Recreate SharePoint 2010 User Profile Service

  • Article

I recently had to recreate the User Profile Service in my SharePoint 2010 test farm due to a bad PowerShell script to add permissions to the USP.   The USP was hosed.  I was getting an invalid claim error when calling Get-SPServiceApplicationSecurity or when clicking on the Permission button in Central Admin.  So I decided to recreate the USP to retain the existing profile data (90,000 users), synchronization filters and the managed metadata hookups.  I was successful in doing so.  Here are the steps I took:

  1. Log in to the server that is hosting the User Profile Synchronization Service. Launch command prompt as administrator. Change directory to \Program Files\Microsoft Office Server\14.0\Synchronization Service\Bin.  Backup the MIIS encryption key by running miiskmu.exe /e <Key file name and path>.  Please note that you may have to log in as the farm account when doing this (you will need to add the farm account back in the Local Administrator group anyway to reproision the synchronization service).
  2. Backup the Profile, Social and Sync databases.
  3. Stop the User Profile Service.
  4. Delete the user profile service application by either PowerShell or via Central Admin.  Do not choose the option to delete data.
  5. Delete the Sync database.
  6. Create the user profile service application with the same database names.
  7. Restore the Sync database backup over the one that was just automatically created.
  8. Log in to the server that was running the User Profile Synchronization Service.  Launch command prompt as admin.  Navigate to the same place as above.  Run miiskmu.exe /i <Key file name> {0E19E162-827E-4077-82D4-E6ABD531636E}.  Again, you may have to login as the farm account.
  9. Start the User Profile and User Profile Synchronization services. Again, the User Profile Synchronization Service may take some time to start up.  Note: I had to restart the server one time after waiting 30 min+ on the first.
  10. Check Central Admin to see whether the profiles are still there and whether the synchronization connections are still there.  If the synchronization connections disappear, try restarting the FIM Connection Manager service.   
  11. Test the synchronization service by running an incremental import.
  12. Reassign the administrators and permissions (content access account, web application pools in remote farms, etc.)