SharePoint 2010 – Provisioning User Profile Synchronization


This blog is intended to quickly ramp up the reader on requirements and steps to successfully provision a user profile synchronization service. User Profile Service Application setup has been one of the most problematic issues for customers so I hope this will clear up some misconceptions.  I’ll cover some basics including components involved and improvements made in this area (User Profile Synchronization). The user profile service application contains several new and existing features from previous SharePoint build. User Profile Service Application has broken away from the SSP and is now a separate entity. It is no longer tied to an SSP and contains 3 SQL databases that are bound to each User Profile Service Application. User Profile Sync no longer relies on search architecture\crawl. User Profile Sync now relies on Forefront identity manager to facilitate full\incremental synchronization between a SharePoint 2010 User Profile Service Application (UPA) and directory servers like Active Directory. For the remainder of this blog, I’ll refer User Profile Service Application as “UPA”. The basic steps to completely provision a UPA:

1.) Provision a UPA either through the Farm Configuration Wizard or from Manage Service Application page within Central Administrator.

2.) Start the “User Profile Synchronization Service” within Central Administrator\System Settings\Manage services on server

Note: This provisions FIM services

3.) Within Manage Profile page, create a new Sync Connection

4.) Start a full sync

Note: Steps 2 and 3 must meet specific permission requirements for functional UPA.

In the following section, I’ll break down the components involved and permission requirements to successfully provision a User Profile Service Application Synchronization service.

 

 Important:  Provisioning User Profile Synchronization will not work in single server installs with built-in databases.   You must have a full install of SQL…

http://technet.microsoft.com/en-us/library/cc263202.aspx

 

Components

 

Forefront Identity Manager (FIM)

Forefront Identity Manager (FIM), formerly known as Microsoft Identity Integration Server (MIIS), is used to facilitate synchronization between multiple endpoints. For Example: (FIM sits between Active Directory and User Profile Service Application and is responsible for syncing changes between both endpoints. Without a healthy FIM, SharePoint sync isn’t possible and will fail. FIM automatically gets installed when SharePoint 2010 is installed.

One of the UPA SQL databases is called the Sync database by default. FIM utilizes the profile Sync Database to store data. So what components make up FIM?

1. Two Services

  •  
    • Forefront Identity Manager Service
    • Forefront Identity Manager Synchronization Service

         clip_image001

2. Profile Sync database (SQL)

3. MIIS Client.exe used to view progress\troubleshoot sync

4. FIM binaries including the MIIS Client tool are located here:

C:\program Files\Microsoft Office Servers\14.0\Synchronization Service

 

UPA Components

A user profile service application has multiple components including the following:

· Consists of 3 SQL databases (Social, Profile, Sync)

· Admin Page (ManageUserProfileServiceApplication.aspx)

clip_image003

· User Profile Service Application Proxy

· SharePoint Services (User Profile Service and User Profile Synchronization Service)

clip_image005

Note: These services are located in Central Admin\System Settings\Manage Services on server

 

 

Permission Requirements

There are two separate permission requirements that involve running full\incremental profile sync. Specific permissions are required for the account doing either of the following:

1. User Profile Sync account

2. Directory Sync account

 

User Profile Sync Account

The User Profile Sync Account is responsible for provisioning\running the User Profile Synchronization Service. It is the same account that runs both FIM services. This account requires the following permissions for provisioning:

· Farm Account (timer service account)

· Local Admin (for duration of sync provisioning)

· Logged on as the account during provisioning

· Member of Pre-Windows 2k compatibility group

Question:

Q. Why does this account need to be a member of Pre-Windows 2k compatibility group?

A. It needs membership to this group at a minimum because we call some functions like AuthzInitializeContextFromSid which require access to read the TGGAU attribute. The Pre-Window 2k compatibility group has access to read this attribute. See my blog for more details:

http://blogs.msdn.com/russmax/archive/2010/01/20/why-the-tokengroupsglobalanduniversal-tggau-attribute-matters-in-sharepoint-2010.aspx

