This will be just a quick note to present a problem I've encountered and a quick solution; I haven't had time to dig into the guts of this issue, but I will try to in the future.

Simple scenario: ILM connecting to Active Directory through the standard AD Management Agent.

Active Directory environment: single forest with multiple domains.

ILM setup: ILM was set up in one of the child domains, and the ILM service account (AD MA account) was created in the same domain.

The AD MA was set up and configured properly, without any problems. Appropriate permissions were configured at the directory level, including the Replicating Directory Changes right, as described in the documentation.

When I tried to perform the initial "full import" operation, the connection to the directory port was successful; however, the operation failed almost immediately with a failed-search error and error code 8453, which translates to:

C:\>err 8453
# for decimal 8453 / hex 0x2105
  ERROR_DS_DRA_ACCESS_DENIED                                    
# Replication access was denied.

In other cases, if I had not set it up myself, I would tell anyone to double-check whether the permissions were delegated properly. To be honest … I did double-check myself :). Everything was as it should be.
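As an added example (not code from the original post), here is the kind of double-check I would script for a multi-domain forest rather than clicking through the ACL editor: it confirms that the AD MA account holds the Replicating Directory Changes extended right on the head of every domain partition, either directly or through (nested) group membership. The GUID is the rightsGuid of the DS-Replication-Get-Changes control access right; the parameter values and account names are illustrative, and the script assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain heads' security descriptors.

```powershell
<#
  Added example; not code from the original post.
  Verifies that the AD MA service account holds the "Replicating Directory Changes"
  extended right on every domain partition in the forest, directly or through
  (nested) group membership. In a multi-domain forest the right must be delegated
  on each domain the MA imports from, so every domain is checked.
  Assumes the RSAT ActiveDirectory module, a domain-joined host and read access to
  the domain heads' security descriptors. Parameter values below are illustrative.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # e.g. 'svc_ilm_adma'
    [Parameter(Mandatory)] [string] $AccountDomain    # DNS name of the account's domain, e.g. 'child.corp.example'
)

Import-Module ActiveDirectory

# rightsGuid of the DS-Replication-Get-Changes control access right
# ("Replicating Directory Changes" in the ACL editor).
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Collect the SIDs the account carries in its token: its own SID plus every
# group (nested ones included) from the constructed tokenGroups attribute,
# so a right delegated to a group is not missed.
$user = Get-ADUser -Identity $SamAccountName -Server $AccountDomain
$tokenSids = [System.Collections.Generic.HashSet[string]]::new()
[void]$tokenSids.Add($user.SID.Value)

$userEntry = [ADSI]"LDAP://$AccountDomain/$($user.DistinguishedName)"
$userEntry.RefreshCache(@('tokenGroups'))   # constructed attribute: must be requested explicitly
foreach ($sidBytes in $userEntry.Properties['tokenGroups']) {
    $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0)
    [void]$tokenSids.Add($sid.Value)
}

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($domain in (Get-ADForest).Domains) {
    $domainDn    = (Get-ADDomain -Identity $domain).DistinguishedName
    $domainEntry = [ADSI]"LDAP://$domain/$domainDn"

    # Read the DACL with identities as SIDs so they compare against the token list.
    $rules = $domainEntry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $relevant = $rules | Where-Object {
        $tokenSids.Contains($_.IdentityReference.Value) -and (
            # GenericAll implies every extended right; otherwise an ExtendedRight ACE
            # must name this control access right or all rights (empty ObjectType).
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
            (($_.ActiveDirectoryRights -band $extendedRight) -and
             ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq [guid]::Empty))
        )
    }

    $allowed = @($relevant | Where-Object AccessControlType -eq 'Allow')
    $denied  = @($relevant | Where-Object AccessControlType -eq 'Deny')

    # A matching Deny ACE on the domain head overrides any Allow, so report both.
    [pscustomobject]@{
        Domain                      = $domain
        ReplicatingDirectoryChanges = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
        GrantedVia                  = ($allowed | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        DeniedVia                   = ($denied  | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}
```

Run it as .\Check-ReplRight.ps1 -SamAccountName svc_ilm_adma -AccountDomain child.corp.example and look for any domain reporting ReplicatingDirectoryChanges = False. Note that this only verifies the delegation itself; it would have come back clean in the case described in this post, where the ACL was correct and the cure was the domain name format in the MA's account settings.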

I double-checked my MA configuration and, just in case, changed the domain in the account information from the NetBIOS (short) name to the FQDN … and yes, you are right … it started to work right away. However, in the same environment earlier (ok, a few months ago) it worked with the original configuration.

I will try to nail it down in a lab by sniffing network traffic, but in case somebody is affected by a similar problem, you can try checking your account logon information.