Troubleshoot User Profile Synchronization Service start issues (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

This article contains tips for solving problems that you may encounter when you attempt to start the User Profile Synchronization service.

The User Profile Synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize profile information with external systems such as directory services and business systems. The two FIM services, Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service, are provisioned when you start the User Profile Synchronization service. Being unable to start the User Profile Synchronization service is the most common profile synchronization (profile sync) issue that administrators encounter.

The User Profile Synchronization service can take up to ten minutes to start. The User Profile Synchronization service is successfully started when:

  • The User Profile Synchronization service has a status of Started on the Services on Server page in Central Administration.

  • The Forefront Identity Manager Service and the Forefront Identity Manager Synchronization Service have a status of Started in the Services Microsoft Management Console. Both services run using the farm account.

    Important

    Do not start the FIM services manually in the Services Microsoft Management Console. Starting the FIM services manually or changing the FIM service configuration is not supported.

If a long time has passed since you started the User Profile Synchronization service and the Services on Server page shows a status of either Starting or Stopped, review the following sections to learn more about problems that can cause User Profile Synchronization service start issues.

Note

The Services on Server page does not refresh automatically. You must manually refresh the page to see updated information.
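
The success conditions listed above can also be checked from the SharePoint 2010 Management Shell without touching the service configuration. The following script is an added example, not part of the original article: the function name Test-UpsStartState is hypothetical, and it assumes that the farm knows the server by its NetBIOS name and that the FIM services log on with the account written in DOMAIN\user form.

```powershell
# Added example (PowerShell 2.0 compatible, read-only). Run in the SharePoint 2010
# Management Shell on the server that hosts the User Profile Synchronization service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-UpsStartState {
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    $results = @()

    # SharePoint's view. Central Administration shows Online as "Started",
    # Provisioning as "Starting" and Disabled as "Stopped".
    # Assumption: the farm knows this server by its NetBIOS name.
    $ups = Get-SPServiceInstance -Server $env:COMPUTERNAME |
        Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
    $results += New-Object PSObject -Property @{
        Check  = "User Profile Synchronization Service (SharePoint)"
        State  = "$($ups.Status)"
        RunsAs = "n/a"
        Ok     = ("$($ups.Status)" -eq "Online")
    }

    # Windows' view: both FIM services must be running under the farm account.
    # A logon name stored as user@domain would show as a mismatch here.
    $filter = "DisplayName LIKE 'Forefront Identity Manager%'"
    $fim = @(Get-WmiObject Win32_Service -Filter $filter)
    foreach ($svc in $fim) {
        $results += New-Object PSObject -Property @{
            Check  = $svc.DisplayName
            State  = $svc.State
            RunsAs = $svc.StartName
            Ok     = (($svc.State -eq "Running") -and ($svc.StartName -eq $farmAccount))
        }
    }

    # Before provisioning completes, one or both FIM services may be missing.
    if ($fim.Count -ne 2) {
        $results += New-Object PSObject -Property @{
            Check  = "FIM services present"
            State  = "$($fim.Count) of 2 found"
            RunsAs = "n/a"
            Ok     = $false
        }
    }
    $results
}

Test-UpsStartState | Select-Object Check, State, RunsAs, Ok | Format-Table -AutoSize
```

Any row with Ok set to False identifies the condition that is not yet met.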

In this article:

  • Incorrect permissions on the farm account

  • Default schema for the farm account in the synchronization database is not set correctly

  • User Profile Synchronization service cannot start because Central Administration Web site uses Secure Sockets Layer

  • User Profile Synchronization service cannot start after a server restart

Note

Microsoft periodically releases software updates to fix reported problems. If you do not see your issue described in this article, review the list of software updates to see whether there is a software update that resolves your issue. To see the latest software updates, see Updates for SharePoint 2010 Products (https://go.microsoft.com/fwlink/p/?LinkId=160585).

Incorrect permissions on the farm account

The farm account is used to start the User Profile Synchronization service. The Forefront Identity Manager Service and the Forefront Identity Manager Synchronization Service also run under the farm account. To resolve this issue, do the following:

  1. Determine the farm account

  2. Verify that the farm account has the required permissions

Determine the farm account

Some people confuse farm administrators with the farm account. Farm administrators are user accounts that are members of the Farm Administrators group. The farm account is the account that was specified when you installed and configured SharePoint Server. The farm account was used to create and access the configuration database. It also acts as the application pool identity account for the SharePoint Central Administration application pool, and it is the account under which the Microsoft SharePoint Foundation Workflow Timer service runs. To determine the farm account, from Central Administration, click Configure service accounts, and then click Farm account. This is the account that is used to start the User Profile Synchronization service and it must be granted the appropriate permissions.

Note

Do not use the Service Accounts page to change the account that the User Profile Synchronization service runs under. This is not supported.

Verify that the farm account has the required permissions

Verify that the farm account has the following permissions:

  • The farm account has Log On Locally permission to the server on which you are trying to start the User Profile Synchronization service.

  • The farm account is a member of the Administrators group on the server on which you are trying to start the User Profile Synchronization service.

    Note

    This permission is required only to start the User Profile Synchronization service. After the User Profile Synchronization service is started, you can remove the farm account from the Administrators group.

After making changes to the farm account, you must restart the SharePoint 2010 Timer service or restart the server. This ensures that every SharePoint service that is currently running as the farm account is using the latest credentials.
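
The two permission checks above, together with the note that membership in the Administrators group is needed only until the service has started, can be audited with a script. The following is an added example, not part of the original article: the function name Get-FarmAccountPrivilegeState is hypothetical, it must run elevated because secedit exports the local security policy, and it detects only direct membership in the Administrators group.

```powershell
# Added example (PowerShell 2.0 compatible). Run elevated in the SharePoint 2010
# Management Shell on the server that hosts the User Profile Synchronization service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmAccountPrivilegeState {
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name      # DOMAIN\user
    $domain, $user = $farmAccount -split '\\', 2
    $nt  = New-Object System.Security.Principal.NTAccount($farmAccount)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Direct members of the local Administrators group, read through the ADSI
    # WinNT provider. Membership inherited through a domain group is not detected.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $paths = @($group.psbase.Invoke("Members")) | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    }
    $isAdmin = @($paths | Where-Object { $_ -eq "WinNT://$domain/$user" }).Count -gt 0

    # Holders of "Log on locally" (SeInteractiveLogonRight) in the local policy.
    $cfg = Join-Path $env:TEMP "user-rights.inf"
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg
    $holders = @(("$line" -replace '^[^=]*=', '') -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') })
    # Granted directly, or through Administrators (S-1-5-32-544) when a member.
    $direct     = ($holders -contains $sid) -or ($holders -contains $farmAccount)
    $logonLocal = $direct -or ($isAdmin -and ($holders -contains 'S-1-5-32-544'))

    # Online is what Central Administration displays as "Started".
    $ups = Get-SPServiceInstance -Server $env:COMPUTERNAME |
        Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
    $started = ("$($ups.Status)" -eq "Online")

    if ($started -and $isAdmin)                 { $advice = "Service started: remove farm account from Administrators" }
    elseif ($started)                           { $advice = "No change needed" }
    elseif (-not $isAdmin -or -not $logonLocal) { $advice = "Grant the missing permission, then restart the SharePoint 2010 Timer service" }
    else                                        { $advice = "Permissions are sufficient to start the service" }

    New-Object PSObject -Property @{
        FarmAccount   = $farmAccount
        LocalAdmin    = $isAdmin
        LogOnLocally  = $logonLocal
        ServiceStatus = "$($ups.Status)"
        Advice        = $advice
    }
}

Get-FarmAccountPrivilegeState | Format-List FarmAccount, LocalAdmin, LogOnLocally, ServiceStatus, Advice
```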

Default schema for the farm account in the synchronization database is not set correctly

The default schema for the farm account in the synchronization database is not set correctly if you used Windows PowerShell to create the User Profile Service application and you were not logged on as the farm account when you created the User Profile Service application. The following error is reported in the Universal Logging System (ULS) log:

Failed to configure ILM, will attempt during next rerun. Exception: System.Data.SqlClient.SqlException: Specified collection 'StringSchemaCollection' cannot be dropped because it is used by object '<farmaccount>.GetObjectCurrent'.

Note

We do not recommend logging in as the farm account.

To resolve this issue, delete the User Profile Service application and re-create it by using Central Administration or a Windows PowerShell script. The following procedures show examples of how to use a Windows PowerShell script to create a User Profile Service application.

User Account Control (UAC) might be either disabled or enabled on the server on which you are trying to start the User Profile Synchronization service. Use the one of the following two procedures that matches the UAC setting on that server.

To create a User Profile Service application by using Windows PowerShell if UAC is disabled on the server

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. Copy the following code and paste it into a text editor such as Notepad:

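    # Script block that creates the User Profile Service application.
    # It runs in a background job under the farm account (see Start-Job below).
    $sb = {
      Add-PSSnapin Microsoft.SharePoint.PowerShell

      $saAppPool = Get-SPServiceApplicationPool "SharePoint Web Services Default"
      $dbServer = "<DBServer>"
      # Errors are suppressed and collected in $er, which exists only inside the job.
      $upa = New-SPProfileServiceApplication -Name "<UPSAppName>" `
        -ApplicationPool $saAppPool `
        -ProfileDBName "<ProfileDBName>" `
        -ProfileDBServer $dbServer `
        -SocialDBName "<SocialDBName>" `
        -SocialDBServer $dbServer `
        -ProfileSyncDBName "<SyncDBName>" `
        -ProfileSyncDBServer $dbServer `
        -ErrorAction SilentlyContinue -ErrorVariable er
    }
    # Prompt for the farm account password, then run the script block as that account.
    $cred = Get-Credential "<FarmAccount>"
    $job = Start-Job -Credential $cred -ScriptBlock $sb | Wait-Job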
    

    Where:

    • <DBServer> is the name of the database server where the profile databases will be created.

    • <UPSAppName> is the name of the User Profile Service application to create.

    • <ProfileDBName> is the name of the profile database to create.

    • <SocialDBName> is the name of the social database to create.

    • <SyncDBName> is the name of the sync database to create.

    • <FarmAccount> is the farm account.

  3. Save the file, naming it Create-UPSApp.ps1.

    Note

    You can use a different file name. However, you must save the file as an ANSI-encoded text file whose extension is .ps1.

  4. On the Start menu, click All Programs.

  5. Click Microsoft SharePoint 2010 Products.

  6. Click SharePoint 2010 Management Shell.

  7. Change to the directory where you saved the file.

  8. At the Windows PowerShell command prompt, type the following command:

    ./Create-UPSApp.ps1
    
  9. When prompted, type the farm account password, and then click OK.

For more information, see New-SPProfileServiceApplication.

To create a User Profile Service application by using Windows PowerShell if UAC is enabled on the server

  1. Verify that the farm account is a member of the Administrators group on the local server computer on which you want to run the Windows PowerShell commands, and verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. Copy the following code and paste it into a text editor such as Notepad:

    Add-PSSnapin Microsoft.SharePoint.PowerShell

    # Application pool and database server used by the parameters below
    $saAppPool = Get-SPServiceApplicationPool "SharePoint Web Services Default"
    $dbServer = "<DBServer>"
    # Errors are suppressed and collected in $er
    New-SPProfileServiceApplication -Name "<UPSAppName>" `
      -ApplicationPool $saAppPool `
      -ProfileDBName "<ProfileDBName>" `
      -ProfileDBServer $dbServer `
      -SocialDBName "<SocialDBName>" `
      -SocialDBServer $dbServer `
      -ProfileSyncDBName "<SyncDBName>" `
      -ProfileSyncDBServer $dbServer `
      -ErrorAction SilentlyContinue -ErrorVariable er
    

    Where:

    • <DBServer> is the name of the database server where the profile databases will be created.

    • <UPSAppName> is the name of the User Profile Service application to create.

    • <ProfileDBName> is the name of the profile database to create.

    • <SocialDBName> is the name of the social database to create.

    • <SyncDBName> is the name of the sync database to create.

  3. Save the file, naming it Create-UPSApp.ps1.

    Note

    You can use a different file name. However, you must save the file as an ANSI-encoded text file whose extension is .ps1.

  4. On the Start menu, click All Programs.

  5. Click Microsoft SharePoint 2010 Products.

  6. Click SharePoint 2010 Management Shell.

  7. Change to the directory where you saved the file.

  8. Create a new process that runs as an administrator on the local server computer. At the Windows PowerShell command prompt, type the following commands:

    # Get the farm account credentials
    $farmAcct = (Get-SPFarm).DefaultServiceAccount
    $cred = Get-Credential $farmAcct.Name
    
    # Create the User Profile Service application 
    $ScriptFile = "Create-UPSApp.ps1"
    
    # Create a new process with UAC elevation
    Start-Process $PSHOME\powershell.exe -Credential $cred -ArgumentList "-Command Start-Process $PSHOME\powershell.exe -ArgumentList `"'$scriptfile'`" -Verb Runas" -Wait
    

    The User Account Control window appears. Click Yes.

  9. When prompted, type the farm account password, and then click OK.

For more information, see New-SPProfileServiceApplication.

User Profile Synchronization service cannot start because Central Administration Web site uses Secure Sockets Layer

An issue affected profile synchronization when the Central Administration Web site was configured to use Secure Sockets Layer (SSL). This issue is fixed in the Microsoft SharePoint Server 2010 October 2010 Cumulative Update. For more information about the cumulative update, see https://support.microsoft.com/kb/2394320.

User Profile Synchronization service cannot start after a server restart

If you have a single-box deployment where Active Directory Domain Services (AD DS), SQL Server, and SharePoint Server are all installed on a single server, timing issues may prevent the User Profile Synchronization service from starting. For example, in order to start the two FIM services, SQL Server must be started and be responding to connections. If SQL Server is not up and running when the FIM services are started, the FIM services will not start.

To avoid this issue, you can use the Services Microsoft Management Console to change the start-up behavior of the FIM services from Automatic to Automatic (Delayed Start).

Acknowledgements

The SharePoint Server 2010 Content Publishing team thanks Spencer Harbar, Enterprise Architect, for contributing to this article. His blog can be found at http://www.harbar.net.

See Also

Concepts

Configure profile synchronization (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)
Troubleshoot profile synchronization configuration issues (SharePoint Server 2010)