NGenious Solutions Ltd.
SharePoint 2010 User Profile Sync

SharePoint 2010 User Profile Synchronization is very complex to implement and very fragile. We have seen a lot of issues in implementing this functionality in our environment. The following are the steps that we went through to successfully start User Profile Synchronization in our environment, along with some information to help maintain it in a production environment.


How to start User Profile Synchronization:

We followed this best practices document from Spence Harbar to start the User Profile Synchronization in our environment:



The primary requirements for configuring and starting user profile synchronization are to have:

a.        A service account that has been granted replicate changes permission at the active directory level

b.        The latest CU for SharePoint 2010. Currently the best CU is August 2010 CU. NOTE: The October CU has some known issues and should not be applied in the environment.


Here is a good diagram of the SharePoint 2010 User Profile Synchronization architecture, once again from Spence Harbar's blog.





The primary components that build the User Profile Synchronization are:

i.        Forefront Identity Manager

ii.       Forefront Identity Manager Synchronization

iii.      User Profile Service Application


The above diagram shows how they are related in the architecture.


Active Directory Requirement:

·         Grant the Replicating Directory Changes permission on the domain to the managed account. This account will be used to perform the sync.

·         Right Click the Domain, choose Delegate Control… click Next

·         Add the managed account, click Next

·         Select Create a Custom Task to Delegate, click Next

·         Click Next

·         Select the Replicating Directory Changes permission and click Next

·         Click Finish
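To confirm the delegation took effect, and to review which other principals hold the same right, the domain root ACL can be read with the ActiveDirectory module. This is an added example, not part of the original post; the account name CONTOSO\svc-spsync is a placeholder.

```powershell
# Added example: list who holds "Replicating Directory Changes" on the domain root.
Import-Module ActiveDirectory

# Schema GUID of the DS-Replication-Get-Changes extended right, which the
# Delegate Control wizard displays as "Replicating Directory Changes".
$replChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Assumption: placeholder name for the managed account used for the sync.
$syncAccount = 'CONTOSO\svc-spsync'

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs that grant this specific extended right.
# ACEs that grant all extended rights or full control are not listed here
# and should be reviewed separately.
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$holders = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extRight) -and
    $_.ObjectType -eq $replChanges
})

$holders | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize

if ($holders | Where-Object { $_.IdentityReference.Value -eq $syncAccount }) {
    "OK: $syncAccount holds Replicating Directory Changes on $domainDn"
} else {
    Write-Warning "$syncAccount does not hold Replicating Directory Changes on $domainDn"
}
```

Any principal in the output that is not a domain controller group or the sync account is worth reviewing, because the right allows reading directory changes for the whole domain.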



We also need to understand where we should start the User Profile Synchronization service. The User Profile Service application is not a load-balanced service. It can only connect to one User Profile Synchronization service at any point in time.


This means that if we have 1 User Profile Service Application in our environment, we can have the User Profile Synchronization service running only on 1 server. When you start the service on a server (Ideally on a server that is setup as the application server role), it will prompt you to select the appropriate User Profile Service Application.


NOTE: This service will always run with the farm administration credentials. You cannot use a service application account to run this service.



Start the User Profile Synchronization Service:

·         Identify the server where you want to start service

·         Go to Central administration and Services on the server

·         Select proper server from the drop down list of servers

·         Click start "User Profile Synchronization Service"


NOTE: Be patient. This process can take anywhere from 15-30 minutes to start the service successfully.


Known issues: User Profile Sync service stays in starting state


·         Give it at least 30 minutes before you take any drastic action

·         You can force stop and start the service using PowerShell

o    Get-SPServiceInstance -Server "Servername"

o    Stop-SPServiceInstance -Identity "GUID of Service"

·         Verify if there are errors with FIM services in Event log

o    NOTE: FIM will generally throw two errors in the event log stating it cannot communicate with SQL databases. These are expected errors and nothing to worry about.

·         Perform an IIS reset

·         If necessary, perform a reboot and then click on start service again. If it repeatedly does not work, check the firewall settings on the server or, if you have another server in the farm, try to start the service on another server.



Debugging FIM Services issues:

·         Click link to get details on the XML changes for the FIM Debugging: Generate Debug log for FIM in SharePoint 2010



Manage User Profile Service application:


Once the profile synchronization service has started successfully, we can configure connections for profile import and start synchronization. In order to do so, we need to go to "Manage User Profile Service Application".




Creating new profile import connection:



Connecting to Active Directory:



Select the appropriate containers and save connection.

If you have issues during saving connection, verify the following:

·         Do you have latest CU installed in the environment?

·         Are there any firewall rules blocking connections from the Central Administration server to the server running the User Profile Synchronization Service? FIM uses ports 5725 and 5726, and SharePoint 2010 Web Services use ports 32843, 32844, 32845, and 32846.
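A quick way to test the ports listed above from the Central Administration server, written for the PowerShell 2.0 that ships with SharePoint 2010 servers. This is an added example, not part of the original post; the server name SPAPP01 is a placeholder.

```powershell
# Added example: TCP reachability check for the FIM and SharePoint Web Services ports.
# Assumption: 'SPAPP01' stands in for the server running the
# User Profile Synchronization Service.
function Test-SyncPorts {
    param(
        [string]$Server    = 'SPAPP01',
        [int[]] $Ports     = @(5725, 5726, 32843, 32844, 32845, 32846),
        [int]   $TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open   = $false
        try {
            # Asynchronous connect so a silently dropped packet cannot hang the check.
            $async = $client.BeginConnect($Server, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Server = $Server; Port = $port; Open = $open }
    }
}

# A port reported as closed is either blocked by a firewall or has no service
# listening (for example, the FIM services are not started yet).
Test-SyncPorts | Sort-Object Port | Format-Table Server, Port, Open -AutoSize
```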


Connection Filters:


Connection filters allow us to filter out unnecessary data from our User profile synchronization. It is very basic in functionality and cannot do complex filtering. 


Start User Profile Synchronization:


Once you have the connection configured properly, you can start full synchronization of profiles. By default, User Profile Synchronization only brings in "USERS" and "GROUPS".


Just click on "Start Profile Synchronization" and select "Full".


Once you have kicked off the synchronization, the FIM client gives a better idea of how Synchronization is proceeding.


There are 6 stages to User Profile Synchronization:


1.        DS_FULLIMPORT - Imports data from Active Directory

2.        DS_FULLSYNC - Synchronizes data internally (First sync, inserts; then synchronizes internally)

3.        MOSS_EXPORT - Exports data to SharePoint Profile Database

4.        MOSS_SYNC - Synchronizes data in the SharePoint Profile Database

5.        DS_DELTASYNC - Perform Delta sync internally

6.        DS_EXPORT - Perform exports to SharePoint


8.     MOSS_SYNC


Soon to follow:


Deep Dive in to the FIM Client



Additional Tips & Tricks:

·         Deleting Connections will delete My Sites

·         Refresh page after starting synchronization

·         Applying security patches / hotfixes may stop User Profile Synchronization Service

·         Applying security patches / hotfixes may “remove” existing connections to directory sources

·         Do not perform backup / recovery from Central administration when synchronization is in progress. It will stop sync and may stop services

·         Cannot authenticate against one source and synchronize profiles from other Source unless using Claims Provider.

·         SharePoint will not be able to merge login with Profile

·         DO NOT STOP / START / REBOOT SQL Server while profile sync is in progress. It stops syncs and starts all over again.

·         Review Firewall settings between servers, especially if they are on different subnets. FIM uses port 5725, 5726. SharePoint Web Services use port 32843, 32844, 32845, 32856

·         After you create active directory connection and start profile synchronization, the resulting page has an “&” in the query string part of the URL. DO NOT CLICK ON REFRESH PAGE WITHOUT REMOVING THE “&”. OTHERWISE IT KICKS OFF SYNCHRONIZATION FROM SCRATCH AGAIN.




Avoid My Site Deletions:


·         Deleting Directory connection marks all My sites associated with service application for deletion.

·         Timer job: My Site Cleanup job will run and delete all My Sites

·         Disable My Site Cleanup job to prevent my sites from getting deleted

·         Create new directory connection.

·         Run Full Sync

·         It will re-create profiles and associate to My Sites.

·         It will unmark sites from deletion. If needed, enable My Site cleanup job
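The disable and re-enable steps above can be scripted so that the connection is never deleted while the cleanup job is still active. This is an added example, not part of the original post; it finds the job by the display name the post uses, and the helper name Set-MySiteCleanupJob is hypothetical.

```powershell
# Added example: guard the My Site Cleanup timer job around a connection rebuild.
# Run on a farm server, in the SharePoint 2010 Management Shell or with the snap-in loaded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-MySiteCleanupJob {
    param([switch]$Enable)

    # Match on the display name given in the post ("My Site Cleanup job").
    $jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like 'My Site Cleanup*' })
    if ($jobs.Count -eq 0) {
        throw 'No timer job matching "My Site Cleanup*" was found; do not delete the connection yet.'
    }
    foreach ($job in $jobs) {
        if ($Enable) { Enable-SPTimerJob  -Identity $job }
        else         { Disable-SPTimerJob -Identity $job }
    }
    # Re-read the jobs so the reported state is what the farm actually stored.
    Get-SPTimerJob | Where-Object { $_.DisplayName -like 'My Site Cleanup*' } |
        Select-Object DisplayName, IsDisabled, LastRunTime
}

# Step 1: disable the job and confirm it before touching the directory connection.
$state = Set-MySiteCleanupJob
if ($state | Where-Object { -not $_.IsDisabled }) {
    throw 'My Site Cleanup job is still enabled; stop here.'
}
$state | Format-Table -AutoSize

# Step 2: recreate the directory connection and run a Full sync in Central Administration.
# Step 3: once profiles are re-associated with their My Sites, re-enable the job if needed:
# Set-MySiteCleanupJob -Enable
```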

NYC Techstravaganza!!!
The New York City Techstravaganza is a one day grassroots technical conference for IT Pros that is being brought to you by a few of the local community groups in cooperation with Microsoft.  We appreciate your interest in the event and we look forward to sharing more info with you as it becomes available.  We highly recommend that you subscribe to the RSS feed or via WordPress subscription to ensure that you receive updates as they come through.  This is a completely free event that you will not want to miss
SharePoint 2010 Ignite Training
SharePoint 2010 "Ignite" is a 5-day Instructor-led training program for SharePoint 2007 SI partners. This is an invitation-only event and is free of charge* for attendees.
I am glad to announce that we were invited to attend the training. This shows our commitment to Microsoft and SharePoint technologies.
I attended the first day of training today and it was awesome. There is a lot to look forward to and I can't wait for the official beta to release at the SharePoint Conference in October, so we can all start talking about it.
More to come soon.
Nilesh Mehta
Nilesh Mehta Presenting at SharePointSaturday - Project Server 2007 Integration with MOSS 2007
The SharePointSaturday team is organizing its event in New York on February 21st 2009 at the Microsoft Office on 1290 Avenue of Americas.
It is going to be a full day of training sessions on SharePoint technologies from some of the most reputed industry experts.
Nilesh Mehta from NGenious Solutions, Inc. will be presenting a topic on integrating Project Server 2007 with Microsoft Office SharePoint Server 2007.
Look forward to seeing you all there.
Microsoft Office PerformancePoint Server Roadmap Update
Microsoft has announced the Performance Point 2007 roadmap update. This great utility from Microsoft will now be blended in to SharePoint to provide better reporting capabilities. This is a great move from Microsoft to still enhance an already awesome product - Microsoft Office SharePoint Server 2007. Here is the original blurb from the Microsoft site:
The Microsoft business intelligence (BI) strategy is to use the tools found in Microsoft Office SharePoint Server and Microsoft Office Excel —and the scalable Microsoft SQL Server business intelligence platform —to deliver BI to anyone in any organization. This strategy enables customers to deploy complete BI solutions through existing investments in these three key Microsoft products.
Based on customer feedback, Microsoft has decided to consolidate Microsoft Office PerformancePoint Server scorecard, dashboard, and analytical capabilities into Office SharePoint Server Enterprise as PerformancePoint Services. This consolidation will enable you to deliver capabilities to your customers at a lower total cost of ownership. You can be confident that supporting Planning customers remains a top priority for Microsoft. In mid-calendar-year 2009, Microsoft will release Office PerformancePoint Server 2007 Service Pack 3 (SP3), which will include updates to the current product’s Planning module; thereafter Microsoft will not make further investments in stand-alone versions of Office PerformancePoint Server."
MOSS - Large File Limits

Recently at one of our customer sites, we were running in to issues with downloading large files from MOSS Windows Explorer View. Users had been able to upload a large file to a SharePoint document library using the upload file features of a Document Library. However, when trying to download the same file using Windows Explorer view, they were getting errors. NOTE: They could still download the same file using right-click save-as option or the send to menu on a file in the document library.

Upon opening a case with Microsoft, we found that it is because during download from a Windows Explorer view, the protocol that is being used required a "Contiguous" chunk of memory that is twice the size of the file that is being downloaded. On a 32-bit OS, there is a limit of 2GB per application pool. Our application pools were always running around 700MB or so and hence after that for some reason, it was not able to find a contiguous chunk of memory that might be about 500 MB or so (Large files 200MB or more). This would cause downloads to fail.

Microsoft has mentioned this to be dependent on how the code was written and would possibly be fixed with the next version of SharePoint. Unfortunately, there is no immediate fix available.

The only option that they have suggested at this point is to migrate to a 64-bit OS and maybe 64-bit MOSS.

Not sure how it is going to work out, but hopefully this information helps someone.


Starting Search Service forcefully
If you ever run into a situation where some of your SharePoint services did not start properly in a timely manner, you can forcibly start them using the stsadm -o provisionservice command in the following manner.
stsadm -o provisionservice -action start -servicename OSearch -servicetype "Microsoft.Office.Server.Search.Administration.SearchService,Microsoft.Office.Server.Search, Version=, Culture=neutral,PublicKeyToken=71e9bce111e9429c"
The -servicename is what will be key for you. You need to make sure you have a list of all service names. The ideal way to do this would be to use the following command from a fully functional server and it gives you a list of all service names
stsadm -o enumservices
Copyright © 2013 NGenious Solutions. All rights reserved.