I just came back from a weekend full of fun, learning and connecting again with great SharePoint experts.
SharePoint Saturday Toronto was a great success. It is always good to see the SharePoint community forgetting about the nice weather outside, but instead, gathering at Ryerson University to learn and talk SharePoint.
Kudos to the organizers who put a great event together, to the volunteers who made the day go by very smoothly, to the speakers who presented awesome topics, and of course, last but not least, to the users who attended; without the users, we could never have a successful event like this.
Thank you everyone for attending my session. The feedback and attendance were great. You can review my presentation here:
While you are provisioning the User Profile Service Application (UPA), you may run into issues starting the User Profile Synchronization Service (UPSS), or find the UPSS stuck on “Starting”.
There are a few articles that explain very well how to create the UPA and UPSS, such as this TechNet article, and many great articles on debugging issues with the UPA, such as this one: http://www.harbar.net/articles/sp2010ups2.aspx.
In my case, I have configured many UPSS instances and have run into some issues that I was able to resolve. The latest issue I encountered was pretty puzzling, and it took me a few days to resolve it.
My UPSS would stop a couple of minutes after starting it. I would always get the certificate creation errors:
I have tried everything, including this great post http://henrikfromsweden.blogspot.ca/2011/01/solving-configuring-certificate-hang.html, but nothing worked.
In my case, I am not using any SQL named instances, I have deleted all the FIM certificates, deleted the UPA, restarted the server, and gone through the possible steps detailed in many articles with no luck.
Finally, I noticed the farm account had not been added to the WSS_WPG and WSS_Admin_WPG groups, even though the steps of adding them had completed successfully according to the ULS logs. This triggered a good question. I tried manually adding the farm account to the groups, but sure enough, a few seconds later it disappeared. AHA!!! There was an AD policy preventing any configuration service or user from adding any account to a local group. After a quick modification to the AD policy, I deleted all the certificates, deleted the UPA, restarted the server and recreated the UPA and UPSS, and sure enough everything worked without hiccups.
If you run into similar issues and you have exhausted all the possible fixes, double-check your AD and GPO policies to make sure they are not reverting changes made by the timer service jobs.
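
One way to confirm this kind of reversion is to add the farm account to the groups by hand and then watch whether the membership survives. The script below is an added example, not part of the original troubleshooting; the account name `CONTOSO\sp_farm`, the function name and the polling values are assumptions to replace with your own. Run it from an elevated PowerShell session on the SharePoint server.

```powershell
# Added example. Read-only: it only reports, it never changes group membership.
param(
    [string]$FarmAccount = 'CONTOSO\sp_farm',            # hypothetical farm account
    [string[]]$Groups = @('WSS_WPG', 'WSS_Admin_WPG'),   # groups named in the post
    [int]$Checks = 6,                                    # number of polls (assumption)
    [int]$IntervalSeconds = 10                           # pause between polls (assumption)
)

function Test-LocalGroupMember {
    param([string]$Group, [string]$Account)
    # The WinNT ADSI provider also works on older servers without Get-LocalGroupMember.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $wanted = 'WinNT://' + $Account.Replace('\', '/')
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # For a domain account, ADsPath looks like WinNT://DOMAIN/account
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($path -eq $wanted) { return $true }
    }
    return $false
}

$start = Get-Date
1..$Checks | ForEach-Object {
    foreach ($grp in $Groups) {
        [pscustomobject]@{
            Time    = Get-Date -Format 'HH:mm:ss'
            Group   = $grp
            Present = Test-LocalGroupMember -Group $grp -Account $FarmAccount
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
} | Format-Table -AutoSize

# 4732 = member added, 4733 = member removed (security-enabled local group).
# These are only logged when "Audit Security Group Management" is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $start } `
        -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# List the GPOs applied to this computer; look for one that manages local
# group membership (for example a Restricted Groups setting).
gpresult /r /scope computer
```

If `Present` flips from True to False between polls, or a 4733 event appears shortly after your manual add, something outside SharePoint is rewriting the group membership.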