the service starts.

Pop-Up window when
attempting to create the UPS synchronization connection

In the Add New
Synchronization connection window, we will need to fill-in several fields.

In the Connection Name
field enter a descriptive name of your connection, such as AD Synchronization.

In the Forest name field
enter the FQDN name of your domain (in my example: ad.local). Leave
the Auto discover domain controller option selected.

In the Account name, Password,
Confirm Password,enter credentials for the synchronization account
(sps_ups_sync).

User Profile
Synchronization Connection configuration

Now click the Populate
Containers button and select your AD organizational units you would like to
import. I’ve selected NetPro and Users OU’s where I usually store
all my users.

User Profile
Synchronization Connection – AD Container selection

Click OK and after a
while you should see your newly created connection listed. We can add
additional properties now, to tell the UPS Service that we do not want to import
AD accounts that are disabled. In my experience this is often requested by clients, so I propose
to make it a default for your setups.

Scroll over your connection name
and expand the menu using the black arrow on the right, then select Edit
Connection Filters option.

Edit Connection
Filters option under Synchronization connection name

Right now we need to add
exclusion filter for users that are disabled. You need to choose userAccountControl
attribute with Bit on equals operator with filter value 2.
See the screenshot below for the exact config you should perform.

Exclusion
configuration that would prevent importing disabled user accounts

Click the Add button – you
should see your newly created filter listed now. Click the OK button and
go back to the User Profile Service settings window.

What is SharePoint User Profile Service?

You may be wondering – why do I need SharePoint UPS. Just to make it simple and short – all social features from
SharePoint 2007, including My Site support, User Profile pages, audiences and social tagging is now bundled in the User Profile Service.

Preparing your SharePoint farm for the User Profile Service

If you never updated your SharePoint 2010 farm with cumulative updates (and no, I am not talking about Windows Update) – you will need to do it to enable UPS. SharePoint 2010 RTM version has many issues related to User Profile Service – you will need to update to the newest cumulative update available. Just to keep you informed – if you have December Cumulative Update for SharePoint 2010 then User Profile Service won’t work at all! I will be focusing this guide on the latest February 2011 Cumulative Update.

The best resource to find the latest SharePoint updates is TechNet at http://technet.microsoft.com/en-us/sharepoint/ff800847.

For this walkthrough I will be using the SharePoint Foundation 2010 (KB 2475880) and SharePoint Server 2010 (KB
2475878) updates for the SharePoint farm. These updates are downloadable on-demand. It best practise to make a full server backup before you try any Cumulative Updates to SharePoint (including database-backup), because there is no option to roll-back the update.

After you install both SharePoint Foundation 2010 update and SharePoint Server 2010 update, you should run the SharePoint 2010 Products Configuration Wizard to complete the upgrade. After a successful upgrade you should verify if your SharePoint server is indeed updated. To do this, go to the Central Administration – System
Settings – Manage servers in this farm section. There you can see all your servers that are connected with the SharePoint farm (including smtp servers and SQL Servers).

Manage Servers in the Farm Window

Unfortunately, there is no clear information about the update – just  build number in the Configuration database version variable. In my case it is 14.0.5136.5002 which means I have the February 2011 Cumulative Update installed.
To verify this I usually Google the exact build number to determine the Update details. If you are following my links and you see 14.0.5136.5002 build – you have February 2011 Cumulative Update and you can continue.

One important note: if your build is 14.0.5136.5001 – you also have February 2011 Cumulative Update, but this build contains an error and you should download and reinstall the 5002 build of the February 2011 Cumulative Update to prevent farm issues.

Most of this article is applicable to the original RTM version of SharePoint 2010, but some solutions may not work exactly as described. I know that the UPS Service caused many issues before February 2011 Cumulative Update (and to give you more – the Feb 2001 CU is actually dedicated for UPS Service hotfixes) so I strongly suggest to upgrade – unless you have a strong reason not to.

Verify Managed Metadata Service installation

User Profile Services requires Managed Metadata Service to interact with. The SharePoint Managed Metadata Service (MMS) is a service that publishes a term store and normally some content types that the managed metadata will consume in its services. MMS is the key to the social tags and notes – since it is where where all tags are to be stored. You can create multiple MMS, but for the User Profile Service you will need at least one MMS.

First we will check if there is at least one MMS installed and configured.

Go to Central Administration – Application Management – Manage Service Applications and look for the Managed Metadata Service. If you used Configuration Wizard on your farm (which is what I would personally would recommend), you will probably have one MSS.

