Archive for the ‘Uncategorized’ Category

SharePoint Distributed Cache Service ….DANGER WILL ROBINSON!!


This is a late night blog so sorry for the brevity and less cohesive thought pattern. I just needed to get this out there as much for my benefit as anyone elses.

So I have to admit. This service has always been a bit of a mystery to me. Simply put, it always worked. Never had to dig. Never had to care. Just a few commandlets and it was running and I went on my merry way. Well I had a recent case where I lost a host and had to dig when it would not come back.

What a scary experience. All these tools to use, the App Fabric cache tool, App fabric cache commandlets, SP commandlets, Services MMC, and multiple CA points to manage it. And then the warnings. If you use the wrong ones, you may need to rebuild your farm. Yes, rebuild the farm. Rebuild a 13 server farm. Can you say Holy crap!

I found a lot of blogs on fixing it, a lot of MSDN and Technet articles on App Fabric cache architecture then I got a virtual and began dissecting it. I looked here ( ) got some great pointers. I looked here and got some good reference material. I found lots of Commandlets on configuring the cluster and manhandling it. Pushing in providers (which they tell you your choices are XML or SQL), and found plenty of hacks. In many areas the lines between SharePoint 2013 and App Fabric blurred and people were unknowingly straying into dangerous areas without realizing it. Then the clouds parted around 2200 after 3 cups of coffee. The answer came to me when I looked at the HKEY_LOCAL_MACHINE -> SOFTWARE\Microsoft\AppFabric\V1.0\Providers\AppFabricCaching registry key. The provider listed was a third…SPDistributedCacheClusterProvider.

The fog lifted

                So for those who want to better understand it. In VERY simple terms. An app fabric cluster is a set of cache hosts tied together through a central point which is a SQL Server DB or a XML file on a file share. Similar to SharePoint and its reliability on a Config Db to help keep all the servers in line. In the case of SharePoint 2013, that cluster is managed through the SharePoint configuration database and the set of Distributed Cache Service instances in the farm. The SharePoint Distributed Cache Service sits on top of it. It manages it. It maintains the App Fabric cluster underneath, and keeps everything in line. This is why you only run SP commandlets to add/remove, etc. It is also why if you use alternate tools like the App Fabric cluster tool you can kill your farm. A SharePoint farms greatest weakness has always been its config DB. It is the 1 point where you can kill the farm. Using another tool risks putting the cache cluster in App Fabric out of sync with the Configuration database in SharePoint. Once that happens, well anything goes. You might be able to recover it, you might never get another DC service ever running on your farm again.

If you want to manage this service then, stick to those commandlets. Stick to the guidance on the Microsoft documents at for maintaining it. Be VERY careful on any mods outside those commandlets. The farm is literally at stake here. It is a very dangerous game and from the blog posts I have seen out there, a lot of folks are hacking in fixes.

Another great article I found which just about laid it out for me was here(I am dense and did not get the simple truth of it right away when I read this):



Office Web Applications 2013 Installation and Configuration


I recently had the chance to do a full 2 server implementation of Office Web Applications (OWA, OWS, WAC, whatever you want to call it). I pulled from this article ( ) which at the time of this writing, will get you just close enough to think you stand a chance but will leave you with a full on semi functional farm (if that), with a case of amnesia when it comes to certificate on the IIS site.

BTW, I am going with WAC. All the updates, patches, installs use it and it just makes it easier to identify them. Besides nobody outside of MS seems to have any clue what it means so it is a little more fun to torture folks.

Installation….wait lets talk SSL

First things first, let’s install the thing. Wait, before you do that, we need to talk certificates as in SSL. If you are thinking about not using them, stop thinking it. WAC lies outside your SharePoint, Outlook, Lync implementation. It is being sent your documents, your corporate IP, your HR forms, your engineering specs, etc etc. You do not want those transmitted HTTP unencrypted over the wire. Whether you are completely inside your firewall or external SSL is not optional. If you think it is, ask your users if they would mind you posting all their documents in SharePoint, Exchange, and Lync on the office walls. This takes your installation out of easy mode but it has to happen this way so deal with it. Sorry for the rant but it is way past time for IT professionals to take security seriously.

