SharePoint 2010 service applications – User Profile Synchronization Service is not syncing profiles from AD?

Recently I was working with a customer to set up their SharePoint 2010 environment and configure the User Profile Service. We created the service application, and both the User Profile Service and the User Profile Synchronization Service started successfully. After starting the profile synch from AD we waited for around 30 minutes, but still no user profiles had been imported from AD; the count was showing as zero.

Once we checked miisclient.exe (under C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell) we saw that there was an error. It said "Replication access was denied".


The application event log was also showing the message below.

Event Log:

The Forefront Identity Manager Service cannot connect to the SQL Database Server.

The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.

Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.

Log File:

0x1AE0 SharePoint Portal Server User Profiles et8j High UserProfileServiceUserStatisticsWebPart:LoadControl failed, Exception: System.IO.FileLoadException: The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040) at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient(String ILMMachineName, Int32 FIMWebClientTimeOut) at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID) at Microsoft.SharePoint.Portal.WebControls.UserProfileServiceStatisticsWebPartBase.LoadControl(Object sender, EventArgs e) 639a4bee-e242-43ab-8815-c3339d4453d1

After further research we found that the profile synch account needs a special permission in Active Directory; this is documented in our public KB.

Resolution: https://support.microsoft.com/kb/303972

Grant the synchronization account only the Replicating Directory Changes permission on the domain object, as in the steps below. The separate Replicating Directory Changes All permission additionally allows an account to replicate secret attributes such as password hashes; the profile import does not need it, and it should not be granted to this account.


Setting permissions by using the ACL editor

1. Open the Active Directory Users and Computers snap-in.

2. On the View menu, click Advanced Features.

3. Right-click the domain object, such as "company.com", and then click Properties.

4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.

5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.

6. Click OK to return to the Properties dialog box.

7. Click the desired user account.

8. Click to select the Replicating Directory Changes check box from the list.

9. Click Apply, and then click OK.

10. Close the snap-in.
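The same change can be made and checked from PowerShell. The script below is an added example and is not part of the original post or of KB 303972; it grants the Replicating Directory Changes extended right to the synchronization account on the domain naming context, verifies the ACE is present, and warns if the account also holds Replicating Directory Changes All. The account name svc-upsync is an assumption; replace it with your synchronization account. Run it in an elevated PowerShell as a Domain Admin on a machine with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example, not from the original post or KB 303972: grant the profile
# synchronization account the "Replicating Directory Changes" extended right on
# the domain naming context from PowerShell instead of the ACL editor, then
# verify the result. Assumed name (not in the original): sync account
# 'svc-upsync' in the domain this machine is joined to.
Import-Module ActiveDirectory

$SyncAccount = 'svc-upsync'   # assumption: sAMAccountName of the UPS sync account

# rightsGuid values of the controlAccessRight objects in the AD schema
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

$domainDN  = (Get-ADDomain).DistinguishedName
$sid       = (Get-ADUser -Identity $SyncAccount).SID
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount])
$adPath    = "AD:\$domainDN"

function Get-ReplicationAces {
    # Allow ACEs on the domain object that give this account either of the two
    # replication extended rights. Get-Acl may report the trustee as an
    # NTAccount or as a raw SID, so both forms are matched.
    param([string]$Path,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [System.Security.Principal.NTAccount]$Account)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        (@($GetChanges, $GetChangesAll) -contains $_.ObjectType) -and
        ($_.IdentityReference -eq $Account -or $_.IdentityReference -eq $Sid)
    }
}

$before = @(Get-ReplicationAces -Path $adPath -Sid $sid -Account $ntAccount)

if ($before | Where-Object { $_.ObjectType -eq $GetChanges }) {
    Write-Host "Replicating Directory Changes is already granted to $ntAccount on $domainDN"
}
else {
    $acl = Get-Acl -Path $adPath
    # Object-specific Allow ACE for the extended right, placed on the domain head
    # (the same object the ACL editor steps modify).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Granted Replicating Directory Changes to $ntAccount on $domainDN"
}

# Verify the right is now present, and flag the broader right if it is also held.
$after = @(Get-ReplicationAces -Path $adPath -Sid $sid -Account $ntAccount)
if (-not ($after | Where-Object { $_.ObjectType -eq $GetChanges })) {
    throw "Replicating Directory Changes is still missing for $ntAccount on $domainDN; check that this ran as a Domain Admin."
}
if ($after | Where-Object { $_.ObjectType -eq $GetChangesAll }) {
    Write-Warning ("$ntAccount also holds Replicating Directory Changes All, which lets it " +
                   "replicate secret attributes such as password hashes. The sync account " +
                   "does not need it; remove that ACE.")
}
```

The ACE is added only when it is missing, so the script can be re-run safely. After it completes, start a full synchronization again and confirm in miisclient.exe that the AD import no longer reports "Replication access was denied".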


Please refer to Spencer's excellent blog posts about User Profile Service Application configuration here.