SharePoint 2010: User Profile Synchronization Service decoded! Part-1

 


 

This blog series is divided into two parts, in which we discuss a few basic facts about the User Profile Service Application/User Profile Synchronization Service, troubleshooting techniques, different scenarios, etc. The blog covers the following:

 

Contents of Part-1: 

  • Quick overview on User Profile Service Application (UPA)
  • Scenarios where User Profile Synchronization Service (UPSS) is not designed to work
  • Do's and Don'ts while working on UPSS
  • Starting with troubleshooting UPSS
  • Troubleshooting issues after the UPSS has started successfully

 1. Quick overview on User Profile Service Application (UPA)

 

 

 

The above image has been taken from www.harbar.net

 

For a detailed overview of how the User Profile Service Application works, refer to the following links:

 

https://technet.microsoft.com/en-us/library/ee721049.aspx

 

https://www.harbar.net/articles/sp2010ups2.aspx

 

2. Scenarios where User Profile Synchronization Service (UPSS) is not designed to work:

 

 a. Single Server Farm

 

UPSS is not designed to start/work on a Single Server Farm. How to check this? Check the 'ServerRole' value under: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS". If 'ServerRole' says 'SINGLESERVER', this confirms it is a Single Server Farm.

 

Refer: https://support.microsoft.com/kb/983061

 

 

b. SharePoint farm built using SQL Authentication***  

 

You can check this in the registry using the 'dsn' key; this 'dsn' key is only created when the SharePoint server is connected to a farm. On the SharePoint Server, go to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\configdb' and look for the 'dsn' key.

If 'Integrated Security' says 'False', the farm uses SQL Authentication; for Windows Authentication, 'Integrated Security' will be 'True'.

 

SQL Authentication:

 

Windows Authentication:

Refer: https://blogs.technet.com/b/sykhad-msft/archive/2011/07/29/building-sharepoint-2010-farm-using-sql-authentication-amp-its-limitations.aspx

 

***Installing Oct-CU-2012 for SharePoint Server 2010 helps to start the User Profile Sync Service even on SharePoint 2010 farms built using SQL Authentication. The fix for this issue was included in Oct-CU-2012 and later Cumulative Updates for SharePoint Server 2010.

Refer: https://support.microsoft.com/kb/2687557/en-us

 

“Assume that you create a new User Profile Service Application (UPA), and you configure the synchronous database to use SQL authentication by setting up a SharePoint farm as an administrator. In this situation, the UPA creation is successful, but the UPA synchronization service cannot start”

 

 

c. When you have Full Fledged Forefront Identity Manager (FIM) installed on the SharePoint 2010 Server:

 

This applies when Full Fledged Forefront Identity Manager (FIM) is installed on the same SharePoint Server where you are trying to start UPSS. Ideally, Full Fledged FIM should not be installed on any SharePoint 2010 Server, as this becomes an unsupported scenario.

 

How to check if this is installed?

 

  • Go to Control Panel on the SharePoint 2010 server and check whether it is installed

 

  • Open the Services console, right-click "Forefront Identity Manager Sync Service", and check the Path to executable, which should ideally be:

           "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

           However, in cases where the FIM Client has been installed, the executable path will be shown as:

           "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe"

 

  • Also check the registry key below:

          "HKLM\system\currentcontrolset\services\FIMSynchronizationService"

          Even here the ImagePath will show an incorrect path, which is: "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe"
           instead of: "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

 

What next? How to fix this?

  • Uninstall Full Fledged FIM Client from Control Panel

 

  • You could try the following: correct the ImagePath under the registry key

                                "HKLM\system\currentcontrolset\services\FIMSynchronizationService" from "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe"

                                 to: "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

 

  • This should correct the Path to executable under the Services Console for the "Forefront Identity Manager Sync Service"
  • Hopefully this should resolve the issue. However, I have seen cases where uninstalling the FIM Client and modifying the above registry alone is sometimes not sufficient to start the UPSS again. That's because there are a lot of registry key entries which do not get removed when we uninstall FIM. In such cases an extensive manual cleanup of the registry is required, and I would highly recommend opening a Support Incident with Microsoft to get this fixed.
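The three checks from section 2, collected into one read-only PowerShell script (an added example, not part of the original post and not Microsoft tooling). It assumes an elevated session on the SharePoint 2010 server, and it reports only the Integrated Security flag from 'dsn' rather than the value itself, because a SQL-authentication connection string can carry credentials.

```powershell
# Added example: read-only pre-flight checks for the scenarios in section 2.
# Run elevated on the SharePoint 2010 server; nothing is written to the registry.
Add-Type -AssemblyName System.Data

$wssKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS'
$cfgKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\configdb'
$fimKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService'
$expectedImage = 'C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Result([string]$Check, [string]$Value, [bool]$Unsupported) {
    New-Object psobject -Property @{ Check = $Check; Value = $Value; Unsupported = $Unsupported }
}

$results = @()

# a. Single Server Farm: ServerRole = SINGLESERVER
$role = Get-RegValue $wssKey 'ServerRole'
$results += New-Result 'ServerRole' $role ($role -eq 'SINGLESERVER')

# b. SQL Authentication: parse 'dsn' as a connection string, never echo it.
$dsn = Get-RegValue $cfgKey 'dsn'
if ($dsn) {
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $dsn
    $results += New-Result 'dsn' "Integrated Security=$($csb.IntegratedSecurity)" (-not $csb.IntegratedSecurity)
} else {
    $results += New-Result 'dsn' '(not present: server not joined to a farm)' $false
}

# c. Full FIM installed: the service ImagePath points away from the SharePoint-bundled binary.
$image = Get-RegValue $fimKey 'ImagePath'
if ($image) {
    $results += New-Result 'FIM ImagePath' $image ($image -notlike "*$expectedImage*")
} else {
    $results += New-Result 'FIM ImagePath' '(service not registered)' $false
}

$results | Select-Object Check, Unsupported, Value | Format-Table -AutoSize -Wrap
```

A row with Unsupported = True for 'dsn' still needs to be read against the Oct-CU-2012 note above, since farms at that update level or later can start the service with SQL Authentication.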

 

3. Do's and Don'ts while working on UPSS

 

     a. Don’t-

 

  • Do not delete the old User Profile Service Application (UPA) until and unless you are very sure about it

 

 

  • Do not start any of the FIM services on Services Console manually

 

     b. Do's-
    

  • Disable MySite Cleanup job 

 

  • Take a good backup of all 3 DBs (Profile, Social and Sync DBs)

 

 

4. Starting with troubleshooting UPSS:

 

  • Are we logging in with the Farm Admin account? Is this account also a local administrator?
  • The SharePoint Timer Service account, the account running the SharePoint Central Admin pool, and the account seen when we click Start on UPSS should be one and the same. If they are not, run the following commands to fix this:

On the server that hosts the Central Administration website, type the following line at the command prompt, and then press Enter:

stsadm -o updatefarmcredentials -userlogin DomainName\UserName -password NewPassword

 

On all other servers in the server farm, type the following line at the command prompt, and then press Enter:

stsadm -o updatefarmcredentials -userlogin DomainName\UserName -password NewPassword -local

 

Refer: https://support.microsoft.com/kb/934838

Running only the above two commands should be sufficient, followed by an IIS reset on all the SharePoint Servers.

 

  • Check whether we can browse to the STS; a successful page should return the below message:

I have written a detailed blog on this; please go to the below link and get your STS fixed

 

https://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx

 

Until & unless we are able to browse to STS page successfully, there is no point in moving ahead with any other kind of troubleshooting on UPSS

  • Restart the UPSS, monitor the progress on ULS viewer by filtering the category as "User Profiles"

A good trace will show the below progress:

  • Depending on where the UPSS is failing, looking at the above image, we should carry out the next phase of troubleshooting.

For example: if it is failing to create ILM certificates, delete all the Forefront Identity certificates and retry. Refer: https://support.microsoft.com/kb/2498715

 

  • When no progress for the User Profiles category is seen in the SharePoint ULS logs:

    There is definitely a failed One-Time timer job causing this. Delete this 'One-Time' timer job by going to Central Admin → Monitoring → Review Job Definitions and looking for 'One-Time' in the 'Schedule Type' column.

     

  

Part-2 will cover the following:

  • Sync DB reset and when does it help?
  • Enabling NetBios name on UPA and under what scenarios?
  • What happens during Profile Synchronization?
  • When to make use of User Profile Replication Engine (UPRE)
  • Should I restart UPSS every time I apply cumulative updates/Service Packs for SharePoint Server 2010

 Link for Part-2:

https://blogs.technet.com/b/sykhad-msft/archive/2013/04/30/sharepoint-2010-user-profile-synchronization-service-decoded-part-2.aspx

Comments

  • Anonymous
    September 15, 2014
    Is there a way to enable UPSS on a single server farm?

    thank you for the great tutorial!