FIM 2010 Error After Installation
I am running Windows Server 2010 Enterprise with SQL Server 2008 Enterprise, SharePoint 3.0, and FIM 2010. I just finalized the installation of FIM 2010 and am able to access the FIM Portal just fine. When I go to Start -> All Programs -> Microsoft Forefront Identity Manager -> Synchronization Service, I receive the following error:
"Unable to connect to the Synchronization Service. Some possible reasons are: 1) The service is not started. 2) Your account is not a member of a required security group. See the Synchronization Service documentation for details."
I am trying to work through the Post-Installation and Configuration Guide at http://technet.microsoft.com/en-us/library/ff608272(WS.10).aspx. I am assuming the shortcut I referenced above is the Synchronization Service Manager. I have verified that both the Forefront Identity Manager Service and the Forefront Identity Manager Synchronization Service are running. I verified that the groups have been set up properly as domain groups. I have also tried logging in to the server and running Synchronization Service Manager as the FIMService domain user and receive the same error. Group memberships are correct as best as I can tell from the documentation. Any ideas on how I should proceed in getting FIM up and running? Thanks!
July 9th, 2010 12:42am

Hi, the account you are logged in with and try to start Synchronization Service with must be a member of the local Windows group FIMSyncAdmins. This is not a domain group; it's on the local server where Synchronization Service is running. /Mikael
July 9th, 2010 10:39am

How did you set up the domain groups exactly? Did you manually configure them before install? Or did the setup wizard create them for you? Just a sanity check, which type of groups are the FIM groups exactly? (Security? Domain Local?) How did you configure the FIM Synchronization service account? Which accounts are members of which FIM groups? And which accounts are you (normally) trying to log on with? Did you add your administrator account to the FIMSyncAdmins group? Kind regards, Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
July 9th, 2010 10:45am

"Unable to connect to the Synchronization Service. Some possible reasons are: 1) The service is not started. 2) Your account is not a member of a required security group. See the Synchronization Service documentation for details."
"Your account" means in this context the account YOU are logged on with - the account that tries to start the Synchronization Service Manager. Make sure that this account is a member of the FIMSyncAdmins group (you have to log off / log on if this is your current account), and then try starting Synchronization Service Manager again. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 9th, 2010 1:44pm

Mikael, just a correction: yes, the FIM security groups can be domain groups. It's explained in the FIM 2010 install guide (Installing the FIM 2010 server components, section "To install the FIM Synchronization Service"): it's perfectly possible to use the FIM groups in the domain, without having them created locally on the FIM server. So, it's NOT always a local Windows group. Kind regards, Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)
July 9th, 2010 2:37pm

Thanks for all the replies. Here is the information everyone has requested: Domain groups were pre-configured as specified in the FIM 2010 Installation Guide. They are all Domain Security Groups. Group names and memberships are:
FIMSyncAdmins (Group): FIMService, My Personal Account
FIMSyncBrowse (Group): My Personal Account
FIMSyncJoiners (Group): My Personal Account
FIMSyncOperators (Group): My Personal Account
FIMSyncPasswordSet (Group): FIMService, My Personal Account
I have created 3 domain user accounts for FIM: FIMService, FIMServiceMgtAgent, and FIMSyncService. FIM is configured to use each account appropriately. Please let me know if more information is needed. Thanks, Adam
July 9th, 2010 3:58pm

So, your account is a member of FIMSyncAdmins - right? I assume, your account is an admin. Have you logged off / on yet? You need to make sure that the group membership is in your access token... Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 9th, 2010 4:03pm

Hi Markus, Yes that is correct. My Personal Account is a member of FIMSyncAdmins and it is also a Domain Admin member. I have logged off and back on and also rebooted the server and I still get the same error message. I attempted logging in with the 3 FIM accounts I mentioned above (FIMService, FIMServiceMgtAgent, FIMSyncService) and even when logged in as these accounts I could not run the Synchronization Service Manager. Is there a way that I can verify that the correct group memberships are in my access token? Thanks, Adam
July 9th, 2010 4:08pm

To troubleshoot this issue, the other accounts are irrelevant. These are service accounts and they should not even be able to be used to log on to your FIM computer. During setup, you should have seen a related warning. You have already verified that the service is running (did you also do this after the reboot?) - the problem is now just to fix the issue with accessing the Synchronization Service Manager. To get the content of your access token, open the command prompt, and then type "whoami /groups". Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 9th, 2010 4:39pm
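The access-token check suggested above, as an added PowerShell example that is not part of the original thread. It assumes the group names Adam listed earlier and the service display names from the first post, and it reports how each matching group resolves (DOMAIN\Group or SERVER\Group).

```powershell
# Added example (not from the thread). Group names are those listed earlier
# in the thread; the service display-name pattern comes from the first post.
$fimGroups = 'FIMSyncAdmins', 'FIMSyncBrowse', 'FIMSyncJoiners',
             'FIMSyncOperators', 'FIMSyncPasswordSet'

# 1) Are the FIM services running?
Get-Service -DisplayName 'Forefront Identity Manager*' |
    Select-Object DisplayName, Status

# 2) Collect the group names carried in the token of this process.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = @(foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }   # SID could not be resolved to a name; skip it
})

# 3) Report, per FIM group, whether it is in the token and under which
#    authority it resolved (domain name vs. local server name).
foreach ($group in $fimGroups) {
    $hits = @($tokenGroups | Where-Object { ($_ -split '\\')[-1] -ieq $group })
    New-Object PSObject -Property @{
        Group      = $group
        InToken    = ($hits.Count -gt 0)
        ResolvedAs = ($hits -join ', ')
    } | Select-Object Group, InToken, ResolvedAs
}
```

Run it in the same logon session that starts Synchronization Service Manager, since group changes only appear in a token created after the change.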

Taylor, do you see anything special, related to FIM (Sync) in your event viewer? Kind regards, Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)
July 9th, 2010 4:41pm

Hi Markus, Thanks for the info. I did verify that the service is running both before and after the reboot. I checked the content of my access token and I am a member of all of the FIM domain groups. Thanks, Adam
July 9th, 2010 4:43pm

Although I don't really like this way of troubleshooting, there is one thing that has worked in the past - and nobody really knows why... Recreate the required groups as domain local groups, and then reconfigure FIM sync (Control Panel/Programs and Features, Change) to use these groups. Add YOUR account to the FIMSyncAdmins, and then log off/log on again. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 9th, 2010 4:52pm

This is my step-by-step FIM installation - finally all works: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/bd2dc478-0c32-49d7-8e8c-17b2cc30d2bc
July 9th, 2010 4:53pm

Here is my current status: I recreated all domain groups as domain local groups, reconfigured FIM sync to use these groups (I specified them in the format <DOMAIN>\<GROUP>), ensured that my account is a member of FIMSyncAdmins, and logged off/on. I am still receiving the same error. Thanks, Adam
July 9th, 2010 5:18pm

FighterZP, Thanks for the reply, but my error is different, so I don't think the same solution will work for me. I am not even able to launch the Sync Service Manager. Thanks, Adam
July 9th, 2010 5:22pm

I just noticed the post from Peter...there is nothing related to FIM in the event logs. Thanks, Adam
July 9th, 2010 5:24pm

This topic is archived. No further replies will be accepted.