Managed Metadata Service in the Service Applications window

If you don’t have one, from the ribbon select the icon New and choose Managed Metadata Service. Then you will have to setup some MMS properties – which you also need to verify when you actually had one MMS before (then you have to mark the Managed Metadata Service and click on the properties icon in the ribbon).

Managed Metadata Service properties window – top
Continues…

In General Settings for the SharePoint site set the Browser File Handling to Permissive. You then need to restart IIS for the changes to have effect.

Note that the Browser File Handling setting is specific to each site and so this procedure must be repeated for all sub-sites which need to display PDFs.

In this article I will cover the SharePoint authentication methods, which closely mirror Windows Server 2008 R2 authentication scenarios since both SharePoint relies on Windows Server for much of its security. I will start with an overview of  the primary authentication methods and then I will demonstrate  how to configure authentication.

SharePoint Authentication Methods

There are three general types of authentication for SharePoint. The first two base types of authentication modes in SharePoint 2010 are Claims Based Authentication (which is new in SharePoint Server 2010) and Classic Mode Authentication.

Authentication selection window during SharePoint application setup.

Classic Mode Authentication

This is the native, classic type of authentication for Windows systems. There are several methods of Windows Authentication:

• Anonymous Authentication: this method allows external and unauthorized users to access the resources. No credentials are required in this method. This method is mostly used for Internet-enabled sites in SharePoint for Internet Sites licensing.
• Basic Authentication: This is an inherently insecure method and I recommend not using it. The authorization credentials are sent in clear-text, without any encryption which nowadays is extremely easy to snoop by attacker. This type of authentication should only be used in case of compatibility issues (with browsers, web proxies or firewalls) and only with a secure SSL certificate which encrypt the  sensitive network traffic (see SharePoint SSL Authentication). Sometimes, old software deployed in the enterprise requires using Basic Authentication (such as old monitoring software) – if you encounter these situations, try to use SSL with Basic Authentication to encrypt the traffic “manually”.
• Digest Authentication: This is similar to Basic Authentication, but it provides greater security since the credentials are encrypted and there is no way to intercept the credentials along the way in the traffic route.
• Certificate Authentication: This method offers the public key certificate mapping authorization. SSL encryption is used for this authentication method. It is not recommended to use this type of authentication over internet traffic.
• NTLM Authentication: This is the native authentication method for most Microsoft applications (including SharePoint), this method is secure and encrypts credentials before they are sent over the network. If you want to move your entire network authentication to Kerberos, you will have to disable NTLM because on most systems it is default authentication method.
• Negotiate Authentication: You can use it this with either NTLM or Kerberos authentication (with Kerberos is the default). On the client side you have to provide SPN (Service Principal Name) and UPN (User Principal Name) for the account.

Configuring Classic Mode Authentication for SharePoint

The configuration of classic mode authentication for SharePoint is very straightforward.

The first step is to choose  Classic or Claims authentication mode. You can select this when creating a new web application in Central Administration:

Create New Web Application window – Authentication section.

Select Classic mode and on the next sections enter the site name and port for our new application.

IIS Web Site section in SharePoint 2010 New Application window

The next section is important from a security perspective.  We can decide to use SSL for our new application, allow or disallow anonymous access to the application, and choose the authentication provider (Windows native NTLM provider or Negotiate – Kerberos provider). For the purposes of our sample SharePoint application, we will use SSL, with default settings for NTLM and anonymous access.

Security Configuration section in SharePoint 2010 New Application Window

The rest of the sections is out of the beyond the scope of this article – simply select a new application pool with some domain account as the application pool account (or select one of default applications pools already created), give your content database a descriptive name (I’ve named my web application – wss_content_classicauthtest) and click OK to create your new application. The last step for creating a new site is to create some site collection within our new web application. Just select whatever you like – Team Site would be fine.
Continues…

SSL certificates certainly add to the cost of a SharePoint site but you can use your own Certificate Authority or even use self-signed certificate from   IIS Server 7. This will be marked as untrusted in the client browsers, but at least you will have encryption enabled. So let’s try to enable SSL on a test site, with the Self-Signed Certificate .

Open IIS Manager and look for Server Certificates icon in Features View of your IIS Server.

IIS Manager v7.5 with Server Certificates icon selected

Double click the Server Certificates icon and select Create Self-Signed Certificate from the Actions menu on the right:

Server Certificates Window with highlighted option to Create a self-signed certificate

Now specify a Friendly name of the Certificate. This will be used as an identifier and I strongly suggest you use the actual domain name you will be using. So for the site http://sps2010   it will be sps2010.

