“Replicating Directory Changes” Permission (without write permission) for User Profile Sync

The Synchronization Service Account used to connect to User Profile Synchronization (UPS) requires the “Replicating Directory Changes” permission; every domain that is being synchronized needs to delegate this permission to the service account. This permission allows the service account to query the directory (AD DS) for changes, and with this permission alone nothing can be updated in AD.

The UPS service uses the DirSync control, an LDAP extension that searches an Active Directory partition for objects that have changed. Each DirSync search UPS performs carries a cookie that identifies the directory state at the time of an earlier DirSync query. For the first search the program passes an empty cookie, and AD returns all objects that satisfy the query. AD also returns an updated cookie that can be passed to the next search to obtain only the changes made since the first search. This process repeats for every synchronization.

DirSync searches are performed against the whole AD partition and return all changes made to AD objects, regardless of the permissions set on the individual objects. They also return deleted objects.

However, to run the DirSync control the service account must have the Replicating Directory Changes permission, and again there is no workaround: User Profile Synchronization cannot sync without it.
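As an added example (not code from the original post, nor from SharePoint or Microsoft), the following PowerShell audits the delegation described above on one domain and, where the right is missing, grants exactly that one extended right on the domain head. It assumes the ActiveDirectory RSAT module is available and uses the placeholder domain DN `DC=contoso,DC=local` and account `CONTOSO\svc-upsync`. It also reports whether the account has been given the broader “Replicating Directory Changes All” right or any write right, neither of which UPS needs: the “All” variant additionally allows replication reads of secret attributes such as password hashes, so a least-privilege delegation stops at “Replicating Directory Changes” alone.

```powershell
<#
 Added example (not from the original post): audit, and optionally delegate, the
 "Replicating Directory Changes" extended right for the UPS synchronization account
 on one domain naming context. Requires the ActiveDirectory module (RSAT) and a
 session that can read (and, for the grant, write) the domain head's ACL.
 Assumed placeholder values: DC=contoso,DC=local and CONTOSO\svc-upsync.
#>
Import-Module ActiveDirectory

# controlAccessRight GUIDs from the AD schema. UPS needs only the first one;
# the second additionally exposes secret attributes to replication reads.
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All

$WriteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)

function Test-UpsReplicationRight {
    param(
        [Parameter(Mandatory)] [string] $DomainDN,        # e.g. DC=contoso,DC=local
        [Parameter(Mandatory)] [string] $ServiceAccount   # e.g. CONTOSO\svc-upsync
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"

    # Allow ACEs on the domain head that name this principal.
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $ServiceAccount -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    }
    # Of those, the ACEs that carry the ExtendedRight bit.
    $extended = $allow | Where-Object {
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
    }
    # An ExtendedRight ACE with an empty ObjectType grants *every* extended right,
    # including Get-Changes-All, so it counts as over-delegation here.
    $allExtended = [bool]($extended | Where-Object { $_.ObjectType -eq [Guid]::Empty })

    [pscustomobject]@{
        DomainDN         = $DomainDN
        ServiceAccount   = $ServiceAccount
        HasGetChanges    = $allExtended -or [bool]($extended | Where-Object { $_.ObjectType -eq $GetChanges })
        HasGetChangesAll = $allExtended -or [bool]($extended | Where-Object { $_.ObjectType -eq $GetChangesAll })
        HasWriteRights   = [bool]($allow | Where-Object { ([int]$_.ActiveDirectoryRights -band $WriteMask) -ne 0 })
    }
}

function Grant-UpsReplicationRight {
    param(
        [Parameter(Mandatory)] [string] $DomainDN,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Exactly one extended right, scoped by GUID, on the domain head object only
    # (no inheritance), which is where DirSync checks for it.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
}

# Usage (placeholder values): audit first, grant only what is missing, flag excess.
$domainDN = 'DC=contoso,DC=local'
$account  = 'CONTOSO\svc-upsync'

$report = Test-UpsReplicationRight -DomainDN $domainDN -ServiceAccount $account
$report | Format-List

if (-not $report.HasGetChanges) {
    Grant-UpsReplicationRight -DomainDN $domainDN -ServiceAccount $account
}
if ($report.HasGetChangesAll -or $report.HasWriteRights) {
    Write-Warning "$account is over-delegated on $domainDN; UPS needs only Replicating Directory Changes."
}
```

Run the audit once per synchronized domain, since the post notes that every domain in scope must delegate the right separately; the grant uses the GUID-scoped ACE rather than a blanket ExtendedRight so the account ends up with the read-only change-tracking right and nothing more.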