When looking through the event log on a SharePoint 2010 server I noticed the error:
The management agent “MOSSAD-DOMAIN.NAME” failed on run profile “DS_FULLIMPORT” because of connectivity issues.
Discovery Errors : “0″
Synchronization Errors : “0″
Metaverse Retry Errors : “0″
Export Errors : “0″
Warnings : “0″
View the management agent run history for details
In order to view further details of the error I opened MIISClient.exe, which is located in C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell.
Using MIISClient.exe I was able to see the user import task taking place in real time and saw the status “stopped-connectivity” against one import task. Clicking on the import task showed the connectivity issue was related to a missing permission on the CN=Configuration container in our parent domain. The user import task was attempting to import users from our child domain.
The error occured because the import task imports users from our child domain and the Replicate Directory Changes permission needed to be applied to the CN=Configuration container in our parent domain.
To grant the permission, open ADSIEdit.msc and connect to the configuration naming context. Right-click on the CN=Configuration,DC=XXX container, choose permissions and grant Replicate Directory Changes permission to the user account used for the user import.