So now to your cert. You will need to request one. A lot of places have you do a self-signed one. In a word, NO. Get yourself a cert from either your Domain CA or form whomever you purchase them from. Have your internal and external references to your WAC farm tied to it (the ones SP, exchange, Lync will bind to), AND have it reference your WAC servers by FQDN (i.e., Make sure it has a certificate name AND a friendly name. This will require some lead time in most cases so I include it first.

Get the certificate and have it installed on every server in the WAC implementation.


Now we can install. First Prerequisites:

Install the following software prerequisites:

    • Windows Server 2008 R2 Service Pack 1
    • .NET Framework 4.5
    • Windows PowerShell 3.0 (Part of the Windows Management Framework 3.0 installation)
    • Platform update for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB2670838)Open the Windows PowerShell prompt as an administrator and run these commands to install the required roles and services.If not prompted, restart the server. A lot of the MS guidance does not list this as mandatory. You just added a ton of stuff to your server, restart it. Lastly, install one of the fun undocumented pre-requisites:
    • Import-Module ServerManager Then, run this command: Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

Assuming you have Windows 2008 R2 server: Update for Windows Server 2008 R2 x64 Edition (KB2592525). This guy ay give you a challenge in installing it. If it does try this guys solution:


Now we will follow the technet link I mentioned word for word in the bits install:


Complete these steps on any servers that will run Office Web Apps Server.

Download Office Web Apps Server from the Microsoft Download Center.

Do one of the following:

For Windows Server 2012 or Windows Server 2012 R2, open the .img file directly and run Setup.exe.

For Windows Server 2008 R2 SP1, use a program that can mount or extract .img files, then run Setup.exe.

On the Read the Microsoft Software License Terms page, select I accept the terms of this agreement and click Continue.

On the Choose a file location page, select the folder where you want the Office Web Apps Server files to be installed (for example, C:\Program Files\Microsoft Office Web Apps) and select Install Now. If the folder you specified doesn’t exist, Setup creates it for you.

When Setup finishes installing Office Web Apps Server, choose Close.

Download and install Office Web Apps Server SP1 (Recommended for Windows Server 2012 and Windows Server 2008 R2 SP1. Required for Windows Server 2012 R2.)

If you are applying Office Web Apps Server SP1 at a later time, follow the directions in Apply software updates to Office Web Apps Server.

Check for the most current Office Web Apps Server updates by reviewing the list on the TechNet Update center for Office, Office servers, and related products.

If you did not install Office Web Apps Server SP1, apply KB2810007.

Step 3: Install language packs for Office Web Apps Server


Office Web Apps Server 2013 Language Packs let users view web-based Office files in multiple languages, whether they’re opened from SharePoint 2013 document libraries, Outlook Web Access (as attachment previews), and Lync 2013 (as PowerPoint broadcasts). Learn more about how the language packs work in Planning language packs for Office Web Apps Server.

To install the language packs, follow these steps.

Download the Office Web Apps Server Language Packs from the Microsoft Download Center.

Run WebAppsServerLP_en-us_x64.exe.

In the Office Web Apps Server Language Pack 2013 Wizard, on the Read the Microsoft Software License Terms page, select I accept the terms of this agreement and select Continue.

When Setup finishes installing Office Web Apps Server, choose Close.

To install language packs after the Office Web Apps Server farm is created, you must remove a server from the farm, install the language pack on it, and then add the server back to the farm.

For a language pack to work correctly, you’ll need to install it on all servers in the farm.


So lastly, Look for and push in any additional updates that are out there for the product at the time you are reading this. It is monumentally easier to install now rather than later.


Configure WAC


Now that the installs are done, it is time to configure. So this is where I advise read this carefully:


You will be using the New-OfficeWebAppsFarm commandlet. Before I mentioned you will be using SSL and you will have your own cert. This is one of those areas the current technet is wrong. Despite the wording that CertificateName is optional, that is not true. I should say, it is not true if you do not want your servers throwing out the SSL bindings to the WAC sites on 80 and 809 and if you do not want your users screaming about 404 errors instead of previews or viewing docs. Also, if you want to avoid manually adding the certificate to each web app on each WAC server on every reboot, and major farm PowerShell command, you will include this value.


