User Profile Sync Setup in SharePoint Server 2010 Beta

This is how I set up user profile sync for SharePoint Server 2010 Beta on my machine. You should not take this as an official guide, but the steps may help if you have been driven crazy. 🙂

You should also check out the TechNet article and the steps on our team blog first; they are more “official”, and they don’t come from “another MS guy in the wild” like me :)

[Update: we are considering gathering all of this information and putting it back into the TechNet article, possibly as a video walkthrough with screenshots, which we hope will help. After that is done, I may remove the content here.]

The following steps were done on Windows Server 2008 R2, but they also apply to Windows Server 2008. The WCF fix for R2 and Win7 is not currently available to the public, but it will be released here in the coming days.

  1. Start with a fresh SharePoint farm installation, and make sure the WCF fix (please refer to my previous post) is already applied on the machine.

  2. A web application is already created at port 80. A site collection is also created.

  3. Don’t do anything with the User Profile Service Application yet. If you did, you may need to rebuild the farm. (Am I kidding? No, this is beta.)

  4. Click System Settings > Manage Services on server.

  5. Start Microsoft SharePoint Foundation User Code Service. This may not be necessary, but I always do it first.

  6. If you are on a Domain Controller, run the following script (from an elevated PowerShell) to make sure the User Code Service has the right permission to run.
    # Grants the local Users group FullControl on the ComputerName registry key.
    # This is broader than the service strictly needs; it is the beta workaround.
    $acl = Get-Acl HKLM:\System\CurrentControlSet\Control\ComputerName
    $person = [System.Security.Principal.NTAccount]"Users"
    $access = [System.Security.AccessControl.RegistryRights]::FullControl
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
    # Attach the rule to the ACL; without this line Set-Acl writes the key's ACL back unchanged.
    $acl.SetAccessRule($rule)
    Set-Acl HKLM:\System\CurrentControlSet\Control\ComputerName $acl

  7. Start User Profile Synchronization Service. After you click the link, it should show something like this:

  8. Although the service is still “Starting”, we can check whether the timer job is running properly. Click Monitoring > Check job status. You should now find a job “ProfileSynchronizationSetupJob” running. This may take several minutes to finish. If it finished instantly, something is wrong and you may have to rebuild again.

  9. When it has finished, the job disappears from the Running category. Now check Services again: the User Profile Synchronization Service should be “Started”.

  10. Time to set up the connection! Click Application Management > Manage service applications. Scroll down to find and click User Profile Service Application. (Hint: you can copy the link to this item and add it to the Resource links on the Central Administration main page to save time in the future. You can do the same for Search and Managed Metadata.)

  11. It is possible that you get an empty status now. It’s okay.

  12. Click Configure Synchronization Connections.

  13. Oh, why did I get this? “An error has occurred while accessing the SQL Server database or the SharePoint Server Search Service. If this is the first time you have seen this message, try again later. If this problem persists, contact your administrator.”

  14. Do an IISRESET from the command line. Refresh the page, and the problem is solved.

  15. Now, click Create New Connection.

  16. Fill in your domain information. Choose the users or OU you want to import. Click Ok.

  17. The connection you just created should be there. If not, you may need to rebuild. (I’m a bad guy, always telling you bad news.)

  18. Now go back to User Profile Service Application, the numbers should be shown on the side.

  19. You can choose to Start Profile Synchronization now. After some time, the numbers will change; how long it takes depends on the size of the OU you just chose.

  20. Click Manage User Profiles, and try to find a user. Yes, he is there!
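The steps above are all done by clicking through Central Administration. As an added example (not from the original post), this script reads back the state those steps should leave behind from the SharePoint 2010 Management Shell: who holds FullControl on the registry key from step 6, the status of the profile service instances from steps 7 to 9, and the recent history of the setup timer job from step 8. It assumes the SharePoint PowerShell snap-in is installed on the farm server and that you run it as a farm administrator.

```powershell
# Added example, not from the original post. Assumes the SharePoint 2010
# PowerShell snap-in is present and the shell runs as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 6: list every principal that holds FullControl on the ComputerName key,
# so the broad grant to "Users" stays visible and can be narrowed later.
$key  = 'HKLM:\System\CurrentControlSet\Control\ComputerName'
$full = [int][System.Security.AccessControl.RegistryRights]::FullControl
Write-Host "FullControl holders on $key"
(Get-Acl $key).Access |
    Where-Object { ([int]$_.RegistryRights -band $full) -eq $full } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Steps 7-9: the two profile service instances should both report "Online"
# (shown as "Started" in Central Administration).
$wanted = 'User Profile Synchronization Service', 'User Profile Service'
Write-Host 'Profile service instances'
Get-SPServiceInstance |
    Where-Object { $wanted -contains $_.TypeName } |
    Select-Object TypeName, Status, @{ n = 'Server'; e = { $_.Server.Address } } |
    Format-Table -AutoSize

# Step 8: the setup job should have taken minutes; a run that ends almost
# immediately after it starts is the "rebuild" signal from the post.
Write-Host 'Recent runs of the profile synchronization setup job'
Get-SPTimerJob |
    Where-Object { $_.Name -like '*ProfileSynchronizationSetup*' -or
                   $_.DisplayName -like '*Profile Synchronization Setup*' } |
    ForEach-Object {
        $_.HistoryEntries |
            Sort-Object StartTime -Descending |
            Select-Object -First 3 Status, StartTime, EndTime
    } | Format-Table -AutoSize
```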

Jie Li

Technical Product Manager, SharePoint

Comments (20)

  1. B@rney says:

    Hi Jie!

    Some great posts here. I’ve been following your instructions to the dot, but cannot get User Profile Sync to work.

    I have a Hyper-V virtualized server running Win2k8R2 Enterprise as DC, with SQL 2008 Developer, and all the bells and whistles.

    When you suggest to "rebuild farm", what does that actually imply?

    Just to run PSCONFIG and create a new farm?


  2. @Barney

    Rebuild means you need to run psconfig to remove the server from the farm. In my case, since it was the only server in the farm, it removed the farm. It would be good if you can also run SQL Management Studio to delete all the related databases. Then run psconfig again and recreate a farm.

    The reason I suggested this way is because it is hard to troubleshoot problems and fix them when you have a (most likely) corrupted setup. Remove Service Application and recreate would not work, since FIM is already messed up.

    Which account did you use? I suggest to use the domain administrator to avoid possible problems. One of the key steps is, don’t touch User Profile SA before you have user profile sync service fully started. If you didn’t do that, it is highly possible only a rebuild would work.

  3. sosodog says:

    Hi, Buddy

    When I created a user profile application service, I got this error:

    Unrecognized attribute ‘allowInsecureTransport’. Note that attribute names are case-sensitive. (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebClients\profile\client.config line 34)

    Any idea?

  4. sosodog says:

    one thing more

    The job "ProfileSynchronizationSetupJob" finished, but my profile sync service is still “Starting”.

  5. @aleck,

    allowinsecuretransport only happens when you didn’t apply WCF fix on Windows Server 2008 R2…

  6. shope928 says:

    Great Post.  Quick Question.  How can I map the picture property URL to an existing site.  I used to use a url in a text field to map to in 2007 but it doesn’t seem to work in 2010.  Any clues would be appreciated.

  7. donal.conlon says:

    Thanks Jie.

    I have managed to get this working with AD (eventually). But am stumped with LDAP.

    First I’m trying with ADLDS, and then with Sun One.

    Cannot figure either out.  Any pointers?

  8. Matt Stratton says:

    For the life of me, I cannot get this to work for a domain trust scenario.

    In our example, all user accounts are in forest x ( is the domain). Our farm (and all servers) are in forest y ( trusts

    When I set up the profile sync to pull from, it works fine. But when I put in, when I go to enumerate containers, it says "the object does not exist".

    This works great in the exact same setup in MOSS 2007. I can’t believe that we are the only people in the world who have an account forest and a resource forest.

    Any suggestions as to how to configure SPS2010 with this type of a setup? We’re dead in the water in our testing without being able to actually have user accounts, you know?

  9. Kutz13 says:

    Just evaluating this for possible use in our organisation – very impressed so far with what I’ve seen.

    User profile import is still giving me issues though. When I go to configure a connection I’m informed that the user profile sync job is running and to wait until it’s finished. Nothing showing in the monitoring section as running. Still there after disabling the timer job completely and iisreset/server re-boots…

  10. nist says:


    At #13 “An error has occ…" iisreset isn’t solving that issue for me, are there any tips for that issue?

    thx in advance ;]

  11. ewohmot says:

    CRITICAL STEP Between steps 10 and 11:

    go to Manager Service Applications / User Profile Admin / Administrators —

    Add the valid local and domain users to give full control permissions. This solved all my problems and allowed Jie Li’s instructions to work flawlessly.

    See this link:

  12. ewohmot says:

    CRITICAL STEP (CORRECTION) — NEED To do the previous post between step 9 and 10.  

    Once that is completed you will be able to create the connection without permission errors.  After that everything else works fine.

  13. ewohmot says:

    OK, well after starting all over and going through all the steps again, just to prove to myself that the above process is consistently repeatable, I found out that it seems that it is necessary to add the local machine admin account to the ‘User Profile Application’ administrators.  Why? I have no idea, but as we know, it is Beta.

  14. Raj_RK says:

    Jie, I followed the steps, however I did not succeed in setting up profile synchronisation. Win2k8R2 Enterprise as DC, on which SharePoint is installed. I am facing an issue with FIMSynchronizationService; in the log it states:

    The service encryption keys could not be found.

    User Action

    Verify that the service account has permissions to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

    If the problem persists, run setup and restore the encryption keys from backup.

  15. Neel says:

    I have followed your steps in entirety, my sync with AD is working fine except it is not pulling the pictures in the AD.

    Here is my issue, we have photos of all employees stored as xyz.jpg in the custom attribute (emp_pics_2001) with type string, but the picture url type is url (is this the culprit type change), I am using the custom attribute to map the field in the Sharepoint 2010 miis client.

    I am using the below url to do the set up:…/setting-up-pictureurl-user-profile.html

    I did check the profile DB: the picture URL field is NULL, and I have all the other values for the person except the picture. I do not know why Microsoft is making it harder in a few small things like this; I have already wasted more than 2 days figuring this out.

    If i just get xyz.jpg pulled to sharepoint, then i can prefix a url in front of it using powershell

    I am using a full trusted service account with full permissions to the domain

    please help me out..

    thank you


  16. blog city says:

    User Profile Service Configuration in SharePoint 2010

  17. Al says:


    Do steps 5 and 6 still apply to the non-beta version?

    We do not have a service named:  Microsoft SharePoint Foundation User Code Service  

    We are on a domain controller.


  18. ehabzag says:

    I am doing a SharePoint user profile sync from AD, the process is working fine, from "Synchronization service manager" 2373 profiles were added.

    but only 9 were added to SharePoint.

    I checked AD and found that the 9 accounts have type "USER" and the others have "inetOrgPerson". How can I add these marked as "inetOrgPerson" to the SharePoint user profile??

    please advise

  19. Ankit Sharma says:

    Great article sir!!

    But what about the Form Auth users? These users are from Active Directory. I want to view my FBA form auth user profiles that contain i:0#.f|myprovidername|username. When I go to Manage User Profiles and then Find Profiles, it shows the Active Directory user, but I want the LDAP FBA user profiles. When I set up FBA using the LDAP provider, log in to the site and click My Profile, it shows a "user not found" error, because the FBA auth user is not synced into the user profile database.

    So let me know, sir, how I can sync LDAP FBA user profiles in user profile synchronization… Plz help sir!!!

  20. TheStaceMeister says:

    Since it is very naughty to set up SharePoint on a domain controller, I thought I'd offer up how I setup UPS on a non-domain controller:…/configuring-user-profile-synchronization-service
