Solved it! Only the web front-end server had access via LDAP; the app server (where the timer job was running) was blocked in the firewall. When it was opened, it worked!
SharePoint User Profile Sync - The server is not operational
We have a DomainA (company.local, COMPANY) that has a one-way trust to DomainB (corp.contoso.com, CORP).
SharePoint 2016 resides in DomainA, and in User Profile Sync connections we set up a connection to DomainB (with an account that exists in DomainB, CORP\syncacc). We can click on "Populate" and the OUs from DomainB are listed and we can select the OUs we want. We use port 389, and the settings are saved.
But when the User Profile Sync job is executing, there is an error in the ULS logs that says:
ActiveDirectory Import failed for ConnectionForectName 'corp.contoso.com', ConnectionSynchronizationOU 'DC=corp,DC=contoso,DC=com', ConnectionUserName 'CORP\syncacc'. Error message: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at Microsoft.Office.Server.UserProfiles.ADImport.ProfileConfiguration.GetDomain(LdapConnection ldapConnection, String rootDN, String dcName, String userName, String password, Boolean doNotChaseReferrals)
at Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportJob.SetupLdapImportDomain(UserProfileADImportMapping mapping, ProfileConfiguration profileConfig, String spssPassword, NetworkCredential cred)
No users or groups are synced from DomainB.
The user "CORP\syncacc" has the "Replicating Directory Changes" permission in DomainB and it works in PeoplePicker, so that users can be selected from DomainB in permission settings.
ChelseaWu-MSFT 6,331 Reputation points
2021-01-25T03:11:02.743+00:00
The sync user account CORP\syncacc should have "Replicating Directory Changes" permission in Domain A as well in SharePoint Server 2016, referring to another post with a similar issue: Profiles not importing from trusted domain. Check out this post and see if you can find anything useful. Also, please double-check the permissions you need for the synchronization account:
https://learn.microsoft.com/en-us/SharePoint/administration/plan-profile-synchronization-for-sharepoint-server-2013?redirectedfrom=MSDN#active-directory-domain-services-ad-ds
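The accepted answer traced the error to LDAP being open from the web front end but blocked from the application server that runs the timer job. The following added example (not part of the original thread) checks that per server: it finds DomainB's domain controllers via DNS, tests TCP 389, and attempts an LDAP bind with the sync account. The domain name, port and account come from the question; the DNS SRV lookup and the result column names are assumptions of this example.

```powershell
# Added example: run on EVERY SharePoint farm server (web front ends and the
# application server hosting the timer job) and compare the output.
param(
    [string]$Domain = 'corp.contoso.com',  # DomainB from the question
    [int]$Port = 389                       # LDAP port used by the sync connection
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Prompts for the password of the sync account named in the question.
$cred = Get-Credential -Credential 'CORP\syncacc'

# Locate domain controllers the way a domain client does: DNS SRV records.
$dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    # Step 1: is the TCP port reachable from this server at all?
    $tcp  = Test-NetConnection -ComputerName $dc -Port $Port -WarningAction SilentlyContinue
    $bind = 'skipped (port closed)'

    if ($tcp.TcpTestSucceeded) {
        # Step 2: can the sync account authenticate over LDAP from here?
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential())
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Timeout  = [TimeSpan]::FromSeconds(10)
        try     { $conn.Bind(); $bind = 'ok' }
        catch   { $bind = "failed: $($_.Exception.Message)" }
        finally { $conn.Dispose() }
    }

    [pscustomobject]@{
        Source   = $env:COMPUTERNAME
        Target   = $dc
        TcpOpen  = $tcp.TcpTestSucceeded
        LdapBind = $bind
    }
}

$results | Format-Table -AutoSize
```

A server where `TcpOpen` is `False` for every domain controller matches the firewall block described in the accepted answer, while a failed bind with the port open points at the account or trust instead.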