Lots of people are looking at, or are in the process of, migrating to SharePoint 2013, but there are still plenty of SharePoint 2010 systems that need maintenance.
In the world of SharePoint, the function of moving user information from AD to SharePoint is usually referred to as “User Profile Synchronization” (UPS).
We recently helped a client whose UPS in SharePoint 2010 had stopped working and needed some help to get it running again.
A little background: this client had extended their Active Directory schema with some custom attributes, which were mapped into SharePoint. In addition, when a new employee started, information was added to their SharePoint profile that was stored in the Profile Database and nowhere else, so a key requirement was to get the UPS working again with no data loss.
Within the SharePoint platform a number of components are used to provide this function. Some are in the ‘core product’, some are outside of the ‘core product’ but are still key to the function.
Within the ‘core product’ there is:
User Profile Service Application – This is the container within SharePoint for everything to do with users and profiles
The Synchronization Connection – This tells SharePoint which AD to connect to and allows the credentials of the AD Sync Account to be entered
The User Profile Service – Deals with internal SharePoint requests for user profile information
The User Profile Synchronization Service – Deals with the flow of profile information from, and potentially to, AD
The FIM (Forefront Identity Manager) Windows Services – These do the actual talking to AD
The FIM Client Tool (or Manager tool) – Can be used to review the sync logs
Outside of the ‘core’ product there are:
The User Profile and Synchronization databases – The SQL Server databases in which the profile data and the sync data are stored
AD Sync Account – This account is configured with special permissions within Active Directory that allow the profile sync to work
Looking at SharePoint we could see that all the components in SharePoint were running, but the sync log was showing connection failures when trying to talk to AD, with the error “Invalid Credentials”.
This means “Authentication is not possible using the supplied credentials.”, which suggests that the AD Sync Account credentials need to be refreshed in the AD connection.
When trying to open the AD connection we got the following: no AD connection was showing.
We used the information in the original Design Document to create a new AD connection.
Trying to save the connection gave this error, and the connection was not saved.
Generally this means that the Forefront Identity Manager Windows service is not running, but it was in this instance, so we restarted this service but received the same error.
The next step is to re-provision (redeploy) the FIM configuration. This is simply a case of stopping and starting the User Profile Synchronization Service. Starting this service is a common problem, and it often gets stuck in either the “Stopping” or “Starting” status. As a precaution we deleted all the Forefront certificates from the local certificate store, as stale certificates are a common cause of restart problems and new certificates will be added by the FIM provisioning.
The User Profile Synchronization Service failed to restart (provision the FIM). The following is the ULS log showing the failure; the FIM provisioning makes 4 retries and then stops.
The matching error in the event log appears to be this:
Referring to the article below, step 13 appears to be failing: updating the Management Agents that have been created in the Sync database.
This indicates that we need to reset the Sync database. I used this article, http://technet.microsoft.com/en-us/library/ff681014(v=office.14).aspx#resetSync, to reset the Sync database, and this allowed the User Profile Synchronization Service to re-provision.
Trying to create a new AD connection then gave this error:
An IIS reset brought the screen back.
We were now able to create a new connection and kick off a sync.
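The recovery sequence described in this post, as an added PowerShell example (not from the original post or from Microsoft's documentation), to be run from the SharePoint 2010 Management Shell on the synchronization server as a farm administrator. The service application name, Sync database name and the certificate subject filter are assumed placeholders; substitute your own farm's values.

```powershell
# Added example: reset the UPS sync components on SharePoint 2010.
# Assumptions: $upaName / $syncDbName are placeholders for your farm's names;
# the FIM certificates are assumed to carry "ForefrontIdentityManager" in their subject.
# Only the Sync DB is reset; the Profile DB (where this client's unique data lives)
# is not touched, but take a backup of both databases before starting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName    = "User Profile Service Application"   # assumed name
$syncDbName = "Sync_DB"                            # assumed name

# 1. Stop the User Profile Synchronization Service instance on this server
#    and wait until it is really Disabled (it is often stuck in "Stopping").
$upss = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and
    $_.Server.Address -eq $env:COMPUTERNAME }
if ($upss.Status -ne "Disabled") { Stop-SPServiceInstance $upss -Confirm:$false }
while ((Get-SPServiceInstance $upss.Id).Status -ne "Disabled") { Start-Sleep 10 }

# 2. Remove the stale Forefront certificates from the local machine Personal store;
#    re-provisioning creates fresh ones. Uses the .NET X509Store API, which works
#    in the PowerShell 2.0 shipped with SharePoint 2010.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Certificates |
    Where-Object { $_.Subject -like "*ForefrontIdentityManager*" } |
    ForEach-Object { Write-Host ("Removing " + $_.Subject); $store.Remove($_) }
$store.Close()

# 3. Reset the Sync database (the TechNet "Reset the Synchronization database" procedure).
$syncdb = Get-SPDatabase | Where-Object { $_.Name -eq $syncDbName }
$syncdb.Unprovision()
$syncdb.Status = 'Offline'
$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq $upaName }
$upa.ResetSynchronizationMachine()
$upa.ResetSynchronizationDatabase()
$syncdb.Provision()
# The same TechNet procedure then has you grant the farm account db_owner
# on the Sync DB in SQL Server Management Studio before continuing.

# 4. Start the service instance again and watch it leave "Provisioning".
#    (Central Admin prompts for the farm account password at this step.)
Start-SPServiceInstance $upss
while ((Get-SPServiceInstance $upss.Id).Status -ne "Online") {
    Write-Host ("UPS status: " + (Get-SPServiceInstance $upss.Id).Status)
    Start-Sleep 30 }

# 5. IIS reset, as in the post, so the Manage Profile Service pages render again.
iisreset
```

If the service stays in "Provisioning" for more than four cycles, check the ULS log for the step at which FIM provisioning fails, as the post does, rather than restarting it again.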