Configuring profile import in SharePoint 2010

So I keep smashing my head into this and it drives me nuts. So I am going to try to throw together some quick nuggets. I have gotten this to successfully work about a dozen times so I have hopefully seen all of the craziness. I have also worked with Todd Klindt to compile some of these notes.

The first one is for goodness sakes read this TechNet article. If you read it slowly and do everything it says you can do very little wrong. But no one wants to read it so here are my notes.

  1. The farm account HAS TO BE A LOCAL ADMINISTRATOR. I am sorry but there is no way around this right now so quit trying to avoid it. Having a problem figuring out what account is your farm account? I can help with that.
    1. Central Admin > System Settings > Manage services on server
    2. Scroll down and find the User Profile Synchronization Service and click Start
    3. You will see an account listed. This is the account that must be a local administrator account
    4. If you are adding this account to the local administrators group for the first time right now you should reboot your server after you finish. If you don’t you will get some nasty DCOM errors that will not go away until you are a local admin and reboot.
  2. The farm account has to be able to log on as a service. By default a local administrator can but just in case you have locked down your server extra tight this might come up as it did for Todd the other day.
  3. This same farm account has to have the Replicate Directory Changes permission in Active Directory. This is also not optional. I also ran into an issue when the forest functional level in Active Directory was still 2000 but I cannot find the notes on that. Something about this Replicate Directory Changes not being possible.
  4. An oddity I don’t really understand but have seen once. In one case I had to log onto the server as the farm admin account one time before I was able to get the service to start. Most of the time this is not the case but once it was. Very odd. This blog post had the same issue.
  5. If you get the service started and then try to manage the user profile service application and get some silly error pop up you just need to do an IISRESET.
  6. A couple of MSDN forum posts and other stuff that I looked at along the way:
    1. Post 1
    2. Post 2
    3. Blog post
    4. Blog post from Twitter
  7. If you are getting goofy DCOM issues check out this blog post for getting rid of them.
  8. There are two Forefront Identity Manager (FIM) services that get installed as Windows services by SharePoint. If you are troubleshooting profile imports and see FIM errors they are related to your problem. Don’t try to manipulate these services manually.
  9. If you have a multi-server farm you only need to start the service on the server you want it running on, not all of them.
  10. (Added 10/18/2010) You can manually launch the Forefront client by running C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.
  11. The quick steps
    1. Make sure your farm account has all those super permissions, domain admin might be easiest 😉
    2. If you had to update your farm account permissions reboot now and save yourself the headache
    3. Start the User Profile synchronization service, yes it will take 5 to 10 minutes to start the service
    4. Do an iisreset
    5. Go to manage your user profile service application
    6. Click on Configure Synchronization Connections
    7. Create a new connection to your domain
    8. Fill in all the info and then select what OUs you want to import and click OK
    9. From the manage profile service screen click on Start Profile Synchronization
    10. Cross your fingers and be patient. It takes a while
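
A read-only check of the three account prerequisites from items 1 to 3 above, as an added example that is not part of the original post. It assumes an elevated SharePoint 2010 Management Shell, `dsacls` available on the server, and a placeholder domain DN (`DC=contoso,DC=com`); it only sees rights granted directly to the account, not ones inherited through group membership.

```powershell
# Added example: audit the farm account prerequisites (local admin,
# log on as a service, Replicate Directory Changes). Changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder DN, replace with your own domain's distinguished name.
$DomainDN = 'DC=contoso,DC=com'

# The farm account as SharePoint records it (DOMAIN\user), and its SID.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$sid = (New-Object System.Security.Principal.NTAccount($farmAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership of the local Administrators group.
$adminLines   = @(net localgroup Administrators) | ForEach-Object { $_.Trim() }
$isLocalAdmin = $adminLines -contains $farmAccount

# 2. "Log on as a service" (SeServiceLogonRight) in the effective local policy.
#    secedit lists holders as *SID or as a name, so test for both.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasLogonRight = [bool](($line -match ([regex]::Escape($sid) + '(,|$)')) -or
                        ($line -match ([regex]::Escape($farmAccount) + '(,|$)')))

# 3. Replicate Directory Changes on the domain naming context.
#    dsacls prints the right as "Replicating Directory Changes"; anchoring the
#    match at end of line excludes the broader "... Changes All" right.
$acl    = @(dsacls $DomainDN)
$hasRdc = [bool]($acl | Where-Object {
    $_ -match [regex]::Escape($farmAccount) -and
    $_ -match 'Replicating Directory Changes\s*$'
})

# One row summarising what the account currently holds.
New-Object PSObject -Property @{
    FarmAccount               = $farmAccount
    LocalAdministrator        = $isLocalAdmin
    LogOnAsService            = $hasLogonRight
    ReplicateDirectoryChanges = $hasRdc
}
```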

So hopefully my cheat sheet of issues helps you on your quest. I promise to make updates to this cheat sheet as I find them. Heck, I am guessing as soon as Todd gets back from lunch he will remind me of something else we had to figure out. If you run into something you think should be added leave it in the comments. I will try to work those back up into the main blog post and give you the fame and glory you deserve.

Shane – SharePoint Consulting

11 thoughts on “Configuring profile import in SharePoint 2010”

  1. Additionally:

    At the first run of SharePoint Configuration Wizard, when you specify SQL Server host, you _have_to_ type the NetBIOS name instead of the FQDN, otherwise the user profile sync service does not start (without any error messages).

  2. Hi,

    When I start my user profile sync features,
    it kind of hangs there. I can’t stop it as well.
    I rebooted the server many times but still can’t get it to work.

    I checked the running job and there is nothing.
    The service is just marked as ‘starting’.

    I am using a Domain admin account as the service account. Please help shed some light…

  3. Ok. This has got to be a newbie question, but…

    # Central Admin > System Settings > Manage services on server
    # Scroll down and find the User Profile Synchronization Service and click Start

    The User Profile Synchronization Service is not there. Ideas on how to remedy this short of reinstalling?

  4. I get the users from AD but the synchronization fails.
    When I check in miisclient, I see the error that occurred is a stop-extension-dll exception…

  5. Shane,

    Thanks for the great post! I’m wondering if you might have seen this error before…

    In my Event Viewer Application Logs I get EventID 6050:
    The management agent “MOSSAD-User Profile Synchronization Connection” failed on run profile “DS_DELTAIMPORT” because of connectivity issues.

    Now, I’ve got the User Profile Service Application created, as well as the Synchronization configured. The service is started in “Manage Services on Server”. After starting the synchronization, I get numerous failures in the synchronization log (click the “Synchronizing” link after starting the sync…not sure what that log is called). It results in 15 or so failures before it goes back to “Idle”.

    Now, I went and ran miisclient.exe to view the management agents, and the AD DS agent showed up (“MOSSAD-User Profile Synchronization Connection”).

    I went to practice some Google-Fu, and found this blog post:

    However, I don’t see anything wrong with the partitions listed under “Configure Directory Partitions” (Right click management agent, view properties, left click Configure Directory Partitions).

    Now (still in the properties window), it has my forest name listed as “”, has my user name and password, and then has the domain listed as “aaa”. However, when I created the synchronization connection, I entered my full domain name which is “”.

    Does this make a difference, having the “aaa” ‘Domain Name’ being taken off of the ‘Forest Name’ (“”)? I assumed that this was the correct functionality, however when following the blog post that I linked above (since it all seemed correct) I did not change anything.

    There’s something going on, but I’m really not sure what it is…and UPS and MySites aren’t set up on this new corporate farm yet. I’ve never had this issue in the past 10 farms that I’ve built (I’m still new, hehe), so kind of clueless and haven’t found much else about it other than the same re-hashed info.

    BTW, the account is a local administrator, and has RDC permissions in AD.

    Thanks! – Ken

  6. Do you know why there is a Title and a Job Title field in the UserProfile? Having 2 fields with such similar names is confusing, and I am trying to learn their intended usage.

  7. When I try to start the User Profile Synchronization service from Central Admin it is throwing an error. What may be the problem that is causing this?

  8. Thanks for this information, it’s wonderfully useful. Of course, I’ve run into an odd problem.

    I followed the instructions to the letter, and everything works as described. I created the connection to the domain, and I know it’s working because when I hit the ‘Populate Containers’ button, I see the tree with all my users’ names present. I run the Profile Synchronization, it runs for a couple minutes, then finishes. No errors, no warnings. Except that there are no Profiles. Nothing gets pulled over from the AD. What could possibly be missing?

    Thank you for whatever insight you might have into this head-banging problem.
