SharePoint User Profile on new SE server not synchronizing

Dominique Graves 256 Reputation points
2026-01-29T00:40:03.1466667+00:00

I know there are already posts where user profile synchronization is not working and I've read them, and I have built several SharePoint farms over the last decade, so I have experience with UPS and am still not able to get this working. So posting here! :)

Symptom:

User Profile Synchronization on new server seems to be configured correctly but no profiles are appearing after synchronization.


Details:

We have recently built a new SharePoint Subscription Edition farm with intentions to perform a database attach upgrade from our SharePoint 2019 farm. This farm is a minrole deployment with a separate SQL Server and two SharePoint servers. I performed a test upgrade using the exact method that is outlined on the Microsoft article: https://learn.microsoft.com/en-us/sharepoint/upgrade-and-update/upgrade-databases-subscription-edition

We will be keeping the same URL for the sites / web application for the new farm so in order to perform this test upgrade, I created an entry in the HOSTS file on the two SharePoint servers for the URL of the web application. This allows me to navigate to the site to make sure they work but without affecting production environment / DNS etc.  I am mentioning this in the case that this would affect the issue we are having.

So this is probably the first question I have before you keep reading... when the user profile service synchronizes with Active Directory, is AD attempting to send the results back to the SharePoint farm via a URL? If so, which URL? The entries that do exist in DNS for this new environment are the server names and the central admin web app. The home web app and the my sites web app exist in DNS but point to the IP address of our production farm, not this new farm. So when AD sends the information back to the user profile service, what address is it communicating with?

Read on for my troubleshooting and screenshots.

The installation of SharePoint itself has gone well. The step that is not working out well is the "Upgrade the User Profile service application". I followed the steps exactly but the User Profile synchronization is not successful. I verified the following before I performed this step:

The account I was logged in with has the following permissions:

  • member of the Farm administrators group.
  • Securityadmin fixed server role on the SQL server instance
  • Db_owner fixed database role on the databases
  • Local administrator on the SharePoint server.
  • The Managed Metadata service application was already in place and working.
  • I used the SharePoint Hosted Services application pool which is running with a managed service account “SVC-SHPT-Services”.
  • Created My Site web application with managed path of “personal”.

I then ran the commands to create the User Profile Service (UPS) application and attach/upgrade databases from 2019 environment. As specified in this article: Upgrade service applications to SharePoint Server Subscription Edition - SharePoint Server | Microsoft Learn

I then edited the Synchronization connection. I changed the account name to the one for the new environment. Account: SVC-SHPT-Profiles

This account has the rights for replicate directory changes. I clicked the Populate Containers button and ensured it populated and the proper OUs were selected.

I then ran a Full synchronization but the profiles do not populate. The status changes to “synchronizing” but then after a couple of minutes it goes back to “Idle” with zero profiles.

After re-verifying all the permissions and settings, I decided to eliminate the 2019 databases as being the problem. So I removed the UPS application and proxy, deleting the databases along with it. I deleted the MySite web application and IIS app pool.

I created the My Site web application with new IIS app pool for My Sites, a new root site collection using the My Site Host template and created the UPS application and proxy all with fresh new databases with no involvement of the database attach upgrade. I ensured all permissions were set as I understand they need to be and the Full Synchronization is still not working.

The final thing I tried was creating a new application pool for the UPS but that did not have any effect. The user profiles are still not synchronizing.

I have ULS logs captured with verbose logging enabled, but I wasn't sure what to search for and what to post here. We are a sensitive company so I cannot post the entire log. I need to know what entries to share if needed. Or if someone could help me to understand what to search for in the ULS log.

THANK YOU IN ADVANCE TO ANYONE WHO READ THIS FAR! :)

Screenshots of some of the settings and statuses:



1 answer

  1. Steven-N 20,000 Reputation points Microsoft External Staff Moderator
    2026-01-29T05:30:24.8666667+00:00

    Hi Dominique Graves

    Thank you for reaching out to Microsoft Q&A forum

    Based on your descriptions and attached images I have developed several preliminary thoughts regarding the potential cause of this behavior.

    Kindly note that these are my observations based on personal knowledge and available resources. As a forum moderator, my testing environment is not fully adequate to simulate the problem and provide completely accurate solutions. However, you may find them helpful as a new insight.

    Initially, regarding your concern: Is AD attempting to send the results back to the SharePoint farm via a URL? If so, which URL?...

    Based on my research in this DOCUMENT, in SharePoint Server SE, User Profile “synchronization” (when using SharePoint Active Directory Import / AD Import) is not a round‑trip process where Active Directory “posts results back” to your farm through a web application URL.

    Instead, the SharePoint User Profile Service Application is configured to use AD Import and then creates a synchronization connection to Active Directory Domain Services (AD DS). So, that connection defines what objects to import and includes the credentials SharePoint uses to interact with AD DS. In other words, the import is initiated from SharePoint to AD DS, and the data is written into the SharePoint profile databases, there is no dependency on the public URL/DNS of your content web applications for AD to “send back” imported profile data.

    From my observation, given your lab-style database‑attach upgrade setup (SE farm running side‑by‑side with production, HOSTS override for the content URL, and DNS still pointing the production web apps to the old farm), that DNS mismatch would not typically explain “no profiles appearing” if AD Import is correctly configured, because AD Import relies on the UPA sync connection and its AD DS scope/credentials, not the content web app URL.

    That said, if you’re seeing zero imported profiles, the highest-value validation is to re-check the AD Import synchronization connection scope (selected OUs/containers) and how SharePoint resolves eligible objects.

    For example, Microsoft documents a case where an “active” user is not imported when AD metadata (like LastKnownParent) effectively places the user outside the selected OU scope, even though the user appears to be in scope.


    Below are my suggestions about this situation:

    The first step I recommend is to create a support ticket with Microsoft’s Support team directly. Advanced configuration tasks of this nature require specialists who have access to the appropriate diagnostic tools and can provide real‑time guidance throughout the troubleshooting process to ensure accuracy and prevent errors. You can submit a support request using the link below:

    Link support: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create

    In the meantime, you may refer to the two methods outlined below to determine whether they help address the situation:

    Option 1: Prove the AD Import timer job is actually running.

    In SharePoint AD Import, profiles are brought in by the “User Profile Active Directory Import Job” timer job (it imports directly into the Profile DB), and AD Import is not a bidirectional “AD sends data back to SharePoint URL” process.

    If Full Sync flips to Idle with 0 profiles, focus on whether that timer job ran and what it logged. In ULS, filter/search for UserProfileADImportJob and Category = User Profiles (these are the common identifiers used to narrow down AD Import runs).

    When sharing logs publicly, you typically only need the exception block + stack trace around the job run (redact domain/usernames/OU paths, keep exception type + call stack).

    Option 2: Assume the job runs, then validate “imports zero” causes: scope/filter and the LastKnownParent edge case.

    AD Import only imports what your Synchronization Connection is scoped to (OU/container selection + simple LDAP filter). Mis-scope or an over-restrictive filter can result in 0 imported objects even when “Populate Containers” works.

    Additionally, I have found some relevant information that may help you gain more insight:

    https://joshroark.com/sharepoint-2016-active-directory-import-timer-job-does-not-run-allowservicejobs/

    https://sharepoint.stackexchange.com/questions/315040/sharepoint-2019-ad-sync-not-working

    Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

    Hope my answer will help you.

    Regards


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
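The two checks from Option 1 (did the AD Import timer job run, and what did it log) as one PowerShell script, together with the redaction the answer recommends before posting ULS excerpts. This is an added example, not code from the moderator's answer or from Microsoft; it assumes the SharePoint PowerShell snap-in loads on a farm server, that the AD Import job's internal name matches `*ADImport*` (confirm with `Get-SPTimerJob`), and the `Protect-UlsMessage` helper is my own, not a SharePoint cmdlet.

```powershell
# Added example, not code from the original answer. Run in an elevated SharePoint
# Management Shell on a farm server. Assumptions: the AD Import job's internal
# name matches *ADImport* (confirm with Get-SPTimerJob), and Protect-UlsMessage
# below is a hypothetical helper written for this example, not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: did the "User Profile Active Directory Import Job" actually run?
$job = Get-SPTimerJob |
    Where-Object { $_.Name -like '*ADImport*' -or $_.DisplayName -like '*Active Directory Import*' }
$job | Select-Object Name, DisplayName, IsDisabled, LastRunTime,
    @{ n = 'Schedule'; e = { $_.Schedule.ToString() } } | Format-List
# Recent run history: a job that never starts, or ends in Failed, points at the
# job itself rather than at the sync connection scope (Option 2).
$job.HistoryEntries | Sort-Object StartTime -Descending | Select-Object -First 5 |
    Select-Object ServerName, StartTime, EndTime, Status, ErrorMessage | Format-Table -AutoSize

# Step 2: pull the ULS entries around the Full Sync (set $since to just before
# you clicked Start Full Synchronization) and keep only the AD Import lines.
$since   = (Get-Date).AddHours(-2)
$entries = Get-SPLogEvent -StartTime $since |
    Where-Object { $_.Category -eq 'User Profiles' -or $_.Message -match 'UserProfileADImportJob' }

function Protect-UlsMessage {
    # Redacts what the answer says not to post: DN/OU paths, DOMAIN\user, UPNs.
    # Exception types and call-stack frames are left intact. Over-redaction of a
    # stray Windows path (dir\file) is accepted in exchange for safety.
    param([string] $Text)
    $t = $Text -replace '(?i)\b(OU|CN)=[^,\r\n]+(,(OU|CN|DC)=[^,\r\n]+)+', '<DN-REDACTED>'
    $t = $t    -replace '(?i)\b[a-z0-9._-]+\\[a-z0-9._$-]+', '<DOMAIN\USER-REDACTED>'
    $t = $t    -replace '(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b', '<UPN-REDACTED>'
    return $t
}

# Step 3: keep the exception-level entries, redact them, and write a shareable file.
$shareable = $entries |
    Where-Object { $_.Level -in @('Critical', 'Unexpected', 'Monitorable', 'High') } |
    ForEach-Object {
        '{0:u} [{1}] {2} {3}' -f $_.Timestamp, $_.Level, $_.Correlation, (Protect-UlsMessage $_.Message)
    }
$shareable | Out-File -FilePath .\upa-adimport-redacted.log -Encoding utf8
'{0} AD Import entries found; {1} exception-level entries written to upa-adimport-redacted.log' -f $entries.Count, $shareable.Count
```

Review the redacted file once before posting; the Correlation value on each line lets a reader ask for the rest of that correlation's entries without you sharing the whole verbose log.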