 

Directory Sync Account

The directory sync (dir sync) account is responsible for authenticating\enumerating against a directory server in order to sync changes. This account requires specific permissions to a directory server in order to read and “sometimes” write to a directory. In this example, I’ll be using Active Directory as my directory server because it will be the most widely used directory server. Where\How do you set this account in SharePoint 2010? This account is specified as part of step 3 above which is during the creation of a Sync connection. The permission requirements depend on the following:

  • Domain netbios name is the same as the FQDN domain name
  • Domain netbios name is different than the FQDN of the domain.
  • Syncing changes from AD to SharePoint/Syncing changes from SharePoint to AD

 

Permission requirements: Domain netbios name is the same as the FQDN of the domain

This is the easiest scenario and nothing must be done other than granting directory changes permission to each import domain NC. In a multi domain scenario where a root domain and child domain exists. If users reside solely in the child domain, then the only requirement is to grant the dir sync account replicate directory changes permission on the child domain NC. The dir sync account requires “no” permission within the root domain in order to successfully sync to\from the child domain.

The following permissions are required for functional full sync between UPA and Active Directory. The Directory Sync account needs the following:

· Replicate directory changes permission to each import domain NC

The following article describes how to set this:

How to grant the “Replicating Directory Changes” permission for the Microsoft Metadirectory Services ADMA service account

 

 

Permission requirements: Domain netbios name is different than the FQDN of the domain

This is not the easiest scenario and requires some explanation. When the domain netbios name is different than the FQDN of the domain, that is the domain netbios name is different than the first portion of the FQDN. For Example:

Domain netbios name: Contoso

FQDN of Domain: rootdomain.local

When domain naming scheme is set in this manner, the requirements are the following:

  1. Enable the NetBiosDomainNamesEnabled property to true for the UPA
  2. Grant Replicate Directory Changes perms to each import Domain NC
  3. Grant Replicate Directory Changes perms to the Config NC

Note: A walkthrough of each step is detailed below

 

NetBiosDomainNamesEnabled

NetBiosDomainNamesEnabled is a property that is set on every UPA. By default, this value is set to false which means that you must set it to true in the scenario where the domain netbios\FQDN names are different. PowerShell can be used to drop the UPA into a variable and set this property to true.

For Example:

1.) Get-SPServiceApplication

a. Note: This will output every service application specifically the User Profile Service Application

2.) $var = Get-SPServiceApplication –Identity 00a380ed-2e99-4de3-ae22-dbe8c1b03bab

Note: the identity is the GUID associated with the User Profile Service Application which was retrieved and copied from running the Get-SPServiceApplication cmdlet

3.) $var.NetBiosDomainNamesEnabled

Note: if this is true then it’s enabled and you can skip directly to step 7

4.) $var.NetBiosDomainNamesEnabled = “True”

Note: Here you are setting the property to True

5.) $var.update()

Note: This is simply running update method against the variable which officially updates the property

6.) $var.NetBiosDomainNamesEnabled

Note: This confirms the steps were run correctly as the output will display True instead of False

7.) To utilize the domain Netbios name, a new sync connection must be created and used. Yes, this means you cannot use an existing sync connection and expect it to work. Create a new sync connection via the UI:

Central Admin\Application Management\Manage Service Applications\User Profile Service Application\Configure Synchronization Connections

 

Grant Replicate Directory Changes perms to each import Domain NC and Config NC

For the Domain NC: Utilize the same step described in the “Permission requirements: Domain netbios name is the same as the FQDN of the domain” section.

For the Config NC:

1. Launch ADSI Edit

2. Right click ADSI Edit and hit connect to

3. Under, “Select a well known Naming Context”, choose Configuration and hit OK:

clip_image007

4. Expand Configuration object and (right click + properties) on the configuration container which should be in a DN format like the following:

CN=Configuration, DC=Contoso,DC=com

5. Select Security tab and hit add the Dir Sync account and grant Replicate Directory Changes (This object only)

For Example, Bill is my dir sync account:

clip_image009

6. Click OK

Note: The account used to access the Configuration NC via ADSI Edit must be a member of Enterprise Administrators group to perform this operation.

