[cross-post from www.kathyhughes.com/blog/]
Note: I've added the necessary links relating to SharePoint Server 2010 prerequisites, along with instructions for configuring the user profile synchronization service, at the end of this post.
Now that Beta 2 is out many of you will be installing and setting up new SharePoint 2010 environments and getting to know the product intimately ;-) However, I've seen a number of posts around issues when attempting to set up and configure the User Profile Service or User Profile Synchronization Service. I too had some issues with this service during my installation so I thought I'd share my experience here and also my eventual workaround so that it may help others.
First off, my environment consists of several physical and virtualized servers. I never use a standalone installation since that's not a fair indication of how people will use the product out in the real world and I need to fully test things like authentication scenarios. So in my initial test setup, I had four servers. All servers are running Windows 2008 R2 and the domain is Windows 2008 R2 (Windows 2008 R2 functional level). Server 1 is my DC/Exchange 2010/DNS/DHCP, etc.; server 2 is SQL 2008 (patched as per prerequisite requirements on Ji Lie's blog); server 3 is my main application server, including SharePoint Server 2010 and Visual Studio 2010 B2; server 4 is currently where I have a number of legacy systems.
I initially ran my 2010 install under my domain admin account. However, I'd set up a separate farm account in my AD and given that account the necessary replication permissions (per Dave Pae's instructions) and subsequently added that account as the farm account during install. The installation had an issue toward the end, where it couldn't fully deploy the user profile service. The error message suggested a timeout issue, but I wasn't convinced that it had completely failed.
Next, while still logged in as the domain admin account, I started the User Profile Synchronization Service on the Manage Services on server page in Central Administration. But the service hung in the status of 'starting'. When I checked my Windows Services console, I could see that both the Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service were set to 'Started'. So then I checked my Windows Application log and it was full of errors. I won't repeat those errors here, but you can see similar errors experienced by others in various posts on the 2010 forums, like this one started by Jeremy - http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/8fffb030-c118-4e36-94ab-8601b25f3a97.
Next, I checked the account under which both the Forefront services were running and of course it was the farm account I'd added during initial installation. So my next attempt was to stop the User Profile Synchronization service which was stuck at a status of 'starting'. To do this, I used the PowerShell cmdlet stop-spserviceinstance [guid]. For those reading this post unfamiliar with PowerShell, you'll first need to discover the GUID for the user profile synchronization service before being able to stop it. To do this use the get-spserviceinstance cmdlet first to enumerate and access all the service GUIDs. I used:
get-spserviceinstance >file.txt to save them to a file on my local drive for convenience.
Next, locate the GUID for the user profile synchronization service (it'll probably show a status of 'provisioning' in PowerShell) and use the following command:
stop-spserviceinstance [userprofilesynchronizationservice GUID]

This will eventually stop the service and the status of the service on the SharePoint Manage services on server page will show a status of 'stopped'.
Also, the two Forefront services in the Windows Services console should be set back to a status of disabled.
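The stop procedure above, scripted as an added example (not part of the original post): it finds the User Profile Synchronization Service instance by type name instead of reading the GUID out of a text file, stops any instance stuck in 'Provisioning', and then lists the state and run-as account of the two Forefront services. The TypeName string, the 5-minute timeout and the display-name filter are assumptions; adjust them to your farm.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell on the affected server.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumption: the instance is listed under this TypeName; change it if yours differs.
$typeName = 'User Profile Synchronization Service'

$instances = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName })
if ($instances.Count -eq 0) {
    throw "No service instance with TypeName '$typeName' was found."
}

# Show server, status and GUID so the right instance is stopped on a multi-server farm.
$instances | Format-Table @{n='Server';e={$_.Server.Name}}, Status, Id -AutoSize

$stuck = @($instances | Where-Object { $_.Status -eq 'Provisioning' })
foreach ($inst in $stuck) {
    Stop-SPServiceInstance -Identity $inst.Id -Confirm:$false

    # Stopping is asynchronous: poll until the instance leaves its transitional
    # state or the (assumed) 5-minute timeout expires.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $status = (Get-SPServiceInstance -Identity $inst.Id).Status
    } while (@('Provisioning', 'Unprovisioning') -contains "$status" -and
             (Get-Date) -lt $deadline)

    "{0} on {1}: {2}" -f $typeName, $inst.Server.Name, $status
}

# The two Forefront services: current state, start mode and the account they run as.
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Forefront Identity Manager%'" |
    Format-Table DisplayName, State, StartMode, StartName -AutoSize
```

The StartName column shows which account each Forefront service runs under, which is the value to compare against the farm account assigned during installation.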
Next I logged in as the farm account I'd assigned during install and the same account under which the Forefront services were running. I then attempted to start the user profile synchronization service using this account, but once again the service got stuck on a status of 'starting'. And my Windows application event log was full of Forefront errors once again along with some additional SQL access errors.
I think what happened was that initially using my domain admin account to start the service confused everything, along with the encrypted key used by the Forefront services.
So, next I decided to reinstall SharePoint Server 2010 but this time I used the domain admin account and I also installed it on my SQL box. This time, everything mostly worked though I still had a timeout error toward the end of my installation. But, I could then successfully start my user profile synchronization service and import user profiles from my domain.
IMPORTANT: once you've successfully started your user profile synchronization service you may still see a message on the User Profile Service Application page under Configure Synchronization Connections that the server is unable to connect to SQL or Search Service, etc. Make sure you have started your Search service back on the Manage services on server page and then do an IISRESET. Dave Pae mentions the IISRESET bit on his blog post. Once you've done this then all should be good to go and you should then be able to Configure Synchronization Connections and Start Profile Synchronization.
Finally, because the user profile service hadn't completely installed using the SharePoint wizard, once I had everything configured including services started and profiles imported, I needed to go back to my Web application and add my user profile service into the available Service Connections.
To do this, go to your Web application and click Service Connections in the ribbon. In the Configure Service Application Associations dialog you'll notice the checkboxes greyed out. To make them editable, from the dropdown at the top of the dialog select [custom] and then go check the User Profile Service Application (or whatever you've named your user profile service app) and click OK.

I realize using the domain admin account isn't best practice, but if you need to get things working in your dev or test environments then it worked for me. I'll be doing some further investigation but for now my user profile synching is working. Another thought is around which authentication protocol you're using. Initially I used NTLM. I've now switched to Kerberos. But I'm not convinced that switching to Kerberos in the beginning would have resolved my initial issue.
My only problem now is that my organizational browser isn't rendering properly with or without Silverlight so that's the next thing to tackle...one day! ;-)
Here are some relevant postings:
Dave Pae has posted some instructions on the SharePoint team blog
http://blogs.msdn.com/sharepoint/archive/2009/11/18/path-to-user-profile-synchronization-success-in-sharepoint-2010-beta.aspx
Ji Lie posted some great instructions here http://blogs.msdn.com/opal/archive/2009/11/19/user-profile-sync-setup-in-sharepoint-server-2010-beta.aspx
plus
Beta 2 installation instructions
http://blogs.msdn.com/opal/archive/2009/11/16/installation-notice-for-sharepoint-2010-public-beta.aspx (great post and it also includes links to other great resources on his blog including a list of all the pre-requisites (important for isolated environments) - http://blogs.msdn.com/opal/archive/2009/10/25/sharepoint-2010-pre-requisites-download-links.aspx).
Importantly, if you're running Windows 2008 standard SP2 then you'll need to install the hotfix at http://code.msdn.microsoft.com/Project/Download/FileDownload.aspx?ProjectName=KB971831&DownloadId=7285
If you're running Windows 2008 RC2 then you'll need to install the hotfix at http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=23806