Thursday, August 11, 2011

Repairing & Configuring the SharePoint 2010 User Profile Service

I've been working on and off with SharePoint for a few years now. At the start of this year I had the opportunity to build a "kitchen sink" SharePoint 2010 VM using VirtualBox. At the time I configured most SharePoint features, but one thing I couldn't get working was SharePoint 2010's User Profile Service (UPS), which synchronises data between user directories such as Windows Active Directory and the SharePoint user profile store. Earlier this month I finally needed this feature, so I had to revisit my configuration woes and battle through until I could get it working.

First of all, I'm extremely indebted to the following amazing blog posts and articles that helped hugely in rectifying the various ailments my UPS config was suffering from:

  1. Harbar.net: Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
  2. MSDN: Configure profile synchronization (SharePoint Server 2010)
  3. Clever Workarounds: More User Profile Sync issues in SP2010: Certificate Provisioning Fun
  4. When Technology Works: User Profile Sync provisioning remains in ‘Starting’ status (stops at ULS Eventid 9qh1 ILM Configuration: Configuring Certificate)
  5. Harbar.Net: “Stuck on Starting”: Common Issues with SharePoint Server 2010 User Profile Synchronization

Similar to the circumstances in posts (3) and (4) above, my UPS was stuck in the "Starting" state, with an error in "configuring certificate". What I ended up needing to do was to delete my UPS service application completely and start again. So that I could start with a truly clean slate, I followed the steps in (4) to delete the duplicate certificates that had been created in both the Trusted Root Certification Authorities store and the Personal Certificates store. I then used the PowerShell script in How to reset the Sync Machine Instance to unconfigure the UPS service application, and deleted the UPS service application from SharePoint Central Administration. Finally I followed the steps in (1) exactly, and soon had a fully functional UPS! In particular, I found it was important to:

  • Delegate control for "Replicating Directory Changes" on the domain to the synchronisation account (the account used for the AD connection) in Active Directory Users & Computers.
  • Add the "Allow" right for "Replicating Directory Changes" for the same account to the Configuration container in ADSI Edit.
  • Add the "Allow Logon Locally" right for the SharePoint farm service account in group policy on the synchronisation server.
  • Ensure the SharePoint farm service account is a member of the local Administrators group on the synchronisation server while configuring the UPS (it can be removed again afterwards).

I also found that having the ULS Viewer running during configuration of the UPS was VERY informative and let me know that it WAS progressing (as per How to view progress of UPS provisioning), rather than hung.

One last thing I needed to do was to ensure that the FIM services (Forefront Identity Manager Service and Forefront Identity Manager Synchronisation Service) were set to "Automatic (Delayed Start)" in the Services applet, so that they come up after the rest of the farm on reboot.
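To make the checks above repeatable, here is an added PowerShell health-check script that is not part of the original post. It looks for duplicate ForefrontIdentityManager certificates, reports the UPS service instances and recent "ILM Configuration" ULS entries, confirms the farm account is a local administrator, lists who holds "Replicating Directory Changes" on the domain and Configuration containers, and sets the two FIM services to delayed start. The account names, domain DN and the certificate subject filter are assumptions for illustration; run it from the SharePoint 2010 Management Shell, as a farm administrator, on the server hosting the synchronisation service.

```powershell
# Added example (not from the original post): UPS post-fix health check for SharePoint 2010.
# Assumed values - change these to match your farm.
$farmAccount = "CORP\sp_farm"        # assumed farm service account
$syncAccount = "CORP\sp_sync"        # assumed account used for the AD sync connection
$domainDn    = "DC=corp,DC=local"    # assumed domain naming context

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Duplicate FIM certificates. A healthy install has exactly one ForefrontIdentityManager
#    certificate in Personal (My) and one in Trusted Root (Root). A provisioning run that
#    stalls at "Configuring Certificate" leaves extra copies behind. Nothing is deleted here;
#    matching thumbprints are printed with the certutil command that would remove them.
foreach ($store in "My", "Root") {
    $certs = @(Get-ChildItem "Cert:\LocalMachine\$store" |
               Where-Object { $_.Subject -like "*ForefrontIdentityManager*" })   # assumed subject
    "{0,-4} store: {1} ForefrontIdentityManager certificate(s)" -f $store, $certs.Count
    if ($certs.Count -gt 1) {
        "  Multiple copies found; remove them all before re-provisioning:"
        $certs | ForEach-Object { "    certutil -delstore $store $($_.Thumbprint)" }
    }
}

# 2. UPS service instances: Status should be Online on the sync server, not Provisioning.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like "User Profile*" } |
    Select-Object TypeName, Status, @{ n = "Server"; e = { $_.Server.Address } } |
    Format-Table -AutoSize

# 3. Recent ULS entries for the certificate/ILM configuration phase (last 30 minutes),
#    the same lines you would watch in ULS Viewer to see that provisioning is moving.
Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-30) |
    Where-Object { $_.Message -like "*ILM Configuration*" } |
    Select-Object Timestamp, Level, Message -Last 10 |
    Format-Table -AutoSize -Wrap

# 4. Farm account must be a local Administrator while the UPS is being provisioned.
$localAdmins = & net localgroup Administrators
if ($localAdmins -match [regex]::Escape($farmAccount)) {
    "$farmAccount is a member of local Administrators"
} else {
    "WARNING: $farmAccount is NOT a local Administrator; add it before provisioning"
}

# 5. "Replicating Directory Changes" must be granted to the sync account on the domain
#    root and on the Configuration container. dsacls prints one line per ACE, so we
#    just keep the lines that mention the extended right.
foreach ($dn in $domainDn, "CN=Configuration,$domainDn") {
    "Replicating Directory Changes ACEs on $dn :"
    $aces = @(& dsacls $dn | Where-Object { $_ -match "Replicating Directory Changes" })
    if ($aces.Count -eq 0) { "  (none)" } else { $aces | ForEach-Object { "  $_" } }
    if (-not ($aces -match [regex]::Escape($syncAccount))) {
        "  WARNING: $syncAccount does not appear to hold this right on $dn"
    }
}

# 6. FIM services on Automatic (Delayed Start). Set-Service in PowerShell 2.0 cannot
#    express delayed start, so sc.exe is used (the space after 'start=' is required).
foreach ($svc in "FIMService", "FIMSynchronizationService") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        & sc.exe config $svc start= delayed-auto | Out-Null
        "{0}: status {1}, start type now delayed-auto" -f $svc, $s.Status
    } else {
        "$svc not found on this server (is this the sync server?)"
    }
}
```

Sections 1 and 5 only report; the certutil commands they print are the ones to run by hand once you have confirmed which thumbprints are the stale copies. Section 6 does change state, so drop it or comment it out if you only want a read-only check.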

HTH!