Skip Ribbon Commands
Skip to main content

Quick Launch

Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > Why SharePoint backups break the User Profile Sync Service and other mysteries solved
July 07
Why SharePoint backups break the User Profile Sync Service and other mysteries solved

A few days ago on Twitter there was a discussion about yet another thing that breaks SharePoint 2010’s User Profile Service, backing up SharePoint. This is particularly frustrating because backups are so important. In this blog post I’ll explain why this happens, and some ways to work around it.

SharePoint first introduced built in Farm backups in the 2007 version of the product. You could fire one off in Central Admin under Operations, or with STSADM. It worked okay, though it wasn’t a great solution for large environments. One weird little side effect we discovered after a while was that if you ran a farm backup, it paused any search crawls that were going on. Turns out that the SharePoint Farm backup likes to keep things in a consistent state, so it would pause as much as it could when it started so that everything was in a consistent state. Since Search has so many moving parts (like the Index files and the Property database) it paused everything to make sure it backed them up just right. Its heart was in the right place, and it worked pretty well. It was just a bit unnerving when we saw our Crawls stopped unexpectedly. Then along came SharePoint 2010 and the much maligned User Profile Service Application…

The farm backup in SharePoint 2010 behaves very similarly to the one in SharePoint 2007. It still pauses the things it can to get you the very best backup it can muster. It has a new service to deal with in SharePoint 2010, the User Profile Service Application (UPA) (dun dun duuuuuuuuuun). Much like Search, the UPA has a lot of moving parts, including three databases (Profile, Social and Sync) and two service instances (User Profile Service (UP) and User Profile Sync Service (UPS)). In its quest to get you a good farm backup, SharePoint tries to pause it too during the backup. Unfortunately the UPS doesn’t pause, so the backup process actually un-provisions the UPS during the backup, undoing all your hard effort getting the damned thing to work in the first place. When the backup is finished it tries to put everything back together and it reprovisions the UPS. Now, what do we know about provisioning the UPS, besides the fact that it burns one of your three wishes from a genie, and it takes one of your cat’s nine lives each time you do it? We know that the Farm account must be a local admin when it’s provisioned. We also know that if the UPS and Central Admin are running on the same box (and they often are) that you need to do an IISRESET after it’s provisioned. Unfortunately most of us don’t leave our Farm account in the local admin group as a general rule, so the reprovisioning fails. The symptom of this is that profile syncs no longer run, and the two FIM services on the box running the UPS are set to “disabled.” Let’s say though you’re the planning ahead type of person and you leave the Farm account as a local admin. Your UPS will probably reprovision, but you won’t have the necessary IISRESET afterwards.

What’s the moral of this story? Well, if the UPS just seems to unravel itself from time to time it might be because you’re doing a SharePoint aware backup. The Farm backups in Central Admin will do this, as will some 3rd party products. If you’re going to try to schedule Farm backups in order for them to be successful you will probably need to leave your Farm account as a local admin on the box running the UPS and you’ll need to schedule an IISRESET afterwards. You could probably just put that in the same script as your backup. Smile You could also fall back to just doing database backups in SQL of your SharePoint databases. That’ll address 90% of your recovery needs.

Hope that helps. Next week I’ll solve the mystery of how they stick Teflon to a pan, when nothing sticks to Teflon.

tk

Comments

Config-only backups

Thanks for this post Todd,

Does this apply to config-only backups?
I can imagine a lot of people using the in built SQL tools alongside the farm config-only backup capability.

Ben
 on 7/7/2011 5:53 PM

Re: Config-only backups

I'm not sure. I haven't tested this with a config only backup.

You should try it and report back here and let us know what you found out. :)

tk
Todd O. KlindtNo presence information on 7/7/2011 6:25 PM

Changes

An astute reader, Shaun O'Callaghan, alerted me of a typo in paragraph 3, so I changed it. I'm not a huge fan of editing blogs posts, but this needed to be fixed. I thought I'd mention it in case anyone reads this again and notices it's different.

Thanks Shaun.

tk
Todd O. KlindtNo presence information on 7/7/2011 6:26 PM

Farm Backups...

Glad I read this before I kicked off that backup...

Recordp
Lake-Sumter Community College
 on 7/7/2011 7:08 PM

Re: Why SharePoint backups break the User Profile Sync Service and other mysteries solved

This came from what I found here - http://sharepoint.nauplius.net/2011/06/sharepoint-2010-farm-backup-and-user.html, basically if you back up the UPS via Backup-SPFarm/Central Admin, you'll cause the UPS to unprovision.  You can just backup the UPS and see this behavior if you need to quickly reproduce the issue.

However, the reason the re-provisioning fails is due to some code I believe could be changed to allow a non-admin to provision the service.  There is no need for the Farm Admin account to check for groups in the way it does (a standard user can review local group membership, for example), which is by attempting to open a handle to the local SAM.  Since everything else is already set correctly (perf counters, certificates, etc.), local administrator rights should not be required.
 on 7/7/2011 7:58 PM

Re: Why SharePoint backups break the User Profile Sync Service and other mysteries solved

Follow on question - during the UPS unprovision/reprovision process, I see several event ID234's logged, which KB2498715 indicates they can be safely ignored.

At that (exact) time as well, we get 2 server firewall rules - again, opening ports 5725/5726 - needed for UPS to function.  We now have many, many of these identical port rules listed on our CA/App farm server.

Are you able to confirm this process is the cause, if there is any reason for concern, can/should this be prevented, and should/can we clear out the duplicates with no negative impact? (Our server guys want to "clean up")

Thanks in advance for your review and comments/recommendations, Todd.
 on 4/12/2013 6:18 AM

Re: Why SharePoint backups break the User Profile Sync Service and other mysteries solved

Hey Mike,
I would assume this is the case.

tk
Todd O. KlindtNo presence information on 4/16/2013 8:41 PM

Re: Why SharePoint backups break the User Profile Sync Service and other mysteries solved

Do you know if this has been fixed yet and in what CU? The reason I ask is that I take full backups every night using Backup-SPFarm and have not noticed any deprovisioning of the UPS, or at least it's always been up in the morning.
 on 7/9/2013 5:50 PM

Re: Why SharePoint backups break the User Profile Sync Service and other mysteries solved

Do you know if this has been fixed yet and in what CU? The reason I ask is that I take full backups every night using Backup-SPFarm and have not noticed any deprovisioning of the UPS, or at least it's always been up in the morning.
 on 7/10/2013 2:46 PM

Still occurs with SP2013

FWIW, this behavior/bug still occurs with SharePoint 2013
 on 4/17/2015 3:44 PM
1 - 10Next

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title


Body *


Today's date *

Select a date from the calendar.
Please enter today's date so I know you are a real person

Twitter


Want a message when I reply to your comment? Put your Twitter handle here.

Attachments

 

 SysKit