Please explain: "Replication Synchronization" permission in Active Directory

  • Question

  • I've been trying to find some good explanation on the security permission "replication synchronization" (allow or deny) in Active Directory.

    A Consultant/Expert from Oracle is implementing an OID (Oracle Internet Directory) Synchronization. OID needs to be able to see the changes in Active Directory, so we explained the DirSync control (see http://support.microsoft.com/kb/891995 and a good blog on http://blogs.technet.com/b/isrpfeplat/archive/2010/09/20/using-the-dirsync-control.aspx), which we were already using for our FIM 2010 R2 and Sharepoint Profile sync. That was supported by Oracle, but later on they asked for additional permissions in AD (support.oracle.com note 393115.1):

    • Replicate Directory Changes  => OK for me, same as FIM and Sharepoint needed
    • Replicating Directory Changes All  => OK for me
    • Replication Synchronization => ???

    The last one raised questions:
       Replication Synchronization, what does it exactly allow? What does it also allow via the LDAP interface from a non-Domain Controller?

    I've been searching for some good technical details; everything goes in the direction of "in-site replication forcing", no? Most of the information on the internet is from a troubleshooting perspective :(

    Thanks in advance for giving me insights in this matter.

    Kind Regards,
    David.


    Friday, February 1, 2013 8:38 AM

Answers

  • Replication Synchronization is a fine grained permission that is used to grant control on a partition to force a manual replication.  In this instance it sounds like the OID wants to be able to request a sync between the DC and itself.  My guess is the OID won't receive change notifications like normal DC to DC communications, so it is probably set on a timer to request updates from time to time.

    Replication Synchronization: Extended right needed to synchronize replication from a given computer.
    Applies to: Domain-DNS, DMD, Configuration
    http://technet.microsoft.com/en-us/library/cc728117(v=ws.10).aspx

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


    Friday, February 1, 2013 12:55 PM

All replies

  • Active Directory Domain Services (AD DS)

    The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin



    • Edited by bshwjt Friday, February 1, 2013 9:02 AM
    Friday, February 1, 2013 8:59 AM
  • I appreciate the feedback, and I know all that already since we've been using MIIS 2003.....
    Don't want to be rude, but this is not an answer to my question:

          "Replication Synchronization", what does it exactly allow? What does it also allow via the LDAP interface from a non-Domain Controller?

    Regards,
    David

    Friday, February 1, 2013 9:20 AM
  • AFAIK, ""Replication Synchronization is only available only on domain lebel not any other location. Wodering what you mean by "LDAP interface from a non-Domain Controller".

    Wait for someone who is more familiar.


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Friday, February 1, 2013 9:26 AM
  • > What does it also allow via the LDAP interface from a non-Domain Controller?

    What I'm trying to say is: from a non-domain controller, e.g. a Linux server with Oracle Internet Directory on it, talking via the LDAP protocol to the Active Directory.
    There's a difference between using ADSI (that is, from a Windows server/client, typically using the ADSI libraries from Microsoft, and very well documented) and using LDAP from a Java LDAPv3 library. It's similar, but people having experience in programming towards AD from non-Windows environments know what I mean ;)

    Friday, February 1, 2013 9:34 AM
  • I think that 'Replication Synchronization' only applies to DRAs and the IDL_DRSReplicaSync RPC interface: http://msdn.microsoft.com/en-us/library/cc228241.aspx. The other extended rights that contain "Changes" in their names are used by the IDL_DRSGetNCChanges RPC interface: http://msdn.microsoft.com/en-us/library/dd207691.aspx (this is what the DirSync Control uses and calls into, using a specific caller identifier that is != from the DRA).

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, February 1, 2013 10:07 AM
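A defender-side check that follows from the two explanations above: the script below (added here as an example, not code from any poster) lists which principals have been granted the three replication-related extended rights on the domain naming context. It resolves each right's GUID from the schema's Extended-Rights container by its displayName instead of hard-coding it, and also reports ACEs that grant all extended rights at once, since those implicitly include these three. It assumes the RSAT ActiveDirectory module and a domain-joined PowerShell session.

```powershell
# Added example: audit who holds the replication-related extended rights
# on the domain head. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# The three rights named in the thread; their GUIDs are looked up from the
# Extended-Rights container rather than typed in by hand.
$rightNames = 'Replicating Directory Changes',
              'Replicating Directory Changes All',
              'Replication Synchronization'
$rights = @{}
foreach ($name in $rightNames) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                       -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    $rights[[guid]$er.rightsGuid] = $name
}

# An ACE with ObjectType = empty GUID and the ExtendedRight bit grants every
# extended right, so it must be reported too.
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$domainDn"

$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag($extRight) -and
        ($rights.ContainsKey($_.ObjectType) -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object {
        $rightName = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                     else { $rights[$_.ObjectType] }
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $rightName
            Type      = $_.AccessControlType   # Allow or Deny
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Compare the output against the accounts that are supposed to synchronize (FIM, SharePoint profile sync, the OID service account) and the domain controllers themselves; anything else holding "Replicating Directory Changes All" can read every attribute in the domain, including password hashes, so it deserves the same scrutiny as a Domain Admin.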
  • Hi, by definition, Replication Synchronization allows a user to manually force the replication of the containers on which they have been assigned the Replication Synchronization permission.

    Generally we give this special permission if we want to allow someone to force replication between DCs in AD Sites and Services.

    Rgds..


    MCTS|MCSE|MCSA:Messaging|CCNA


    Friday, February 1, 2013 10:29 AM