You have a SharePoint Server 2013 Service Pack 1 (SP1) server farm. You configure the
User Profile Synchronization Service to use a new user account as a service account. You
discover that user profiles are not imported from Active Directory. You verify that the service
is running, and then you run the Forefront IdentityManager service. You receive the
following error message: “Replication Access is Denied.” You need to ensure that the user
profiles are imported from Active Directory. Which permissions should you assign to which
service account?

A. the Replication synchronization permission to the service account of the User Profile Synchronization Service

B. the Replication synchronization permission to the service account of the farm

C. the Replicating Directory Changes permission to the service account of the farm

D. the Replicating Directory Changes permission to the service account of the User Profile Synchronization Service

Explanation:
Setting Replicating Directory Changes using PowerShell
Posted on Sunday, 19 February, 2012
When you are setting up the User Profile Synchronization in SharePoint 2013, you need an account which is
going to do the synchronization. This account has to be given Replicate Directory Changes permissions on
the domain.
See this article on TechNet on how to do this using the Active Directory Users and Computers snap-in.
If the NETBIOS name of the domain is different from the FQDN of the domain, these permissions also need to
be set on the Configuration Naming Context of the domain.
(Rational Guide to Implementing SharePoint Server 2013 User Profile Synchronization)
Doing this using the snap-in is OK, but I like to do things using script, so I have been looking for a way to do
this using PowerShell. I found some information on how to use PowerShell to check if these permissions were
set, but I didn't succeed in setting them.
Then, I stumbled onto a post of Søren Granfeldt, which showed me that setting these permissions is actually
very easy. You simply use the DSACLS command-line tool to set the permissions.
PowerShell
# Account that runs the User Profile Synchronization Service (domain\account is a placeholder)
$Identity = "domain\account"
# Read the naming contexts of the current forest from RootDSE
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = [string]$RootDSE.defaultNamingContext
$ConfigurationNamingContext = [string]$RootDSE.configurationNamingContext
$UserPrincipal = New-Object Security.Principal.NTAccount($Identity)
# Grant the "Replicating Directory Changes" extended right (CA = control access) on both naming contexts.
# The whole <user>:<perms> argument is quoted: the right name contains spaces and ';' is a PowerShell statement separator.
DSACLS "$DefaultNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
DSACLS "$ConfigurationNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
http://blog.kuppens-switsers.net/tag/replicating-directory-changes/
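Added here as a verification step, not code from the question or the quoted blog post: a PowerShell check that lists who holds the Replicating Directory Changes extended right on the domain and configuration naming contexts, then confirms the synchronization service account (the domain\account value is a placeholder) holds it on both. It assumes a domain-joined host and uses only System.DirectoryServices, so the ActiveDirectory module is not required.

```powershell
# Added check (not from the question or the quoted post): who holds the
# "Replicating Directory Changes" extended right, and does the sync account?
$SyncAccount = "domain\account"   # placeholder for the UPS service account

$RootDSE   = [ADSI]"LDAP://RootDSE"
$DefaultNC = [string]$RootDSE.defaultNamingContext
$ConfigNC  = [string]$RootDSE.configurationNamingContext

# Resolve the right's GUID from the Extended-Rights container by display name
# instead of hard-coding it, so the lookup follows the name the post uses.
$Searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$ConfigNC")
$Searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=Replicating Directory Changes))"
$RightGuid = [Guid]$Searcher.FindOne().Properties["rightsguid"][0]

function Get-ReplicationRightHolders {
    param([string]$DistinguishedName, [Guid]$RightGuid)
    $Entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, keyed by SID so an orphaned SID cannot abort the enumeration
    $Rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    foreach ($Rule in $Rules) {
        if ($Rule.AccessControlType -ne 'Allow') { continue }
        $Ext = [int]($Rule.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if ($Ext -eq 0) { continue }
        # An empty ObjectType means "all extended rights", which includes this one
        if ($Rule.ObjectType -ne $RightGuid -and $Rule.ObjectType -ne [Guid]::Empty) { continue }
        try   { $Name = $Rule.IdentityReference.Translate([Security.Principal.NTAccount]).Value }
        catch { $Name = $Rule.IdentityReference.Value }
        [pscustomobject]@{ Object = $DistinguishedName; Principal = $Name; Inherited = $Rule.IsInherited }
    }
}

$Holders = @(Get-ReplicationRightHolders $DefaultNC $RightGuid) + @(Get-ReplicationRightHolders $ConfigNC $RightGuid)
$Holders | Format-Table -AutoSize

# The post notes the right is needed on the configuration NC too when the NetBIOS name differs from the FQDN
foreach ($NC in $DefaultNC, $ConfigNC) {
    $HasRight = $Holders | Where-Object { $_.Object -eq $NC -and $_.Principal -eq $SyncAccount }
    if ($HasRight) { "OK: $SyncAccount has Replicating Directory Changes on $NC" }
    else           { "MISSING: $SyncAccount lacks Replicating Directory Changes on $NC" }
}
```

The full holder list is worth reviewing as well: any account on it beyond the expected built-in groups and the synchronization account can read directory changes and should be justified.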
