2011-02-21

Starting the User Profile Synchronization Service

Hello my friend!
You and I obviously have something in common: we've experienced the joy of configuring SharePoint 2010's User Profile Synchronization Service.
You've read all the other blog posts and now you're here. There isn't much I can tell you that you probably haven't read... most of the issues are caused by not following Microsoft's instructions: http://technet.microsoft.com/en-us/library/ee721049.aspx#StartUPSSProc, and the fact that Forefront Identity Manager (FIM) is a PoS :)

One of the most important lines is: "After the User Profile Synchronization service is started, the farm account is no longer required to be an administrator on the synchronization server. To improve the security of your SharePoint Server installation, remove the farm account from the Administrators group on the synchronization server."

That means the account HAS to be in the local Administrators group before you can start it.

Other things to take into consideration:


  1. In a multi-server farm, "Network Service" and the SP account which is starting the User Profile Synchronization Service should also have (Component Services) Local Launch and Activation rights on:
    1. Forefront Identity Manager Controller Object {36574FCB-E5F2-4C55-AA06-146B2B8FBD95}
    2. Forefront Identity Manager Management Agents {10B6A600-6EE8-44F3-AC02-2CA42B08A2B5}
    3. Forefront Identity Manager Script Host Loader {76032766-22CF-497D-BA0D-4F0583F05D15}
    4. Forefront Identity Manager Synchronization Service {835BEE60-8731-4159-8BFF-941301D76D05}
  2. A quick way to make sure your account has rights to launch the FIM Synchronization Service is to log in using the account and run C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
  3. Verify there is only 1 ForefrontIdentityManager Trusted Root Certificate.
    Windows Key + R (run): mmc > Ctrl + M > Certificates > Add > Computer Account > Local
    If there are more, delete ALL of them and restart the service from Central Admin.
  4. Verify that both Forefront Identity Manager services are set to Automatic and the Log On As identity is your SP account.
  5. Make sure the SP account is an owner, or at the very least FIM_SynchronizationService, of the User Profile Sync DBs.
  6. Give the "Network Service" account read/execute rights to the "C:\Program Files\Microsoft Office Servers\14.0" directory.
  7. Check that the Application Pool is running and/or recycle it.
    It will be the App Pool which is running "C:\Program Files\Microsoft Office Servers\14.0\webservices\Profile"
  8. Try reinstalling FIM; it's in your SP2010 install:
    SPS2010\Global\Ppl\pplwfe.msi
    There's an update in the December 2010 CU "pplwfe-x-none.msp"
  9. If you have set NetBiosDomainNamesEnabled on the User Profile Service application to True and you installed the SP2010 December 2010 CU, you may get "Error: Unable to process Create message" when you try to add a new connection in Configure Synchronization Connections; in this case you're stuffed and it's broken until MS release the Feb 2011 CU.
    To enable netbios names read: http://blogs.msdn.com/b/spses/archive/2010/04/01/sharepoint-2010-provisioning-user-profile-synchronization.aspx
  10. User Profile Synchronization Service stuck on "Starting"
    Try running the "ProfileSynchronizationSetupJob" timer job, then check the Timer Job Status page... chances are the Progress is 0%.
    I've had this issue; I went home, came back the next day and it was done.
  11. ProfileSynchronizationSetupJob is stuck on "Pausing"... Delete the Timer service cache.
    Read: http://support.microsoft.com/kb/939308/en-us
  12. If you've tried all of the above, it's now time to do what you've been holding out on... yup, trawl through the damn logs.
    1. Read: http://blogs.msdn.com/b/spses/archive/2010/12/02/guide-to-user-profile-service-application-upa-part-2-setting-up-the-user-profile-service-application.aspx
    2. Enable verbose logging for the Microsoft.ResourceManagement.Service.exe and SharePoint Portal Server > User Profiles
  13. Don't be afraid of restarting the server... with any luck it might all just work after.
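
The checks from the Administrators note and items 3 and 4 can be run in one read-only pass on the synchronization server. This script is an added example, not part of the original post or Microsoft's guidance; the account name `CONTOSO\spfarm` is a hypothetical placeholder, and the services are matched on the "Forefront Identity Manager" display name used above.

```powershell
# Added example: read-only audit of the farm account and FIM prerequisites.
# Assumption: pass your own farm (SP) account; CONTOSO\spfarm is a placeholder.
param([string]$FarmAccount = 'CONTOSO\spfarm')

# Administrators note: direct members of the local Administrators group.
# Nested group membership is NOT expanded, so check domain groups separately.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
}
$isAdmin = $members -contains $FarmAccount

# Item 3: there should be exactly one ForefrontIdentityManager trusted root cert.
$fimCerts = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*ForefrontIdentityManager*' })

# Item 4: both FIM services set to Automatic and logging on as the farm account.
$fimSvcs = @(Get-WmiObject Win32_Service `
    -Filter "DisplayName LIKE 'Forefront Identity Manager%'")

"Farm account in local Administrators : $isAdmin"
"ForefrontIdentityManager root certs  : $($fimCerts.Count) (expected 1)"
foreach ($c in $fimCerts) {
    "  {0}  expires {1:yyyy-MM-dd}  {2}" -f $c.Thumbprint, $c.NotAfter, $c.Subject
}

"FIM services found                   : $($fimSvcs.Count) (expected 2)"
foreach ($s in $fimSvcs) {
    $ok = ($s.StartMode -eq 'Auto') -and ($s.StartName -eq $FarmAccount)
    "  {0}: StartMode={1} LogOnAs={2} State={3} OK={4}" -f `
        $s.DisplayName, $s.StartMode, $s.StartName, $s.State, $ok
}

# Heuristic: if both FIM services are running, the sync service has started,
# so the farm account no longer needs local Administrators.
$running = @($fimSvcs | Where-Object { $_.State -eq 'Running' })
if ($fimSvcs.Count -eq 2 -and $running.Count -eq 2 -and $isAdmin) {
    "ACTION: services are running; remove $FarmAccount from local Administrators."
}
elseif ($running.Count -lt 2 -and -not $isAdmin) {
    "NOTE: $FarmAccount must be a local Administrator before the service is started."
}
```

Run it from an elevated PowerShell prompt; it only reads state and changes nothing, so the certificate cleanup and group removal are still done by hand as described above.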