Steve Chen [MSFT] Sr. Support Escalation Engineer

...about SharePoint mysteries and related

Blogs

SP2010 - Reset User Profile synchronization

  • Comments 4
  • Likes

 

Sometimes the User Profile Synchronization service may not start properly, stucks in starting mode or simply remains in a "stale" state.
Also it may happen, when you have used a PowerShell Script but with some missing or incorrect settings, which then will cause the sync service to fail as well.

So usually, MS Support suggests in such cases most likely to recreate the entire User Profile Service Application (which BTW is really most recommended when things going wrong that way).

But maybe this is not applicable for you and you may not want to hard delete the UPA. In such cases it might be helpful just to try first a "Reset of the User Profile Synchronization service".

A good resource to start with is the TechNet Post on "Maintain profile synchronization (SharePoint Server 2010)", which contains a lot other useful information as well.

But before you start with the TechNet article "Reset profile synchronization", notice that the article does not contain all steps to be done Winking smile

 

Please see the additional steps below to complete the action!
---------------------------------------------------------------------------------------

clip_image001  Make sure that you logon to the Server that is hosting the user profile synchronization service with an account that has elevated permissions.

  1. Logon to the Server that hosts the User Profile Synchronization Service
  2. Stop the user profile synchronization service via UI. If this fails try using powershell as described below
    1. Run the SharePoint 2010 Management Shell as Administrator
    2. Run Get-SPServiceInstance and copy the id of the User Profile Synchronization service;
    3. Run Stop-SPServiceInstance // e.g. Stop-SPServiceInstance 14ffcb48-bd7e-49c0-915d-24f452286d51
  3. "check" for duplicate certificates; 

 

To clean up the duplicate certificates, please do as follows:

Run the Microsoft Management Console (MMC) and Choose “Add/Remove Snap In” from the File Menu:

clip_image001

From the list of snap ins choose Certificates and then choose “Computer Account”

clip_image002

Now in the list of certificate stores, we need to examine the one that the command refers to:
The Trusted Root Certification Authorities store:

Delete all of the ForefrontIdentityManager certificates from the Trusted Root Certification Authorities.
Click on Personal > Certificates, delete any ForefrontIdentityManager certificates in the store

Once done so far, please go back to the TechNet article  "Reset profile synchronization" and follow all further steps as described there.

NOTE!
After a reset of the Sync DB it may happen, that although you have disabled the MySite cleanup timer job before, that some user profiles are missing from import or got deleted.
Just run 2 FULL-Imports and 1 incremental import and then recheck if all user profiles and groups are back as intended!

 

Clearing some confusions with "Accounts" and its meanings:
-------------------------------------------------------------------------------

- Farm account => This is usually the account that admins using to administer and configure a SharePoint Farm. That's NOT recommended!
  Note!  This is a wide spread misunderstanding and common mistake!   You should think about the "Farm Account" more as a "service identity" used by central admin and the timer service (like OWStimer i.e.).

Must not to be used as your standard "Farm Admin account" for configurations and/or unrestricted access to SharePoint resources!
Best practice here is to use another regular account that is dedicated only to administer/configure SharePoint and its settings and only for that purpose!

- Setup account => This can be a separate account, usually used just to install/deploy SharePoint.
- User profile Services in general => Please see more details for all required permissions on these articles: 

Configure profile synchronization (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)

- User Profile Synchronization Account => The Account that is needed while you're starting the User Profile Synchronization service

This is pre-selected by default (you cannot change the account in the UI) and is usually the Server Farm account, which is created during the SharePoint farm setup.

more details are also found here:  Plan account permissions  

- Machine Administrator => elevated permissions when you use the "run as administrator" option.

find more about "the difference between Local Administrator and Machine Administrator" on Joerg Sinemus' post.

 

Other related posts:
--------------------------

http://blogs.technet.com/b/steve_chen/archive/tags/user+profile/

Rational Guide to implement SP 2010 User profile synchronization by Spencer Harbar

 

:-)

 

 (update 2013-02-14  => some corrections and adds to avoid confusions regarding "Accounts" and its meaning)

 

 

Comments
  • I would say its a good blog to know about the details

  • After I read, I got knowledge on this topic.

  • very nice

  • thanks - with regard to the cert deletes, I had to do it for the Service Account as well as My Computer (ie. open MMC, add certificates snapin, choose Service Account, and pick the Forefront Identity Manager Synch Service) there was a bunch of certs for FIM under the same location you indicated above.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment