Print | posted on Monday, May 10, 2010 5:58 PM
Since I published my article, Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization, I’ve been deluged with email on the topic. All good, it shows me that I chose the right content to post, and that the content has relevance.
However one key aspect keeps coming up over and over again both in these emails and on IM etc. Lots of people after attempting to provision the UPS Service from Services on Server, need to reboot the server before the service is provisioned correctly.
If you are running the UPS Service instance on the machine hosting Central Administration, you MUST do an IISRESET. Even if you aren’t i would recommend this step. As a friend of mine, Todd Carter says, “you can never have enough IISRESETs with SharePoint”.
However, this doesn’t explain the restart requirement. Well, it’s not a requirement. And the answer is very simple. It’s also a fundamental concept of Windows Security which isn’t well enough understood by SharePoint people.
In my article I describe the rights required for the Farm Account (which is the account we must use to run the UPS service instance). The Farm Account must have:
- Log on Locally on the machine running UPS
- Local Administrator on the machine running UPS during provisioning only (this doesn't give the first in all cases)
But what I fail to mention, because it should be inherent, is that once you change the rights of a user account in Windows, you must log off and log back on for those changes to take effect.
Now, the Farm Account is logged on to the box – it’s running the app pool for Central Admin and the Timer Service at the very least. So to ensure the changes, processes that uses the account must be stopped and restarted.
The easiest way to do this and guarantee the rights will be applied, is to reboot the box.
So you should reboot the machine after you setup the permissions, but before you create the Service Application and attempt to provision the Service Instance. If you do this the provisioning won’t get “stuck”. If you don’t you will need to restart the machine before provisioning can complete successfully.
Simple, and a basic tenant (no pun intended) of Windows Security.