Comments (20)

  1. B@rney says:

    Hi Jie!

    Some great posts here. I’ve been following your instructions to the dot, but cannot get User Profile Sync to work.

    I have a Hyper-V virtualized server running Win2k8R2 Enterprise as DC, with SQL 2008 Developer, and all the bells and whistles.

    When you suggest to "rebuild farm", what does that actually imply?

    Just to run PSCONFIG and create a new farm?


  2. @Barney

    Rebuild means you need to run psconfig to remove the server from the farm. In my case, since it was the only server in the farm, it removed the farm. It would be good if you can also run SQL Management Studio to delete all the related databases. Then run psconfig again and recreate a farm.

    The reason I suggested this way is because it is hard to troubleshoot problems and fix them when you have a (most likely) corrupted setup. Remove Service Application and recreate would not work, since FIM is already messed up.

    Which account did you use? I suggest to use the domain administrator to avoid possible problems. One of the key steps is, don’t touch User Profile SA before you have user profile sync service fully started. If you didn’t do that, it is highly possible only a rebuild would work.

  3. sosodog says:

    Hi, Buddy

    When I created a user profile application service, I got this error:

    Unrecognized attribute ‘allowInsecureTransport’. Note that attribute names are case-sensitive. (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebClients\profile\client.config line 34)

    Any idea?

  4. sosodog says:

    one thing more

    The job "ProfileSynchronizationSetupJob" finished, but my profile sync service is still “Starting”.

  5. @aleck,

    allowinsecuretransport only happens when you didn’t apply WCF fix on Windows Server 2008 R2…

  6. shope928 says:

    Great Post. Quick Question. How can I map the picture property URL to an existing site? I used to use a url in a text field to map to in 2007 but it doesn’t seem to work in 2010. Any clues would be appreciated.

  7. donal.conlon says:

    Thanks Jie.

    I have managed to get this working with AD (eventually). But am stumped with LDAP.

    First I’m trying with ADLDS, and then with Sun One.

    Cannot figure either out.  Any pointers?

  8. Matt Stratton says:

    For the life of me, I cannot get this to work for a domain trust scenario.

    In our example, all user accounts are in forest x ( is the domain). Our farm (and all servers) are in forest y ( trusts

    When I set up the profile sync to pull from, it works fine. But when I put in, when I go to enumerate containers, it says "the object does not exist".

    This works great in the exact same setup in MOSS 2007. I can’t believe that we are the only people in the world who have an account forest and a resource forest.

    Any suggestions as to how to configure SPS2010 with this type of a setup? We’re dead in the water in our testing without being able to actually have user accounts, you know?

  9. Kutz13 says:

    Just evaluating this for possible use in our organisation – very impressed so far with what I’ve seen.

    User profile import is still giving me issues though. When I go to configure a connection I’m informed that the user profile sync job is running and to wait until it’s finished. Nothing showing in the monitoring section as running. Still there after disabling the timer job completely and iisreset/server re-boots…

  10. nist says:


    At #13 “An error has occ…” iisreset isn’t solving that issue for me, are there any tips for that issue?

    thx in advance;]

  11. ewohmot says:

    CRITICAL STEP Between steps 10 and 11:

    go to Manage Service Applications / User Profile Admin / Administrators —

    Add the valid local and domain users to give full control permissions. This solved all my problems and allowed Jet li’s instructions to work flawlessly.

    See this link:

  12. ewohmot says:

    CRITICAL STEP (CORRECTION) — NEED To do the previous post between step 9 and 10.  

    Once that is completed you will be able to create the connection without permission errors.  After that everything else works fine.

  13. ewohmot says:

    OK, well after starting all over and going through all the steps again, just to prove to myself that the above process is consistently repeatable, I found out that it seems that it is necessary to add the local machine admin account to the ‘User Profile Application’ administrators.  Why? I have no idea, but as we know, it is Beta.

  14. Raj_RK says:

    Jet, I followed the steps, however did not succeed in setting profile synchronisation. Win2k8R2 Enterprise as DC, on which SharePoint is installed. I am facing an issue with FIMSynchronizationService; in the log it states–

    The service encryption keys could not be found.

    User Action

    Verify that the service account has permissions to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

    If the problem persists, run setup and restore the encryption keys from backup.

  15. Neel says:

    I have followed your steps in entirety, my sync with AD is working fine except it is not pulling the pictures in the AD.

    Here is my issue, we have photos of all employees stored as xyz.jpg in the custom attribute (emp_pics_2001) with type string, but the picture url type is url (is this the culprit type change), I am using the custom attribute to map the field in the Sharepoint 2010 miis client.

    I am using the below url to do the set up:…/setting-up-pictureurl-user-profile.html

    I did check the profile db: the picture url field is NULL. I have all the other values for the person except the picture. I do not know why Microsoft is making it harder in a few small things like this; I have already wasted more than 2 days in figuring this out.

    If I just get xyz.jpg pulled to SharePoint, then I can prefix a url in front of it using PowerShell.

    I am using a full trusted service account with full permissions to the domain

    please help me out..

    thank you


  16. blog city says:

    User Profile Service Configuration in SharePoint 2010

  17. Al says:


    Do steps 5 and 6 still apply to the non-beta version?

    We do not have a service named:  Microsoft SharePoint Foundation User Code Service  

    We are on a domain controller.


  18. ehabzag says:

    I am doing a SharePoint user profile sync from AD. The process is working fine; from "Synchronization service manager" 2373 profiles were added.

    But only 9 were added to SharePoint.

    I checked AD and found that the 9 accounts have type "USER" and others have "inetOrgPerson". How can I add those marked as "inetOrgPerson" to the SharePoint user profile??

    Please advise.

  19. Ankit Sharma says:

    Great article sir!!

    But what about the Form Auth user? These users are from Active Directory. I want to view my FBA form auth user profiles that contain i:0#.f|myprovidername|username. When I go to manage user profiles and then find profiles, it shows the Active Directory user. But I want the LDAP FBA user profiles. Because when I set up FBA using the LDAP provider, after logging in to the site and clicking my profiles, it shows a user not found error, because the FBA auth user is not synced within the user profile database.

    So let me know, sir, how I can sync an LDAP FBA user profile in user profile synchronization… Please help, sir!!!

  20. TheStaceMeister says:

    Since it is very naughty to set up SharePoint on a domain controller, I thought I'd offer up how I setup UPS on a non-domain controller:…/configuring-user-profile-synchronization-service