In order for SharePoint 2010 to successfully synchronize user profiles with Active Directory you have to allow the User Profile Service account specific permissions to the AD container. Failure to do so would result in access denied errors that are not so easy to troubleshoot if you are not familiar with this requirement.
We need to grant the Replicating Directory Changes permission on the domain to the service account. This is the account that will be used to perform the sync.
The steps are as follows:
- Right Click the Domain, choose Delegate Control… click Next
- Add the service account in question, click Next
- Select Create a Custom Task to Delegate, click Next
- Click Next
- Select the Replicating Directory Changes permission and click Next
- Click Finish
This is part of the solution, we also need to grant replicating directory changes on the Configuration Naming Context for the domain using the ADSIEdit.msc management console.
- Connect to the Configuration Partition
- Right click the configuration partition and choose properties
- From the Security tab, add the service account and give it Replicating Directory Changes permissions
This should conclude the required AD changes.