 

Questions and Answers:

Q. My domain netbios name is different than the FQDN. My AD administrator refuses to grant replicating directory changes permission to the Configuration Container without an explanation.

A. This is a read only permission and will not write to the Configuration NC. Also, the dir sync account requires this permission to the Config NC because that’s where Domain NetBios names are stored.

Q. My domain netbios name is different than the FQDN. My AD administrator refused to grant the dir sync account replicating directory changes permission against Configuration NC. The dir sync account was only granted replicating directory changes permission on the domain NC. This appears to work okay and I can view all my users profiles in SharePoint after a full sync? I don’t get it?

A. It’s not that it won’t work if appropriate permissions are missing on the Config NC. The problem is that it will be an undesirable result in that the SAM account name will show up with the first portion of the FQDN as the domain name instead of the netbios domain name of the domain. This has many potential implications which are mostly unknown at this point. This is the reason why this setup will not be supported by Microsoft.

Q. My domain netbios name is different than the FQDN. How can I validate that the permission was properly set on the Config NC for the dir sync account after a full sync?

A. This question assumes that the questioner doesn’t have access to AD/ADSI edit to validate the dir sync account has appropriate permissions. Two ways to validate permissions are correct.

1. Go to Central Admin\Application Management\Manage Service Applications\User Profile Service Application Management page\Manage User Profiles and search by the netbios name of the domain name and ensure all user profiles appear.

2. Access the User Profile database within SQL and inspect some rows within the UserProfile_Full table. The NT column should display the domain name in CAPS for the netbios name of the domain.

 

Permission requirements: Syncing changes from AD to SharePoint/Syncing changes from SharePoint to AD

This is a major improvement to SharePoint 2010 sync in that now changes can go both ways. Instead of only syncing changes from AD to SharePoint, SharePoint changes can now sync to and update AD. The permission requirements already listed above meet the requirements for syncing changes from AD to SharePoint. However, additional permissions are required for the dir sync account to sync changes from SharePoint to AD:

· Create all child objects (This object and all descendants) to each export domain NC

· Write (This object and all descendants) to each export domain NC

 

Validation

Great, so permissions are now setup properly and it’s time to follow the original steps which are:

1.) Provision a UPA either through the Farm Configuration Wizard or from Manage Service Application page within Central Administrator.

2.) Start the “User Profile Synchronization Service” within Central Administrator\System Settings\Manage services on server

Note: This provisions FIM services

3.) Within Manage Profile page, create a new Sync Connection

4.) Start a full sync

I will discuss validating Step 2 and 3 in sections below.

 

Validating User Profile Synchronization Service Provision

After a User Profile Service Application is provisioned, the User Profile Sync Service must be started if the UPA will be used for syncing. As stated previously, starting the service provisions FIM so really two ways to validate successful provisioning.

1.) The service will be listed as started within Central Admin

clip_image010

2.) FIM service and FIM Sync service is started

clip_image001[1]

3.) Timerjob status page displays success

clip_image012

In some cases due to lack of permission or some other issues, the User Profile Synchronization Service will get stuck in a Starting state and may never come out of it. This is when validation should include real time monitoring. I recommend using ULS viewer which can be downloaded here:

http://code.msdn.microsoft.com/ULSViewer

Using ULS Viewer, open the current ULS log and filter on category User Profile:

clip_image014

 

Validating a new Sync Connection

One way to validate a Sync Connection is valid besides a quick visual in Central Administrator is to use the MIIS tool and ensure a third management agent (MA) is present.

clip_image016

 

 

More Information

http://technet.microsoft.com/en-us/library/ff182925(office.14).aspx

 

http://technet.microsoft.com/en-us/library/ee721049(office.14).aspx

 

– Russ Maxwell, MSFT


Comments (22)

  1. Jeff Pope says:

    Worked great, except now in Sharepoin2010 I can't search any name. They all show up under the user profiles in Central Admin, but the managers' names are incorrect. They show up as originaldomainusername in the listing. When I try to change them to Netbiosnameusername, it says that the name is invalid. Even search finds nothing. Any advise?

