Following my previous post regarding the User Profile service (SharePoint 2010 – User profile synchronization still ‘starting’) – many others have the same issue – here is an update.
After a lot of time spent trying to make it work, here is what I did:
- After the first initialization (which failed), I deleted the service application (SA) instance for the synchronization service, with all its data, which stopped the two related services.
- I double checked the permissions of the service account in AD to allow Read on Replicating Directory Changes All. I don’t know why, but I only had Replicating Directory Changes (maybe a wrong click). Anyway, there should be an understandable error message about this; and this was not the only problem.
- Then I tried to create a new instance with a new name and new DBs, but reusing the previously created application pool. This still failed, without any real information. After a reboot, I had more detailed information: the service was looking for the previous instance’s DBs (which had been deleted).
- So I deleted the instance again, rebooted and tried again, naming the instance DBs with the same names as the first instance. It still failed; this time, the services wanted to use the DBs from the second try. But I also had another event logged, saying there might be a wrong username/password or a missing ‘log on as a batch job’ right for the service account used by the application pool. There was no problem with the local right, and while trying to reset the password from Central Administration I got an error related to the password policy (while the password policy was/is really permissive [no previous passwords remembered, no complexity…]).
- I created a new service account, registered it and tried again to provision the synchronization service, with no luck.
- Finally, I found something which said the service account has to be a local administrator.
After a manual cleaning of the registry keys and granting local administrator rights to the service account, I got the synchronization service working.
I also found an interesting thing: the Forefront Identity Manager included in SP 2010 is still in beta (Release Candidate). To check this, launch the FIM console (c:\program files\microsoft office servers\14.0\synchronization service\uishell\miisclient.exe) and watch the splash screen.
To conclude, before trying to provision the synchronization service do the following:
- Double check that you grant the Read permission on Replicating Directory Changes All to the service account
- Grant local administrator rights to the service account
- If provisioning failed, clean the registry (see below for the registry keys and values to be deleted)
Registry keys and values to be deleted in case of unprovisioning:
- HKLM\Software\Microsoft\Forefront Identity Manager\2010\Synchronization Service – delete the subkey whose name looks like a GUID
- HKLM\System\CurrentControlSet\services\FIMService – delete the values CertificateThumbprint, DatabaseName, ObjectName, ServiceAccountSid, SynchronizationAccount and SynchronizationAccountSid
- HKLM\System\CurrentControlSet\services\FIMSynchronizationService – delete the value ObjectName
- HKLM\System\CurrentControlSet\services\FIMSynchronizationService\Parameters – delete the value DBName
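As an added example that is not part of the original post, the following PowerShell script performs the registry cleanup listed above: it exports each key to a .reg file first, so the change can be undone, and honours -WhatIf so the deletions can be previewed. The backup folder is an assumed path; run it elevated on the SharePoint server hosting the synchronization service.

```powershell
# Added example: back up and clear the FIM registry entries listed in the post
# before re-provisioning User Profile Synchronization. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder for .reg backups taken before anything is deleted (assumed path).
    [string]$BackupDir = "C:\Temp\FIM-RegBackup"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys and the values to delete, as listed in the post.
$targets = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService' = @(
        'CertificateThumbprint', 'DatabaseName', 'ObjectName',
        'ServiceAccountSid', 'SynchronizationAccount', 'SynchronizationAccountSid')
    'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService' = @('ObjectName')
    'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters' = @('DBName')
}
$syncKey = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service'

function Backup-Key([string]$PsPath) {
    # reg.exe expects HKLM\..., not the PowerShell HKLM:\ drive form.
    $native = $PsPath -replace '^HKLM:\\', 'HKLM\'
    $file = Join-Path $BackupDir (($native -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    Write-Verbose "Exported $native to $file"
}

foreach ($key in $targets.Keys) {
    if (-not (Test-Path $key)) { Write-Warning "Missing key: $key"; continue }
    Backup-Key $key
    $present = (Get-Item $key).GetValueNames()
    foreach ($name in $targets[$key]) {
        # Only touch values that actually exist, so a partial cleanup is safe to rerun.
        if ($present -notcontains $name) { continue }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# The per-instance subkey under the Synchronization Service key is named with a GUID.
if (Test-Path $syncKey) {
    Backup-Key $syncKey
    Get-ChildItem $syncKey |
        Where-Object { $_.PSChildName -match '^\{?[0-9a-f-]{36}\}?$' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove GUID-named subkey')) {
                Remove-Item -Path $_.PSPath -Recurse
            }
        }
}
```

Run it once with -WhatIf -Verbose to confirm only the expected values and subkey are selected, then again without -WhatIf; the exported .reg files can be re-imported with reg.exe if the cleanup has to be reverted.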