The User Profile Service is the most important service application in SharePoint 2010. You have to set it up first so that you can configure the import filter for AD accounts, synchronize, and manage user properties and information. But configuring this service application is not an easy task; I guess you will run into at least some problems when you try to configure it.

One popular issue: in a development environment you usually run Active Directory on Windows Server 2008, but in production the domain controller will be Windows Server 2003. This is easy to forget, and many problems then have to be solved when you try to start the Forefront Identity Manager Service. Sometimes you are unable to start the User Profile Synchronization service from Central Administration -> System Settings -> Services on server: the service sits at "Starting" but never starts.

Some common error messages are listed below:

Event ID: 234
Description:
ILM Certificate could not be created: Cert step 2 could not be created: C:\Program Files\Microsoft Office Servers\14.0\Tools\MakeCert.exe -pe -sr LocalMachine -ss My -a sha1 -n CN="ForefrontIdentityManager" -sky exchange -pe -in "ForefrontIdentityManager" -ir localmachine -is root

Event ID: 234
Description:
ILM Certificate could not be created: netsh http error:netsh http add urlacl url=http://+:5725/ user=Domain\spfarm sddl=D:(A;;GA;;;S-1-5-21-2972807998-902629894-2323022004-1104)

Event ID: 22
Description:
The Forefront Identity Manager Service cannot connect to the SQL Database Server. The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.
Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.

Event ID: 0
Description:
Service cannot be started. System.Data.SqlClient.SqlException: Cannot open database "Sync DB" requested by the login. The login failed.
Login failed for user 'domain\sp_farm'.

Event ID: 2
Description:
The Forefront Identity Manager Service could not bind to its endpoints. This failure prevents clients from communicating with the Web services.
A most likely cause for the failure is another service, possibly another instance of Forefront Identity Manager Service, has already bound to the endpoint. Another, less likely cause, is that the account under which the service runs does not have permission to bind to endpoints.
Ensure that no other processes have bound to that endpoint and that the service account has permission to bind endpoints. Further, check the application configuration file to ensure the Forefront Identity Manager Service is binding to the correct endpoints.

If you run into one of the errors above, first check which version of Windows is running on the domain controller.

If it is Windows Server 2003, you need to configure the following steps in Active Directory:

  1. Add “Replicate Directory Changes” permission
    1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
    3. On the first page of the Delegation of Control Wizard, click Next.
    4. In the Users or Groups page, click Add.
    5. Type the name of the synchronization account, and then click OK.
    6. Click Next.
    7. In the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
    8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
    9. On the Permissions page, in the Permissions box, select Replicate Directory Changes, and then click Next.
    10. Click Finish.
  2. Add account to “Pre-Windows 2000 Compatible Access” group
    1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. In Active Directory Users and Computers, expand the domain, expand Builtin, right-click Pre-Windows 2000 Compatible Access, and then click Properties.
    3. In the Properties dialog box, select the Members tab, and then click Add.
    4. Type the name of the synchronization account, and then click OK.
    5. Click OK.
  3. Grant Replicate Directory Changes permission on the cn=configuration container
    1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
    2. In ADSI Edit, if the Configuration node is not already present, select ADSI Edit, on the Action menu click Connect to, in the Connection Point area of the Connection Settings dialog box select Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
    3. Expand the Configuration node, right-click the CN=Configuration… node, and then click Properties.
    4. In the Properties dialog box, select the Security tab.
    5. In the Group or user names section, click Add.
    6. Type the name of the synchronization account, and then click OK.
    7. In the Group or user names section, select the synchronization account.
    8. In the Permissions section, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click OK.

See more at http://www.jppinto.com/2011/04/configure-active-directory-ad-synchronization-for-sharepoint-2010/

If you still cannot start the Forefront Identity Manager Service, try deleting all the self-signed certificates that were created for the computer account and added to the Trusted People certificate store. To do so, open the Run dialog, run "mmc.exe", and then add the Certificates snap-in as below:

If you are on the SharePoint server that is running the User Profile service, choose "Local Computer".

Repeat all of the above steps for "My user account" and "Computer account" as well, to be sure you have found every duplicated certificate.
Next, expand each node, check for any Forefront certificates, and delete them.

Then restart the Network Location Awareness (NLA) service, set the services to 'Automatic (Delayed Start)', and grant the Network Service account permissions on the 'C:\Program Files\Microsoft Office Servers\14.0\*' directory.

The problems should then be fixed.
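As an added, read-only diagnostic that is not part of the original post, the following PowerShell script checks each prerequisite discussed above on the SharePoint server: the Replicate Directory Changes grant on the domain and configuration containers, Pre-Windows 2000 Compatible Access membership, the port 5725 URL reservation from the Event ID 234 message, duplicate ForefrontIdentityManager certificates, and the FIM and NLA service state. The account name, the domain DN and the availability of the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example, not from the original post: checks the prerequisites discussed
# above on the SharePoint server that hosts User Profile Synchronization.
# Assumes the ActiveDirectory RSAT module is installed and that the caller can
# read AD ACLs. CONTOSO\spfarm and DC=contoso,DC=local are placeholders.
param(
    [string]$SyncAccount = 'CONTOSO\spfarm',       # synchronization (farm) account
    [string]$DomainDN    = 'DC=contoso,DC=local'   # domain naming context
)
Import-Module ActiveDirectory -ErrorAction Stop
$script:results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}
# 1. "Replicate Directory Changes" (extended right DS-Replication-Get-Changes) on the domain
#    and configuration naming contexts. Only direct grants to the account are detected.
$replGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$configDN = (Get-ADRootDSE).configurationNamingContext
foreach ($dn in @($DomainDN, $configDN)) {
    $ace = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -ieq $SyncAccount -and
        $_.ObjectType -eq $replGuid -and $_.AccessControlType -eq 'Allow'
    }
    Add-Check "Replicate Directory Changes on $dn" ([bool]$ace) $SyncAccount
}
# 2. Membership in Pre-Windows 2000 Compatible Access (required with a Windows Server 2003 DC).
$sam = $SyncAccount.Split('\')[-1]
$member = Get-ADGroupMember 'Pre-Windows 2000 Compatible Access' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam }
Add-Check 'Pre-Windows 2000 Compatible Access member' ([bool]$member) $sam
# 3. The HTTP URL reservation that the netsh command in the Event ID 234 message creates.
$urlacl = (& netsh http show urlacl 'url=http://+:5725/' 2>&1) -join ' '
Add-Check 'URL ACL http://+:5725/ reserved for sync account' ($urlacl -match [regex]::Escape($SyncAccount)) $urlacl
# 4. ForefrontIdentityManager certificates; more than one in a store is the duplicate
#    situation the post says to clean up in the Certificates MMC snap-in.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPeople', 'Cert:\CurrentUser\My'
$dups = foreach ($s in $stores) {
    $certs = @(Get-ChildItem $s | Where-Object { $_.Subject -like '*ForefrontIdentityManager*' })
    if ($certs.Count -gt 1) { "$s has $($certs.Count): " + (($certs | ForEach-Object { $_.Thumbprint }) -join ',') }
}
Add-Check 'No duplicate ForefrontIdentityManager certificates' (-not $dups) ($dups -join '; ')
# 5. State and start mode of the FIM services and Network Location Awareness.
foreach ($svc in 'FIMService', 'FIMSynchronizationService', 'NlaSvc') {
    $w = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    Add-Check "Service $svc running" ($w -ne $null -and $w.State -eq 'Running') "State=$($w.State) StartMode=$($w.StartMode)"
}
$script:results | Format-Table Check, Pass, Detail -AutoSize
```

A failed check in step 1 is the symptom the Delegation of Control Wizard and ADSI Edit steps above fix; a failed step 3 or 4 points at the certificate and URL reservation errors from Event ID 234.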

Hoang Nhut Nguyen
Email: nhutcmos@gmail.com
Skype: hoangnhut.nguyen