Thursday, July 9, 2015

User Profile Synchronization Service Hangs on Starting and Cannot Be Stopped



Checklist for the User Profile Synchronization Service hanging on start / stop and for proper UPS Service configuration

Below are some major causes of the User Profile Service hanging on start or stop. If any of these checks fails, the user won’t be able to provision the User Profile Service.

1.       If the User Profile Synchronization (UPS) Service is stuck in the “Starting” or “Stopping” state, use the PowerShell commands below to bring it to the Stopped state.
Get-SPServiceInstance
Stop-SPServiceInstance -Identity <GUID>
where <GUID> is the service ID of the UPS Service, as listed by Get-SPServiceInstance.
2.       The UPS Service is now in the Stopped state. Make sure that the UPS Service account is the Farm Account, is in the local admin group of the server, and has log on locally rights.
To check this, go to Central Administration > Security > Configure service accounts:
·         Make sure that the Service account is a Farm account.
·         The Service account on the server should be the Local Administrator.
·         The Service account should have log on locally user rights on the server.
3.       To check that the user has log on locally rights, follow the steps below.
·         Go to the Start menu and select > Run > secpol.msc
·         From the Local Security Policy window, select Security Settings > Local Policies > User Rights Assignment > Allow log on locally.
·         Right-click Allow log on locally and select Properties to add a user
4.       Go to the Start menu and select > Run > gpupdate
5.       Also, make sure the SharePoint Timer Job is running with the same account, i.e. the Farm Account, with which you are running the UPS Service.
6.       Now, make sure the user has Full Control permissions on the User Profile Service Application. Follow the steps below to verify this.
·         Go to Central Administration and select Application Management > Manage Service Applications > User Profile Service Application
·         From the Administrators for User Profile Service Application menu, check the appropriate Permissions for user checkboxes.
·         Click OK.
·         From the Connections Permissions for User Profile Service Application menu, check the appropriate Permissions for user checkboxes.
·         Click OK.
7.       Set the FIM Services to run as Local System
·         Start -> Run -> services.msc
·         Locate the two FIM Services: Forefront Identity Manager Service, Forefront Identity Manager Synchronization Service.
·         Edit properties and set it to run as Local System account.

8.       Once all of the above has been completed and verified, you will be able to start the User Profile Synchronization Service.
9.       If you are still unable to proceed, perform step 1 to bring the UPS Service back to the “Stopped” state, perform the check below and try again.
10.      Check the Certificates store on the server that runs the User Profile Synchronization Service and delete all the ForefrontIdentityManager certificates.
·         Start -> Run -> mmc
·         File -> Add / Remove Snap-in
·         Select Certificates -> Computer Account -> Finish -> Local Computer -> Finish -> OK
·         Expand Certificates -> Personal -> Certificates
·         Delete all ForefrontIdentityManager certificates (if you have tried to provision the UPS unsuccessfully several times, you will see more than one certificate).
·         Expand Certificates -> Trusted Root Certification Authorities -> Certificates
·         Delete all ForefrontIdentityManager certificates (if you have tried to provision the UPS unsuccessfully several times, you will see more than one certificate).
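
The checks in steps 1 to 10 can also be read out in one pass before changing anything. The script below is an added example, not part of the original checklist; it assumes an elevated SharePoint Management Shell on the UPS server, an English-language Windows install (group name Administrators), and service display names matching the ones mentioned in the steps above.

```powershell
# Added example (not from the original post): read-only audit of the checklist.
# Run in an elevated SharePoint Management Shell on the server hosting UPS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: UPS instance state and the GUID that Stop-SPServiceInstance expects.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' } |
    Format-Table Id, Status, @{n='Server';e={$_.Server.Address}} -AutoSize | Out-Host

# Step 2: farm account and direct membership of the local Administrators group.
# Assumption: English group name; membership through a nested domain group
# will not show up in this direct match.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$isAdmin = (net localgroup Administrators) -contains $farmAccount
"Farm account: $farmAccount  (direct local admin: $isAdmin)" | Out-Host

# Step 3: who holds "Allow log on locally" (SeInteractiveLogonRight).
# secedit lists SIDs, so print the farm account SID for comparison.
$sid = (New-Object System.Security.Principal.NTAccount($farmAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
"Farm account SID: $sid" | Out-Host
(Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight').Line | Out-Host
Remove-Item $cfg

# Steps 5 and 7: logon accounts of the Timer and FIM services.
# Expect the farm account for the Timer and LocalSystem for both FIM services.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -like 'Forefront Identity Manager*' -or
                   $_.DisplayName -like 'SharePoint*Timer*' } |
    Format-Table DisplayName, State, StartName -AutoSize | Out-Host

# Step 10: leftover ForefrontIdentityManager certificates in the Personal (My)
# and Trusted Root (Root) stores of the local computer. Listing only; nothing
# is deleted.
foreach ($store in 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like '*ForefrontIdentityManager*' } |
        Format-Table @{n='Store';e={$store}}, Subject, Thumbprint, NotBefore -AutoSize | Out-Host
}
```

The script only reports; the account changes and certificate deletions remain manual, as in the steps above.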

Good luck. Hope this will help you get rid of UPS Service issues. Trust me, 90% of UPS Service issues are just because of improper rights assigned to UPS Service Accounts.




