I've been trying to find some good explanation on the security permission "replication synchronization" (allow or deny) in Active Directory.
A Consultant/Expert from Oracle is implementing an OID (Oracle Internet Directory) Synchronization. OID needs to be able to see the changes in Active Directory, so we explained the DirSync control (see http://support.microsoft.com/kb/891995 and a good blog on http://blogs.technet.com/b/isrpfeplat/archive/2010/09/20/using-the-dirsync-control.aspx) which we were already using for our FIM 2010 R2 and Sharepoint Profile sync. That was supported by Oracle, but later on they asked additional permissions in AD (support.oracle.com note 393115.1):
- Replicate Directory Changes => OK for me, same as FIM and Sharepoint needed
- Replicating Directory Changes All => OK for me
- Replication Synchronization => ???
The last one raised questions:
Replication Synchronization, what does it exactly allow? What does it also allow via the LDAP interface from a non-Domain Controller?
I've been searching for some good technical details, all goes in the direction of "in-site replication forcing", no? Most of the information on the internet are from troubleshooting perspective :(
Thanks in advance for giving me insights in this matter.
Kind Regards,
David.