So I keep smashing my head into this and it drives me nuts. So I am going to try to throw together some quick nuggets. I have gotten this to successfully work about a dozen times so I have hopefully seen all of the craziness. I have also worked with Todd Klindt to compile some of these notes.
The first one is for goodness sakes read this TechNet article. http://technet.microsoft.com/en-us/library/ee721049.aspx If you read it slowly and do everything it says you can do very little wrong. But no one wants to read it so here are my notes.
The farm account HAS TO BE A LOCAL ADMINISTRATOR. I am sorry but there is no way around this right now so quit trying to avoid it. Having a problem figuring out what account is your farm account? I can help with that.
- Central Admin > System Settings > Manage services on server
- Scroll down and find the User Profile Synchronization Service and click Start
- You will see an account listed. This is the account that must be a local administrator account
- If you are adding this account to the local administrators group for the first time right now you should reboot your server after you finish. If you don’t you will get some nasty DCOM errors that will not go away until you are a local admin and reboot.
- The farm account has to be able to logon as a service. By default a local administrator can but just in case you have locked down your server extra tight this might come up as it did for Todd the other day.
- This same farm account has to have the Replicate Directory Changes permission in active directory. This is also not optional. I also ran into an issue when the forest functional level in active directory was still 2000 but I cannot find the notes on that. Something about this Replicate Directory Changes not being possible.
- An oddity I don’t really understand but have seen once. In one case I had to log onto the server as the farm admin account one time before I was able to get the service to start. Most of the time this is the case but once it was. Very odd. This blog post had the same issue.
- If you get the service started and then try to manage the user profile service application and get some silly error pop up you just need to do an IISRESET.
A couple of MSDN forum posts and other stuff that I looked at along the way:
- If you are getting goofy DCOM issues check out this blog post for getting rid of them.
- There are two Forefront Identity Manager (FIM) services that get installed as Windows services by SharePoint. If you are troubleshooting profile imports and see FIM errors they are related to your problem. Don’t try to manipulate these services manually.
- If you have a multi-server farm you only need to start the service on the server you want it running on, not all of them.
- (Added 10/18/2010) You can manually launch the ForeFront client by C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.
The quick steps
- Make sure your farm account has all those super permissions, domain admin might be easiest
- If you had to update your farm account permissions reboot now and save yourself the headache
- Start the User Profile synchronization service, yes it will take 5 to 10 minutes to start the service
- Do an iisreset
- Go to manage your user profile service application
- Click on Configure Synchronization Connections
- Create a new connection to your domain
- Fill in all the info and then select what OUs you want to import and click OK
- From the manage profile service screen click on Start Profile Synchronization
- Cross your fingers and be patient. It takes a while
So hopefully my cheat sheet of issues helps you on your quest. I promise to make updates to this cheat sheet as I find them. Heck, I am guessing as soon as Todd gets back from lunch he will remind me of something else we had to figure out. If you run into something you think should be added leave it in the comments. I will try to work those back up into the main blog post and give you the fame and glory you deserve.
Shane – SharePoint Consulting