User Profile Synchronization Service stuck at ‘Starting …’

This week I had that nemesis of the User Profile Service, my User Profile Synchronisation Service got stuck at ‘Starting …’.  Now I’ve had this before and resolved it OK.  There are a couple of articles which are key in implementing the User Profile Service which I recommend.  Firstly there is the TechNet article ‘Configure Profile Synchronization (SharePoint Server 2010)’ which is the definitive set of instructions, and then there is Spencer Harbar’s ‘Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization’ which gives some extra background detail and has been updated by Spence to refer to the TechNet article.

Farm Account must be Local Admin during Provisioning

One of the key aspects of setting up the User Profile Synchronization making sure that the Farm account which runs the Forefront Identity Manager (FIM) services has local administrator privileges on  the box which runs the synchronisation service.  This I did and always have done since seeing Spence do his demo at the SharePoint Evolutions Conference last year in London, but in my case this week, I could not get the User Profile Synchronisation service to start properly. I checked and double checked every setting in the TechNet and Spence’s blog and still it didn’t work.

Manually Set the Log on Accounts?

In desperation, I manually set the FIM and FIM Synchronization services to run under the farm account and manually started them and then ran the synchronisation provisioning again and lo and behold, it seemed to work, the User Profile Synchronization Service finished provisioning and said ‘Started’.  Result!  So I thought. 

However I could not get the User Profiles to actually sync.  I rebooted the box and the FIM services refused to start properly again.  Further investigation of the event log said that the Farm Service did not have ‘Log On as a Service’ right. But the Farm account was set to a local administrator, and when I manually set the FIM accounts, I got a dialog saying that the account had  been granted ‘Log On as A Service’.  So what was happening?

Beware Group Policy

It was down to Group Policy.  I checked the ‘Local Security Policy’ and the client’s AD Group Policy overrode the local policy and only allowed users in a certain AD group ‘Log On as a Service’ right.  So I asked for the Farm account to be added to the AD group and voila!  User Profile Synchronisation works perfectly.

Moral of the story? Check Group Policy for ‘Allow Log On Locally’ and ‘Allow Log On as a Service’ when doing this work – it can override your manual changes!

Cheers

Dave Mc

Advertisements

About davemcmahon81
Software Developer & Architect, User Group Leader, Speaker, Writer, Blogger, Occasional Guitarist, Man-made Global Warming Sceptic, Climate Change Believer, General Optimist but most of all proud Husband and Dad ...

3 Responses to User Profile Synchronization Service stuck at ‘Starting …’

  1. Jc CyberPine says:

    I have two SP2010 Farms using the same sevice account. One works, one get’s stuck at starting. I’ve checked everthing, Including that on your list. I have this post explaining my steps in detail.

    http://sharepoint.stackexchange.com/questions/19588/sharepoint-2010-user-profile-syncronization-not-starting-libutils-cpp-cannot

    • Hi,

      You know sometimes, it’s just best to blow away your User Profile Service Application and start again from the beginning. Follow the Technet Article ***precisely*** , and see how that works out for you. I’ve had to do this on a couple of occasions. Also have you checked Group Policy from a point of view of the boxes themselves? Do they exist in the same OU in AD?

      You say you’re using Kerberos – to do what exactly in this scenario? The Synchronisation Service runs on the box, you don’t need any of that stuff set up to get User Profile Sync to work.

      Let me know how you get on.

      Cheers

      Dave Mc

  2. SPAdam says:

    In my case, the problem was: The account I logged-in to configure User Profile Sync was not a Farm Administrator account!

    I followed the troubleshooting guide, which lists all possible causes and solutions at: http://www.sharepointdiary.com/2012/09/user-profile-synchronization-service-stuck-at-starting.html#ixzz2aX7Wz4GQ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: