Hello,

I'm attempting to setup the User Profile service and am stuck at the point of getting the "User Profile Synchronization Service" to start.  In the ULS logs, there is a series of entries that seem to suggest that it's close to being started, but then gets rolled back.

Below is the meat of the ULS logs for this sequence of events:

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	erx2	Medium	The service instance User Profile Synchronization Service is successfully provisioned.

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	0000	Medium	SetupSynchronizationService :: Sync DB failover Check :: databaseServerMiis = SP2010DEV-SQL

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	0000	Medium	SetupSynchronizationService :: Sync DB failover Check :: originalSyncConnectionString = Data Source=SP2010DEV-SQL;Initial Catalog="Sync DB";Integrated Security=True;Enlist=False;Connect Timeout=15

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	0000	Medium	SetupSynchronizationService :: Sync DB failover Check::  originalSyncConnectionDataSource = SP2010DEV-SQL

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	0000	Medium	SetupSynchronizationService :: Sync DB failover Check :: new datasource string on connection object = SP2010DEV-SQL

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	0000	High	Exception trying to write the management agent stack size for the Moss MA. System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\MOSS-82f7f71e-22fc-4065-8359-e3e8d961633f' is denied.

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	erx9	High	ProfileSynchronizationService: Provisioning TImer Job encountered an exception: System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\MOSS-82f7f71e-22fc-4065-8359-e3e8d961633f' is denied.

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	erx5	Medium	Unprovisioning service instance User Profile Synchronization Service.

OWSTIMER.EXE (0x0354)	0x08E8	SharePoint Portal Server	User Profiles	erx6	Medium	The service instance User Profile Synchronization Service is successfully unprovisioned.

Any idea what this means and how to fix it?

Thanks!

• Edited by sdfsda Tuesday, September 27, 2011 7:32 PM

Looks like your Farm Admin (user running owstimer.exe) isn't a Local Administrator on the SharePoint Server.

restart your IIS and try again

Nope, ensure it was added and re-ran, exact same errors.

Did this several times.

how do you check that? Go to Administration > Services and check under which account owstimer service is running. Is it really farm admin account (it may be changed by someone)?

Also open regedit and check that mentioned registry key exists here.

Make sure when you added it to Local Admins you rebooted the server in order for the security token to take effect.

Yes, that's exactly how I confirmed it.  My farm admin account had not been added yet, so I did so, but still same result.  Now attempting a restart also.

Isn't that a security risk adding Farmadmin to the local administrators group? All documentation on installing SP 2010 clearly states that farmadmin should not be a member of local admin group.

http://technet.microsoft.com/en-us/library/ee662513.aspx

It isn't a security risk per se, but it isn't best practice.  However, if you're using a SharePoint backup method to back up a UPA, the Farm Admin (Timer Service) account must remain as a Local Administrator, otherwise the UPSS will not provision properly after the backup of the UPA has completed.

I see - good to know! They don't mention that part in this other article I found.

There they state that you can start up the UPS with Farmadmin in local admin group and then remove it from group once it's started.

http://technet.microsoft.com/en-us/library/gg750257.aspx#farmPerms

Try giving/Check local admin access to Server Farm account on the server where you are trying to start the Profile Sync service:

Server farm account as per https://technet.microsoft.com/en-in/library/cc263445.aspx#Section3

Server farm account

This account is also referred to as the database access account. This account has the following properties: It's the application pool identity for the SharePoint Central Administration website. It's the process account for the Windows SharePoint Services Timer service.