Thursday, January 21, 2016

FIM Groups Missing SharePoint UPS (User Profile Service)

Hi There,

Note: This article applies to SharePoint 2010 and SharePoint 2013.

It's a brand new server with Windows Server 2012 R2 and SharePoint 2013 with the October 2015 CU installed on it. I created the User Profile Service Application and, as usual (from past experience), it didn't start on the first attempt: it got stuck on Starting, or sometimes the User Profile Service stopped after being in the Starting state for a few minutes. Strange! But that's another side of the UPS issue.

I read many articles, including the best ones, Harber1 and Harber2. These articles are very detailed and help you fix the UPS stuck problem. However, my problem was that the FIM security groups below were not present in Local Users and Groups for the User Profile Service Application.

FIMSyncBrowse
FIMSyncJoiners
FIMSyncOperators
FIMSyncPasswordSet

Most posts on the internet about this issue (like this) say to check the FIM groups, and many people have commented about the same issue. But what if they are not present on your server machine?

Relax guys, here is the inside story I have observed.

The User Profile Service does not depend on the creation of the FIM security groups; the groups depend on the service. You don't need to create these FIM groups manually or sync them with AD... blah blah. Once the User Profile Service is started, it will automatically create the FIM security groups. How?

This is done by the FIM services running in the Services console (Services.msc). If they are disabled, you should set them to Automatic (Delayed Start) but not start them manually. The User Profile Service uses two services: Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service. The FIM services use the FIM security groups, which they create once they start successfully. A few points I noted during troubleshooting...


1. The account you have configured for the FIM services must be in the local Administrators group.
2. The account for UPS must have Full Control on the service. You can check this in CA > UPS, using Permissions in the top ribbon.
3. While the User Profile Service is in the Starting state, check the FIM services. If they are disabled, you should set them to Automatic (Delayed Start) immediately.
4. At the end of any change, you must run IISRESET and restart the SharePoint Timer service; sometimes the SharePoint Admin service also needs a restart, especially when you are doing this on the same machine that hosts the CA site.
5. As stated here, I have not added any account to my FIM groups and my service is working fine.
6. Don't worry if the FIM groups do not exist. UPS will create them automatically.
7. There is no need to provide service accounts for the FIM services manually in the Services console. They normally run under the Farm account you have configured in "Configure Service Accounts".
8. Set the UPS service account to SVCUPS (or whichever account you have specifically for UPS) from "Configure Service Accounts" in CA.
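
A read-only PowerShell check for the points above, added here as an example and not part of the original post: it reports the start mode, delayed-start flag, state and logon account of the two FIM services, whether the four FIM groups exist, and whether each service account is a direct member of local Administrators. The function names are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session on the server running the User Profile Service.

```powershell
# Added example: read-only check. Service and group names are copied from the post.
$fimServices = 'Forefront Identity Manager Service',
               'Forefront Identity Manager Synchronization Service'
$fimGroups   = 'FIMSyncBrowse', 'FIMSyncJoiners', 'FIMSyncOperators', 'FIMSyncPasswordSet'

function Get-FimServiceState {            # hypothetical helper name
    param([string[]]$DisplayName)
    foreach ($dn in $DisplayName) {
        $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$dn'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $dn; Installed = $false; StartMode = $null
                               Delayed = $null; State = $null; Account = $null }
            continue
        }
        # Delayed start is a DWORD value under the service's registry key.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $reg = Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue
        [pscustomobject]@{ Service = $dn; Installed = $true; StartMode = $svc.StartMode
                           Delayed = ($reg.DelayedAutostart -eq 1)
                           State = $svc.State; Account = $svc.StartName }
    }
}

function Test-FimGroup {                  # hypothetical helper name
    param([string[]]$Name)
    $local = (Get-CimInstance Win32_Group -Filter 'LocalAccount=True').Name
    foreach ($g in $Name) { [pscustomobject]@{ Group = $g; Exists = ($local -contains $g) } }
}

function Test-LocalAdminMember {          # hypothetical helper name
    param([string]$Account)
    # Find built-in Administrators by its well-known SID (the name is localized).
    $admins = Get-CimInstance Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $members = ([ADSI]"WinNT://$env:COMPUTERNAME/$($admins.Name),group").Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    # Direct members only, matched on account name; nested groups are not expanded.
    $members -contains ($Account -split '\\')[-1]
}

$state = Get-FimServiceState -DisplayName $fimServices
$state | Format-Table -AutoSize
Test-FimGroup -Name $fimGroups | Format-Table -AutoSize
$state | Where-Object { $_.Installed } | Select-Object -ExpandProperty Account -Unique |
    ForEach-Object { [pscustomobject]@{ Account = $_; LocalAdmin = (Test-LocalAdminMember $_) } } |
    Format-Table -AutoSize
```

Run it before and after the User Profile Service leaves the Starting state to see the groups appear and to confirm the services are not left Disabled.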

Happy SharePointing...!

Leave a comment if you have any issue or find a new workaround.