The call goes like this:


New-OfficeWebAppsFarm -InternalUrl “” -ExternalUrl “” –EditingEnabled –CertificateName “certname”


So I left of the SSL Offloading command. Why? Again, documents..plain text..bad. Even if it is JUST from your load balancer to the server. Even if you get a compelling argument about how much more efficient it is on the NLB. How it is designed for it. Bad. You are most likely running virtualized, beef up your WAC boxes or add more but SSL on the WAC box.


Test your farm creation by hitting your machines discovery URL (HTTP and HTTPS) from another server/workstation. This url is your internal URL parameter + “hosting/Discovery”. In the example call I provided this would be . If this gives you a 404, or does anything but give you a shiny pile of XML, then your farm is either not sucessfully created or you have a networking issue. Do not add any additional servers or attempt to link SharePoint, Exchange, or Lync to it until you resolve this.


Add additional Servers


So now you are ready to add additional servers to the WAC farm. You will use the New-OfficeWebAppsMachine commandlet. You will run this on the machine you are adding to the farm, not the ones that are already in the farm. The new server will reach out to the server specified in the “MachineToJoin” parameter. That’s right. You are not specifying the machine that is joining the farm (you do that by executing the command ON the machine you are trying to join to the farm). You are specifying the machine that your are going to join to. For this reason MachineToJoin much be your FQDN for that machine. As an example:


New-OfficeWebAppsMachine -MachineToJoin “”


You should get a confirmation that the server was added successfully. You can double check this by using the Get-OfficeWebAppsFarm commandlet if your servers are not all listed in the farm, then you have an issue.




So I could (and probably will) write an entire post on troubleshooting. So this is just a quick heads up. Get Fiddler. It is the best way to trace HTTP errors within your farm. I would not leave it on a production server long term but for troubleshooting, use it.


WAC ULS logs. My least favorite feature of this app. The logs are “hidden” in c:\programData\Microsoft\OfficeWebApps\Data\Logs\ULS. This is a hidden folder. You will need to either type in that location manually or set your explorer to show hidden files and folders. (Many thanks to: for the ULS location).


Note: While in that folder set you may notice a few xml files. This is where WAC keeps a lot of it configuration information (it does not have a SQL box like SharePoint to use). There are numerous posts that send you into these files to edit them. Don’t. Best case, WAC will overwrite them. Worst case, you will mess up your WAC configuration and get to tear it down and do it all over again.


Event Viewer is you next best friend. Check Setup, Security, and Application logs for issues. I found WAC loves to send some very scary message there. It once loaded mine with Kerberos SPN errors when I misspelled the server name in the New-OfficeWebAppMachine command. Don’t freak on the error, just carefully analyze them. A WAC farm is really a pretty simple beast once you get to know it.


Wrapping it up


So that’s it. Hopefully, this gave you some useful information. I tried to include the things I wish I knew going into it. The certificate name feature and the cert settings were my favorite sticking point. Good luck and please feel free to post any additional pointers in the comments section. WAC is an awesome capability.

     I felt compelled to write this series after I downloaded the sample office apps from MSDN (all of them) and descended into the 7th level of hell trying to get it to work. The goal was to create an office apps to implement a Word task pane app to allow insertions of bindings, pushing bindings/tags to a SPS 2013 List, and access the SPS taxonomy to allow for tagging of bindings within a Word document. Seems simple enough. I had a pile of samples, a mess of MSDN and TechNet links, I was ready to go or so I thought.

There is actually a good deal of documentation on the Apps for Office, some good MSDN samples, and some great videos. You can certainly go through these and get a pretty good base level of knowledge on Apps for Office. When you take it to a complex solution though, you quickly find some serious gaps which hopefully will be plugged and render this post pointless. This is especially true when your intention is to self-host your apps and use a local app catalog for the manifest. This series is about the gaps I encountered which hopefully will help someone else out.

As I state throughout this series, I am really in the midst of ramping into this area and even through the course of the project the documentation has been changing. So please chime in if you have any additional info to share or questions.

