I recently set up the User Profile Synchronization services on SharePoint 2010 per a great article on Harbar.net: http://www.harbar.net/articles/sp2010ups.aspx

Everything seemed to run fine for several days, and then the synchronization failed to run at all and filled up the Event Log with all sorts of warning messages regarding MsiInstaller.

The first issue I looked at was getting the Forefront Identity Manager Service to start following a reboot; the service simply refused to start automatically despite being configured by SharePoint to do so. Interestingly, both the User Profile Service and the User Profile Synchronization Service items listed in Central Admin’s Services on Server page listed the services as running. Starting the FIM Service manually from the Windows Services snap-in succeeded.

My solution was to set both services to start automatically at boot time after a delay by reconfiguring the startup type of BOTH services to Automatic (Delayed Start) in the Windows Services snap-in. This at least got the services up and running, but the service would stop every time I tried to run “Start Profile Synchronization” from the Manage Profile Service: User Profile Service Application screen.

In examining the Event Logs, I saw that there was one more thing I apparently needed to clean up: every time I tried to kick off the synchronization job, the logs would fill up with MsiInstaller warnings about product detection failing. Specifically, there was a series of 1004 and 1001 Event IDs:

Event 1004:

Detection of product ‘{90140000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’, component ‘{1AE472A9-E94A-41DC-9E98-F89A2821658F}’ failed.  The resource ‘C:\Program Files\Microsoft Office Servers\14.0\Tools\makecert.exe’ does not exist.

Event 1001:

Detection of product ‘{90140000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’ failed during request for component ‘{1681AE41-ADA8-4B70-BC11-98A5A4EDD046}’

These were repeated for several other component GUIDs.

Now, as we know, the WMI calls are made under the credentials of the Network Service account (if in doubt about which account is trying to access the resource, the User: field is the tip-off). For some reason during the configuration of the UPS, this account isn’t given permissions on the folder indicated in the event (“C:\Program Files\Microsoft Office Servers\14.0”).

As there were multiple calls to various sub-directories under the “C:\Program Files\Microsoft Office Servers\14.0” folder, I gave the Network Service account read and execute permissions on the folder and sub-folders.
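
The permission change described above, scripted in PowerShell as an added example (not from the original post): it lists the resources named in recent MsiInstaller 1004 events, reports whether Network Service already holds Read & Execute on each, and grants only that right on the 14.0 folder when `$Apply` is set. The `$Apply` switch and the `Test-ReadExecute` helper are names made up for this example, and the regex assumes the event text wraps the path in straight single quotes.

```powershell
# Added example. Path and event ID come from the post; $Apply and
# Test-ReadExecute are illustrative names. Run from an elevated prompt.
$Root    = 'C:\Program Files\Microsoft Office Servers\14.0'
$Account = 'NT AUTHORITY\NETWORK SERVICE'
$Apply   = $false   # set to $true to change the ACL after reviewing the report

function Test-ReadExecute([string]$Path, [string]$Identity) {
    # True when an Allow ACE naming $Identity directly includes Read & Execute.
    # Access obtained through group membership is not evaluated here.
    $need  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $need) -eq $need
    }
    return (@($rules).Count -gt 0)
}

# Resources that MsiInstaller reported as missing (Event ID 1004).
# Assumption: the message wraps the path in straight single quotes.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1004
} -MaxEvents 200 -ErrorAction SilentlyContinue

$resources = @($events | ForEach-Object {
    if ($_.Message -match "resource '([^']+)'") { $Matches[1] }
} | Sort-Object -Unique)

# A file that exists for an administrator but lacks the ACE points to a
# permission problem rather than a damaged installation.
foreach ($res in $resources) {
    $exists = Test-Path -Path $res
    $hasRx  = $false
    if ($exists) { $hasRx = Test-ReadExecute $res $Account }
    New-Object PSObject -Property @{ Resource = $res; Exists = $exists; HasRX = $hasRx }
}

if ($Apply) {
    # Read & Execute only, inherited by sub-folders (CI) and files (OI).
    & icacls.exe $Root /grant "${Account}:(OI)(CI)RX"
    "Network Service has RX on root: $(Test-ReadExecute $Root $Account)"
}
```

Granting RX rather than Modify or Full Control keeps the service account unable to alter the SharePoint binaries it only needs to read.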

After this, I went back into Central Admin –> Manage Profile Service: User Profile Service Application and clicked on “Start Profile Synchronization”.  And we once again have Profile Synchronization with Active Directory working as verified by clicking on the “Synchronizing” status link and confirmed by opening the miisclient.exe on the server.