Sue Hernandez's SharePoint Blog

SharePoint and Related Stuff

Monthly Archives: May 2012

SharePoint 2010 User Profile Service Sync Woes

So I’ve been working on a new install of SharePoint 2010, and I finally got my User Profiles to import.  I’m going thru some pain, so I thought I’d share.

  1. Do NOT use the Configuration Wizard to create your User Profile Service.  If you do, you’re most likely running with your Setup account (you know, for SP 2010 we have a Setup Account, a Farm Account, a SQL Account, and one or more Service Application accounts).  I personally have found, and someone else in the blogosphere confirmed, that you actually need to be LOGGED IN to the local machine as the FARM account, as well as logged in to Central Admin as the Farm account, at the time when you actually CREATE the SERVICE APPLICATION.   If you do not do this, you can’t start the synchronization service later.  Some other things to think about:
    1. Your Farm account needs to be a member of the local Administrators group.  I have found articles describing how you can switch accounts after setup and provisioning is complete, but apparently every update and any re-provisioning will need the Farm account again in the administrators group.
    2. I do not know if the Farm account needs to be the Service Application owner, probably not, but if all else fails at least try that.  When you select the Service Application (click to the right of the link, don’t click the link), make sure that Administrators and Permissions in the Ribbon both show full control for the Service Account Owner.
  2. Set up your Farm account as the account used for the sync service.  You do this through Security –> Configure Service Accounts and pick Windows Service – User Profile Synchronization Service.
  3. Start the Sync Service.  Go to System Settings –> Manage Services on Server and find the User Profile Synchronization Service.  Start it, and make sure the Farm account is selected and input the password for the Farm account.
    1. Wait.  And wait.  It takes anywhere from 10 minutes – 30 minutes to provision this service.  One way to know that it eventually worked is to look under Services on your machine for the 2 Forefront services.  They should both have been turned on (don’t manually touch them at all).  If your service shows “Stopped” again after a while, something’s wrong with the permissions and you might have to start from scratch.
  4. Set up your synchronization connections.  If you’re going to Active Directory, choose an account, known later in this post as the Sync Account, that has rights to your Active Directory.
    1. Here’s where it got tricky.  You need to add Replicate Directory Changes to your SYNC account – NOT your Farm account or any other Service Application account.  It is the one you put in when you set up the A/D connection.  Please see below for a link on how to do this.
    2. If your A/D is running on Windows Server 2003, you also have to add the Sync account to the members of the Pre-Windows 2000 Compatible Access group.  That’s a built-in group.
    3. Find out from your administrator what your domain’s NetBIOS name is – I’m not too sure how to get this, other than maybe Properties of the domain.  IF YOUR NETBIOS NAME IS NOT THE SAME as your Fully Qualified Domain Name, you have more work to do.  You will have to give Replicate Directory Changes to the cn=configuration container.
    4. That’s it unless you want to replicate changes BACK to A/D FROM SharePoint.  If you do, there is more setup involved.  But again, the article below spells that out.
  5. Finally you can start a profile sync – however
    1. There’s also the problem with the MySites.  If you have run the configuration Wizard in the beginning of your setup, and you let it create your Root Collection for you, then you probably have your MySites in the wrong place – in a Managed Path called /my off of the SAME web application as your Root site.  You generally want these in isolation in their own Web App.
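
The checks from steps 1, 3 and 4 above can be scripted. This is an added PowerShell example, not part of the original post; it assumes it runs on the SharePoint server with the RSAT ActiveDirectory module installed, and the two account names are placeholders. It reads the domain's NetBIOS name with Get-ADDomain.

```powershell
# Added example (not from the original post). Account names are placeholders.
# Assumes: run on the SharePoint server, RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$FarmAccount = 'CONTOSO\sp_farm'   # placeholder
$SyncAccount = 'CONTOSO\sp_sync'   # placeholder
# rightsGuid of the "Replicating Directory Changes" extended right
$ReplChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function New-Check([string]$Check, [bool]$Pass) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass } |
        Select-Object Check, Pass
}

# True when $Account has an explicit Allow ACE for the right on the object.
# A grant made through a group is not matched by this direct comparison.
function Test-ReplicateChanges([string]$DN, [string]$Account) {
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $aces = (Get-Acl -Path "AD:\$DN").Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $_.ObjectType -eq $ReplChanges
    }
    [bool]$aces
}

$results = @()

# Step 1.1: Farm account in the local Administrators group (English group name).
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
$results += New-Check 'Farm account is a local Administrator' ($admins -contains $FarmAccount)

# Step 3.1: both Forefront services should be running once provisioning finishes.
foreach ($name in 'FIMService', 'FIMSynchronizationService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $results += New-Check "$name is running" ($svc -and $svc.Status -eq 'Running')
}

# Step 4.1: Replicate Directory Changes on the domain, for the Sync account.
$domain = Get-ADDomain
$results += New-Check 'Sync account: Replicate Directory Changes on domain' `
    (Test-ReplicateChanges $domain.DistinguishedName $SyncAccount)

# Step 4.3: needed on cn=configuration only when the NetBIOS name differs.
# Assumption: "differs" means it is not the first label of the DNS name.
if ($domain.NetBIOSName -ne $domain.DNSRoot.Split('.')[0]) {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $results += New-Check 'Sync account: Replicate Directory Changes on cn=configuration' `
        (Test-ReplicateChanges $configNC $SyncAccount)
}

$results | Format-Table -AutoSize
```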

Here are some links to help you through getting started with your User Profile and your My Sites.

Also, I don’t remember where I found it, but to troubleshoot your user profile sync process, there’s an application installed in the Program Files that monitors the steps.  This is in C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.

Happy User Profile Hunting