SharePoint 2010 and 2013 both use parts of Forefront Identity Manager (FIM) to synchronize users between, for example, AD and SharePoint. You can use the FIM client to monitor this process and review issues related to the User Profile Service Application.
The client application is located in one of the following folders, depending on the installed version:
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe
Unable to connect to the Synchronization Service
The following error can occur when opening the FIM Client:
The reasons listed in the error message are normally the correct places to start investigating this issue.
1) The service is not started.
There are two Windows services that are related to FIM:
– Forefront Identity Manager Service
– Forefront Identity Manager Synchronization Service
These services have to be started before you can use the FIM client! You can start them by going to SharePoint Central Administration and starting the User Profile Synchronization Service.
Note that the Windows Service can still be stopped even if Central Administration shows that the service is started! Stop this service and start it again.
Please see the following blog from Spencer for other issues related to the User Profile Service Application: http://www.harbar.net/articles/sp2010ups.aspx
2) Your account is not a member of a required security group.
First verify if you can open the client using the farm account, because this service account has sufficient permissions.
The admin account should have local admin permissions and be a member of the local security group “WSS_ADMIN_WPG”. Members of this group have write access to system resources used by Microsoft SharePoint Foundation.
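Both causes can be checked from PowerShell on the SharePoint server. The script below is an added example, not part of the original post; it assumes an elevated session (otherwise the local admin check reports False because of UAC) and uses only the service display names and group name given above.

```powershell
# Added diagnostic example: checks the two causes listed in the FIM client error.
# Assumption: run from an elevated PowerShell session on the SharePoint server.

# Cause 1: read the real Windows service state, which can differ from
# what Central Administration shows.
$fimServices = @(
    'Forefront Identity Manager Service',
    'Forefront Identity Manager Synchronization Service'
)
foreach ($name in $fimServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service not found: $name"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status); restart the User Profile Synchronization Service from Central Administration"
    } else {
        Write-Output "$name is Running"
    }
}

# Cause 2: check the current account's logon token against the required groups.
# The token is built at logon, so a newly added membership only shows up
# after signing out and back in.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

$isLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$isWssAdmin   = $principal.IsInRole("$env:COMPUTERNAME\WSS_ADMIN_WPG")

Write-Output "Account:                 $($identity.Name)"
Write-Output "Local administrator:     $isLocalAdmin"
Write-Output "Member of WSS_ADMIN_WPG: $isWssAdmin"

if (-not ($isLocalAdmin -and $isWssAdmin)) {
    Write-Warning 'This account lacks a required group membership for the FIM client.'
}

# List who currently holds WSS_ADMIN_WPG. Members have write access to
# SharePoint system resources, so keep this list as short as possible.
net localgroup WSS_ADMIN_WPG
```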
Starting and monitoring multiple syncs
Sync with 2 new AD Users
I have added two new users to Active Directory and will start a new incremental Sync from the SharePoint User Profile Service Application. You can now open the FIM client and view the different syncs.
The DS_DELTAIMPORT shows the import from your Synchronization Connection and you will see more if you have multiple Connections.
There are 2 users added to SharePoint. Clicking on the number shows which users have been added.
Sync with 1 deleted and 1 changed user
I have deleted ‘Sync Test 2’ and changed the display name for ‘Sync Test 1’ to ‘Change test 1’. DS_DELTAIMPORT now shows the following information:
You can also view the user that has been deleted by clicking on the number.
You can also view the changed properties of the other user by using the MOSS_EXPORT_<GUID> profile and clicking on the number next to updates.
Then click properties for this user.
Looking for a specific change may be time-consuming when your organization has thousands of users.
You can use the Metaverse Search to find the user you are looking for and see if this user has been updated with the correct information.
You can filter the search on multiple attributes.
My filter is for users whose display name contains “Change”.
You can then view the properties of this user.
You can find the change by clicking on the connectors tab,
opening the connector “MOSS-<GUID>”,
and finding the latest sync on Lineage.
You can troubleshoot further if the last import change is different from the latest sync. This normally happens when the user has been moved from the specified OU in Synchronization Connections.
You can now troubleshoot the error shown when opening the FIM client and do basic monitoring of the specified syncs. You can find out whether a user has been updated with the latest AD information and when the user was last updated.