  2. Russ Maxwell says:

    When you say you can't search any name are you talking about from the User Profile management page or from the People search page?  For people search to work from the People search page, you must perform an incremental crawl via the associated Search Service Application Admin page.   You would fire it off from the content source hosting SPS3…

    Also, are the managers members of the same domain as the users that were imported?

    -Russmax

  3. Russ Maxwell says:

    Note:  Any further post that I deem inappropriate will immediately be deleted so please don't waste your time or mine…

  4. Yogesh says:

    I am trying to Import UserProfile data using BCS. And while FullSynch..am getting following error :

    Microsoft.MetadirectoryServices.NoSuchObjectTypeException: No such object type "user". at Microsoft.MetadirectoryServices.Impl.TypeDescriptionCollectionImpl.get_Item(String Name) at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData) Forefront Identity Manager 4.0.2450.5

  5. Gustavo says:

    Are there any tools out there that we can use to verify that all the permissions are set correctly?

    The reason I ask is this:

    I have gone through the user profile application service deletion and creation process several times (at least 30) over the last week.  I've done this using several different account permission settings.  

    I've tried this as domain admin as well.  I've set the sync AND farm accounts to replicate directory changes in the configuration schema.  My test environment is this (all VMs):

    2 domain controllers all 2008 R2 with forest in 2008 R2 mode.

    The netbios domain name is different than the FQDN

    1 SQL server 2008 R2 all patches applied.

    1 2008 R2 sharepoint 2010 with December CU applied and nothing else installed (no office web apps and no sites created)

    Farm account matches the required permissions as set in this document and MS technet.

    Sync account (tried using a specific sync account with the required permissions and also the farm account as the sync account).

    These are the issues I've discovered:

    1. I can create User profile service app and pool without issue. (if i delete the service app, the next time i try to create it i get a named pipes error – but then if I immediately try to create it again, it works fine)

    2. before starting the server service I set the NetBiosDomainNamesEnabled flag to 1 and update().  If I do this, I cannot create the sync connection ever -more on this in a second.  If I don't enable netbiosdomainnames on the service app, I can create the connection without issue, but when i sync the links to the profile pages done work (they link to domainx/user instead of domainy/user) and the managers don't resolve correctly.

    -With netbiosdomainnamesenabled=1 the error i get when creating the connection is "Unable to process Create message".  Remember, using the same exact credentials, this works fine without netbios names enabled.  So I'm wondering if something isn't updating in adsi edit correctly when I set the permissions on the schema.  I've gone through and tried rebooting between changing and resetting permissions and each actual functional step.

    It just seems like a bug where netbios names breaks the connection functionality.  The exact process that is broken is the following:  

    MIISRCW.IMMSMAUtility.UIGetData

    Microsoft.ResourceManagement.SyncConfig.TryGetSchema

    Event Viewer: EventID 3 Forefront Identity Manager

    ————————-

    MIISRCW: System.NullReferenceException: Object reference not set to an instance of an object.

      at MIISRCW.IMMSMAUtility.UIGetData(String pszRequestInformation, Int32& pfSuccess, String& ppszResult)

      at Microsoft.ResourceManagement.SyncConfig.TryGetSchema(String maType, String initializationString, String& returnString)

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.ProcessInputRequest(RequestType request)

      at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)

      at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

    ————————–

    MIISRCW: System.Runtime.InteropServices.COMException (0x80230808): Exception from HRESULT: 0x80230808

      at MIISRCW.IMMSMAUtility.UIInitialize(String pszMAType, String pszInitString, Int32& pfSuccess, String& ppszResult)

      at Microsoft.ResourceManagement.SyncConfig.GetMAUtilityObject(String maType, String initializationString, String& errorMessage)

    ————————–

    Believe me, I've googled the crap out of this…

    Any thoughts?  Do you think this might be a bug?