Self Signed Certificate creation – Friendly Name window

Click on OK button and you are done. You have a SSL certificate that you can now use with a SharePoint site. Now we need to bind this certificate with our application. To do this, expand the Sites tree view in IIS Manager and select the SharePoint website.

IIS Manager with my Example app site highlighted

Now click on the Bindings option on the action pane on the right side of the screen.

Site Bindings window with default settings for typical SharePoint application

Here you can add the SSL (HTTPS) authentication for this site, so let’s go ahead and click Add button. Next you need to specify the binding type , so select HTTPS and then you will need to specify the certificate, so from the SSL Certificate field choose our newly created self-signed certificate called sps2010 and click OK.

Add site binding window
Continues…

Example Managed Accounts configuration

On the screen above you can see the accounts I’ve created for my SharePoint test farm. Even though this is just a local SharePoint farm used only for my own purposes and training, you can see that I’ve done pretty adhered the least-security privilege. Why? It is best to have a security habit deep in your blood – and using the security rules everywhere including your test environment is just good practice.

Now let’s click on one of the Edit icons – I’ve chosen the adsp_setup account as an example.

In the Credential Management section you can see the option to change the password immediately this is useful if you want to access the services or reconfigure something and you need to know the current password (since SharePoint managed accounts will generate random passwords at a schedule you’ll set).

Managed Accounts Credential Management section

The next section is Automatic Password Change. We can enable automatic password change here and setup the schedule directly. You can setup the schedule corresponding to the password expiry policy in Active Directory, so for example SharePoint will change the managed account password 2 days before the password will expire. You can also setup the e-mail notifications just before password of one of your managed account expires – in our example it is set to 5 days before password expiration.

Managed Account configuration – Automatic Password Change section

In the last section of Managed Account editor you can see specific Account information – which is primarily what is used by the account we are currently setting up.

Managed Account configuration – Account Information section

For technologies such as SharePoint, PowerShell uses snap-ins which are .NET Framework assemblies that contain custom PowerShell cmdlets. The SharePoint 2010 snap-in for PowerShell contains over than 500 cmdlets which can be used to perform a wide variety of SharePoint admin tasks. This PowerShell SharePoint snap-in is loaded automatically when the SharePoint 2010 Management Shell is run. If you
start the standard PowerShell console, you will need to manually load the snap to access the SharePoint cmdlets. Two native PowerShell cmdlets can assist with this: the Get-PSSnapin cmdlet retrieves info about all the snap-ins registered in the system, and the Add-PSSnapin cmdlet actually loads the snap-ins into the current PowerShell session.

The below example uses the Get-PSSnapin cmdlet with the switch parameter Registered to return the name of the SharePoint 2010 snap-in:

PS > Get-PSSnapin -Registered
Name : Microsoft.SharePoint.PowerShell
PSVersion : 1.0
Description : Register all administration Cmdlets for Microsoft Share- Point Server

The below example shows how to add the snap-in using the Add-PSSnapin cmdlet:

PS > Add-PSSnapin Microsoft.SharePoint.PowerShell

Once the SharePoint snap-in has been added, you can access all the SharePoint cmdlets. The PowerShell console and the SharePoint 2010 Management Shell differ in how threads are created and subsequently used. The standard PowerShell console runs each pipeline (as demarcated by a press of the “Enter” button), function, or script on its own thread, in contrast the SharePoint 2010 Management Shell runs each line, function, or script on one single thread. When using the SharePoint object model with PowerShell, running code on numerous different threads can result in memory leaks, in contrast, commands which run on the same thread have a lower chance causing leaks. This is because several SharePoint objects are still using unmanaged code.
The threading model which is used is determined by the the ThreadOptions property value of each PowerShell runspace (every PowerShell console window is a runspace). The SharePoint 2010 Management Shell utilizes the ReuseThread option set in the SharePoint.ps1 file which is executed every time the shell is started from the SharePoint 2010 menu group. However, the standard PowerShell console, does not have this option configured by default and therefore uses UseNewThread.Continues…

The perfect setup of a SharePoint farm should involve using as many accounts as possible. Let me show you my typical account plan for a small-sized SharePoint 2010 Enterprise farm. Keep a note that this list isn’t the same as the one proposed by Microsoft, I have modified it using my own experiences and thoughts and I think you all should do the same and so take the example lists only as a reference.

Remember the main purpose  of the Least Security Privilege is to  give the user or service account the minimum required permission level they need to perform the assigned tasks. As long as you plan this correctly you can consider yourself relatively secure.

Rule 1 : Never open anonymous connections from the Internet to your local network unless necessary.

