This topic describes the prerequisites for the AD Sync installation and configuration. Verify that all steps below are completed before moving on to the installation step.
To write passwords to any domain target via LDAP, LDAPS or STARTTLS is required; a domain controller rejects password writes over an unencrypted connection.
Active Directory Recycle Bin can be activated only when all domain controllers in the forest run Windows Server 2008 R2 or higher. Note: Enabling Active Directory Recycle Bin is irreversible.
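As an added check (example code, not part of the original page), the following PowerShell binds to the target domain controller over LDAPS with the sync's bind account before any password write is attempted. The host name dc01.acme.com and the account ACME\svcLdapWrite are placeholders; the script only performs a bind, never a write.

```powershell
# Added example (not from the original page): verify that the target domain
# controller accepts an LDAPS bind before the sync tries to write passwords.
# Assumptions: dc01.acme.com is the target DC and ACME\svcLdapWrite is the
# account the sync will bind with; both are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 636
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    # TLS from the first byte (LDAPS). The server certificate is validated
    # against the local trust store; an untrusted or mismatched certificate
    # makes Bind() fail, which is exactly what this check should surface.
    $conn.SessionOptions.SecureSocketLayer = $true
    # Simple bind: the password travels in the bind request, so it must only
    # ever be sent inside the TLS channel.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        $conn.Dispose()
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning ("LDAPS bind to {0}:{1} failed: {2}" -f $Server, $Port, $_.Exception.Message)
        return $false
    }
}

$cred = Get-Credential -UserName 'ACME\svcLdapWrite' -Message 'Sync bind account (placeholder)'
if (Test-LdapsBind -Server 'dc01.acme.com' -Credential $cred) {
    'LDAPS bind succeeded; password writes can use this channel.'
} else {
    'Fix the LDAPS listener or its certificate on the target DC before installing the sync.'
}
```

A failure here is almost always a missing or untrusted server certificate on the DC, which is better found now than as a failed password write after installation.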
Execute the following command to enable Active Directory Recycle Bin for your forest (replace the -Target domain and the DC= components of -Identity with your own):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=acme,DC=com' -Scope ForestOrConfigurationSet -Target 'acme.com'
If you are using Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.
If enabling the Recycle Bin fails, the roles 'schema operations master' and 'domain naming operations master' are probably not held by the same domain controller in the forest.
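Because enabling the Recycle Bin cannot be undone, the following added example (not from the original page) checks the prerequisites described above before calling the page's Enable-ADOptionalFeature command, and asks for confirmation. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and reuses the forest name acme.com from the command above.

```powershell
# Added example (not from the original page): pre-flight checks before the
# irreversible Enable-ADOptionalFeature call. Assumes the ActiveDirectory
# module (RSAT) is available; the forest name acme.com is the page's example.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    param([string] $Forest = 'acme.com')

    $f  = Get-ADForest -Identity $Forest
    $ok = $true

    # 1. Every DC in every domain of the forest must run Windows Server 2008 R2 or later.
    foreach ($domain in $f.Domains) {
        $tooOld = Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -notmatch 'Server (2008 R2|201\d|202\d)' }
        foreach ($dc in $tooOld) {
            Write-Warning ("{0} runs '{1}', which is older than Windows Server 2008 R2" -f $dc.HostName, $dc.OperatingSystem)
            $ok = $false
        }
    }

    # 2. The cmdlet also requires forest functional level 2008 R2 or higher.
    if ($f.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        Write-Warning ("Forest functional level is {0}; raise it to Windows2008R2Forest or higher first" -f $f.ForestMode)
        $ok = $false
    }

    # 3. Troubleshooting hint from the page: schema master and domain naming master
    #    on different DCs is the usual cause when enabling fails.
    if ($f.SchemaMaster -ne $f.DomainNamingMaster) {
        Write-Warning ("Schema master ({0}) and domain naming master ({1}) are on different DCs" -f $f.SchemaMaster, $f.DomainNamingMaster)
    }

    # 4. Nothing to do if the feature is already enabled (the change is irreversible anyway).
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $f.DomainNamingMaster
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in forest $Forest; nothing to do."
        return $false
    }
    return $ok
}

if (Test-RecycleBinPrerequisites -Forest 'acme.com') {
    # -Confirm prompts before the irreversible change is made.
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=acme,DC=com' `
        -Scope ForestOrConfigurationSet -Target 'acme.com' -Confirm
}
```

The role check only warns, since the page describes it as a likely cause rather than a hard requirement; the operating-system and functional-level checks block the call.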
Because each Active Directory domain controller increments its own update sequence number (uSNChanged), use only one source domain controller per AD forest for the synchronization, so that a single, unique, incrementing sequence number is read. The Primary Domain Controller (PDC) is usually the preferred source.
Because multiple domain controllers in a forest often replicate each object with a short delay, use only one domain controller as the target for the synchronization, so that target LDAP queries return current results.
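The following added example (not from the original page) makes the reason behind both rules visible: it reads the same object from every DC in the domain and prints each DC's own uSNChanged and highestCommittedUSN, then runs the delta query a sync would issue against the single chosen source DC. It assumes the ActiveDirectory module on a domain-joined host; $lastUsn is a constructed checkpoint value standing in for the one the sync would have persisted after its previous run.

```powershell
# Added example (not from the original page): pick the PDC emulator as the single
# source DC and show why pinning one DC matters. Assumes the ActiveDirectory
# module on a domain-joined host; $lastUsn is a constructed checkpoint value.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$sourceDc = $domain.PDCEmulator     # one fixed source DC for the whole sync

# Same object, different USN on every DC: each DC keeps its own counter, so the
# uSNChanged of the domain head (which exists everywhere) differs from DC to DC.
Get-ADDomainController -Filter * | ForEach-Object {
    $obj  = Get-ADObject -Identity $domain.DistinguishedName -Server $_.HostName -Properties uSNChanged
    $root = Get-ADRootDSE -Server $_.HostName
    [pscustomobject]@{
        DomainController    = $_.HostName
        IsPDC               = ($_.HostName -eq $sourceDc)
        uSNChanged          = [int64]$obj.uSNChanged
        highestCommittedUSN = [int64]$root.highestCommittedUSN
    }
} | Format-Table -AutoSize

# Delta query the sync would run: every user changed since the stored checkpoint,
# always against the same source DC so that the USN values are comparable.
$lastUsn    = 123456                                              # constructed checkpoint
$checkpoint = [int64](Get-ADRootDSE -Server $sourceDc).highestCommittedUSN
Get-ADObject -Server $sourceDc -LDAPFilter "(&(objectClass=user)(uSNChanged>=$lastUsn))" -Properties uSNChanged |
    Sort-Object uSNChanged |
    Select-Object Name, uSNChanged

"Next run should start from USN $($checkpoint + 1) on $sourceDc"

# The target side follows the same rule: pin one DC (here the target domain's
# PDC emulator; 'target.example' is a placeholder) for every query and write,
# so the sync never reads a replica that has not yet received its own change.
$targetDc = (Get-ADDomain -Server 'target.example').PDCEmulator
```

Switching the -Server value between runs would make the stored checkpoint meaningless, because the USN read from a different DC belongs to a different counter.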
A domain user with Read permissions on the objects and attributes to be synced (as a domain user normally has on all objects and descendants in AD). An additional permission on 'Deleted Objects' is required; add the required ACL on that container.
To change CN=Deleted Objects, log in as a Domain Administrator; you probably have to take ownership before you can change the ACL on that container:
dsacls "CN=Deleted Objects,DC=acme,DC=com" /takeownership
Give the LIST CONTENTS and READ PROPERTY permissions (LCRP) to the LDAP bind account used for the sync:
dsacls "CN=Deleted Objects,DC=acme,DC=com" /G ACME\svcLdapRead:LCRP
See also: Microsoft KB892806
A domain user with FULL PERMISSION on the target OU and all descendant objects (Applies to: This object and all descendant objects) into which objects will be synced.
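The following added example (not from the original page) applies both ACL prerequisites above, the read access on CN=Deleted Objects for the source bind account and full control on the target OU for the target bind account, and then verifies them rather than trusting the dsacls exit code. It reuses the page's account ACME\svcLdapRead and container CN=Deleted Objects,DC=acme,DC=com; the target account ACME\svcLdapWrite and the OU OU=SyncTarget,DC=acme,DC=com are placeholders. Run it as a Domain Administrator.

```powershell
# Added example (not from the original page): apply and verify the ACL
# prerequisites for the source (read) and target (write) accounts.
# ACME\svcLdapRead and CN=Deleted Objects,DC=acme,DC=com come from the page;
# ACME\svcLdapWrite and OU=SyncTarget,DC=acme,DC=com are placeholders.
Import-Module ActiveDirectory

$deletedObjects = 'CN=Deleted Objects,DC=acme,DC=com'
$readAccount    = 'ACME\svcLdapRead'
$targetOu       = 'OU=SyncTarget,DC=acme,DC=com'   # assumed target OU
$writeAccount   = 'ACME\svcLdapWrite'              # assumed target bind account

# --- Source side: LIST CONTENTS + READ PROPERTY on Deleted Objects (KB892806) ---
dsacls $deletedObjects /takeownership | Out-Null
dsacls $deletedObjects /G "${readAccount}:LCRP" | Out-Null

# --- Target side: full control (GA) on the OU; /I:T = this object and all descendants ---
dsacls $targetOu /I:T /G "${writeAccount}:GA" | Out-Null

# Verify the Deleted Objects ACE: dsacls with no options prints the ACL, so filter
# for the account and expect LIST CONTENTS and READ PROPERTY.
dsacls $deletedObjects | Select-String -Pattern ([regex]::Escape($readAccount)) -Context 0, 3

# Verify the target OU through the AD: drive; expect GenericAll with InheritanceType All.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $writeAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# End-to-end check as the read account against the single source DC: the container
# itself must be readable (throws if the LC right is missing), and a deleted object
# listing must not fail. An empty list is fine when nothing has been deleted yet.
$sourceDc = (Get-ADDomain).PDCEmulator
$readCred = Get-Credential -UserName $readAccount -Message 'Sync read account'
try {
    Get-ADObject -Identity $deletedObjects -IncludeDeletedObjects -Server $sourceDc -Credential $readCred | Out-Null
    Get-ADObject -Server $sourceDc -Credential $readCred -SearchBase $deletedObjects -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true' -Properties lastKnownParent, whenChanged |
        Select-Object -First 5 Name, lastKnownParent, whenChanged
    "Read account can see CN=Deleted Objects on $sourceDc."
} catch {
    Write-Warning ("Read account cannot access CN=Deleted Objects: {0}" -f $_.Exception.Message)
}
```

The write account is only checked through its ACE, not by performing a write, so the verification is safe to repeat on a production domain.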