Going through the seventh level of Hell with SharePoint 2010 Profile Import

Posted: August 22, 2011 in SharePoint 2010, Uncategorized

Don’t know what it is with SharePoint 2010, but the profile import configuration can be a bit touchy. Having gone through this recently, I thought I would share and maybe, just maybe, save someone some time. First of all, if you have not done so, read this: http://technet.microsoft.com/en-us/library/ff182925.aspx.

We have a 6 server (2 WFE, 2 App, SQL A/P cluster) farm with SP 2010 SP1, all running on Windows Server 2008 R2 SP1 boxes. Kerberos configured. Initial configuration went fine with 1 exception: after CA was deployed the client requested a port change for it, which was done with the PowerShell command (this does play in later). User Profile service was configured with its own managed account.

First thing we saw: Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service were disabled and would not run. They got logon errors when this was attempted. This effectively blocks any profile import, or even accessing the service through CA.

They were set up to run as local machine. I also noted when they were started that there was a mention of an audit failure on a registry key in the Security log. Turned out this key was "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service" and that the identity the FIM services ran under could not access this registry key. I gave the managed account that the User Profile service is running under rights to this key and ensured the FIM services were running under this account.

So now our services start. And there was much joy across the land. Not really. Because now when we try to configure a profile sync connection we get errors about our profile import account being invalid. It won’t even list any domains. This was our second fun issue. Despite my earlier request for this account, it was never given Replicate Directory Changes permission in AD. So after a slight battle with the AD administrator this was resolved and we moved on to the next hurdle.

We hook up the sync connection and start a full profile import, while contemplating a trip to the local pub once it is done (that trip ends up being delayed for a day or 2). It runs for 40 minutes and imports exactly 0 profiles. Awesome. Looking at the server running the service app, the application logs are filled with warnings related to the MSI installer service, and the system logs have DCOM permission errors for APPID "000C101C-0000-0000-C000-000000000046" and the "Network Service" account.

So here I am going to cut to the fixes and save the suspense.

  1. Open regedit and find 000C101C-0000-0000-C000-000000000046; it will be at
     "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046}".
     1. Right click, Properties, Security tab.
        i. Click Advanced.
        ii. Set the "Administrators" group as the owner of the item.
        iii. Click OK.
     2. Give the "Administrators" group full control of the item.
     3. Click Apply, then OK.
  2. Now open Component Services.
     1. Go to the DCOM Config folder under the local machine.
     2. Find 000C101C-0000-0000-C000-000000000046.
     3. Right click, Properties, Security tab.
        i. Custom radio button, Edit.
     4. Add Network Service with Local Launch and Local Activation rights, then click OK.
  3. Open Windows Explorer as administrator.
     1. Find C:\Program Files\Microsoft Office Servers\14.0 and give Network Service READ rights to the Tools, SQL, and Synchronization Service subfolders.
  4. Now execute "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe" (I made this a shortcut on my desktop).
     1. Click on Management Agents.
     2. Find an agent called MOSS_<GUID>, right click and view Properties.
     3. Click on Configure Connection Information. If you had to change the port on CA, you will find that your port was likely NOT changed in here and still points to the old port. You will need to change this to get rid of the connection error in the Event Viewer.
     4. Verify the other connection info, and verify the connection info on the other item in the list (should be right below the MOSS_<GUID> item): the domain name, the account credentials, and other info.
     5. On more than one occasion in this farm SPS and FIM were completely out of sync on configuration. I have done other farms where this disconnect did not appear to happen, but for some reason here it did.

So, now that all these mods were made, we kicked off a full sync and 40 minutes later we had 50,000 profiles successfully imported. This fix list looks small but it was a couple of days on Bing to sort out, especially the wonderful gem of the port not updating for FIM when the Central Administration port was changed (I HOPE this is fixed by a SPS CU or SP someday).
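Since every item in that fix list is a permission or a port that is easy to get subtly wrong, here is an added read-only check script (mine, not from the original post or from Microsoft) that reports the state of each one so you can confirm the fixes took before kicking off another 40 minute sync. It assumes an elevated SharePoint 2010 Management Shell on the server hosting the User Profile service application, and `$UpsAccount` is a placeholder for your own UPS managed account.

```powershell
# Added example, not from the post: read-only audit of the permissions and
# the CA port that the fix list above changes by hand. Assumptions: run in an
# elevated SharePoint 2010 Management Shell on the UPS server; $UpsAccount is
# a placeholder for your managed account. Nothing here changes any setting.
$UpsAccount = 'CONTOSO\svc_ups'   # placeholder
$NetSvc     = 'NT AUTHORITY\NETWORK SERVICE'
$Admins     = 'BUILTIN\Administrators'
$FimKey     = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service'
$AppIdKey   = 'HKLM:\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046}'
$Root       = 'C:\Program Files\Microsoft Office Servers\14.0'

# Report whether $Identity has an Allow ACE matching $Rights on $Path.
# Works for registry keys and folders alike: one of RegistryRights or
# FileSystemRights is always empty, so concatenating them yields the real one.
function Test-AllowAce {
    param([string]$Path, [string]$Identity, [string]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING  $Path" }
    $acl = Get-Acl -LiteralPath $Path
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        "$($_.RegistryRights)$($_.FileSystemRights)" -match $Rights
    }
    $state = if ($ace) { 'OK      ' } else { 'NO ACE  ' }
    "$state $Identity needs $Rights on $Path (owner: $($acl.Owner))"
}

# 1. FIM services: should run as the UPS managed account, not the local machine.
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Forefront Identity Manager%'" |
    ForEach-Object { '{0,-8} {1} runs as {2} (start={3})' -f $_.State, $_.Name, $_.StartName, $_.StartMode }

# 2. Registry: managed account on the FIM key; Administrators own the DCOM AppID key.
#    (The DCOM launch/activation ACL itself is a binary value; check it in Component Services.)
Test-AllowAce $FimKey   $UpsAccount 'FullControl|ReadKey'
Test-AllowAce $AppIdKey $Admins     'FullControl'

# 3. Folders: Network Service needs read on the three subfolders under 14.0.
foreach ($sub in 'Tools', 'SQL', 'Synchronization Service') {
    Test-AllowAce (Join-Path $Root $sub) $NetSvc 'FullControl|Modify|ReadAndExecute|Read'
}

# 4. CA port: compare this URL with the MOSS_<GUID> agent's Connection Information in miisclient.exe.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
"Central Administration currently answers at $($ca.Url)"
```

Any line reporting NO ACE or MISSING, a FIM service still running as the machine account, or a CA URL whose port differs from what the MOSS_<GUID> agent has stored points at the step in the list above that still needs doing.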

That’s all I got for now. I hope this saves some of you folks some time. Please shoot out any other recommendations you got as you troubleshoot these items yourself.

Happy hunting guys!

Some of my reference links (please add more via comments if you got them):

http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/b25e9176-288e-45ef-ac2b-62b2f1486aac

http://technet.microsoft.com/en-us/library/ff182925.aspx

http://blog.mediawhole.com/2010/09/forefront-identity-manager-service.html

http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/bac36f2b-0d7b-4e88-830b-ebb0a85f111e
