User Profile Synchronization Service Stuck on Starting

This is a collection of issues I've encountered recently with the User Profile Synchronization Service not starting up. There are other issues that are much more common that I'm not including here since they are covered on a bazillion blogs by now, plus there is the very thorough guide by Spencer Harbar http://www.harbar.net/articles/sp2010ups.aspx. These resolutions are assuming that you've followed all of the recommendations by Spencer and you have no other issues in your environment. When I've had to troubleshoot environments set up by someone else the most common issue is access; make sure your farm admin account is a local administrator and can log on as a service, can long on as a batch job, etc.

Duplicate Certificates
If the sync service has failed at least once, it is possible that the certificates were created and not removed, and not the setup is throwing an error because the certificates are already there. Below are a few of the errors that you might see here. Also, if you search for ILM Configuration in the trace logs and the last row you see is "ILM Configuration: Configuring certificate." your problem could be the certificates.


Event IDs 3 & 6309

The server encountered an unexpected error while performing an operation for a management agent. Microsoft.ResourceManagement.ResourceManagementException: Exception from HRESULT: 0x8023060F ---> System.Runtime.InteropServices.COMException (0x8023060F): Exception from HRESULT: 0x8023060F at MIISRCW.IMMSManagementAgent.ModifyMAData(String pszMADataXML, String& ppszUpdatedXML) at Microsoft.ResourceManagement.SyncConfig.SetMaData(Guid maGuid, String maData) at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Update(Guid objectId, CultureInfo locale, IList`1 updateParameters, Guid cause)

Solution: Remove the certificates

Steps
1) Go to the start menu and run mmc
2) Select File then Add/Remove Snap-ins
3) Select Certificates from the list and select Service Account. When prompted for the service account, select the Forefront Identity Manager Service
4) Click OK
5) Expand the Certificates section and you should see 8 folders. Look through each folder and find an certificate named Forefront Identity Manager. If you find one, delete it.
6) Repeat steps 4-6 but select the Forefront Identity Manager Synchronization Service
7) Repeat steps 4-6 but select the computer account
8) After all certificates have been deleted, run an IISreset and restart the SPTimerV4 service.
9) If necessary, stop the provisioning of the Synchronization Service (steps below if necessary)

MSIInstaller 1001, 1004, 1005 Warnings

These errors are because the Network Service does not have access to the appropriate folders. Simply give the Network Service account access to the C:\Program Files\Microsoft Office Servers\15.0 directory. It will need Read & Execute.

Failed to connect to server. Error: 0x80070005 Detection of product '{90150000-104C-0000-1000-0000000FF1CE}', feature 'PeopleILM' failed during request for component '{9AE4D8E0-D3F6-47A8-8FAE-38496FE32FF5}'

Detection of product '{90150000-104C-0000-1000-0000000FF1CE}', feature 'PeopleILM', component '{1C12B6E6-898C-4D58-9774-AAAFBDFE273C}' failed. The resource 'C:\Program Files\Microsoft Office Servers\15.0\Service\Microsoft.ResourceManagement.Service.exe' does not exist.

Event ID 234 - Warning creating certificate

This can sometimes be a false alarm. If you see this error and the service is still starting, don't take action yet. If the service fails to start this could be a combination of the first two issues

Service is stuck on Starting for more than 10-15 minutes

The service can take 10 or more minutes to start up on a good day, so be patient. However, if you've encountered some of these errors in the event viewer and you're not seeing anything new for ILM Configuration in the ULS logs you may need to stop the provisioning of the synchronization service. You can do this by running the following powershell commands

add-pssnapin Microsoft.sharepoint.powershell
$id = get-spserviceinstance | where {$_.TypeName -eq "User Profile Synchronization Service"}
Stop-spserviceinstance -identity $id

After stopping this you can resolve the issues you encountered and try it again