SharePoint (2003 thru Online): Profile Import Errors (Forefront Identity Manager Synchronization Service)

Wednesday, January 6, 2016

Profile Import Errors (Forefront Identity Manager Synchronization Service)

ISSUE
After setting up the User Profile Service Application and configuring the synchronization connection to your Active Directory, you receive the following error in the Application log of the server running FIMSynchronizationService (in our case, the APP server).

The management agent “MOSSAD-DEC” failed on run profile “DS_FULLIMPORT” because of connectivity issues. Event Id 6050



For further investigation, use the MIISClient.exe tool located in “C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell”. On the Operations tab you also see the following error under DS_FULLIMPORT, with Status: stopped-connectivity.

failed-search    Replication access was denied    8453 (Error Code)



RESOLUTION

Verify that the service account used to run the Forefront Identity Manager Synchronization Service (FIMSynchronizationService) has the AD security right “Replicating Directory Changes” at the domain level.

1. Open the "Active Directory Users and Computers" snap-in.
2. On the View menu, click "Advanced Features".
3. Right-click the domain object, such as “ou.domain.com”, and then click "Properties".
4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Click to select the "Replicating Directory Changes" check box from the list.
9. Click Apply, and then click OK.
10. Close the snap-in.

NOTE: The “Domain Admins” group already has the above right; however, if you are still seeing this issue, add the service account explicitly in the AD security settings.

Even after applying the above steps, the problem may sometimes persist.
If you don't have access to the domain or domain controllers, perform the steps below with the help of your systems administrator.

Use this procedure to grant Replicate Directory Changes permission on the CN=Configuration container to an account.
  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
  2. If the Configuration node is not already present, do the following:
    1. In the navigation pane, click ADSI Edit.
    2. On the Action menu, click Connect to.
    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
  3. Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.
  4. In the Properties dialog box, click the Security tab.
  5. In the Group or user names section, click Add.
  6. Type the name of the synchronization account, and then click OK.
  7. In the Group or user names section, select the synchronization account.
  8. In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
After following all these steps, Full Synchronization was completed successfully with Profile Import.
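
Both grants described above can be verified from PowerShell instead of clicking through the Security tabs. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and uses the placeholder account name `DOMAIN\svc-spsync`. It also reports "Replicating Directory Changes All", a broader right that the steps above do not call for, so that an accidental over-grant is visible.

```powershell
# Added example: audit replication extended rights on the domain and
# configuration naming contexts. Read-only; it changes nothing.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumption: placeholder name. Replace with the FIM synchronization account.
$SyncAccount = 'DOMAIN\svc-spsync'

# controlAccessRight GUIDs for the two replication rights.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$Extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$root     = Get-ADRootDSE
$contexts = @($root.defaultNamingContext, $root.configurationNamingContext)

# Collect every explicit or inherited Allow ACE that names one of the rights.
# Not covered: rights implied by Full Control ACEs or held via group nesting.
$report = foreach ($nc in $contexts) {
    foreach ($ace in (Get-Acl -Path "AD:\$nc").Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band $Extended) -and
            $Rights.ContainsKey($guid)) {
            [pscustomobject]@{
                NamingContext = $nc
                Principal     = $ace.IdentityReference.Value
                Right         = $Rights[$guid]
                Inherited     = $ace.IsInherited
            }
        }
    }
}
$report | Sort-Object NamingContext, Principal | Format-Table -AutoSize

# Per naming context: does the sync account hold the right the post requires?
foreach ($nc in $contexts) {
    $mine = @($report | Where-Object {
        $_.NamingContext -eq $nc -and $_.Principal -eq $SyncAccount })
    if ($mine.Right -contains 'Replicating Directory Changes') {
        "OK       $nc"
    } else {
        "MISSING  $nc  (expect error 8453 on DS_FULLIMPORT)"
    }
    if ($mine.Right -contains 'Replicating Directory Changes All') {
        "REVIEW   $nc  (account also holds 'Replicating Directory Changes All')"
    }
}
```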
