User Profile Service Synchronization Timeouts

If there is one service application in SharePoint 2010 that's anything but boring, that's certainly the User profile Service App. I was recently building out a farm and after the UPS synchronization connection was successfully built, I tried importing user profiles form AD.

Looking at the  Forefront Identity Manager applet located at C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\Miisclient.exe , I noticed timeouts.

DS_FULLIMPORT step would start and after about 5-10 min would fail with stopped-connectivity error, WCF Endpoint failure.

I was on the phone with MS for couple of hours going through the logs, and trying to sync over and over (and over) again, each time being a failure.
The proposed solution was to increase timeouts values for service endpoints. Apparently, each SharePoint 2010 service has two endpoints (bindings), one for HTTP and another one for HTTPS, and their configuration files are located under:

C:\Program Files\Microsoft Office Servers\14.0\WebService


Now I am sure if you are a developer you probably already knew this, but infrastructure guys like myself don't often have to deal with the inner workings of web services. Anyways, this is where these files are located, and you are looking for web.config

Look for

There are two bindings: HTTP/HTTPS, 4 timeout intervals each: receive, send, open and close, all 20 sec by default. We had them increased to something like 5 minutes each. 


There are couple of more locations the same process was repeated:

C:\Program Files\Microsoft Office Servers\14.0\WebClients\Profile\client.config

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebClients\client.config 

Indeed, the UPS sync was more robust and did not time out as quickly as before. What I think ultimately was a fix (or part of the resolution at least) was very simple. I looked at another farm which was importing AD profiles OK, and compared the connections in Miisclient.exe side by side. 

Turns out, the farms were attaching to different domain controllers when trying to pull profiles, and my theory is that the problem child was looking at a DC that was either particularly slow, or at a distant physical location. 

I don't want to assume the latter, since I would think that any MS product would be site-aware and always use local domain resources based on SRV records and Domain sites and services subnet information. So I'll just blame it on a bad DC :)

All I had to do was to specify the same DC that the "good" farm was using, when building the synchronization connection in the "bad" farm. I never had to do that before, but hey, whatever it takes to get it fixed. After that, UPS Sync was running with no issues, and I was finally able to import my profiles.