Clarification on terminology

               So before I go too far, I want to clarify a couple things on the terms I use. There are 2 parts to a deployment. First, you are pushing your manifest to a catalog. Second, you are deploying the actual app functionality somewhere. When I refer to deployment in this series, I am referring to the deployment of the functionality not the manifest. I will specifically call out the manifest deployment when that is what I am referring to.

Hope you like client side code

If not, you are probably going to have a bad day. Office apps first and foremost are client side focused. They utilized JavaScript, and JQuery, pulling in libraries from the Office.js, JQuery.js, and Microsoft Ajax just to start with. If you do not understand these technologies and the concepts around coding them, you need to. There are some very subtle (and not so subtle) paradigm shifts you need to be in the know on. A good example, cross site calls. When server side, you can have your server side app call services and references all across your enterprise and possibly even the web. On the client, this is called cross site scripting, and is viewed as a security violation and will be blocked in most cases. This is for good reason. Imagine JavaScript you would write on your website just to make a simple call to a SPS farms web service API to get some info for the current user. Well that would be a client side call, made from the browser, using that individual user’s security context, from that user’s box. It would not be a stretch to write code to go all over the internal sites, maybe some real bad external ones, pulling down inappropriate information, modifying documents in SPS, etc. and it would all look like the end user did it.

Additionally, client side code is blocked from doing most modifications to the local machine. It runs in its own special little area, and is tightly controlled from what it can do to protect people from malicious code. This plays a large role in the architecture you decide to use for your application and how you code it.

Not just client side code

So the good news for server side coders, as I mentioned, the office app is a web site. So that means, you can code it as an ASP.Net site, and enjoy all the wonders of server side code as well. The solution we wrote did in fact use a god deal of C# code to make some calls and save some information. Also, for the types of calls we needed to make, a server side web service call to SharePoint was needed. So you do not need to have server code but you can have it if there is a need. Another good reason may be to run confidential business logic. That way, you are not exposing it through client side code.

Understand the model

               There are some key things to understand. An office task pane app, is running within a task pane in the word client. It is essentially a little browser winder of its own. It is given SOME access to the document through the Office.js that is inherited. That is a key concept. The app accessed the DOCUMENT not the Word client. Bearing in mind that the Word client is running on the OS under the security context of the end user, there is a serious potential security risk in allowing a Word task pane app to manipulate the Word client. If you open the door for that, you run the risk of allowing a task pane app to make malicious calls to the local OS and file system. For this reason a lot of things you would like to do that involve changing Word state, are going to be blocked. Get to know the JavaScript API for Office Task pane apps to better understand it. As you can see, the calls focus on the document not the Word client application.

In the sample I was building, another key was your app catalog is in SharePoint, your app is not. Meaning the SharePoint SP.js library and its supporting libraries are not there for you to use. If you want to work with SPS, you will need to make some web service calls. As I noted before, these likely will involve cross site scripting. So now you need to work around that. For our solution, we knew we would need to make a series of calls to the asmx and svc APIs in SPS 2013, on multiple applications. For some of these calls we could use a JSON call to bypass the cross site scripting issue, and there are plenty of good examples of that in the MSDN coding samples but not all of them. What we decided to do was use the example in the MSDN Sample code and build a controlled class which could make the server side calls for us. In this model, the Office app JavaScript makes a service call back to itself, and then the server side calls out to the SharePoint farm web services and returns data back to the client. It allowed for a good deal of flexibility for our service calls and opened the door for hitting SPS to modify anything we wanted to, and retrieve data. This ended up being pretty easy

There is a way around the missing Sp.Js and SharePoint context. I found a solution in MSDN that had a task pane app embedded in a SharePoint app. This gave me the ability to simplify the deployment, to get access to the SP.Js and all its references, to capture SPS Context info on the client side and do some real easy coding. However, it does deploy to an App tenant in SPS 2013, and there are implications to that. Additionally, when you do this, it is only going to allow client side code. This may not matter, but bear it in mind.

Plan your deployment

               While coming up with the design know how you intend to deploy this app. Will it be hosted in SPS? Will it be part of an SPS App? Will it be on an IIS server? Azure? This decision can have a very big impact on what is possible. As an example, if I am deploying to a SharePoint App, or to a SharePoint site, I am deploying typically client side code only. Meaning no compiled dlls, but my code will have access to SP context on the client and Sp.js. If I am going to IIS Server, I will be able to code whatever I want on the backend/server side, I will not have direct access to SP context or SP.Js (assuming I care for this app).

