If you are working with the User Profile Synchronization Service (UPSS), you need to grant the Replicate Directory Changes permission to the service account that runs it.
The Replicate Directory Changes permission enables the synchronization account to read AD DS objects and to discover AD DS objects that have been changed in the domain. It does not enable the account to create, modify or delete AD DS objects.
To grant the Replicate Directory Changes permission to an account on Windows Server 2012 Active Directory, follow the steps below:
- On the domain controller, click Start, search for Active Directory Users and Computers and run it as administrator.
- In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- On the first page of the Delegation of Control Wizard, click Next.
- On the Users or Groups page, click Add, type the name of the synchronization account, click OK, and then click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
- On the Permissions page, in the Permissions box, select Replicating Directory Changes and then click Next.
- Click Finish.
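To confirm the delegation took effect, the following added example (not part of the original page) lists which accounts hold replication-related extended rights on the domain root and checks that the synchronization account holds only the one granted above. It assumes the ActiveDirectory PowerShell module is installed; `CONTOSO\svc-spsync` is a placeholder account name.

```powershell
# Added example: audit replication-related extended rights on the domain root.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumption: placeholder name; replace with your synchronization account.
$SyncAccount = 'CONTOSO\svc-spsync'

# Control access right GUIDs (rightsGuid values defined in the AD schema).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-ReplicationAce {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    # Read the DACL of the domain naming context through the AD: drive.
    (Get-Acl -Path "AD:\$DomainDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

$aces = @(Get-ReplicationAce)
$aces | Sort-Object Right, Identity | Format-Table -AutoSize

# Check the synchronization account against what the wizard steps grant.
$mine = @($aces | Where-Object { $_.Identity -eq $SyncAccount })
if (-not ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes' })) {
    Write-Warning "$SyncAccount does not hold Replicating Directory Changes on the domain root."
}
if ($mine | Where-Object { $_.Right -eq 'Replicating Directory Changes All' }) {
    Write-Warning "$SyncAccount also holds Replicating Directory Changes All, which the steps above do not grant; review it."
}
```

The listing covers only ACEs that name one of these rights explicitly; principals with full control of the domain object hold all extended rights implicitly and will not appear in it.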