User Profile Synchronization not working with Active Directory connection

In SharePoint 2010 I have configured the User Profile Synchronization Service to import user properties from Active Directory.  However, when I run a full synchronisation none of the attributes are imported from AD.

For me, one of the best  tools to troubleshoot this is the Forefront Synchronization Service Manager.  It can be found here:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

When I run this tool, and look on the Operations page, I can see that the DS_FULLIMPORT task failed.  By double-clicking it, I can see more detail:

Status: Failed-Search
Error: Replication access was denied
Error code: 8453

Connection_Log

The error suggests that the user configured for synchronisation does not have the appropriate rights in AD.  I have already granted the Replicating Directory Changes rights on the domain so what else could need doing?

Domain_Properties

Well, as it turns out the NETBOIS domain is different to the FQDN.  In this scenario I also need to grant Replicating Directory Changes rights to the domain configuration partition using ADSI Edit.  Here is how this is done:

1. Open ADSI Edit

2. Connect to the Configuration partition

3. Right-click on the Configuration partition and click Properties

4. On the Security tab click Add

5. Enter the name of the user account used by the User Profile Synchronisation Service and click OK

6. Tick the box to allow Replicating Directory Changes and click OK

7. Close ADSI Edit

Now the synchronisation job should run successfully, as can be seen in the ForeFront Synchronization Service Manager.

[BlogBookmark] [Blogsvine] [del.icio.us] [Digg] [Facebook] [Furl] [Google] [LinkedIn] [MySpace] [Reddit] [Slashdot] [StumbleUpon] [Twitter] [Windows Live] [Yahoo!] [Email]