For each deployment model I will also need to consider security and user context unique to that situation as well as infrastructure considerations, firewall rules, etc.

Watch your JavaScript and CSS References

               One extremely common newbie mistake (and of course one I made repeatedly) was not being mindful of my JavaScript and CSS references. In the Home.html file generated by VS when creating an office app they link to the online ones (for JQuery and Office) and local references for the css and some other JavaScript used for the app. They have commented out lines to use a local version of these files. When running on a development virtual, that may or may not have access to the web, your first time you will undoubtedly not realize this and your apps will fail when trying to run and import these files. When using the local files and relative links, you will probably run into an issue along your testing where it cannot find them because of where your app is running. This is an extremely common mistake so when you work with an office app and are moving through development, and testing and code stops working despite not being changed, this is the first place I would look.

Testing can be painful

               So while in VS 2012 or 2013, I can run this in debug mode, it all pops up in a word doc and everything is great. However, take away you VS debug ability and you are in trouble. Office task pane apps do not allow for “Alert” functions or many other functions you would commonly use to pop up state information while walking JavaScript to see what is wrong. But hey, why would I care? I got VS debugging. So a couple reasons. First VS debugging is about the perfect scenario. VS.Net is tied directly to the local IIS and it kicks off Word and inserts the app for you. In the real world, when you go to test and deploy the app, all these tools are not there. Your Office app is running elsewhere. Your manifest is in an app catalog on yet another server, and Word is running on yet another client machine. So now you have 3 separate servers running code, oh and the example I was building called out to yet another SPS farm. Your office app is running in a task pane and is secured by IE security settings, plus ones specific to Office Apps in Word, plus any additional GPOS in your Org. You are needing to ensure open and secure communication between Word, the Office app, and any other systems you are needing to hit. You need to consider the identity each communication channel is using. A lot of those failure are silent in your word application. For example, a security setting/GPO that blocks the JavaScript from loading and/or executing when calling a remote system can create silent failure which is tough to debug. An authentication issue may be silent. Tools like fiddler can help some but very often you need to really be methodical and not assume anything. IMO, the tools have not really caught up to this technology to make the testing as easy as it should be. To be honest, I am still developing my methodology on adequately testing and debugging these systems.


  1. Apps for Office Training videos –
  2. Apps for Office Samples –
  3. Apps for Office Task Pane App JavaScript API – (
  4. How to: Create an app for SharePoint that contains a document template and a task pane app –
  5. Fiddler –

              Let me say it, I love PowerShell. For building out predictable, repeatable configuration, installation, and maintenance processes, nothing beats it. So like many others, I have built up a large PowerShell script library. I have ones for full farm config, for site provisioning, Site collection configuration, and many, many more.

              Sort of scary I never came across this before but while working with a client, we combined a script that provisioned some site collections, turned on some features, installed/activate some custom features, set a custom page layout and content type to be the default on the pages library, and removed all other content types and page layouts from that library. This script failed halfway through the process, while activating a custom feature that had been installed in the previous step. It returned the error: “the feature is not a farm level features and is not found in a site level defined by the URL…”. So this was confusing as in central admin I could see the feature was there, was installed, and was at the correct scope. After Binging this for a while, I found very little useful information as it seemed most of these issues were related to incorrectly entering the name of the feature. We had the GUID in there and it definitely matched. Also, we could re-run the offending line of script in the PowerShell window and it would run fine the second time around.

              So after a little tinkering we found that by chunking up the PowerShell script and running it in pieces, it all ran to completion without error. So we found out how to get the script to work but not really why it erred out to begin with. I run many large scripts without issue. The key was in the install/activate code. This is because adding a WSP to a farm and deploying it is an asynchronous process. A really fast one for many solutions but it runs asynchronously, nonetheless.  The script we had ran so fast that it would attempt to execute the feature before it was fully installed. So we would get the error message that it could not be found.

