You could choose to disable this rule if you are confident that your farm administrators won’t use the farm account elsewhere.
Logging on as the Farm Account is a very, very bad idea and you shouldn’t be doing it.
You of course require Farm Administrator rights to perform the actions related to the farm, service application administrator rights to perform actions related to the service application, and local machine administrator rights to perform actions related to the machine configuration detailed below.
If you follow the procedure you will be successful unless you are hitting an environmental or other known issue.
I won’t detail all of the known issues in this article, but rather cover the most common ones.
Health Analyzer Warning
Please note that the Health Analyzer will report an error: “The server farm account should not be used for other services”. Unfortunately, this Health Analyzer Rule is not smart enough to understand that you have to run UPS as the Farm Account.
Therefore this error (with respect to UPS only) should be ignored.
Whilst it is possible to get UPS working in this configuration, you shouldn’t be doing it, and I’m not going to detail the steps. This does not affect provisioning, but it will prevent sync from working.
You must do the steps below in the correct order, otherwise you will encounter problems with the Sync DB.
Additional Permissions (Do this first)
Note: the December 2010 Cumulative Update breaks this capability and after setting NetBIOSDomainNamesEnabled, you will not be able to create Synchronization Connections.
If something is incorrect, it will try all 15 times, and more often than not, fail 15 times.
That’s why it appears to be “stuck” when in fact it’s attempting each of the runs.
Before I dive in, I must stress that the number one reason people have problems is that they do not follow the procedure!