Trust me, this post is going to save you LOTS of time. Before continuing I’d like to thank all the people out there that have already posted many articles on how to get this working in beta. You know something is an “issue” when even the technet article (referenced later) uses phrases like “Complete IISRESET”, “Wait 5 – 10 minutes”. This operation is clearly complicated and lets not be too hard on Microsoft for this. The product is in beta and as with the previous version, the literature available on blogs, social forums et al is pretty impressive.
At the end of this post, I will post 2 sure-fire links that will get the synchronisation working for you, but for those that have gone ahead without reading every little detail, I’ve decided just to add one or two little workarounds that can be done after the fact. The links that I will add later works for a green field installation, but does not really help the troubleshooting side of things. Here are my favorites:
User Profile Synchronisation Service Stuck on Starting
If this is the case shortly after you have started the service, then simply wait. If you had lunch, 3 coffees and a taco, then you should probably continue reading.
1: Have you installed the hotfix for WCF (KB971831)? This hot fix is for .Net Framework 3.5 SP1 is related to authentication;
2: Add the service account used to manage the service to your local administrators group and restart your server;
3: Manually start the Forefront Identity Manager Service (hail mary, but could work);
4: If “1 / 2 /3″ does not solve the problem, then you need to delete the managed service application, recreate it and then (before starting it) ensure the following:
- Service account is part of local administrators group;
- Service account has Full Control of the managed service application (accessed, by selecting the application and clicking on Administrators in the ribbon;
Service is started, but cannot create domain connection
1: Ensure that all the properties you are required to enter on the Create Connection page are correct. For example, ensure the username + password of the user is correct (noobilicious, but sometimes overlooked);
2: Try typing in the domain controller as opposed to using the auto discover (this could be particularly effective for multinationals with multiple domain controllers);
3: Ensure the correct container is selected within the domain. For example, don’t select ALL items if you just need the user’s group;
4: Some client side issues I’ve read about are related to scripting in IE8 and here is a good forum thread that ensures you get around it with IEDevToolbar – http://social.technet.microsoft.com/Forums/en/sharepoint2010setup/thread/6c79f895-a788-4766-a0cd-25d1fd61b272;
Service is started, connection created, but no user profiles?
If this is the case, then you are pretty close to complete. To get more detailed messaging on what is going on in the background, you can open the Synchronisation Service Manager which can be found here (C:\program files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe). You could have a number of related errors here, but here is the most common I found:
1: “Replication access was denied” – Error code: 8453. This happens when the service account used for the managed service application does not have the Replicate Directory Changes permissions in AD.
2: The management agent “MOSSAD-[ClientName]” failed on run profile “DS_FULLIMPORT_1a1d2b56-2b66-4a11-8f8f-fd97925fd3a5″ because of connectivity issues. This error (found in the event log) is related to the message noted in “1″. At first I was worried that I would need to deep dive into packet troubleshooting the network connections, but thankfully this was not the case and the AD permissions Replicate Directory Changes did the trick.
3: If the above mentioned permission change does not do the trick, then you need to scratch further into Active Directory and more specifically into the Configuration Container as noted in great detail by John Andison in his blog – http://www.johndandison.com/blog/?tag=/sharepoint-2010-rc. As noted in a number of posts, any AD changes will be heavily scrutinized by the people in charge and you better have your ducks in a row when they hit with “But why do we need to grant this access?”. Here is a post that covers some of those questions and gives you amble ammunition to have the conversation – http://blogs.msdn.com/russmax/archive/2010/02/10/active-directory-permissions-required-for-functional-user-profile-service-application-sync.aspx
As noted in the beginning of the post, this piece of functionality has a number of funnies. One thing that is however important is learning when to cut your losses and start over. If you do NOT see any of these symptoms, that stop trying and recreate your farm. When your farm is “so fresh and so clean clean” you can follow any of one of these posts to complete the setup of your profile synchronisation:
- Official Article on Technet: http://technet.microsoft.com/en-us/library/ee721049(office.14).aspx;
- Jie Li’s GeekWorld (Very useful): http://blogs.msdn.com/opal/archive/2009/11/19/user-profile-sync-setup-in-sharepoint-server-2010-beta.aspx;