              So lesson learned, PowerShell is fast and effective, sometime too much so. When you run a large script and encounter strange errors that appear to make no sense (at the time), try breaking it up or executing it in chunks. It also helps to analyze your code to be sure you fully appreciate which parts are running asynchronously and which are not. This may help you avoid this frustrating error.

So like many SharePoint guys using Windows 8, I LOVE having Hyper-V. It has been a long while since we had a Microsoft 64 bit virtualization technology built-in or otherwise for our non server OS’. In that time I have used Oracle’s virtualization app and of course VMWare player.

So flash forward to Windows 8 Pro, got my Hyper-V working and I have a huge library of VMWare virtuals. So ok, surely there is something to convert these built into Hyper-V on Windows 8 right? Well that is where you would be wrong. A quick Bing for this information pulled up a pile of free/share ware that either gave me a 404 or when found would attempt install spyware or some other garbage and then of course would not even work. Frustration did not being to describe the feeling and the dark vocabulary that I spewed at such a gap in capability.

In my preparation for having to uninstall Hyper-V from Win 8 and go back to VMWare, I came across a tool I had not heard of called the “Microsoft Virtual Machine Converter” (located here: ). Dare I say, this little nugget was the answer to my prayers. Simply install it, and you are good to go.

Now, in my case I just wanted to convert the VMDK to a VHD. So no reason to launch the UI at all, simply open a command prompt (the .exe is installed at “C:\Program Files (x86)\Microsoft Virtual Machine Converter Solution Accelerator: by default) and run a command “MVDC.EXE <source VMDK> <target VHD>:” and whammo. Good to go!

There is a lot of capability in this little tool beyond my simple case but as I have been hit by many expletive laden comments on just simply wanting to convert a VMDK to VHD, I thought I would share with the internets. Good luck everyone!

Lookup field issues in SharePoint 2010

SPS version: SharePoint 2010 Enterprise – CU Dec 2011   

Lookup fields are great but they have some serious limitations sometimes. Through the UI you can set them to a link a field in one list to another list on the same web. This allows to say set values that would be shown in a dropdown similar to how you would do it with term sets in the Managed Metadata service. The plus with the lookup fields is that you can assign a non-techie to administer that single list values.  They are also good if your lookup values are not to be available globally to any web app in a proxy group.

Now, when you want your lookup field to exist on a different web than the current web. Then you will need to turn to code. This is something, that is readily done using a custom content type and the list schema field element (

<Field Type=”Lookup” DisplayName=”Something” Required=”TRUE” ShowField=”Lookupfieldname” UnlimitedLengthInDocumentLibrary=”FALSE” Group=”Real cool code group” ID=”{fe685707-c198-45db-baf3-d8cd92a9f4f6}” SourceID=”; StaticName=”LookupFieldStaticName” Name=” LookupFieldName” Customization=”” ColName=”int1″ RowOrdinal=”0″ />

The idea being you can set this on a base content type, and from that point forward the inheritance chain takes care of it.

In my scenario, I had a set of 3 lists on a root site collection that served as lookup source for a set of 4 libraries that appeared on dozens of subwebs, each library with half a dozen custom content types assigned to it. The libraries were all created by a custom feature that was activated when the sub webs were created. They were generated using a custom list def (Schema.xml) and a list instance built into the feature.

In MOSS 2007, this worked like a charm on a number of deployment I did. In 2010 for some reason, I followed the same methodology and found my lookups were all broken. It took some troubleshooting but what I found was that the content type inheritance was broken. I had a base content type, another set that inherited from that type, and a 3rd level that was used at the lists (Company base CT à Project base CT à SpecificList CT). The lookup settings were kept all the way through these content types. When you create the list and assign the content type there is a new content type that is a copy of the “SpecificListCT”. I found that when SPS 2010 created that copy, it discarded the lookup field list settings. No matter how I set it up, this continued to happen.

A bit of a pain, and from what I could tell a flaw in SPS 2010. I was finally able to overcome this by removing the lookup from the List schema.xml file and in the event receiver for the FeatureActivated event, going in and adding the lookup fields using “SPList.Fields.AddLookup(LISTCOLNAME, SourceLookuplistID, false” ( ).

