SP 2010 cannot start user profile synchronization service
-
Wednesday, May 05, 2010 7:04 AM
Hi.
I'm trying to set up a SP2010 farm. I've run the SharePoint Products Configuration Wizard and the Farm config wizard, and I'm trying to configure and start the user profile import service.
When I enter the user profile service management site, I receive the red message:
This User Profile Application's connection is currently not available. The Application Pool or User Profile Service may not have been started. Please contact your administrator.
When I try to start it from Central Administration->Services on server it tries to start and stops.
I find the following message in the application Event Viewer:
Critical 2010-05-05 08:49:22 SharePoint Foundation 6398 Timer
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2010-05-05 08:49:22
Event ID: 6398
Task Category: Timer
Level: Critical
Keywords:
User: domain\admin
Computer: MOSS.domain
Description:
The Execute method of job definition Microsoft.Office.Server.Administration.ProfileSynchronizationSetupJob (ID ead37eb4-bd99-4d66-b822-4880cee3e0dd) threw an exception. More information is included below.
An update conflict has occurred, and you must re-try this action. The object UserProfileApplication Name=User Profile Service Application was updated by domain\admin, in the OWSTIMER (1964) process, on machine MOSS. View the tracing log for more information about the conflict.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>6398</EventID>
<Version>14</Version>
<Level>1</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2010-05-05T06:49:22.682748800Z" />
<EventRecordID>2224</EventRecordID>
<Correlation ActivityID="{59355C8B-BE4C-4D50-B186-543A2E1442AE}" />
<Execution ProcessID="1964" ThreadID="4044" />
<Channel>Application</Channel>
<Computer>MOSS.domain</Computer>
<Security UserID="S-1-5-21-2130315122-1282278428-530207130-17498" />
</System>
<EventData>
<Data Name="string0">Microsoft.Office.Server.Administration.ProfileSynchronizationSetupJob</Data>
<Data Name="string1">ead37eb4-bd99-4d66-b822-4880cee3e0dd</Data>
<Data Name="string2">An update conflict has occurred, and you must re-try this action. The object UserProfileApplication Name=User Profile Service Application was updated by domain\admin, in the OWSTIMER (1964) process, on machine MOSS. View the tracing log for more information about the conflict.</Data>
</EventData>
</Event>
- Moved by Mike Walsh FIN Wednesday, May 05, 2010 8:08 AM 2010 questions all go to a suitable 2010 forum. A suitable 2010 forum is not one with "pre-SharePoint 2010" in the Title of the Forum. (From: SharePoint - Setup, Upgrade, Administration and Operation (pre-SharePoint 2010))
All Replies
-
Wednesday, May 05, 2010 9:06 AM
I'm having the same problem in my farm...
-
Wednesday, May 05, 2010 2:09 PM
Is the account under which the sync is running local administrator on the farm? This was my problem.
- Proposed As Answer by GuYuming (Microsoft Contingent Staff, Moderator) Tuesday, May 11, 2010 9:52 AM
- Marked As Answer by Steven Andrews (Editor) Monday, July 23, 2012 9:55 AM
-
Thursday, May 06, 2010 5:39 AM
Is the account under which the sync is running local administrator on the farm? This was my problem.
Yes, it is, but..
I've registered another service account and set the "Windows Service - User Profile Synchronization Service" to use it. But when I want to start the service, I receive a prompt to enter the passwd of the farm admin account, and the account name is grayed out - no change allowed.
- Proposed As Answer by Derek.Wilkes Friday, September 17, 2010 8:41 PM
-
Thursday, May 06, 2010 4:58 PM
Is the account under which the sync is running local administrator on the farm? This was my problem.
Yes, it is, but..
I've registered another service account and set the "Windows Service - User Profile Synchronization Service" to use it. But when I want to start the service, I receive a prompt to enter the passwd of the farm admin account, and the account name is grayed out - no change allowed.
Are you trying to run the local service as a different user vs the "farm account"? The Farm account is used for the Timer service, which will run the User Profile Sync Timer job, which I think is why the option is grayed out. I believe you should still be able to specify a separate account to query AD with once you configure a new Profile Service Connection... I haven't verified this, though.
Verify that the farm account and the identity you're logged in as (setup administrator?) have permissions to the User Profile Service Application. Also ensure that the Farm Account is in the local administrators group on the server on which the service will run (this is where I got snagged). Adding the Farm Account to the local admins group will require a Timer service restart to take effect, btw.
- Proposed As Answer by GuYuming (Microsoft Contingent Staff, Moderator) Tuesday, May 11, 2010 9:52 AM
-
Thursday, May 06, 2010 9:20 PM
I had this same issue. Believe it or not the solution is to stop the owstimer service, restart it and try starting the User Profiles Sync service again.
It will take about 5-10 mins after you do this for the service to change from 'starting' to 'started'.
Max
- Proposed As Answer by Alpesh NAKAR Wednesday, May 12, 2010 2:33 AM
-
Tuesday, May 11, 2010 10:02 AM Moderator
I had the same issue, and it was fixed by adding the Farm Admin account (the account for the OWSTimer) into the Local Administrators group of the server to run the profile synchronization service and then restarting the server (maybe I just need to restart the OWSTimer).
See what follows from: http://technet.microsoft.com/en-us/library/ee721049(office.14).aspx
To start the User Profile Synchronization service
1. Verify that you have the following administrative credentials:
· The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed. For more information, see Account permissions and security settings (SharePoint Server 2010).
· The Server Farm account can log on locally to the server where Profile Synchronization will be deployed.
· If you are using a Windows Server 2003 AD DS forest, the Service Administrator account must be a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing. For more information about adding accounts to the Pre-Windows 2000 Compatible Access group, see Some applications and APIs require access to authorization information on account objects (http://go.microsoft.com/fwlink/?LinkId=179420).
- Proposed As Answer by Alpesh NAKAR Wednesday, May 12, 2010 2:33 AM
- Marked As Answer by manolo102 Wednesday, May 12, 2010 7:06 AM
-
Wednesday, May 12, 2010 12:24 AM
Hello All,
I used to have the same issue, since I was trying to configure SharePoint 2010 manually without the wizard using the Least Privilege Administration method. I have documented all the steps in my Blog (I apologize for the lengthy Blog, but I had to document everything for my reference). I would strongly recommend looking at this Blog, it provided me with great information.
Hope that helps,
Yassar
-
Wednesday, May 12, 2010 5:54 AM
I would also highly recommend this blog from Harbar for detailed steps on setting up User Profile Synchronization
Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
-
Wednesday, May 12, 2010 7:07 AM
I had the same issue, and it was fixed by adding the Farm Admin account (the account for the OWSTimer) into the Local Administrators group of the server to run the profile synchronization service and then restarting the server (maybe I just need to restart the OWSTimer).
See what follows from: http://technet.microsoft.com/en-us/library/ee721049(office.14).aspx
To start the User Profile Synchronization service
1. Verify that you have the following administrative credentials:
· The Server Farm account, which is created during the SharePoint farm setup, must also be a member of the Administrators group on the server where the User Profile Synchronization service is deployed. For more information, see Account permissions and security settings (SharePoint Server 2010).
· The Server Farm account can log on locally to the server where Profile Synchronization will be deployed.
· If you are using a Windows Server 2003 AD DS forest, the Service Administrator account must be a member of the Pre-Windows 2000 Compatible Access group for the domain with which you are synchronizing. For more information about adding accounts to the Pre-Windows 2000 Compatible Access group, see Some applications and APIs require access to authorization information on account objects (http://go.microsoft.com/fwlink/?LinkId=179420).
Thanks GuYuming - your solution has worked. I've added the Farm Account to the local admins, and restarted the Profile Service and then started the Sync Profile Svc. It took a few mins to start, but it succeeded.
-
Tuesday, June 08, 2010 8:13 AM
Hi
Thanks for the solution. Finally it worked!
But adding the server farm account to the local admin group gives the following Health Warning:
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 6/8/2010 12:00:03 AM
Event ID: 2138
Task Category: Health
Level: Warning
Keywords:
User: <farm account user>
Computer: <computername.account>
Description:
The SharePoint Health Analyzer detected a condition requiring your attention. Accounts used by application pools or service identities are in the local machine Administrators group.
Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute. The following services are currently running as accounts in the machine Administrators group: SharePoint Central Administration v4 (Application Pool)
FIMSynchronizationService(Windows Service)
SPTimerV4(Windows Service)
WebAnalyticsService(Windows Service)Browse to http://<servername:portcentraladmin>/_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=163445".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6fb7e0cd-52e7-47dd-997a-241563931fc2}" />
<EventID>2138</EventID>
<Version>14</Version>
<Level>3</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2010-06-08T07:00:03.621Z" />
<EventRecordID>1344</EventRecordID>
<Correlation ActivityID="{A26DB898-2496-4149-879C-2DFC9D62D34D}" />
<Execution ProcessID="5352" ThreadID="5688" />
<Channel>Application</Channel>
<Computer>Computer</Computer>
<Security UserID="S-1-5-21-1049629045-689772303-932725714-4520" />
</System>
<EventData>
<Data Name="string0">Accounts used by application pools or service identities are in the local machine Administrators group.
Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute. The following services are currently running as accounts in the machine Administrators group: SharePoint Central Administration v4 (Application Pool)
FIMSynchronizationService(Windows Service)
SPTimerV4(Windows Service)
WebAnalyticsService(Windows Service)Browse to http://<servername:portcentraladmin>/_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=163445".
</Data>
</EventData>
</Event>
The farm account should indeed also be used for the timer service etc., as explained in the previously given link, Account permissions and security settings (SharePoint Server 2010). Or is there a difference between Server Farm account and Farm Service account? If so, a detailed explanation would be greatly appreciated.
Thank you for any responses!
- Edited by Sjokke Friday, November 19, 2010 2:23 PM
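The Event 2138 record quoted in the post above lists every service identity that the Health Analyzer found in the local Administrators group. As an added example (not part of the original thread), this Python code pulls that list out of exported event XML so the finding can be tracked per server until the accounts are removed from the group; the sample event is constructed from the one in the post, with a placeholder Central Administration host, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MARKER = "machine Administrators group:"
ENTRY = re.compile(r"\s*(.+?)\s*\((Application Pool|Windows Service)\)")

# Constructed sample, modelled on the Event 2138 XML quoted in the post above.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>2138</EventID>
<TimeCreated SystemTime="2010-06-08T07:00:03.621Z" />
<Computer>Computer</Computer>
</System>
<EventData>
<Data Name="string0">Accounts used by application pools or service identities are in the local machine Administrators group.
Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute. The following services are currently running as accounts in the machine Administrators group: SharePoint Central Administration v4 (Application Pool)
FIMSynchronizationService(Windows Service)
SPTimerV4(Windows Service)
WebAnalyticsService(Windows Service)Browse to http://centraladmin.example/_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation.
</Data>
</EventData>
</Event>"""

def admin_identities(event_xml):
    """Return computer, time and flagged services for an Event 2138, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "2138":
        return None  # e.g. the 6398 timer-job failure is a different event
    text = root.findtext("e:EventData/e:Data[@Name='string0']", "", NS)
    start = text.find(MARKER)
    # The service list runs from the marker to the "Browse to" remediation hint,
    # which may be fused onto the last entry without a line break.
    listing = text[start + len(MARKER):].split("Browse to", 1)[0] if start >= 0 else ""
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "services": [m.groups() for m in ENTRY.finditer(listing)],
    }

def servers_by_service(events):
    """Map each flagged service to the servers reporting it, for farm-wide review."""
    hits = defaultdict(set)
    for xml_text in events:
        info = admin_identities(xml_text)
        for name, _kind in (info or {}).get("services", []):
            hits[name].add(info["computer"])
    return dict(hits)
```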
-
Friday, June 18, 2010 1:20 PM
After you added the account to the local admins group as I also described in my post above, you can take it out again. It needs to be an admin for the initial setup part to have the right permissions for creating local groups on the server. Fimjoiners etc. etc.
-
Tuesday, October 26, 2010 5:02 PM
I was able to resolve this by adding the farm administrator login to the local administrators group on the wfe.
-
Saturday, February 26, 2011 7:47 AM
I believe this post will be helpful. http://sharepoint-2010-world.blogspot.com/2011/02/configure-user-profile-sync-in.html
-
Wednesday, April 20, 2011 7:33 PM
Thanks, the third one fixed it for me.
The change was made in ADUC but NOT in ADSIEdit, causing the service to not start.
I had to go to Start > Run on my Domain Controller computer and type ADSIEDIT.msc
Then I right-clicked on the group on the left and went to Properties. I added my SP_userProfile account as Replicating Change = Allowed and rebooted my Application server.
Thanks!
-
Wednesday, May 11, 2011 12:16 PM
I am also having the same problem. The account for starting the User Profile synchronization service is 'NT AUTHORITY\NETWORK SERVICE' (I don't know where it came from), but I want to change it to the farm account and it's grayed out. Can anyone tell me how to change it to the farm account?
- Proposed As Answer by Lalinda Udukawa Friday, August 12, 2011 4:06 PM
- Unproposed As Answer by Lalinda Udukawa Friday, August 12, 2011 4:06 PM
-
Friday, August 12, 2011 4:11 PM
I had the same issue. Somehow my service account was there in the farm administrators group. Then I removed that account from the farm administrators group. It worked for me.
-
Thursday, June 14, 2012 11:27 AM
If you find that the user name and password for nt authority\networkservice is appearing greyed out, then you need to go to
Central Admin -> Security -> General Security -> Configure Service Accounts -> Select Farm Account and then your own login name (Farm Admin and not the network service one). Apply, and now your account name will appear when you start the synchronization service.
- Proposed As Answer by Jitender Singh Hooda Thursday, June 14, 2012 11:30 AM

