I recently had my first experience configuring the User Profile Synchronization Service in SharePoint 2010. This seems to be a common pain point for SharePoint Admins, but it went fairly smoothly for me. I did encounter a couple of issues, however, so I wanted to document my first walk-through of the process here.
First off, I did not start off blindly. I attempted to use the following article as a walk-through:
I must admit that I did some searching for the best reference resource I could find. The article above seemed to go into detail that others left out, and I found it fairly easy to follow, although I did deviate slightly.
As mentioned in the article, you will need a User with Domain Admin privileges. Since this was a client environment in which the Admin had previously attempted to configure this, they had already created this User. Therefore, I was able to skip right ahead to attempting to start the service. I say attempting, because it did not work.
Instead, the service remained in a “starting” state. I later found out that this service will attempt to start an absurdly large number of times before it actually errors out and stops. This can take a long, long time. I didn’t have time to wait and figured after a few minutes that the service was not going to start. This left me in the always awkward position of having to manually stop the service, which usually leads to feeling like you are now working backwards.
Not to fear! If/when this happens to you, just stop the service using PowerShell. To do so, I opened PowerShell ISE, and ran the following:
This adds the correct snap-in.
This will show you a list of your services, and the Globally Unique Identifier (GUID) of each. Take note of the GUID for User Profile Synchronization Service.
Stop-SPServiceInstance "GUID of User Profile Sync Service"
Here, "GUID of User Profile Sync Service" is the GUID we took note of previously.
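The stop procedure described above, written out as one script. This is an added example, not code from the original post. It assumes that the service instance's TypeName matches the name shown in Central Administration and that the “starting” state corresponds to a Status of Provisioning.

```powershell
# Added example, not from the original post.
# Load the SharePoint snap-in only if this session does not already have it.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# List every service instance with its GUID, status and host server.
Get-SPServiceInstance |
    Sort-Object TypeName |
    Format-Table TypeName, Id, Status, @{ Label = 'Server'; Expression = { $_.Server.Name } } -AutoSize

# Assumption: the instance's TypeName matches the name shown in Central Administration.
$typeName = 'User Profile Synchronization Service'
$syncInstances = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName })

if ($syncInstances.Count -eq 0) {
    Write-Warning "No '$typeName' instance found in this farm."
}

foreach ($instance in $syncInstances) {
    # Assumption: "Starting" in Central Administration corresponds to Status = Provisioning.
    if ($instance.Status -eq 'Provisioning') {
        Write-Host "Stopping $($instance.Id) on $($instance.Server.Name)"
        Stop-SPServiceInstance -Identity $instance.Id -Confirm:$false
    }
    else {
        # Do not touch instances that are already Online or Disabled.
        Write-Host "Leaving $($instance.Id) on $($instance.Server.Name) alone (status: $($instance.Status))"
    }
}
```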
Now that we have once again stopped the service, it was time to find out what was wrong. The end result was a permissions problem that I resolved by checking the following:
- Ensured the User in charge of User Profile Sync was a dbcreator in SQL, and added to the Full Read Policy in Central Administration.
- I then ensured that the account had remote access to the Web Front End, SQL, and Active Directory Servers (this can be accomplished by adding the User as a Domain Admin).
- Lastly, it is worth double-checking the permissions in the User Profile Service and ensuring the account has appropriate permissions within the service itself.
- With this out of the way, I decided to be proactive and performed an IIS Reset as well as reset the password for the account running the Profile Sync Service. I then started the service in Central Administration and was successful.
Once the service was started, I navigated to the User Profile Service in Manage Service Applications. I immediately stopped the Synchronization Job that was in progress (you can do this with the link on the right-hand side of the page), as you cannot edit any settings while it is attempting to sync, and the sync will fail without editing the settings.
Now, click on the Configure Synchronization Connections link, and Create New Connection.
From this page you will set the location and properties of the synchronization connection. Most of these are pretty self-explanatory and will depend on the setup of your environment. For my setup in particular, I simply ensured that I could resolve the name of the AD server by using Ping, and used that name in the “Specify a domain controller:” option. I was also able to use Windows Authentication, as this was the authentication method already in place, and to use the default port 389, since communication was happening internally (behind the firewall). I then kicked off a synchronization job.
You will also notice that the main configuration page shows statistics for the synchronization job. These statistics can be a bit misleading; in other words, the numbers do not match. This is because it can take quite a long time to fully synchronize your Users, especially the first time through, so the job can appear to be “stuck” or “hung” at times. Exactly how long it takes will depend on several factors in your AD structure, but it will sync much more quickly after the first run through. Another caveat is that, depending on the schedule of your sync job, changes may not sync immediately.
This has been a quick walk-through on my experience with configuring User Profile Synchronization for the first time. I was lucky and this went rather smoothly. However, you may run into additional difficulties if you are utilizing Claims Based Authentication or your AD server is located externally.
*I would like to add that User Profile Sync depends on the FIM service, which seems to cause a lot of problems. In cases such as this, being familiar with and using ULSViewer.exe is extremely helpful for deciphering the SharePoint Logs to see what is happening behind the scenes.
As always, thanks for reading!