    Thanks in advance!

  6. Gustavo says:

    By the way, I just tried this whole process again as the domain admin (the creation of the service app and pool and all that).  Same error as before with netbiosdomainnames enabled.

    The sync account was the farm account which was a domain AND enterprise admin (used the same account for everything in this process with full permissions – I want to rule out that it's a permissions issue).  Something is buggy, either with AD or with Sharepoint… not sure how to pin point but am willing to TS if you are….

  7. I've SharePoint 2010 site, all users on this site are in domain domain1.net.au (e.g. domain1.net.auuser1).

    I've configured the user profile import but after import the user account names in user profile service are different from the ones on sharepoint site.

    E.g.:

    1) In User profile service: domain1user1

    2) On sharepoint site: domain1.net.auuser1

    So the question is how to configure User Profile service so it imports users with domain domain1.net.au?

    Thanks,

    David

  8. Marc says:

    Hi,

    i can acknowledge that gustavo´s problem exsists after installing CU dec 2010. Prior i could sucessfully synchronize AD where netbios name differs from FQDN. After installating the CU i had to reestablish the UPA (thx 4 the bug @MS). The activation of netbios domain names fails with the error gustavo describes.

  9. Amit Phule says:

    Hi,

    Thank you for this grate post…

    But i am facing one problem, we are using Three-Tire farm(1 DB,1 APP.SERVER,2 WFS) for SharePoint 2010 Deployment with User Profile Service Configured and Synchronization, all are working file (I can search and update user profiles from central admin).

    We try to access User profile property from Custom WebPart it’s through an exception that “No User Profile Application available to service the request. Contact your farm administrator.”

    Exception Log details:

    Area     : SharePoint Portal Server

    Category : User Profiles

    Level    : High

    EventID  : cm6y

    Message  : User Profile Application Proxy failed to retrieve partitions from Us

              er Profile Application: Microsoft.Office.Server.UserProfiles.UserPro

              fileApplicationNotAvailableException: No User Profile Application av

              ailable to service the request. Contact your farm administrator.

               at Microsoft.Office.Server.Administration.UserProfileApplicationPro

              xy.get_ApplicationProperties()     at Microsoft.Office.Server.Admini

              stration.UserProfileApplicationProxy.get_PartitionIDs()     at Micro

              soft.Office.Server.Administration.UserProfileApplicationProxy.IsAvai

              lable(SPServiceContext serviceContext)

  10. Russ Maxwell says:

    Hello Marc and Gustavo,

    Sorry for the late reply but I think you'll find my latest blog post of interests:

    blogs.msdn.com/…/provisioning-user-profile-synchronization-with-december-cu.aspx

    Thanks,

    Russ

  11. Hi Jeff Pope. I have the same problem. The managers' names are incorrect. This field show the login name of manager and in a workflow with action "Get Manager of User" occurs error, because it can't find the name of manager. Example: User Jeff, with manager John. In profile the manager field is contosojohn and not John. How I can fix it???? Thanks.

  12. Linda says:

    Most SharePoint people do not have access to Active Directory to even VERIFY whether the AD person did EVERYTHING correctly. Can you please include instructions how a regular user can verify ALL proper settings in AD were changed. Thank you.

  13. Sardar guljar says:

    Whenever I start full synchronization I am getting this error

    My farm version is Hotfix for Microsoft Office Server (KB2598151)

    14.0.6105.5000 and I have different Netbios name. And I got all the permission. Any help is appreciated.

    The extensible extension returned an unsupported error.

