DirSync, what a tool: a fantastic tool for some and a source of frustration for others. One of the things that happens a lot is that the services do not start.
Reason: most of the time the account that the FIMService uses to run has not been added to Local Policy > Log on as a service. The main reason why this happens is that those settings are managed by a Group Policy pushed down from AD.
There are several solutions to this problem. I’ll cover 2.
- Create an OU with a new GPO, especially for this server. Put your DirSync server in that OU and make sure that the GPO allows you to change the Local Policies > User Rights Management > Log on as a service. When you do this before the installation of DirSync, you won’t have any issues. If you do this after, you might have to run gpupdate /force to get the new GP on your server. Check whether the local policy can be changed now. If it can, add your user or the group FimSyncAdmins. Reboot the server (or start the services manually).
- Add the user or the group FimSyncAdmins to the GPO that manages the Local Policies > User Rights Management > Log on as a service. The disadvantage of this method is that every server that gets its settings from this GPO will have that group added to the Local Policy, and maybe that’s something you don’t want.
The 2 services that are needed in this scenario:
Forefront Identity Manager Synchronization Service & Windows Azure Active Directory
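
To confirm the diagnosis before changing any GPO, the following added example (not part of the original post) lists who currently holds "Log on as a service" (SeServiceLogonRight) and compares that with the accounts the two services run as. The function name and the temp-file names are illustrative, and the services are matched on the display names given above.

```powershell
# Added example; assumes Windows PowerShell 3.0+ in an elevated session on the DirSync server.
function Get-ServiceLogonRightHolder {
    # Export only the user-rights part of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }   # nobody holds the right
    # Comma-separated entries; a leading '*' marks a SID, anything else is an account name.
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        try {
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            } else {
                $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
            }
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        } catch {
            [pscustomobject]@{ Sid = $null; Name = $entry }   # stale or unparsable entry
        }
    }
}

$holders = @(Get-ServiceLogonRightHolder)
# Display-name prefixes of the two services named in this post.
$filter = "DisplayName LIKE 'Forefront Identity Manager Synchronization%' " +
          "OR DisplayName LIKE 'Windows Azure Active Directory%'"
Get-CimInstance Win32_Service -Filter $filter | ForEach-Object {
    # '.\name' means a local account; NTAccount wants the machine name instead of the dot.
    $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $sid = try {
        (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
    [pscustomobject]@{
        Service     = $_.DisplayName
        State       = $_.State
        RunsAs      = $_.StartName
        # True only for a direct grant; a grant through a group shows up in $holders instead.
        DirectGrant = [bool]($sid -and ($holders.Sid -contains $sid))
    }
} | Format-Table -AutoSize
$holders | Format-Table -AutoSize

# Resultant Set of Policy report: shows which GPO wins for the user-rights settings.
gpresult /h (Join-Path $env:TEMP 'rsop.html') /f
```

If DirectGrant is False and neither the service account nor FimSyncAdmins appears in the holder list, the right is being overwritten by policy, and the gpresult report names the GPO responsible.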