I had some problems getting the SharePoint User Profile import to work. I finally managed to get it to work; here is how I did it.
First let me explain the situation.
I have 2 domains which are part of the same forest, Domain A and Domain B.
Domain A was the first domain ever created, and Domain B is a new domain in the same forest. I’m setting up a new SharePoint Server which will be part of Domain B.
I set up an Active Directory Synchronization Connection in the User Profile Service Application. This connection will import the user profiles of Domain B, so it will be established with the farm account of SharePoint 2010.
Every time I tried to run a Full Profile Import it failed.
As this TechNet article states, your service account needs the Replicating Directory Changes permission on your Active Directory. I did give it that permission, but it still failed; it seems that this is because of my domain setup. Read on, and it will all become clear.
Whenever you create a Sync connection, SP2010 will use Forefront Identity Manager 2010 to do the import of the AD accounts. The nice thing is that you can manage this by opening the “Synchronization Service Manager” (SSM) on your SP2010 server. This tool is started by executing the command:
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
With this tool you can also view what is going wrong with your Synchronization jobs.
Click on [Management Agents]; you will then see your connection profile. You can right-click it, choose the run command and select [DS_FullImport]. In my case this resulted in the error: Replication access was denied – Error Code: 8453.
In the SSM I opened the properties of my connection. Under the option “Configure Directory Partitions” I noticed 2 directory partitions named “CN=Configuration, DC=<domain A>, DC=COM” and “DC=<Domain B>, DC=COM”.
As my sync kept failing on the first step, which obviously was the “CN=Configuration….” partition, I concluded that I had to give the farm account the “Replicating Directory Changes” permission on my Configuration partition.
For this I opened the ADSI editor on the domain controller of Domain A, and selected [Configuration] in the “Select a well known Naming Context:” drop-down box. Next, open the properties of this partition and select the Security tab.
I then added the farm account and gave it the “Read” and “Replicating Directory Changes” rights. This made sure that the Profile Import started working correctly.
Note: don’t forget to give the “Read” and “Replicating Directory Changes” rights to your farm account on Domain B as well, as I stated earlier, or else step 2 of the synchronization job will fail.
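One way to confirm both grants before rerunning the import, and to see who else holds the same right on those partitions, as an added example that is not part of the original post. The account name DOMAINB\sp_farm is a hypothetical placeholder; the GUID is the schema identifier of the “Replicating Directory Changes” control access right, and the script assumes it is run on a machine joined to Domain B.

```powershell
# Added example (not from the original post).
# Lists who holds "Replicating Directory Changes" on the two partitions the
# sync connection reads, and reports whether the farm account is among them.
$FarmAccount = 'DOMAINB\sp_farm'   # hypothetical account name, replace with yours

# Control access right DS-Replication-Get-Changes ("Replicating Directory Changes")
$ReplChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$SidType     = [System.Security.Principal.SecurityIdentifier]
$ExtRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ReplicationAce {
    param([string]$PartitionDN)
    $entry = [ADSI]"LDAP://$PartitionDN"
    # Explicit and inherited ACEs, identities returned as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $SidType)
    foreach ($ace in $rules) {
        $isExtended = ($ace.ActiveDirectoryRights -band $ExtRight) -ne 0
        # An empty ObjectType on an extended-right ACE means "all extended rights"
        $covers = ($ace.ObjectType -eq $ReplChanges) -or ($ace.ObjectType -eq [Guid]::Empty)
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $covers) { $ace }
    }
}

$farmSid = (New-Object System.Security.Principal.NTAccount($FarmAccount)).Translate($SidType).Value

# RootDSE of the domain this machine is joined to (Domain B in the post);
# the configuration partition DN is shared by the whole forest.
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = @([string]$rootDse.configurationNamingContext,
                [string]$rootDse.defaultNamingContext)

foreach ($dn in $partitions) {
    $aces = @(Get-ReplicationAce -PartitionDN $dn)
    $farm = @($aces | Where-Object { $_.IdentityReference.Value -eq $farmSid })
    "{0}: farm account has direct grant = {1}" -f $dn, ($farm.Count -gt 0)
    $aces | ForEach-Object { "    " + $_.IdentityReference.Value }   # every holder, as SID
}
```

Only direct grants to the account are matched; a grant through group membership appears in the list as the group's SID. The list is also worth reviewing on its own, since this right allows reading replicated directory data and should be held by as few accounts as possible.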
2 Responses to SP2010: User Profile Import
Rajesh
October 1st, 2010 at 08:11
I found a nice post about this issue and a solution for it at the URL below.
http://sensoft2000-sharepoint.blogspot.com/2010/08/error-replication-access-was-denied.html
SharePoint2010
February 26th, 2011 at 08:33
Thanks for the good post. For configuring I found a nice post here.
http://sharepoint-2010-world.blogspot.com/2011/02/configure-user-profile-sync-in.html
It may help the guys who are starting fresh. Keep up the good work.