User Profile Synchronization service won't start after farm migration

    Question

  • SharePoint Experts,

    We moved our SharePoint Development farm from one site to another site (different physical location), same forest and domain, different sub-domain, using Virtual Center and Netbackup backup and restore. All servers are Virtual Machines and so all we changed were network settings to point to the new location. We kept the same server name. After moving them, I noticed User Profile Synchronization was stopped and just stuck on starting when I tried to start it.

    Any ideas? Thanks.

    -Hubble

    Tuesday, September 17, 2013 2:30 PM

Answers

  • Yes, you should remove the farm service account from the local administrators group once the farm configuration is complete (primarily this is for the UPS). It should not remain a farm administrator.

    Once configured though, the service and accounts will have been properly permissioned. Normally it should be able to start without issue. Perhaps this is related to moving it, as well if you recently applied some SharePoint updates this may be a factor -- some updates require restarting the UPS.

    About the profile DB, the security shouldn't have changed. To confirm however the UPA's service application pool account and your web application application pool service accounts need access to the profile DB. I don't have a SP2010 farm handy at the moment to confirm the specific rights. Temporarily you can grant these accounts dbo permissions to see if the error stops.


    Wednesday, September 18, 2013 3:44 PM

All replies

  • Can you see what error shows up in the FIM Client? It is located at C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

    You may have to reconfigure the connection to AD.

    Follow the steps here and see if it solves the issue.

    http://technet.microsoft.com/en-us/library/gg750253(v=office.14).aspx


    HTH
    Nagesh T

    Tuesday, September 17, 2013 2:38 PM
  • Thanks Nagesh. I'm getting error message below:

    Unable to connect to the Synchronization Service.

    Some possible reasons are:

    1. The service is not started

    2. Your account is not a member of a required security group.

    Tuesday, September 17, 2013 2:56 PM
  • Is the SPFarm account in the admins group? It's possible that the service is attempting to re-configure something that requires admin rights. For normal operation it doesn't need it but whenever there's a significant change I believe you need to re-enable it.

    As always, with UPS issues the best source is Spence Harbar's blog. In this case his 'stuck on starting' article seems appropriate:

    http://www.harbar.net/articles/sp2010ups2.aspx


    Tuesday, September 17, 2013 3:10 PM
  • Thanks Alex.

    I wonder if the SPFarm account is required to have admin rights on all SharePoint servers (App, WFE, and DB) in the farm??

    Tuesday, September 17, 2013 4:58 PM
  • It should only need to be elevated (temporarily) on the server that runs the synchronisation process. The other servers should be fine with it as a mere domain account.

    Tuesday, September 17, 2013 6:01 PM
  • We moved our SharePoint Development farm from one site to another site (different physical location), same forest and domain, different sub-domain, using Virtual Center and Netbackup backup and restore.

    Sorry, this process isn't clear to me. Are you saying you moved the farm (I'm assuming a single server) from one domain to another? Will you please provide some more details on this process?


    Tuesday, September 17, 2013 6:04 PM
  • Thanks Jason for your response.

    We have a dev farm with 3 VM servers (App, Web, DB). We are using Virtual Infrastructure firmwide and the xxxx.com domain is accessible to all sites. Netbackup has a feature where you can back up and restore the entire VM from one site or location to another. In our case, from one state to another state. Sorry I didn't make it clear, it's actually still the same domain, just a different physical location, so just network settings had to be changed, like IP, DNS, Gateway...

    Hope I made it clear this time :).

    Would it be possible that moving servers from one site to another site would have an impact on service accounts or any accounts?

    Wednesday, September 18, 2013 1:37 PM
  • OK, that makes sense. From SharePoint's perspective nothing changed other than network interface settings. Moving the servers in theory shouldn't have any impact on accounts. If everything is in the same domain and the servers can access domain controllers for authentication I see no issue in this.

    Just to confirm, you've moved all three servers and now they are together in the new location? 

    How did you make out with making the farm account a local administrator on the server that runs the UPS temporarily to set it up?


    Wednesday, September 18, 2013 1:51 PM
  • That is correct, all servers are now in the new location.

    We have a group in AD that has local admin rights to a server, and we made that farm account a member of that group. Hope that makes sense. Thanks.

    Wednesday, September 18, 2013 2:00 PM
  • I'm assuming that when you moved the VMs you had first shut them down? The error about the service not being started could be related to this section from Troubleshoot User Profile Synchronization Service start issues (SharePoint Server 2010):

    User Profile Synchronization service cannot start after a server restart

    If you have a single-box deployment where Active Directory Domain Services (AD DS), SQL Server, and SharePoint Server are all installed on a single server, timing issues may prevent the User Profile Synchronization service from starting. For example, in order to start the two FIM services, SQL Server must be started and be responding to connections. If SQL Server is not up and running when the FIM services are started, the FIM services will not start.

    To avoid this issue, you can use the Services Microsoft Management Console to change the start-up behavior of the FIM services from Automatic to Automatic (Delayed Start).

    If the FIM service isn't started on the server that should be running the UPS, try setting the FIM services to be Automatic (Delayed Start) and start it up.


    Wednesday, September 18, 2013 2:10 PM
  • Interesting! Yes we had to shut them down, and yes FIM services were disabled and we had to manually start them after the migration.  So that article is definitely related to that issue. But even after the FIM have been started, UPS still wouldn't come up.

    I assume FIM services only need to be up on App Server, right? Thanks.

    Wednesday, September 18, 2013 3:00 PM
  • The FIM services should be running on the server that runs the user profile synchronization (UPS) service.

    There can be only one server in the farm per user profile service application (UPA) that runs the sync (i.e. the UPS does not have high availability because it can run on only one server in the farm by design).

    In Central Administration, to see which server should be running the UPS go to: Application Management -> Manage Service Applications -> Select the User profile service application (don't click into the service, just highlight the row) -> In the Ribbon click Properties -> Check out the setting for Profile Synchronization Instance



    • Edited by Jason Warren MVP, Wednesday, September 18, 2013 3:06 PM: left a word
    Wednesday, September 18, 2013 3:05 PM
  • Thanks Jason, I checked and yes it's using the App server for Profile Synch process.

    BTW, I gave the farm account admin rights (joined it to the group with admin rights) and rebooted servers. That seems to clear the UPS starting issue. I didn't set up this dev farm but from what I heard this DEV Farm account got admin rights when setting up UPS then removed admin rights after, as it is recommended by MS I think. So when servers got moved and they had this FIM and UPS issues, and UPS won't restart again without having Admin rights to the server. That's just my theory.

    Anyway, found another issue that may be related to migration. I get the error below when opening documents from Library.

    Error: An unexpected error has occured

             Trouble shoot issues with Microsoft SharePoint Foundation

              Correlation ID:XXXXXXXXXXXXXX

    I checked the logs and matched the correlation ID and found this entry: "Cannot open database "Dev_Profile_DB" requested by the login. The login failed. Login failed for user 'xxxx-xxxx\SpAppxxx'"

    Seems like some permissions got screwed after the migration. We will be doing the SP Prod Farm migration soon and I'm concerned this might happen again. Any ideas will be appreciated.

    Wednesday, September 18, 2013 3:33 PM
  • Yes, you should remove the farm service account from the local administrators group once the farm configuration is complete (primarily this is for the UPS). It should not remain a farm administrator.

    Once configured though, the service and accounts will have been properly permissioned. Normally it should be able to start without issue. Perhaps this is related to moving it, as well if you recently applied some SharePoint updates this may be a factor -- some updates require restarting the UPS.

    About the profile DB, the security shouldn't have changed. To confirm however the UPA's service application pool account and your web application application pool service accounts need access to the profile DB. I don't have a SP2010 farm handy at the moment to confirm the specific rights. Temporarily you can grant these accounts dbo permissions to see if the error stops.


    Wednesday, September 18, 2013 3:44 PM
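
    A read-only check for the two points raised in the replies above, added here as an example and not posted by anyone in the thread: it reports the start-up configuration of the two FIM services and whether the farm account is still a local administrator, either directly or through a nested group such as the AD group described earlier. The account name is a placeholder; `FIMService` and `FIMSynchronizationService` are the Windows service names of the SharePoint 2010 FIM services.

```powershell
# Added example. Run elevated on the server that hosts the User Profile Synchronization service.
param(
    [string]$FarmAccount = 'CONTOSO\svc-spfarm'   # placeholder account, not from the thread
)

# 1. FIM services: state, start mode and the delayed-start flag.
foreach ($name in 'FIMService', 'FIMSynchronizationService') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed on this server"; continue }
    # Automatic (Delayed Start) is stored as DelayedAutostart=1 under the service key.
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    New-Object PSObject -Property @{
        Service      = $name
        State        = $svc.State
        StartMode    = $svc.StartMode
        DelayedStart = ($reg.DelayedAutostart -eq 1)
        RunsAs       = $svc.StartName
    }
}

# 2. Is the farm account a local administrator, directly or via a nested group?
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$am    = 'System.DirectoryServices.AccountManagement'
$ctx   = New-Object "$am.PrincipalContext" ([System.DirectoryServices.AccountManagement.ContextType]::Machine)
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (name-independent lookup).
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity(
    $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, 'S-1-5-32-544')

$account = New-Object System.Security.Principal.NTAccount($FarmAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# GetMembers($false) lists direct members only; GetMembers($true) expands nested groups.
$direct    = @($group.GetMembers($false) | Where-Object { $_.Sid.Value -eq $sid })
$effective = @($group.GetMembers($true)  | Where-Object { $_.Sid.Value -eq $sid })

if ($direct.Count -gt 0) {
    "$FarmAccount is a DIRECT member of local Administrators"
} elseif ($effective.Count -gt 0) {
    "$FarmAccount is a local administrator through a NESTED group"
} else {
    "$FarmAccount is not a local administrator on $env:COMPUTERNAME"
}
```

    A nested result is the case to watch for once the UPS is running again: the account does not appear in the Administrators member list, so removing its rights means taking it out of the AD group instead.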
  • Okay, thanks. I'll check with our SQL guy if he can check or add permissions to this service account. Thanks again.
    Wednesday, September 18, 2013 3:57 PM