User Profile Synchronization not working with Active Directory connection
In SharePoint 2010 I have configured the User Profile Synchronization Service to import user properties from Active Directory. However, when I run a full synchronisation none of the attributes are imported from AD.
For me, one of the best tools to troubleshoot this is the Forefront Synchronization Service Manager. It can be found here:
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
When I run this tool, and look on the Operations page, I can see that the DS_FULLIMPORT task failed. By double-clicking it, I can see more detail:
Status: Failed-Search
Error: Replication access was denied
Error code: 8453
The error suggests that the user configured for synchronisation does not have the appropriate rights in AD. I have already granted the Replicating Directory Changes rights on the domain so what else could need doing?
Well, as it turns out, the NETBIOS domain name is different from the FQDN. In this scenario I also need to grant the Replicating Directory Changes right on the Configuration partition using ADSI Edit. Here is how this is done:
1. Open ADSI Edit
2. Connect to the Configuration partition
3. Right-click on the Configuration partition and click Properties
4. On the Security tab click Add
5. Enter the name of the user account used by the User Profile Synchronisation Service and click OK
6. Tick the box to allow Replicating Directory Changes and click OK
7. Close ADSI Edit
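The same grant can be scripted and, more usefully, verified afterwards. The following PowerShell is an added example, not part of the original post: it grants the Replicating Directory Changes extended right to the sync account on both the domain and the Configuration naming contexts (the two partitions the post says are required), resolving the right by its display name from the Extended-Rights container rather than hard-coding a GUID, and then lists the replication-related extended rights the account actually holds so the result can be checked. It assumes the ActiveDirectory module (RSAT) is available and uses a placeholder account name, `CONTOSO\svc-upsync`. It deliberately grants only Replicating Directory Changes, not Replicating Directory Changes All; the profile import does not need the latter, and the verification step flags it if it is present.

```powershell
# Added example (not from the original post): grant and verify the
# "Replicating Directory Changes" extended right for the UPS sync account.
Import-Module ActiveDirectory

$syncAccount = 'CONTOSO\svc-upsync'   # assumption: placeholder name for the sync account

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=contoso,DC=com
$domainNC = $rootDse.defaultNamingContext         # e.g. DC=contoso,DC=com

# Resolve extended rights by display name so no GUID is hard-coded.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [Guid]$obj.rightsGuid
}

$changesGuid    = Get-ExtendedRightGuid 'Replicating Directory Changes'
$changesAllGuid = Get-ExtendedRightGuid 'Replicating Directory Changes All'

$sid = (New-Object System.Security.Principal.NTAccount($syncAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Grant the single right on a partition; skip if an identical ACE already exists.
function Grant-ReplicationRight([string]$Partition) {
    $acl = Get-Acl -Path "AD:\$Partition"
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $syncAccount -and
        $_.ObjectType -eq $changesGuid -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($already) { Write-Host "Already granted on $Partition"; return }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $changesGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Partition" -AclObject $acl
    Write-Host "Granted Replicating Directory Changes on $Partition"
}

# Report which replication rights the account holds on a partition.
function Test-ReplicationRights([string]$Partition) {
    $acl = Get-Acl -Path "AD:\$Partition"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $syncAccount -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    $hasChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $changesGuid })
    $hasChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $changesAllGuid })
    [pscustomobject]@{
        Partition                      = $Partition
        ReplicatingDirectoryChanges    = $hasChanges
        ReplicatingDirectoryChangesAll = $hasChangesAll   # should be $false for this account
    }
}

foreach ($nc in @($domainNC, $configNC)) { Grant-ReplicationRight $nc }
foreach ($nc in @($domainNC, $configNC)) { Test-ReplicationRights $nc | Format-Table -AutoSize }
```

Run it as a user that can modify the partition ACLs (domain admin or equivalent). The second table is the part worth keeping: the ReplicatingDirectoryChanges column should read True for both partitions, and ReplicatingDirectoryChangesAll should stay False, since a sync account that can also replicate secret attributes holds far more than the profile import requires.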
Now the synchronisation job should run successfully, as can be seen in the Forefront Synchronization Service Manager.
This and the article explaining the replication rights (for AD, in AD) allowed a replacement account to successfully replicate.
Why this isn’t all documented clearer escapes me — but THANKS!
jeff