February 18, 2010

SP2010: FIMSynchronizationService errors when running Profile Synchronization

Problem:
Profile import from AD fails. You can successfully create a Synchronization Connection, but when you try to run a Full or Incremental Profile Synchronization you are greeted with errors in the Application Event Log such as this:

Log Name: Application
Source: FIMSynchronizationService
Date: 17.2.2010 9:23:03
Event ID: 6050
Task Category: Management Agent Run Profile
Level: Error
Keywords: Classic
User: N/A
Computer: wv002578.eu.tieto.com
Description:
The management agent "MOSSAD-[SYNCHRONIZATION CONNECTION NAME]" failed on run profile "DS_DELTAIMPORT" because of connectivity issues.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.

The SharePoint log contains the line:
UserProfile Synchronization: Encountered unexpected step result: stopped-connectivity.

The synchronization progress log contains:
[SYNCHRONIZATION CONNECTION NAME] Stage Active directory import
Additions 0
Updates 0
Unchanged 0
.............................
Successes 0
Failures 1
Start Time 2/18/2010 11:06:01 AM

-----------------------------------------------------------------


Thoughts:
An explanation for the error found in the SharePoint logs is given in this blog post. It is indeed the cause of the error, but the true solution to the problem is not that trivial.

What really happens when you create a Synchronization Connection in Central Admin? Behind the scenes, SP2010 uses Forefront Identity Manager 2010 (amongst other things) to do the actual profile import from AD. You can open its management console, FIM Synchronization Service Manager (SSM), from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.

In SSM you can view the status of currently running synchronization jobs as well as the history of previously run jobs. In the picture below you see the actual error (highlighted in yellow), and it is indeed caused by missing permissions on the AD.

But why is the wrong DC and Partition shown there (circled in red)? That is not the AD that was defined in the Synchronization Connection, where the AD was set to eu.tieto.com.


Looking at the properties of the respective Management Agent in SSM (picture below), one can see that the eu.tieto.com domain has been replaced by tieto.com (highlighted in yellow), which in this case is a completely different AD. The "eu" in the Domain field belongs to the user name used to perform the synchronization and is not related to this issue.


Furthermore, looking at the Directory Partitions definition for this Management Agent, there is a strange partition, CN=Configuration,DC=tieto,DC=com, which again is not at all related to the AD that was defined in SP2010 and from which the profiles should be synchronized.

Solution:
Grant the Replicate Directory Changes permission on the cn=configuration container, as described here: http://technet.microsoft.com/en-us/library/hh296982.aspx#RDCcn.
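As an added example (not part of the original post), the following PowerShell script checks the two things this post turns on: whether the Application log contains recent FIMSynchronizationService events with ID 6050, and whether the synchronization account holds the Replicate Directory Changes control access right on both the domain naming context and the configuration naming context (the cn=configuration container the solution refers to). It assumes it is run on a domain-joined server as a user allowed to read AD ACLs, and that $SyncAccount is replaced with the real synchronization account; the GUID below is the well-known DS-Replication-Get-Changes right.

```powershell
# Added example, not from the original post.
# 1. Lists FIMSynchronizationService 6050 ("connectivity issues") events.
# 2. Reports whether the sync account has Replicate Directory Changes on the
#    domain naming context and on the configuration naming context.
param(
    [string]$SyncAccount = 'DOMAIN\svc_profilesync'   # placeholder, replace with your account
)

# Well-known control access right GUID: DS-Replication-Get-Changes
# (shown in the AD permissions UI as "Replicate Directory Changes").
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-ProfileSyncConnectivityEvents {
    param([int]$Hours = 24)
    # Event ID 6050 from FIMSynchronizationService is the error quoted in the post.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'FIMSynchronizationService'
        Id           = 6050
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-ReplicateDirectoryChanges {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, identities resolved to DOMAIN\name form.
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $match = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Account -and
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        $_.ObjectType -eq $ReplicateChangesGuid
    }
    [pscustomobject]@{
        NamingContext                = $DistinguishedName
        Account                      = $Account
        HasReplicateDirectoryChanges = [bool]$match
    }
}

# RootDSE exposes the naming contexts of the domain we are joined to.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext

'--- FIMSynchronizationService 6050 events (last 24h) ---'
Get-ProfileSyncConnectivityEvents | Format-Table -AutoSize

'--- Replicate Directory Changes on naming contexts ---'
Test-ReplicateDirectoryChanges -Account $SyncAccount -DistinguishedName $domainNC
Test-ReplicateDirectoryChanges -Account $SyncAccount -DistinguishedName $configNC
```

The ACL check only matches ACEs granted directly to the named account; a right granted through group membership shows up under the group's identity instead, so a false result for a group-based grant is expected. A false result on the configuration naming context together with 6050 events is the combination this post describes.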

---OLD SOLUTION BELOW---
  1. Start FIM SSM (C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe)
  2. Go to Management Agents screen, right click on MOSSAD-[SYNCHRONIZATION CONNECTION NAME] and select Properties
  3. Go to Configure Directory Partitions and uncheck the directory partition that you did not define in SP2010
  4. Click OK to close Properties window
  5. Again, right click on MOSSAD-[SYNCHRONIZATION CONNECTION NAME] and select Configure Run Properties...
  6. On DS_FULLSYNC, DS_DELTASYNC, DS_FULLIMPORT and DS_DELTAIMPORT, delete the step for the directory partition you removed in step 3. NOTE! Remove only the step for that directory partition, i.e. if the removed partition was third in the list, delete the third step.
  7. Click OK
  8. Re-run profile synchronization from Central Admin