SharePoint 2013 - How to Re-Provision the UPSS

So, chances are during your SharePoint lifecycle you will, at some point, come across the dreaded User Profile Synchronisation Service (UPSS) misbehaving. Don’t panic, you are not alone! There are many things that can break it or halt it from functioning correctly. I don’t intend to cover every eventuality here, nor do I intend to explain how you investigate such issues. I will, however, share the best process to re-provision that pesky UPSS on SharePoint 2013.

Pre-Requisites

  • You will need the credentials for the SPFarm account
  • Ensure the SPFarm account is a member of the Local Administrators group on the server running the UPSS
  • Log onto the UPSS server as the SPFarm account
  • In a Production environment, communicate a slight outage (during the IISReset step) only if your UPSS runs on the same server as your web front end, which I hope it isn’t!

Re-Provision Process

  • First, you need to make sure the existing UPSS is stopped. There are a few ways to accomplish this, but try this one first: open Central Administration, navigate to Manage Services on Server > [Server] > User Profile Synchronisation Service and click Stop
  • Now, stop the SharePoint Administration and SharePoint Timer Service from Windows Services (services.msc) in that order
  • Navigate to C:\ProgramData\Microsoft\SharePoint\Config\[Latest GUID folder]
  • Delete everything except the cache.ini file (seriously, do not remove this file!)
  • Open the cache.ini file in Notepad and edit the value to “1” (without the quote marks), save and close Notepad
  • Now, open an elevated Management Shell session (or use the existing one if you opened it up in the first step) and execute the following command: stsadm -o execadmsvcjobs
  • In this order, start the SharePoint Administration and SharePoint Timer services from Windows Services (services.msc)
  • Open a new MMC window and load two Certificate snap-ins; one for the Computer Account and the other for the My User Account
  • Go through every Certificate store, in both Computer and User containers, and remove all Certificates called “ForefrontIdentityManager” (without the quote marks). There may be other Forefront-related Certificates; do not remove those
  • Almost there! Open Registry Editor (regedit.exe), navigate to the HKLM > System > CurrentControlSet > Services > FIMService hive and verify the correct synchronisation database value is set; if not, manually correct it (you may also want to do this on the CurrentControlSet001 and CurrentControlSet002 hives too)
  • Perform an IISReset
  • Open Central Administration and navigate to Manage Services on Server > [Server] > User Profile Synchronisation Service and click Start. Enter the SPFarm password and click Ok
  • You will probably want to monitor the ULS logs using a filter such as Category contains “user profile” (without the quote marks) to verify the progress and provision status
  • Once provisioned, the status in Central Administration should show Started
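
The service, config cache, certificate and IISReset steps above can be run as one script; the following PowerShell is an added example, not part of the original post, and it supports -WhatIf so every destructive action can be previewed first. It assumes the default service names SPAdminV4 and SPTimerV4, the default SharePoint 2013 path for stsadm.exe, and that the certificates carry the subject CN=ForefrontIdentityManager; Reset-UpssPrerequisites is a hypothetical function name.

```powershell
function Reset-UpssPrerequisites {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed defaults for a standard SharePoint 2013 install.
        [string]$ConfigRoot = 'C:\ProgramData\Microsoft\SharePoint\Config',
        [string]$Stsadm = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\BIN\stsadm.exe"
    )
    $ErrorActionPreference = 'Stop'

    # Stop Administration first, then Timer (the order given in the procedure).
    Stop-Service -Name SPAdminV4   # assumed default service name
    Stop-Service -Name SPTimerV4   # assumed default service name

    # "Latest GUID folder" is interpreted here as the most recently written one.
    $cache = Get-ChildItem -Path $ConfigRoot -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $ini = Join-Path $cache.FullName 'cache.ini'
    if (-not (Test-Path $ini)) { throw "cache.ini not found under $ConfigRoot" }

    # Delete everything except cache.ini, then set its value to 1.
    Get-ChildItem -Path $cache.FullName |
        Where-Object { $_.Name -ne 'cache.ini' } | Remove-Item -Recurse
    Set-Content -Path $ini -Value '1'

    # Native commands ignore -WhatIf, so they are guarded explicitly.
    if ($PSCmdlet.ShouldProcess('stsadm', 'execadmsvcjobs')) { & $Stsadm -o execadmsvcjobs }

    Start-Service -Name SPAdminV4
    Start-Service -Name SPTimerV4

    # Remove only certificates named ForefrontIdentityManager, in every store of
    # both containers. Matching on this exact subject is an assumption of the example.
    Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Subject -eq 'CN=ForefrontIdentityManager' } |
        Remove-Item

    # Print the FIMService key so the synchronisation database value can be checked by eye.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService' | Format-List | Out-Host

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'iisreset')) { iisreset }
}

# Preview first; rerun without -WhatIf once the output looks right.
Reset-UpssPrerequisites -WhatIf
```

Stopping the UPSS beforehand and starting it afterwards in Central Administration stay manual, as does correcting the registry value if it is wrong.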

Clean-up

  • If you intend to keep on track with best practices and remove the SPFarm account from the Local Administrators group, now is a good time to do it

Final Note

The UPSS can be a minefield. The FIM configuration shouldn’t be altered directly, but occasionally it’s essential to try and figure out the root cause or avoid a complete User Profile Service Application (UPSA) re-build. Err on the side of caution though if you are considering this: you could put your environment in an unsupported state or, worse, bring down the UPSA completely. If you are having serious problems with your UPSS then get in touch with risual and we’ll send over a SharePoint expert who will rock up* and help you iron out those UPSS woes.
* Disclaimer: Some of our SharePoint experts may prefer to dance up, rave up or even jazz up.
