Can not create a user profile synchronization connection

Question

I have a new SharePoint 2010 server farm that I'm trying to configure. Installation went fine. But I'm having trouble getting the user profiles to import.

I've created the User Profile service application, and the two user profile services are running. However, whenever I try to create a synchronization connection to our AD servers, I'm getting the following error: "The operation was aborted because the client side timeout limit was exceeded."

In the SharePoint logs, when I filter based on the correlation ID, I get the following messages:

Name=Request (POST:http://poc-bi-sp:8080/_layouts/EditDSServer.aspx?ApplicationID=b24e2e83%2D4d0a%2D4015%2D9f02%2D7969967e9733)
Site=/
LoadConnections failed trying to fill the connections list. Most likely during RetriveResources because of permissions --- {1}.  Available parameters: System.ServiceModel.EndpointNotFoundException: Could not connect to http://poc-bi-sp:5725/ResourceManagementService/MEX. TCP error code 10061: No connection could be made because the target machine actively refused it 10.32.8.190:5725.  ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 10.32.8.190:5725     at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)     at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& sock...
...et, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)     --- End of inner exception stack trace ---     at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)     at System.Net.HttpWebRequest.GetRequestStream()     at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()     --- End of inner exception stack trace ---    Server stack trace:      at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()     at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)     at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)     at System.ServiceModel.Channels.RequestChannel.Request...
...(Message message, TimeSpan timeout)     at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at System.ServiceModel.Description.IMetadataE...
...xchange.Get(Message request)     at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)     at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()     at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()     at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)     at Microsoft.Office.Server.UserProfiles.ConnectionManager.LoadConnections() .
ConnectionManager.LoadConnections(): Could not find MOSS MA despite being marked as fully configured, was it deleted?
Leaving Monitored Scope (Request (POST:http://poc-bi-sp:8080/_layouts/EditDSServer.aspx?ApplicationID=b24e2e83%2D4d0a%2D4015%2D9f02%2D7969967e9733)). Execution Time=66685.955058534

As a side note, our AD structure is set up with 1 root domain, and 3 child domains. The SharePoint server and all the service accounts are running in the root domain, but I'm trying to set up a connection to one of the child domains. The connection service account has been granted "Replicate Directory Changes" permission on both the root and the target child domain.

Can anyone help me figure this out? Thanks.

Answer 1

Worked with MS Support on this and finally got it working. A couple things that we had to do:

1) Increase the LdapConnectionTimeout value to 60 seconds on the user profile proxy. More info on how to do that can be found on Spence's latest UP Sync article.

2) Change the "LDAP client security requirements" on the SharePoint server from "Negotiate Signing" to "None". This can be found under the Local Policy --> Security Options --> "Network Security: LDAP client signing requirements".

Answer 2

Make sure that both FIM services is started on the server running the UPS.

Answer 3

What Wictor said + read Spence's UPS guide http://www.harbar.net/articles/sp2010ups.aspx

Answer 4

forget about permissions. this is a known issue with timeouts - full ULS is needed to diagnose.

Answer 5

One tool i find very usefull, besides various tips on the web, is the new tool called MSIISCLient.exe. To monitor your User Profile imports go to C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\ and run MSIISClient.exe.

Keep that running while launching your syncronization. If still doesn't give you anything, may I suggest you re-do it, but make sure all pre-requisites that Spence H. and Shane Young(http://msmvps.com/blogs/shane/archive/2010/07/09/configuring-profile-import-in-sharepoint-2010.aspx) are mentioning, REBOOT, REBOOT and REBOOT (particularly after changing stuff in AD) and try re-creating your services, add PERMISSIONS.

Hope it helps, C. Marius

Answer 6

Start the "SQL server agent" from the windows service's.