Sometimes the User Profile Synchronization service does not start properly, gets stuck in "Starting" mode, or simply remains in a "stale" state. This can also happen when you have used a PowerShell script with missing or incorrect settings, which then causes the sync service to fail as well.
In such cases, MS Support usually suggests recreating the entire User Profile Service Application (which, BTW, is really the most recommended approach when things go wrong that way).
But maybe this is not applicable for you and you may not want to hard delete the UPA. In such cases it might be helpful to first try a "Reset of the User Profile Synchronization service".
A good resource to start with is the TechNet post on "Maintain profile synchronization (SharePoint Server 2010)", which contains a lot of other useful information as well.
But before you start with the TechNet article "Reset profile synchronization", note that the article does not contain all the steps to be done.
Please see the additional steps below to complete the action!
---------------------------------------------------------------------------------------
Make sure that you log on to the server that is hosting the User Profile Synchronization service with an account that has elevated permissions.
To clean up the duplicate certificates, please do as follows:
- Run the Microsoft Management Console (MMC) and choose “Add/Remove Snap In” from the File menu.
- From the list of snap-ins choose Certificates and then choose “Computer Account”.
- Now in the list of certificate stores, we need to examine the one that the command refers to: the Trusted Root Certification Authorities store.
- Delete all of the ForefrontIdentityManager certificates from the Trusted Root Certification Authorities.
- Click on Personal > Certificates and delete any ForefrontIdentityManager certificates in the store.
Once done so far, please go back to the TechNet article "Reset profile synchronization" and follow all further steps as described there.
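The same certificate clean-up can be scripted instead of clicked through in the MMC. The following PowerShell is an added example, not part of the original post or the TechNet article; the function name Remove-FimCertificate and the backup folder are assumptions, and it matches certificates by the ForefrontIdentityManager subject in the two computer-account stores named in the steps above.

```powershell
# Added example, not from the original post. Uses the .NET X509Store class
# so that it also runs on PowerShell 2.0.
function Remove-FimCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Assumed backup folder; only the public certificate (.cer) is saved.
        [string]$BackupDir = (Join-Path $env:TEMP 'fim-cert-backup')
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Root = Trusted Root Certification Authorities, My = Personal.
    foreach ($storeName in 'Root', 'My') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        try {
            # Collect the matching certificates in this store.
            $hits = @($store.Certificates |
                Where-Object { $_.Subject -like '*ForefrontIdentityManager*' })
            foreach ($cert in $hits) {
                $removed = $false
                if ($PSCmdlet.ShouldProcess("LocalMachine\$storeName $($cert.Thumbprint)", 'Remove certificate')) {
                    if (-not (Test-Path $BackupDir)) {
                        New-Item -ItemType Directory -Path $BackupDir | Out-Null
                    }
                    $file = Join-Path $BackupDir "$storeName-$($cert.Thumbprint).cer"
                    [IO.File]::WriteAllBytes($file, $cert.Export('Cert'))
                    $store.Remove($cert)
                    $removed = $true
                }
                New-Object PSObject -Property @{
                    Store = $storeName; Subject = $cert.Subject
                    Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
                    Removed = $removed
                }
            }
        }
        finally { $store.Close() }
    }
}

# Dry run: lists the matching certificates without deleting anything.
Remove-FimCertificate -WhatIf
```

Calling the function without -WhatIf prompts for confirmation before each certificate is removed.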
Clearing up some confusion about "Accounts" and their meanings:
-------------------------------------------------------------------------------
- Farm account => This is usually the account that admins use to administer and configure a SharePoint farm. That's NOT recommended! Note! This is a widespread misunderstanding and common mistake! You should think about the "Farm Account" more as a "service identity" used by Central Administration and the timer service (like OWSTIMER).
It must not be used as your standard "Farm Admin account" for configurations and/or unrestricted access to SharePoint resources! Best practice here is to use another regular account that is dedicated only to administering/configuring SharePoint and its settings, and only for that purpose!
- Setup account => This can be a separate account, usually used just to install/deploy SharePoint.
- User Profile Services in general => Please see more details for all required permissions in these articles:
Configure profile synchronization (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)
- User Profile Synchronization Account => The account that is needed when you're starting the User Profile Synchronization service.
This is pre-selected by default (you cannot change the account in the UI) and is usually the Server Farm account, which is created during the SharePoint farm setup.
More details are also found here: Plan account permissions
- Machine Administrator => elevated permissions when you use the "run as administrator" option.
Find more about "the difference between Local Administrator and Machine Administrator" in Joerg Sinemus' post.
Other related posts:
--------------------------
http://blogs.technet.com/b/steve_chen/archive/tags/user+profile/
Rational Guide to implement SP 2010 User profile synchronization by Spencer Harbar
:-)
(update 2013-02-14 => some corrections and additions to avoid confusion regarding "Accounts" and their meaning)
I would say it's a good blog to know about the details
After I read, I got knowledge on this topic.
very nice