During the setup of a farm, which has been previously configured by using the AutoSPInstall automated configuration scripts, it was needed to update the account used for the Windows Service “User Profile Synchronization Service”. What again was supposed to work pretty smooth it quickly popped another of the SharePoint 2013 exceptions (as depicted in the next screenshot).
“An object of the type Microsoft.SharePoint.Administration.SPWindowsServiceCredentialDeploymentJobDefinition named “windows-service-credentials-FIMSynchronizationService” already exists under the parent Microsoft.Office.Server.Administration.ProfileSynchronizationService named “FIMSynchronizationService”. Rename your object or delete the existing object.”
As a quick reminder to update the service account one uses Security > Configure Service Accounts and choose from the list “Windows Service – User Profile Synchronization Service“. As soon as this gets selected automatically the actual service account in use will be displayed. This is usually the exact same account specified during configuration as the “Farm Account” (used to create the Configuration database) used by default (particularly when using Configuration Wizard to have your Service Applications automatically created) to execute most of the services.
The first think to check was whether required permissions are properly setup (as instructed by MSDN), but also performed a one-time log-on/log-off (a tip found in one of the excellent articles from Spence Harbar).
- The farm account has Log On Locally permission to the server on which you are trying to start the User Profile Synchronization service.
- The farm account is a member of the Administrators group on the server on which you are trying to start the User Profile Synchronization service.
Basically, as soon as one starts the User Profile Synchronization service (either during the initial provisioning of the User Profile Service Application or manually via the System Settings > Manage Services on Server and start User Profile Service) two (2) other FIM services (Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service) are also provisioned. These services enable synchronization with external systems, such as Active Directory services, LDAP directories or other business systems – e.g. when you need to extend User Profiles by integrating additional external data.
If one has the curiosity to check under Services on the server, both these services are automatically set to Disabled, and any attempt to start these manually will fail. The proper way to start these is when starting the “User Profiles Synchronization Service”.
As error already instructs it seems that some Job definition might exist forbidding the creation of another to set the credentials. So I head-out straight to Monitoring > Review Job Definitions and right at the end there was the culprit. Delete it and re-attempt the update of the account – all went straight as initially expected!
Conclusion – moving on to fixing next issue!