The UPS Sync Service is a wild beast. So if it (again) does what it wants instead of synchronizing your user profiles smoothly, here are a few ideas for narrowing down what causes the issue.
Recommended Steps for Troubleshooting
- Be aware that a SharePoint backup stops the sync service. It will be restarted after the backup. But any running sync job will probably be aborted. Depending on your backup strategy you might have more backup jobs than only the DPM or AvePoint Farm backup – i.e. to back up your service application configurations.
- Analyze the Windows event log for clues. As a starting point, try filtering for "Source=FIMSynchronizationService".
- Check the ULS log specifically at the times where you observe event log entries for FIM. Additionally, you might want to filter for "category contains user profile".
- Check miisclient.exe (C:\program files\Microsoft Office Servers\15.0\Synchronization Service\UiShell) for more information about what went wrong.
- Check whether the sync service is running in Windows services. Ensure that it's running under the farm account. The farm account MUST be in the local Administrators group. This is necessary even though Microsoft states in some TechNet articles that you should remove the farm account from the local admin group – this statement is invalid according to Microsoft support and also to my own experience.
- In CA, look for running jobs. There might be a hanging/pausing user profile setup job or sync job which prevents the sync service from starting. If there is a pausing job, enable the User Profile Service Application – User Profile Incremental Synchronization Job. The pausing job should then be reactivated. If this is not the case, delete it before trying any new actions in the sync service.
Personally Known Issues
- If you have more than just the standard Active Directory connectors – i.e. you have a second one importing data from a BDC data source – implement only the AD connector first and run a full import twice. If this works without trouble, set up your second connector and run a full sync.
- Events 6803 and 6110 might be caused by invalid self-signed certificates. To fix this, open an MMC console and add the Certificates snap-in for the local computer and for the service account which runs FIM. In the root folder, search for "forefront", select all certificates found and delete them. Afterwards, open C:\program files\Microsoft Office Servers\15.0 and validate that your service account has full control privileges on the Tools folder.
- Be aware that you cannot delete mapped profile properties as long as there is a connector mapped and a sync job is running.
- To delete or edit a connector the sync service must be started.
- Microsoft does not support changing any connector properties directly in miisclient – except for Import Exclusion Filters. If you need a complex filter, you might be forced to abandon CA and configure the filter in miisclient. Microsoft officially acknowledges that this is all right for SharePoint 2010 and 2013 (http://support.microsoft.com/kb/2517937). As an alternative, you might want to consider using a separate (full license) FIM server: http://technet.microsoft.com/en-us/library/dn511003(v=ws.10).aspx
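
The read-only checks from the lists above (FIM event log filter with events 6803 and 6110, service account, local Administrators membership, "forefront" certificates, Tools folder permissions) can be collected in one pass. This PowerShell script is an added example, not part of the original post; the service and provider name, the Application log, the 24-hour window and the certificate match on Subject/Issuer are assumptions.

```powershell
# Read-only triage; run in an elevated PowerShell 3.0+ session on the sync server.
# Assumptions (not from the post): service and event provider are both named
# 'FIMSynchronizationService', events are in the Application log, 24-hour window.
$name   = 'FIMSynchronizationService'
$filter = @{ LogName = 'Application'; ProviderName = $name; StartTime = (Get-Date).AddHours(-24) }

# 1. Recent FIM events; flag the certificate-related IDs 6803 and 6110.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'CertRelated'; e = { (6803, 6110) -contains $_.Id } },
        @{ n = 'Message';     e = { ("$($_.Message)" -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 2. Service state and the account it runs as (should be the farm account).
$svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
if (-not $svc) { Write-Warning "Service $name not found on this server."; return }
"Service state: $($svc.State); runs as: $($svc.StartName)"
$account = ($svc.StartName -split '\\')[-1]   # user part of DOMAIN\user

# 3. Direct membership in the local Administrators group (resolved from its
#    well-known SID so localized names work). Nested groups are not expanded.
$sid   = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$group = ($sid.Translate([Security.Principal.NTAccount]).Value -split '\\')[-1]
$entry = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
$members = @($entry.psbase.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($members -contains $account) { "$account is a direct member of $group" }
else { Write-Warning "$account is NOT a direct member of $group" }

# 4. List (do not delete) "forefront" certificates in the local computer store.
#    Matching on Subject/Issuer is an assumption; the service account's own
#    store has to be checked while logged on as that account.
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { -not $_.PSIsContainer -and "$($_.Subject) $($_.Issuer)" -match 'forefront' } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List

# 5. ACL entries naming the service account on the Tools folder (expect
#    FullControl). Rights granted only through a group will not show up here.
$tools = 'C:\Program Files\Microsoft Office Servers\15.0\Tools'
(Get-Acl $tools).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$account" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Nothing here changes the system: certificates are only listed, so deleting them stays a manual step in the MMC snap-in as described above.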