I Have had the great honor of hitting a good number of errors while setting up the User Profile Sync service. I documented one error here but when setting up another environment today I hit yet another. The environment in question was a two server setup with one server being the DC and the other SharePoint + SQL Server. I use the farm account CONTOSO\FarmAccount. I setup all Service Applications using the PowerShell script found here and started the services I wanted to run. When I got to starting the User Profile Synchronization Service I would eventually see the following error in the event log.
With only this error to go on I decided to attach a debugger. Now that was probably heavy handed and ProcMon would have have probably given me the answer here too but WinDbg is much more sexy, yea! Soon after I started the service with windbg attached to the owstimer service I found a security error trying to access the registry. Poking around a bit in the debugger I was able to determine the CONTOSO\FarmAccount was attempting to gain access to HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters and was failing. I decided to shotgun this one and grant my CONTOSO\FarmAccount local admin, restarted the timer service, and retried the operation – it worked. Thinking back about what may have happened I opened the key within the registry editor…now what is strange is I noticed the CONTOSO\FarmAccount has permissions to that key – I wish I had looked before I fixed the problem however I suspect the permissions might have been set after the provision completed or at least got past the point where I failed the first time.
If anyone hits this error, before you do what I have done here I would check the permissions on HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters and see if your Farm Account is present.