Wednesday, January 4, 2012

The Quick and Dirty Guide to Recreating the User Profile Service


It's no secret that the User Profile Service is probably the most fragile aspect of a SharePoint Server 2010 installation. It's been my experience that you either get it right the first time - or you have a difficult road ahead of you. 

It goes without saying that when implementing the User Profile Service, you should read, re-read and then follow Spencer Harbar's definitive Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization.

However, in my work I often encounter client installations that were done improperly, or where the environment itself has issues. In those cases I've found that it is often quicker and easier to simply delete the User Profile Service and recreate it rather than attempt to troubleshoot it.

What follows is my quick and dirty guide to deleting and recreating it. 

When deleting and recreating the User Profile Service the following steps should be performed:

  • Stop the User Profile Synchronization Service from within Central Administration.
  • Stop the User Profile Service within Central Administration.
  • Check the Timer Jobs and make sure that the setup synchronization job is not hung. If it is, delete it.
  • Open the MMC and add the Certificates snap-in as detailed here.
  • Delete all Forefront Identity Manager certificates you can find. They are under the Trusted Root, Trusted People and one other place. Delete them all.
  • Make sure both FIM services are disabled in the services console.
  • Create a new User Profile Service.
  • Make sure that you create a new application pool each time you create the service!
  • Make sure it is running under the farm account, and that the farm account is a member of the admin group on the server.
  • Go to 'Manage Services on Server' in Central Administration.
  • Start the User Profile Service in Central Administration.
  • Start the User Profile synchronization service in Central Administration.
  • Open the Services console and watch whether the 2 FIM services change state.
  • Open the Certificates snap-in and make sure the certs have been created properly.
  • Wait a long time.
  • When the User Profile Synchronization Service shows 'started' instead of 'starting', open the services console and make sure that both FIM services show enabled and automatic.
  • Do an IIS reset.
  • See if you can now open and manage the User Profile Service. 
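
The certificate and FIM service checks in the steps above can also be scripted. The following is an added example, not part of the original post: it walks every LocalMachine certificate store rather than a fixed list, optionally removes what it finds, and reports the state and start mode of the FIM services. It assumes the certificates can be recognised by `ForefrontIdentityManager` in the subject and the services by a display name starting with `Forefront Identity Manager`; check both against your server before using `-Remove`.

```powershell
# Added example (not from the original post). Run in an elevated prompt on the
# server hosting the User Profile Synchronization Service.
# Assumption: FIM certificates carry 'ForefrontIdentityManager' in the subject.
param([switch]$Remove)

$pattern = 'ForefrontIdentityManager'

# Inventory every LocalMachine store so no location is missed.
$found = @(foreach ($storeInfo in Get-ChildItem Cert:\LocalMachine) {
    $path = "Cert:\LocalMachine\$($storeInfo.Name)"
    foreach ($cert in Get-ChildItem $path -ErrorAction SilentlyContinue) {
        if ($cert.Subject -match $pattern) {
            New-Object PSObject -Property @{
                Store      = $storeInfo.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
            }
        }
    }
})

# Record what exists before anything is deleted.
$found | Format-Table Store, Subject, Thumbprint, NotBefore -AutoSize

if ($Remove -and $found.Count -gt 0) {
    foreach ($group in ($found | Group-Object Store)) {
        # The .NET store API is used so this also works on PowerShell 2.0.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
            $group.Name, 'LocalMachine')
        $store.Open('ReadWrite')
        try {
            foreach ($item in $group.Group) {
                # Match on thumbprint so only the inventoried certificates go.
                $hits = $store.Certificates.Find('FindByThumbprint', $item.Thumbprint, $false)
                foreach ($c in $hits) { $store.Remove($c) }
            }
        } finally {
            $store.Close()
        }
    }
}

# Assumption: both FIM services have a display name starting with this prefix.
# Disabled/Stopped is expected before recreating; Auto/Running after provisioning.
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Forefront Identity Manager%'" |
    Format-Table Name, DisplayName, State, StartMode -AutoSize
```

Run it once without `-Remove` and keep the output; after the synchronization service reaches 'started', run it again and compare the `NotBefore` dates to confirm the certificates were newly created.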

3 comments:

  1. This comment has been removed by the author.

  2. Excellent quick and dirty guide! This and Harbar's is all you need to get UPS working.

  3. Problem is how do you prevent UPS from creating new Forefront Identity management certificates? Every time our server reboots, UPS creates new certificates and hangs.
