Tuesday, May 11, 2010

SharePoint 2010 RTM User Profile Synchronization

I have been struggling with starting the User Profile Synchronization Service on the SharePoint 2010 RTM build. I am using virtual machines for my test:

- Server 1: AD and SQL 2008 role on Windows 2008 R2
- Server 2: IIS and SharePoint 2010 on Windows 2008 R2

The first test was to run the configuration wizard to configure all services and see if I can start the User Profile Synchronization Service. To my surprise I managed to start the service successfully. I have used a Farm Account to provision all services. So, to double-check I went and clicked on User Profile Service Application under Managed Service Applications

and I got the following error:

Checking the application log found errors related to Forefront Identity Manager Service indicating it cannot connect to SQL:

Log Name:      Application
Source:        Microsoft.ResourceManagement.ServiceHealthSource
Date:          5/11/2010 10:12:31 AM
Event ID:      22
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      sp2010.domain.local
Description:
The Forefront Identity Manager Service cannot connect to the SQL Database Server.

The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.

Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.

But this was not the only error related to Forefront Manager; I got other errors:

Log Name:      Application
Source:        Forefront Identity Manager
Date:          5/11/2010 10:13:03 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      sp2010.domain.local
Description:
.Net SqlClient Data Provider: System.Data.SqlClient.SqlException: Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 2.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.ResourceManagement.Data.DataAccess.UpdateRequest(RequestType request, IEnumerable`1 updates)

So, I went ahead and disabled the Windows Firewall (just in case) and rebooted my server (I don't think a reboot is required, but you never know). After the server had rebooted, I opened the Central Administration page and clicked on User Profile Service and voila, it worked; I was able to get to the page:

I clicked on Configure Synchronization Connections to create a new connection and that worked fine and I was able to configure the server. In order to complete the test I had to Start Profile Synchronization and I got the following error in the application log:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          5/11/2010 12:10:02 PM
Event ID:      6050
Task Category: Management Agent Run Profile
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      sp2010.domain.local
Description:
The management agent "MOSSAD-ADAccount" failed on run profile "DS_FULLIMPORT" because of connectivity issues.
 
 Additional Information
 Discovery Errors       : "0"
 Synchronization Errors : "0"
 Metaverse Retry Errors : "0"
 Export Errors          : "0"
 Warnings               : "0"

Ok, I went ahead and disabled the firewall on my domain controller, since I am not sure if it's the firewall or something to do with the account I am using (I am using my farm service account). Also, I had to stop the sync process and started a full profile sync and that failed. So, I tried a different account (Administrator account) and that worked by clicking on the Synchronization link:


I did get a great deal of useful information from this Blog; I would highly recommend reading this Blog, it does contain great information. I have used the previously mentioned Blog to configure my SharePoint account to run the User Profile Synchronization and that worked fine. Note that I got the following warning in my application log:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          5/11/2010 12:28:10 PM
Event ID:      6126
Task Category: Management Agent Run Profile
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      sp2010.domain.local
Description:
The management agent "MOSS-5d867c01-cc0d-40cb-be0d-37b4739c97aa" completed run profile "MOSS_DELTAIMPORT_469b85e3-5b1a-4015-82b9-a438c1ca4aed" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.
 
 User Action
 To ensure the updated rules are applied to all objects, a run with step type of full import and full synchronization should be completed.


However, the real test is to use the manual configuration method where we can use the Microsoft best practices on using the least privilege administration. So, I uninstalled SharePoint 2010 RTM and re-installed it again, but this time the plan is to use Least Privileged Administration method instead of using a single account.

Here are the steps I took to install and configure the farm:
  1. Installed and ran SharePoint Products Configuration Wizard.
  2. Manually provisioned search.
  3. Created a new web application and created a site collection based on the Team template.
  4. Started Managed Metadata Web Service and created Managed Metadata Service Application.
  5. Defined an explicit inclusion managed path for My Site and a site collection that used the My Site Host template.
  6. Created User Profile Service Application and started User Profile Service.
  7. Tried to start the User Profile Synchronization Service and it remained at Starting.

I had to stop the service by using PowerShell commands:

  1. Launched SharePoint Management Shell.
  2. Ran Get-SPServiceInstance to get the Id of User Profile Synchronization Service.
  3. Ran Stop-SPServiceInstance to unprovision the service.

Tried to start the service one more time to no avail (note: I am logged on to the server using my farm admin account). I had to stop the service one more time, then I went ahead and deleted the User Profile Service Application, ran IISRESET, then ran the Farm Configuration Wizard and selected the farm admin account as the service account to provision User Profile Service Application. After the wizard had completed the configuration, I tried to start the User Profile Synchronization Service and that worked.
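As an added example (not from the original post), this script does the Get-SPServiceInstance / Stop-SPServiceInstance steps above in one go: it finds every User Profile Synchronization Service instance in the farm, reports its status, and unprovisions it by Id only when it is stuck in Provisioning (shown as "Starting" in Central Administration). The Add-PSSnapin line is only needed when running outside the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the original post). Run as the farm admin on a
# SharePoint 2010 server. Loads the SharePoint snap-in if this is a plain
# PowerShell console rather than the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# TypeName is the display name shown in Central Administration > Services on Server
$syncInstances = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service"
}

if (-not $syncInstances) {
    Write-Warning "No User Profile Synchronization Service instance found in this farm"
}

foreach ($instance in $syncInstances) {
    # Status is Online, Provisioning, Unprovisioning or Disabled
    "{0} on {1}: Id={2} Status={3}" -f $instance.TypeName,
        $instance.Server.Address, $instance.Id, $instance.Status

    if ($instance.Status -eq "Provisioning") {
        # Stuck at "Starting": unprovision it by Id so the right server is targeted
        Stop-SPServiceInstance -Identity $instance.Id -Confirm:$false
        "Unprovision requested for instance {0}" -f $instance.Id
    }
}
```

After the stop request, re-run Get-SPServiceInstance until the status reads Disabled before deleting the service application or trying Start-SPServiceInstance again.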

Now, I am thinking it could be the account. I had used a different account to manually provision User Profile Service Application. So, the next logical path was to stop the User Profile Synchronization Service and delete User Profile Service Application and then use the farm service account to create User Profile Service Application and then see if we can start User Profile Synchronization Service.

  1. Stopped User Profile Synchronization Service.
  2. Deleted User Profile Service Application.
  3. Manually created User Profile Synchronization Service using Farm Service Account (Note: this account is used by default for User Profile Synchronization Service).
  4. Started User Profile Synchronization Service and it worked.
I did the following test:
  1. Uninstalled SharePoint 2010 and rebooted the machine.
  2. Deleted all SharePoint databases from SQL 2008.
  3. Deleted unused site (SITE_2) from IIS.
  4. Installed SharePoint 2010 RTM
  5. Added the service account that is used for User Profile to the local Administrators group (in my case I created SPUserProfile_svc account)
  6. Manually provisioned: search, managed metadata, and create site collection for My Sites and Team site.
  7. Manually provisioned User Profile Service Application (Note: used a different account from the farm service account as mentioned in step 5).
  8. Started User Profile Service. (Note: you might need to restart the SharePoint Timer service to get to the User Profile page)
  9. Started the User Profile Synchronization Service and this time it worked.
  10. Clicked on Configure Synchronization Connections to create a new connection. (Note: if you get any errors, restart the SharePoint Timer Service)
  11. Started a full profile synchronization and it worked.
At the end of this post, I have learned that in order to successfully start the User Profile Synchronization Service using Least Privilege Administration method, the account used to provision the User Profile Service Application must be in local Administrators group on the server. Maybe it is mentioned in Microsoft documentation somewhere. I hope Microsoft will start updating their SharePoint 2010 soon.
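As an added example (not from the original post) of the pre-check implied by step 5 and the conclusion above, this script verifies that the account that will provision the User Profile Service Application is a member of the local Administrators group on the SharePoint server before you start. The account name DOMAIN\SPUserProfile_svc is a placeholder; it uses the WinNT ADSI provider because Get-LocalGroupMember does not exist on Windows Server 2008 R2.

```powershell
# Added example (not from the original post). Checks local Administrators
# membership for the User Profile service account on this SharePoint server.
# The default account name is a placeholder; pass your own with -ServiceAccount.
param(
    [string]$ServiceAccount = "DOMAIN\SPUserProfile_svc",
    [string]$ComputerName   = $env:COMPUTERNAME
)

# WinNT provider works on Windows Server 2008 R2 / PowerShell 2.0
$group = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Each member is a COM object; read its ADsPath (WinNT://DOMAIN/account)
# and normalise it to the DOMAIN\account form used for comparison.
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    ($path -replace "^WinNT://", "") -replace "/", "\"
})

"Local Administrators on {0}:" -f $ComputerName
$members | ForEach-Object { "  $_" }

# -contains is case-insensitive, so DOMAIN\account and domain\Account both match
if ($members -contains $ServiceAccount) {
    "{0} is a member of local Administrators on {1}" -f $ServiceAccount, $ComputerName
} else {
    Write-Warning ("{0} is NOT in local Administrators on {1}; add it before " +
        "provisioning the User Profile Service Application") -f $ServiceAccount, $ComputerName
}
```

Membership granted only through a nested domain group will not show up in this flat listing, so check the nested group as well if your farm accounts are managed that way.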

That's it for now.
