You have a SharePoint Server 2010 Service Pack 1 (SP1) server farm. You configure the User Profile
Synchronization Service to use a new user account as a service account. You discover that user
profiles are not imported from Active Directory. You verify that the service is running, and then you
run the Forefront Identity Manager service. You receive the following error message: “Replication
Access is Denied.” You need to ensure that the user profiles are imported from Active Directory.
Which permissions should you assign to which service account?
A. the Replication synchronization permission to the service account of the User Profile Synchronization Service
B. the Replication synchronization permission to the service account of the farm
C. the Replicating Directory Changes permission to the service account of the farm
D. the Replicating Directory Changes permission to the service account of the User Profile Synchronization Service
Explanation:
Setting “Replicating Directory Changes” using PowerShell
Posted on Sunday, 19 February, 2012
When you are setting up the User Profile Synchronization in SharePoint 2010, you need an account
which is going to do the synchronization. This account has to be given “Replicate Directory Changes”
permissions on the domain.
See this article on TechNet on how to do this using the Active Directory Users and Computers snap-in.
If the NETBIOS name of the domain is different than the FQDN of the domain, these permissions also
need to be set on the Configuration Naming Context of the domain.
(Rational Guide to Implementing SharePoint Server 2010 User Profile Synchronization)
Doing this using the snap-in is OK, but I like to do things using script, so I have been looking for a way
to do this using PowerShell. I found some information on how to use PowerShell to check if these
permissions were set, but I didn't succeed in setting them.
Then, I stumbled onto a post of Søren Granfeldt, which showed me that setting these permissions
is actually very easy. You simply use the DSACLS command-line tool to set the permissions.
PowerShell
# Account that runs the User Profile Synchronization Service (replace with your own)
$Identity = "domain\account"
# Read the naming contexts of the domain from RootDSE
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = $RootDSE.defaultNamingContext
$ConfigurationNamingContext = $RootDSE.configurationNamingContext
$UserPrincipal = New-Object Security.Principal.NTAccount("$Identity")
# CA = control access right; grant "Replicating Directory Changes" on the domain naming context
DSACLS "$DefaultNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
# ... and on the configuration naming context (needed when the NetBIOS name differs from the FQDN)
DSACLS "$ConfigurationNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
http://blog.kuppens-switsers.net/tag/replicating-directory-changes/
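As an added check (not part of the quoted post), the following PowerShell reads the ACL of both naming contexts and reports whether the account holds the Replicating Directory Changes control access right directly; `$Identity` is a placeholder to replace, and the script assumes it runs on a domain-joined host.

```powershell
# Added verification script: confirms the UPS service account was granted
# "Replicating Directory Changes" (DS-Replication-Get-Changes) on the domain
# and configuration naming contexts. Only direct grants are examined; rights
# inherited through group membership are not resolved here.
$Identity = "domain\account"   # placeholder, replace with the UPS service account

# Well-known GUID of the DS-Replication-Get-Changes extended right. Note that the
# broader "Replicating Directory Changes All" right is a different GUID and is not
# required by User Profile Synchronization; do not grant it for this purpose.
$GetChangesGuid = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

$RootDSE  = [ADSI]"LDAP://RootDSE"
$Contexts = @($RootDSE.defaultNamingContext, $RootDSE.configurationNamingContext)

# Resolve the account to its SID so the comparison does not depend on name formatting
$Principal = New-Object System.Security.Principal.NTAccount($Identity)
$Sid = $Principal.Translate([System.Security.Principal.SecurityIdentifier])

foreach ($Context in $Contexts) {
    $Entry = [ADSI]"LDAP://$Context"
    $Acl   = $Entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    $Rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # An Allow ACE for this SID carrying ExtendedRight with the Get-Changes GUID
    $Match = $Rules | Where-Object {
        $_.IdentityReference -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $GetChangesGuid
    }

    if ($Match) { "OK: $Identity has Replicating Directory Changes on $Context" }
    else        { "MISSING: $Identity lacks Replicating Directory Changes on $Context" }
}
```

Run it after the DSACLS commands above; a MISSING line for the configuration naming context is expected when the NetBIOS name matches the FQDN and that context was deliberately left alone.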