    The stack trace is:

    "System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> Microsoft.SharePoint.SPException: The trial period for this product has expired.

      at Microsoft.Office.Server.UserProfiles.ProfileManagerBase.ValidateLicensing()

      at Microsoft.Office.Server.UserProfiles.ProfileManagerBase..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)

      at Microsoft.Office.Server.UserProfiles.ProfileManagerBase..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, Boolean ignorePrivacy)

      at Microsoft.Office.Server.UserProfiles.ProfileManagerBase..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, Boolean ignorePrivacy, Boolean isWithinProfileSync)

      at Microsoft.Office.Server.UserProfiles.UserProfileManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, Boolean IgnoreUserPrivacy, Boolean isWithinProfileSync)

      at Microsoft.Office.Server.UserProfiles.ProfileManagerInstance.GetProfileManager(UserProfileApplicationProxy applicationProxy, String objectClass, Guid PartitionId)

      at Microsoft.Office.Server.UserProfiles.ProfileImportExportService.RetrieveProfileChangeDataDelta(Int64 importExportId, String objectClass, String[] propertyList, String changeToken, Int32 pageSize, Guid partitionId)

      — End of inner exception stack trace —

      at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)

      at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)

      at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

      at Microsoft.Office.Server.WebServiceDirectProxy.WebMethodInfo.Invoke(Object webServiceInstance, Object[] args)

      at Microsoft.Office.Server.WebServiceDirectProxy.Invoke(String methodName, Object[] args)

      at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportDirect.RetrieveProfileChangeDataDelta(Int64 importExportId, String objectClass, String[] propertyList, String changeToken, Int32 pageSize, Guid partitionId)

      at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData)

    Forefront Identity Manager 4.0.2450.47"

  14. dmcmillan says:

    Why are these changes made (seen in the SQL log):

    Setting database option PARAMETERIZATION to FORCED for database User Profile Service Application_SyncDB

    Setting database option COMPATIBILITY_LEVEL to 90 for database User Profile Service Application_SyncDB

    Thanks.

  15. Great Work, Russ!

    I'm concidering to have one central FIM server to synch all identities in our environment. I'm talking about 10-12 different integrations between SharePoint and other systems, where HR is the master data.

    1) Is it possible to use the Build in UAP instead of a separate FIM server?

    2) May I disable the UAP service in SharePoint and let my FIM server do the synch between our Active Directory and SharePoint envirnoment?

  16. Somasekhar Akiri says:

    Nice Article Russ….

    Many things explained about user profile service in single article..

    once again great work….

    Thanks,

    Somasekhar Akiri

  17. Tom McCallum says:

    I have the issue that people have started personalizing their MySite, but I now need to fix the fact that some accounts are nbnameuserid and others are domainuserid. How do I keep what they've added and or changed and put it on their new UserProfile? Any ideas? Great stuff by the way.

    -Tom

  18. tonym says:

    great article!!! I have my UPS working. Is there a way of getting these accounts into the Site(s) User Information List without using the name picker? Is their code to do a mass import to the UIL once you have this in place? Thanks

  19. Francis says:

    Hi,

    We are using ILM and have XMA for SharePoint user profile service. It is working fine when we run delta import. But when i run Full Import, it runs for few minutes and then exits throwing the following error. we tried few times, but same behavior.  Any idea?

    "The extensible extension returned an unsupported error in MIIS.

    The stack trace is:

    ""System.Net.WebException: Unable to connect to the remote server

    —> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted 00.00.00.000:80

    at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

    at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)

    Thanks

    Francis.

  20. Steve says:

    As I understand, User Profile Sync Account need "Log on Locally" permission. May I know why we need that permission?

  21. Rickey says:

    Very helpful site:

    I have a question regarding SharePoint, AD and Visio.

    Is it possible for these three programs to work using synchronization with AD, Visio and SharePoint to create an organizational structure diagram with names, titles and departments and those changes be automatically updated into a SharePoint site?

  22. Muhammad Liaquat says:

    I followed under given URL which saved lot of my time. It is a very detailed article which also provided information about the user registration on Active Directory too. Hope this might help someone else to same few minutes.

    http://www.windowstechupdates.com/user-profile-synchronization-service-not-starting-in-sharepoint-2013

Skip to main content