Provisioning The User Profile Service Application

July 9 2010 121 comments

As I wrote earlier, SharePoint 2010 ships with a profile synchronization engine from Forefront Identity Manager (FIM). After performing several SharePoint 2010 environment installations, this also seems to be the most fragile part of the SharePoint 2010 architecture, especially when using a least-privileged accounts install model.

There is a lot of content in the blogs and on TechNet related to configuring user profile synchronization. In my experience, the services have to be launched in the order described below. In most environments this is enough, but in some places I am still struggling to get this to work. Step 5 seems to be the most critical, as the FIM services create certificates and establish database connections, and there are several error-prone phases in that process.

1. Add the farm account into the local administrators group. This is stated in the TechNet article:

The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed.

There seem to be some conflicting opinions about the correct permissions, as this will cause the SharePoint Health Analyzer to create a warning:

Accounts used by application pools or service identities are in the local machine Administrators group. Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute.

Also grant the Replicate Directory Changes permission for the farm account used in the synchronization connection. Reboot the server to make sure that all the services using the farm account run with the new privileges.

2. Start the User Profile System Service.

3. Create the User Profile Service Application by using the wizard or PowerShell. Remember that you need to have a site collection for the My Site Host even if you do not plan to use My Sites yet.

4. Set the farm account to have full control of the Service Application: select the SA from the SA list and use the Administrators and Permissions actions in the ribbon.

5. Launch the User Profile Synchronization system service. It may take several minutes for the service to move from the Starting state to the Started state. The system service starts two Windows services with the farm account: first the Forefront Identity Manager Synchronization Service and then the Forefront Identity Manager Service. While these are launched, monitor the event log for any errors related to these two services and use the Internet resources to find the answers.

For example, if you get warning event 1004:

Detection of product ‘{90140000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’, component ‘{1C12B6E6-898C-4D58-9774-AAAFBDFE273C}’ failed. The resource ‘C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe’ does not exist.

grant the Network Service account access to the folder C:\Program Files\Microsoft Office Servers\14.0 as described here.

6. After the system service is in the Started state, you should be able to access the SA administration page and configure the profile synchronization according to TechNet. As described in my earlier post, SharePoint will not update anything in Active Directory by default, even though the synchronization has export stages as well. Also note that profile synchronization in SharePoint 2010 takes several minutes, compared to 2007 where it was usually a matter of seconds.
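The procedure above, steps 2 to 6 plus the event 1004 remedy from step 5, as an added example script for the SharePoint 2010 Management Shell. This is not code from the original post; the farm account, application pool, database names and My Site host URL are assumptions, and the call to SetSynchronizationMachine (what Central Administration does when it asks for the farm account password) is an assumed equivalent of starting the synchronization service from the Services on Server page. Run it on the server that will host the synchronization service.

```powershell
# Added example (not from the original post): provision the User Profile Service
# Application in the order of steps 2-6, with the checks a least-privilege
# install needs. All names below are assumptions for this example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount  = 'CONTOSO\spfarm'                   # assumed farm account (DOMAIN\user)
$farmPassword = Read-Host -AsSecureString 'Farm account password'
$poolName     = 'SharePoint Web Services Default'  # assumed existing service app pool
$mySiteHost   = 'http://mysites.contoso.local'     # assumed My Site host site collection
$upaName      = 'User Profile Service Application'
$here         = $env:COMPUTERNAME

# Step 1 check: the farm account must be a local Administrator while the sync
# service is provisioned. Fail early instead of halfway through step 5.
$adminNames = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if (@($adminNames) -notcontains $farmAccount.Split('\')[1]) {
    throw "$farmAccount is not in the local Administrators group on $here; add it and reboot first."
}

# Step 2: start the User Profile Service instance on this server.
$ups = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Service' -and $_.Server.Address -eq $here }
if ($ups.Status -ne 'Online') { Start-SPServiceInstance -Identity $ups | Out-Null }

# Step 3: create the service application; the My Site host site collection must exist.
if (-not (Get-SPSite $mySiteHost -ErrorAction SilentlyContinue)) {
    throw "My Site host $mySiteHost does not exist; create that site collection first."
}
$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq $upaName }
if (-not $upa) {
    $upa = New-SPProfileServiceApplication -Name $upaName `
        -ApplicationPool (Get-SPServiceApplicationPool $poolName) `
        -ProfileDBName 'SP2010_Profile' -SocialDBName 'SP2010_Social' `
        -ProfileSyncDBName 'SP2010_Sync' -MySiteHostLocation $mySiteHost
}

# Step 4: Full Control for the farm account on the SA's Administrators ACL
# (the "Administrators" ribbon action in Central Administration).
$principal = New-SPClaimsPrincipal -Identity $farmAccount -IdentityType WindowsSamAccountName
$adminAcl  = Get-SPServiceApplicationSecurity -Identity $upa -Admin
Grant-SPObjectSecurity -Identity $adminAcl -Principal $principal -Rights 'Full Control'
Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $adminAcl -Admin

# Step 5: bind the sync service instance to this machine and the farm account
# (assumed equivalent of starting it from Services on Server), then poll.
$sync = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Synchronization Service' -and $_.Server.Address -eq $here }
if ($sync.Status -ne 'Online') {
    $sync.Status = 'Provisioning'
    $sync.IsProvisioned = $false
    $sync.UserProfileApplicationGuid = $upa.Id
    $sync.Update()
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($farmPassword))
    $upa.SetSynchronizationMachine($here, $sync.Id, $farmAccount, $plain)
    $plain = $null
}
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $sync = Get-SPServiceInstance -Identity $sync.Id
    Write-Host ('{0}  sync instance status: {1}' -f (Get-Date -Format 'HH:mm:ss'), $sync.Status)
} while ($sync.Status -ne 'Online' -and (Get-Date) -lt $deadline)

# The two FIM Windows services should now be running as the farm account.
Get-WmiObject Win32_Service -Filter "Name LIKE 'FIM%'" | Select-Object Name, State, StartName

# Warning event 1004 from the post (MsiInstaller, component PeopleILM): grant
# Network Service access to the install folder. RX is an assumption; the post
# only says "access".
$warn1004 = Get-EventLog -LogName Application -Source MsiInstaller -EntryType Warning `
    -After (Get-Date).AddHours(-1) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1004 -and $_.Message -like '*PeopleILM*' }
if ($warn1004) {
    $target = Join-Path $env:ProgramFiles 'Microsoft Office Servers\14.0'
    icacls $target /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)RX' /T | Out-Null
    Write-Warning "Event 1004 seen; granted NETWORK SERVICE RX on $target (step 5 note)."
}

if ($sync.Status -ne 'Online') {
    throw 'Synchronization service did not reach Online; check the Application log for FIM errors.'
}
```

The polling loop is there because the Provisioning-to-Online transition is where the certificate and database work happens; the script prints the status every 30 seconds so a failure shows up as a stalled state rather than a silent hang, and the final throw keeps a half-provisioned instance from being mistaken for success.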

As the RTM celebrations are over and Microsoft starts to patch the brand new 2010, I expect the user profile-related binaries to be among the top-priority components where stability and quality should be improved. The first step should be to make the error messages more verbose.


121 comments to “Provisioning The User Profile Service Application”

  1. majox says:

    Hi, thanks for this great article :) I had the same problem today and I am happy that someone resolved the problem the same way :)

  2. Arttu Arstila says:

    I found an interesting and comprehensive step-by-step guide: http://www.harbar.net/articles/sp2010ups.aspx

  3. blueflake says:

    I have a question about step 1:

    Should one really give the “Replicating Directory Changes” permission to the farm account? According to Technet (http://technet.microsoft.com/en-us/library/ee721049.aspx), it is the account that is used when you create a new Synchronization connection that should have those rights. (And that should not be the farm account, if I have understood correctly?)

    Thanks for a great article!

  4. Arttu Arstila says:

    Thanks for the comment! According to the harbar.net article I linked above: “To provision the UPS service – we must make the DOMAIN\spfarm account a local administrator of the box hosting the UPS service. Once we are done we can remove this.” For the actual synchronization connection, the harbar article seems to use a different service account. And that account is given the “Replicating Directory Changes” permissions. So you are correct, thanks for pointing that out. I will update the article accordingly.

  5. blueflake says:

    Glad to help! :)

    In step 4, you give the farm account permissions on the SA, which is exactly what MS tells you to do (see the TechNet article I linked to above). It’s weird though that Harbar doesn’t seem to mention anything about that?

    From TechNet:

    “- The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed.

    - The Server Farm account must be able to log on locally to the server where Profile Synchronization will be deployed. This permission can be removed once the User Profile Synchronization service is started.”

    The TechNet article never says anything about _removing_ the farm account from local admins, just about removing the log on locally right. Do you think it’s a typo, that it should be the other way around (as Harbar says)?

  6. Arttu Arstila says:

    I have seen some cases where the farm account did not have the farm account permissions as it should have had. In those cases the errors were related to establishing the MIIS encryption keys, profile databases and other issues related to provisioning the service application for the first time.

    Presumably Harbar has tested his instructions. According to my experience I also find it reasonable that, once the services are set up, normal operations could continue without the farm account having the local admin permissions. At least you can get the SP Health Analyzer to stop nagging about the excess permissions :) It is funny that the Health Analyzer rules are contradictory to the TechNet instructions.

    However, there might be times when massive changes in the farm topology are required. In those cases some of the original UPS service provisioning might be redone, and the local admin permissions could again be required for that purpose. But this is only speculation, and I am eager to hear more experience from the SharePoint admins as time goes by. And I am also eager to see the UPS code quality improved by Microsoft. The June 2010 CU already addressed some problems.

  7. blueflake says:

    Thanks a lot for your thoughts!

    Yes, it will be interesting to see how the UPS stuff develops as the CUs & SPs come along. :)

    Best regards,

    bf

  8. Ken says:

    All of the information provided here is great and much appreciated. As Arttu mentioned, it’s funny how the Health Analyzer rules are contradictory to the TechNet instructions.

    After you remove the Farm Account from the local admin group, you stop receiving the Health Analyzer alert from the “Accounts used by application pools or service identities are in the local machine Administrators group” rule definition.

    However, you still get the alert from the “The server farm account should not be used for other services” rule definition. I am assuming this is because the Forefront Identity Manager Synchronization Service Windows service, which gets started by the User Profile Synchronization Service in SharePoint, needs to reference the farm account.

    So my question is, is there any way to have the User Profile Service actually work and NOT trigger any of the Server Health Rules?

    Thanks
    Ken


  10. Greg says:

    I am trying to start my User Profile Synchronization Service but it is not allowing me to change the user account from the Network Service account and it is requiring a password.


  12. Bronyx says:

    Hi, can you please explain how giving the network service account permission to this folder %programfiles%\Microsoft Office Servers\14.0 helps resolve the issue please?
    Because I was having this problem where my incremental imports were not running at 1am in the morning… having given permission to this folder, the incremental imports now run fine at 1am… but I can’t seem to figure out why this works?
    Can someone please explain?

    Thanks

  13. Rob says:

    Step 3 is incorrect, you do not require to have a site collection for My Sites in order to get UPS working. You can always edit the UPS to add what the site collection will used for My Sites at a later time. However, the path such as “/personal” cannot be changed once the UPS is created so you need to match that when creating your site collection for My Sites.

  14. Dhyan says:

    My UPS got messed up, now I’m not able to delete it either. It’s stuck somewhere with the status as “Stopping” for many days now :-). Also I get this error:
    An object of the type Microsoft.Office.Server.Administration.ProfileSynchronizationUnprovisionJob named “ProfileSynchronizationUnprovisionJob” already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named “SPTimerV4”. Rename your object or delete the existing object.

    Please let me know how I can delete the user profile service.

  15. Rich says:

    Thanks for the walkthrough. I’m a little confused by step 2: Start the User Profile System Service. Is this the instance of the User Profile Service that is on the “Services on Server” page? Do you mean to go into services.msc on the server and start FIM there? Thanks for clearing up my confusion :)

  16. john-rock says:

    Noticed a comment by blueflake that said to remove the farm account from allow log on locally but to keep it in the local admin group, but I just read this TechNet article http://technet.microsoft.com/en-us/library/gg750257.aspx which seems to indicate the opposite.

    “Verify that the farm account has the required permissions
    Verify that the farm account has the following permissions:

    The farm account has Log On Locally permission to the server on which you are trying to start the User Profile Synchronization service.

    The farm account is a member of the Administrators group on the server on which you are trying to start the User Profile Synchronization service.

    Note:
    This permission is required only to start the User Profile Synchronization service. After the User Profile Synchronization service is started, you can remove the farm account from the Administrators group.

    After making changes to the farm account, you must restart the SharePoint 2010 Timer service or restart the server. This ensures that every SharePoint service that is currently running as the farm account is using the latest credentials.”
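The TechNet text quoted in this comment says the local Administrators membership (and, per the earlier quote, the log on locally right) is only needed to start the synchronization service. The following added audit script, which is not from the post or any of the comments, checks on the synchronization server whether the service is actually Online before those rights are dropped, whether the farm account still holds them, and which Windows services run as the farm account (the two FIM services are expected, which is why the "farm account should not be used for other services" rule keeps firing). The farm account name is an assumption.

```powershell
# Added example (not from the post or its comments): post-provisioning audit of
# the farm account's rights on the User Profile Synchronization server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$farmAccount = 'CONTOSO\spfarm'   # assumed DOMAIN\user
$farmSam     = $farmAccount.Split('\')[1]
$farmSid     = (New-Object System.Security.Principal.NTAccount($farmAccount)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value

# 1. Is the synchronization service instance on this box Online? Only then is
#    it safe to remove the start-up-only rights.
$sync = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Synchronization Service' -and
    $_.Server.Address -eq $env:COMPUTERNAME }
$syncOnline = ($sync -ne $null -and $sync.Status -eq 'Online')

# 2. Local Administrators membership (the Health Analyzer rule "Accounts used by
#    application pools or service identities are in the local machine
#    Administrators group"). The WinNT provider returns the SAM name only.
$members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$isLocalAdmin = @($members) -contains $farmSam

# 3. "Allow log on locally" (SeInteractiveLogonRight) from the effective local
#    security policy; secedit lists holders by SID (*S-1-5-...) or by name.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Get-Content $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }) -join ''
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasLogonLocally = ($line -like "*$farmSid*") -or ($line -like "*$farmAccount*")

# 4. Windows services that run as the farm account. FIMSynchronizationService
#    and FIMService are expected; anything else deserves a look.
$services = Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName.ToLower() -eq $farmAccount.ToLower() } |
    Select-Object Name, State

New-Object PSObject -Property @{
    SyncServiceOnline     = $syncOnline
    FarmAccountLocalAdmin = $isLocalAdmin
    FarmAccountLogonLocal = $hasLogonLocally
    ServicesAsFarmAccount = ($services | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
} | Format-List

if ($syncOnline -and $isLocalAdmin) {
    Write-Warning ("Sync service is Online; $farmAccount can now be removed from local " +
        "Administrators. Restart the SharePoint 2010 Timer service afterwards.")
}
if (-not $syncOnline -and -not $isLocalAdmin) {
    Write-Warning "Sync service is not Online and $farmAccount is not a local admin; starting it will likely fail."
}
```

The script only reports; removing the group membership and the user right is left as a deliberate manual step, because the quoted TechNet text also requires restarting the Timer service (or the server) afterwards so that every service running as the farm account picks up the reduced token.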