With that code in place the Lookup fields all started working and life was bliss once again. As with the custom Display/Edit/Add controls, this is a fairly easy way to get this capability into your farm, but it SHOULD be much easier.

Don’t know what it is with SharePoint 2010 but the profile
import configuration can be a bit touchy. Having gone through this recently, I thought
I would share and maybe just maybe save someone some time. First of all, if you
have not done so, read this (

We have
a 6 server (2 WFE, 2 App, SQL A/P cluster) farm with SP 2010 SP1 all running on
a Windows Server 2008 R2 SP1 box. Kerberos configured. Initial configuration
went fine with 1 exception, after CA was deployed the client requested a port
change for it, which was done with the PowerShell command (this does play in
later). User Profile service was configured with its own managed account.

thing we saw, Forefront Identity Manager Service and Forefront identity Manager
Synchronization Service were disabled and would not run. They got login errors
when this was attempted. This will effectively block any profile importing or
even access the service through CA.

They were setup to run as local machine.
I also noted when they were started that there was a mention about an audit
failure on a registry in the security log. Turned out this key was at” HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity
Manager\2010\Synchronization Service” and that the identity of the FIMs
services could not access this registry key. I gave the managed account that
the user profile service is running under rights to this key and ensured the
FIMs service was running under this account.

So now
our services start. And there was much joy across the land. Not really. Cause
now when we try to configure a profile sync connection we get errors about our
profile import account being invalid. It won’t even list out any domains. This
was our second fun issue. Despite my request earlier for this account, it was
never given Replicate Directory Changes permissions in AD. So after a slight
battle with the AD administrator this was resolved and we moved on to the next

We hook
up the sync connection and start a full profile import, while contemplating a
trip to the local pub once it is done (that trip ends up being delayed for a
day or 2). It runs for 40 minutes, and imports exactly 0 profiles. Awesome.
Looking at the server running the service app, the application logs are filled
with warning related to the MSI installer service, and the system logs have
DCOM permissions on an APPID “000C101C-0000-0000-C000-000000000046”
and the “network service” account.

So here
I am going to cut to the fixes and save the suspense.

  1. Open regedit, find 000C101C-0000-0000-C000-000000000046,
    it will be at “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046}”

    1. Right click,
      properties, security,

Click advanced
Set the “administrators” group to own the
Click OK

  1. Give the “administrators”
    group full control of the item.
  2. Click Apply, then
  3. Now open component
    1. Go to the DCOM config folder under the local machine
    2. Find the 000C101C-0000-0000-C000-000000000046
    3. Right click, properties,
      security Tab
      i.     Custom radio button, edit
  4. Add Network Service with local launch and local activation rights then click OK
  5. Open windows explorer as administrator
    1. Find: C:\Program Files\Microsoft Office
      Servers\14.0, give Network service READ rights to  Tools, SQL, and Synchronization service subfolders.
    2. Now execute “C:\Program Files\Microsoft Office
      Servers\14.0\Synchronization Service\UIShell\miisclient.exe” (I made this
      a shortcut on my desktop)

      1. Click on Management Agents
      2. Find an agent called MOSS_<GUID>, right
        click and view properties
      3. Click on Configure Connection Information, If
        you had to change the port on CA, you will find that your port was likely NOT
        changed in here and still points to the old port. You will need to change this
        to get rid of the connection error in the Event viewer
      4. Verify other connection info and Verify the connection
        info on the other item in the list (should be right below the MOSS_<GUID>
        item). Verify the domain name, the account credentials, and other info.
      5. On more than on occasion in this farm SPS and
        FIM were completely out of sync on configuration. I have done other farms where
        this disconnect did not appear to happen but for some reason here, it did.

So, now that all these mods were made we kicked off a full sync and 40 minutes later we had 50,000 profiles successfully
imported. This fix list looks small but it was a couple days on Bing to sort out. Especially the wonderful gem associated with the port not updating for
FIMs when the Central administration port was changed (I HOPE this is fixed by a SPS CU or SP someday).

That’s all I got for now. I hope this saves some of you folks some time. Please shoot out any other recommendations you got as you troubleshoot these items yourself.

Happy hunting guys!

Some of my reference links(please add more via comments if
you got them):