Opening your SharePoint site for anonymous access is an open invitation to script kiddies and hostile bots/worms that are designed to track you down and load your site with spam and trojans. In the title I  said “unless necessary” – which really means NEVER EVER. Of course, there are still SharePoint sites and services available from the internet for regular, anonymous users – but they just need to be opened to the world using a more complex setup (see Rule 2).

Rule 2 : For Internet-enabled SharePoint sites, use a dedicated Web-Front SharePoint server that will be placed in Demilitarized Zone (DMZ).

A DMZ Zone is a network segment that is directly connected to the firewall. This is a more secure way of sharing a SharePoint application with the world. It’s still not a perfect solution, but at least you are not opening up your entire local network. For more on the using SharePoint in a DMZ please refer to this article.
This solution is still vulnerable to Denial of Service (DoS) attacks but placing SharePoint in a DMZ Zone limits the surface area of any attack.

Rule 3 : If you are opening a SharePoint site to the public internet – use  Microsoft TMG Firewall as a proxy.

This should be considered a golden rule for all deployments of corporate sites.  Microsoft Forefront TMG’s primary security feature  is a firewall which  inspects network traffic and filters out malware, attempts to exploit security vulnerabilities and content which does not match a predefined security policy.
TMG can also boost performance through compression and caching.

Rule 4 : Use SSL for all Extranet Sites, consider SSL for Intranet Sites.

In the past using SSL with IIS was a tricky and involved a large performance penalty. These issues have largely been addressed in IIS7  (see Install an SSL Certificate on IIS 7 for details on how to get started).

SSL ensures that your data is encrypted  when it is sent from the end-user to SharePoint Front-End. Although it can be overkill in some circumstances (since 100% of the data is encrypted when all you may want is to prevent a packet sniffer hijacking a user’s account)  SSL is still the primary protection against nefarious users accessing user data which is transmitted over the internet.

Rule 5 : Ensure all Updates and Patches are Applied the OS.

The recent ASP.NET security vulnerability may have highlighted this issue, but it has always been a security best practice to ensure that the OS and any parts of the stack that SharePoint runs are fully patched with the latest updates. For more on security of ASP.NET check out ASP.NET Security Best Practices.

• Hardware Bottlenecks: You should constantly monitor  system resources on SharePoint Servers and SQL Servers –  CPU, Memory and Disk I/O should all be monitored if any of these are showing signs of strain you should consider upgrading your hardware.
  In most cases – Disk I/O on  SQL Server  is the bottleneck for SharePoint performance and ironically it is often a neglected issues and is frequently not included in performance monitoring.
  One strong tip for SQL Server I/O is to split your databases into dedicated RAID systems, for example: store Content Databases of your application on 4 SAS/SCSI storages in Raid10 mode, and the Search, TempDB (these two are the most I/O consuming) on the even better and faster dedicated storage. Avoid keeping all the databases in one physical hard drive/matrix.
• SQL Indexing – Keep your indexing parameters optimized in your SQL Server Databases. Create and run at least once a week SQL Server job with “Rebuild Indexes” and “Update Statistics” tasks. You can view your indexation and defragmentation state by running ODBC_CHECKDB on the content databases.
• Warm Up your IIS Server – After pool recycling, restarting your IIS Server etc., the front end servers will lose their cached data and all site elements will need to be reloaded resulting in slow performance. Usually the first main page rendering is extremely slow, but there is a way to avoid that. Use Application Warm-Up.
  The Application Warm-Up extension can be deployed in a IIS 7.5 environment (Windows Server 2008 R2 native). This extension pre-loads all the site content before the first user-requests a page from IIS. By preloading the web application, the IIS worker processes reduce the time needed to render the site and respond to the first request. The IIS Application Warm-Up can be downloaded at http://www.iis.net/download/applicationwarmup
• Content Compression – Ensure that Dynamic Compression and Static Compression in IIS 7/7.5 is enabled. This can greatly reduce the network bandwidth requirement which is especially important in WAN wide networks.
• Move extensive farm services to dedicated servers – If you are experiencing slow performance, and you need to improve it at any cost – add more servers to a farm. If you currently have Front-End role and Query, Indexing, Office Web Apps role on one physical machine, It likely that you will experience slow performance on SharePoint sites. In this circumstance you should choose the path to split the extensive roles to dedicated servers, so that the Search Query, Search Indexing, Front End and Office Web Apps will be stored on separate physical machines.

I hope I covered most of the performance tips you can deploy in your farm. Please let us know if you have any additional tips you would like to contribute.