I get these exceptions in the ULS log.
The service instance User Profile Synchronization Service is successfully provisioned.
Exception trying to write the dbName regkey for MIIS System.Security.SecurityException: Requested registry access is not allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance) The Zone of the assembly that failed was: MyComputer
ProfileSynchronizationService: Provisioning TImer Job encountered an exception: System.Security.SecurityException: Requested registry access is not allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance) at Microsoft.Office.Server.Administration.ProfileSynchronizationSetupJob.Execute(SPJobState state) The Zone of the assembly that failed was: MyComputer
Unprovisioning service instance User Profile Synchronization Service.
We have 1 App server, 1 WFE, 1 Index and 1 Database server, with Windows 2008 R2.
Thank you, Anil
I was able to start synchronization, but it failed to import user profiles.
The management agent "MOSSAD-[SYNCHRONIZATION CONNECTION NAME]" failed on run profile "DS_DELTAIMPORT" because of connectivity issues.
failed on run profile "DS_FULLIMPORT" because of connectivity issues
Thank you, Anil
It seems the “Replicate Directory Changes” permission is missing:
For the profile synchronization to work, our service account which is being used by UPS should have the “Replicate Directory Changes” permission on a domain.
This right is for querying changes in the directory. This permission does not allow an account to make any changes in the directory. Refer to: http://technet.microsoft.com/en-us/library/hh296982.aspx#RDCdomain
So, here are the steps to fix it:
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Right-click the domain object, such as “company.com”, and then click Properties.
4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Click to select the "Replicating Directory Changes" check box from the list.
9. Click Apply, and then click OK.
After that, start UPS full import again, and the issue will get fixed!
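A read-only check of the result of the steps above, added here as an example and not part of the original answer: it lists every principal holding the replication extended rights on the domain root and flags whether the sync account has only the one named in the steps. It assumes the ActiveDirectory PowerShell module is available; `CONTOSO\svc-spsync` is a placeholder account name.

```powershell
# Added example: audit replication extended rights on the domain root.
# Assumes the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

# Assumption: placeholder name; replace with the account UPS uses for sync.
$SyncAccount = 'CONTOSO\svc-spsync'

# Control access right GUIDs as defined in the AD schema's Extended-Rights container.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# Read the ACL of the domain object (the same object edited in the steps above).
$DomainDN = (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$DomainDN"
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant one of the two replication rights.
$Entries = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $ExtendedRight) -and
    $Rights.ContainsKey($_.ObjectType.ToString())
} | Select-Object @{n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{n = 'Right';     e = { $Rights[$_.ObjectType.ToString()] } },
                  IsInherited

$Entries | Sort-Object Right, Principal | Format-Table -AutoSize

# Compare the sync account's direct ACEs with what the steps above grant.
$Mine = @($Entries | Where-Object { $_.Principal -eq $SyncAccount })
if (-not ($Mine | Where-Object { $_.Right -eq 'Replicating Directory Changes' })) {
    Write-Warning "$SyncAccount has no direct 'Replicating Directory Changes' ACE on $DomainDN"
}
if ($Mine | Where-Object { $_.Right -eq 'Replicating Directory Changes All' }) {
    Write-Warning "$SyncAccount also holds 'Replicating Directory Changes All', which is more than the steps above grant"
}
```

The check only sees ACEs set directly on the account, so a right granted through group membership shows up under the group's name. It inspects the current domain only; run it once per domain the sync connection imports from.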
I am in a similar position, however we have the correct permissions for our service account for Replicate Directory Permissions and the farm account is in the local administrators group. Both services start, but when I go to add the Configure Sync Connections and query for containers, it just hangs with a greyed-out box and nothing happens. I installed SP1 and the latest CU, then attempted to increase the timeout settings, to no avail. Our domain environment is kind of unique as we have a parent domain and many child domains. The child domains do not have permissions to one another. Has anyone encountered a scenario like this? We have been working on this for weeks and are about to contact Microsoft for support.