Provisioning The User Profile Service Application
As I wrote earlier, SharePoint 2010 ships with a profile synchronization engine from ForeFront Identity Manager. After performing several SharePoint 2010 environment installations, this also seems to be the most fragile part of the SharePoint 2010 architecture, especially when using a least-privileged accounts install model.
There is a lot of content in the blogs and on TechNet related to configuring user profile synchronization. In my experience, the services have to be started in the order described below. In most environments this is enough, but in some places I am still struggling to get this to work. Step 5 seems to be the most critical, as the FIM services create certificates and establish database connections, and there are several error-prone phases in that process.
1. Add the farm account into the local administrators group. This is stated in the TechNet article:
The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed.
There seem to be conflicting opinions about the correct permissions, as this will cause the SharePoint Health Analyzer to create a warning:
Accounts used by application pools or service identities are in the local machine Administrators group. Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute.
Also grant the Replicate Directory Changes permission to the farm account used in the synchronization connection. Reboot the server to make sure that all the services using the farm account run with the new privileges.
2. Start the User Profile System Service.
3. Create the User Profile Service Application by using the wizard or PowerShell. Remember that you need to have a site collection for the My Site Host even when you do not plan to use My Sites yet.
4. Set the farm account to have full control of the Service Application: select the SA in the service application list and use the Administrators and Permissions actions in the ribbon.
5. Launch the User Profile Synchronization system service. It may take several minutes for the service to move from the Starting state to the Started state. The system service starts two Windows services with the farm account: first the ForeFront Identity Manager Synchronization Service and then the ForeFront Identity Manager Service. While these are launched, monitor the event log for any errors related to these two services and use the Internet resources to find the answers.
For example, if you get warning event 1004:
Detection of product ‘{90140000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’, component ‘{1C12B6E6-898C-4D58-9774-AAAFBDFE273C}’ failed. The resource ‘C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe’ does not exist.
grant the Network Service account access to the folder C:\Program Files\Microsoft Office Servers\14.0 as described here.
6. After the system service is in the Started state, you should be able to access the SA administration page and configure the profile synchronization according to TechNet. As described in my earlier post, SharePoint will not update anything in the Active Directory by default even though the synchronization has export stages as well. Also note that the profile synchronization in SharePoint 2010 takes several minutes, compared to 2007 where it was usually a matter of seconds.
As the RTM celebrations are over and Microsoft starts to patch the brand new 2010, I expect the user profile-related binaries to be among the top-priority components where stability and quality should be improved. The first step should be to make the error messages more verbose.
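The following PowerShell is an added example, not code from the original post: it performs steps 1, 4 and 5 above with the farm account elevated to local Administrator only for as long as the synchronization service takes to provision, watches the Application event log for FIM and MsiInstaller errors meanwhile (such as the event 1004 shown above), and then removes the membership again. It assumes steps 2 and 3 are already done (the service application exists), that the account name and SA name are placeholders, and that `SetSynchronizationMachine()` is the method the sync service uses to receive the farm account password (assumption).

```powershell
# Added example, not the original post's code. Run in the SharePoint 2010 Management Shell
# as a farm administrator on the server that will host User Profile Synchronization.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccountName = "DOMAIN\spfarm"                      # placeholder
$saName          = "User Profile Service Application"   # placeholder
$syncServer      = $env:COMPUTERNAME
$farmPassword    = Read-Host "Password for $farmAccountName"   # FIM services run as this account

# Step 1: local Administrator is needed only while FIM provisions; remember whether we added it
$wasLocalAdmin = [bool]((net localgroup Administrators) | Where-Object { $_.Trim() -ieq $farmAccountName })
if (-not $wasLocalAdmin) {
    net localgroup Administrators $farmAccountName /add | Out-Null
    Restart-Service SPTimerV4     # services running as the farm account must pick up the new token
}

# Step 4: Full Control on this SA only, not farm-wide rights
$sa    = Get-SPServiceApplication | Where-Object { $_.Name -eq $saName }
$sec   = Get-SPServiceApplicationSecurity -ServiceApplication $sa
$claim = New-SPClaimsPrincipal -Identity $farmAccountName -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $sec -Principal $claim -Rights "Full Control"
Set-SPServiceApplicationSecurity -ServiceApplication $sa -ObjectSecurity $sec

# Step 5: start synchronization and surface FIM/installer events while it moves to Online
$sync = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Address -eq $syncServer }
$sa.SetSynchronizationMachine($syncServer, $sync.Id, $farmAccountName, $farmPassword)  # assumed method
Start-SPServiceInstance -Identity $sync | Out-Null

$deadline = (Get-Date).AddMinutes(20)
$since    = Get-Date
do {
    Start-Sleep -Seconds 30
    Get-EventLog -LogName Application -After $since -EntryType Error, Warning |
        Where-Object { $_.Source -like "Forefront Identity Manager*" -or $_.Source -eq "MsiInstaller" } |
        ForEach-Object { Write-Warning ("Event {0} from {1}: {2}" -f $_.EventID, $_.Source, $_.Message) }
    $since = Get-Date
    $sync  = Get-SPServiceInstance -Identity $sync.Id
} while ($sync.Status -eq "Provisioning" -and (Get-Date) -lt $deadline)

if ($sync.Status -ne "Online") {
    throw "Sync service status is $($sync.Status); farm account left elevated, check the event log."
}

# Cleanup: drop the temporary local Administrator membership and restart the timer service
if (-not $wasLocalAdmin) {
    net localgroup Administrators $farmAccountName /delete | Out-Null
    Restart-Service SPTimerV4
}
```

Once the sync service is Online, the Health Analyzer rule about application pool identities in the local Administrators group no longer fires, which is the state the comments below discuss.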
Hi, thanks for this great article
I had the same problem today and I am happy that someone resolved the problem the same way
I found an interesting and comprehensive step-by-step guide: http://www.harbar.net/articles/sp2010ups.aspx
I have a question about step 1:
Should one really give the “Replicating Directory Changes” permission to the farm account? According to Technet (http://technet.microsoft.com/en-us/library/ee721049.aspx), it is the account that is used when you create a new Synchronization connection that should have those rights. (And that should not be the farm account, if I have understood correctly?)
Thanks for a great article!
Thanks for the comment! According to the harbar.net article I linked above: “To provision the UPS service – we must make the DOMAIN\spfarm account a local administrator of the box hosting the UPS service. Once we are done we can remove this.” For the actual synchronization connection, the harbar article seems to use a different service account. And that account is given the “Replicating Directory Changes” permissions. So you are correct, thanks for pointing it out. I will update the article accordingly.
Glad to help!
In step 4, you give the farm account permissions on the SA, which is exactly what MS tells you to do (see the TechNet article I linked to above). It’s weird though that Harbar doesn’t seem to mention anything about that?
From TechNet:
“- The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed.
- The Server Farm account must be able to log on locally to the server where Profile Synchronization will be deployed. This permission can be removed once the User Profile Synchronization service is started.”
The TechNet article never says anything about _removing_ the farm account from local admins, just about removing the log on locally right. Do you think it’s a typo, that it should be the other way around (as Harbar says)?
I have seen some cases where the farm account did not have the farm account permissions as it should have had. In those cases the errors were related to establishing the MIIS encryption keys, profile databases and other issues related to provisioning the service application for the first time.
Presumably Harbar has tested his instructions. According to my experiences I also find it reasonable that, once the services have been set up, normal operations could continue without the farm account having the local admin permissions. At least you can get the SP Health Analyzer to stop nagging about the excess permissions.
It is funny that the Health Analyzer rules are contradictory to the TechNet instructions.
However, there might be times when massive changes in the farm topology are required. In those cases some of the original UPS service provisioning might be redone, and the local admin permissions could again be required for that purpose. But this is only speculation, and I am eager to hear more experience from the SharePoint admins as time goes by. And I am also eager to see the UPS code quality improved by Microsoft. The June 2010 CU already addressed some problems.
Thanks a lot for your thoughts!
Yes, it will be interesting to see how the UPS stuff develops as the CUs & SPs come along.
Best regards,
bf
All of the information provided here is great and much appreciated. As Arttu mentioned, it’s funny how the Health Analyzer rules are contradictory to the TechNet instructions.
After you remove the Farm Account from the local admin group, you stop receiving the Health Analyzer alert from the “Accounts used by application pools or service identities are in the local machine Administrators group” rule definition.
However, you still get the alert from the “The Server farm account should not be used for other services” rule definition. I am assuming this is because the Forefront Identity Manager Synchronization Service Windows service, which gets started by the User Profile Synchronization Service in SharePoint, needs to reference the farm account.
So my question is, is there any way to have the User Profile Service actually work and NOT trigger any of the Server Health Rules?
Thanks
Ken
I am trying to start my User Profile Synchronization Service but it is not allowing me to change the user account from the Network Service account and it is requiring a password.
Hi, can you please explain how giving the Network Service account permission to this folder %programfiles%\Microsoft Office Servers\14.0 helps resolve the issue?
Because I was having this problem where my incremental imports were not running at 1am in the morning…. having given permission to this folder, the incremental imports now run fine at 1am… but I can’t seem to figure out why this works?
Can someone please explain?
Thanks
Step 3 is incorrect, you do not need to have a site collection for My Sites in order to get UPS working. You can always edit the UPS later to add which site collection will be used for My Sites. However, the path such as “/personal” cannot be changed once the UPS is created, so you need to match that when creating your site collection for My Sites.
My UPS got messed up and now I’m not able to delete it either. It’s stuck somewhere with the status as “Stopping” for many days now. Also I get this error:
An object of the type Microsoft.Office.Server.Administration.ProfileSynchronizationUnprovisionJob named “ProfileSynchronizationUnprovisionJob” already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named “SPTimerV4”. Rename your object or delete the existing object.
Please let me know how I can delete the user profile service.
Thanks for the walkthrough. I’m a little confused by step 2: Start the User Profile System Service. Is this the instance of the User Profile Service that is on the “Services on Server” page? Do you mean to go into services.msc on the server and start FIM there? Thanks for clearing up my confusion.
Noticed a comment by blueflake that said to remove the farm account from Allow log on locally but to keep it in the local admin group, but I just read this TechNet article http://technet.microsoft.com/en-us/library/gg750257.aspx which seems to indicate the opposite.
“Verify that the farm account has the required permissions
Verify that the farm account has the following permissions:
The farm account has Log On Locally permission to the server on which you are trying to start the User Profile Synchronization service.
The farm account is a member of the Administrators group on the server on which you are trying to start the User Profile Synchronization service.
Note:
This permission is required only to start the User Profile Synchronization service. After the User Profile Synchronization service is started, you can remove the farm account from the Administrators group.
After making changes to the farm account, you must restart the SharePoint 2010 Timer service or restart the server. This ensures that every SharePoint service that is currently running as the farm account is using the latest credentials.”