The ePO 4.X AD Sync does not write anything to the AD so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.
Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.
However, using our standard EPO (domain user) account from the original 2003 domain works fine.
I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.
Since the trust between is only 1 way, we couldn't use a domain-user account in the new/2008 domain. Using a domain-user account in the original domain (the trustED domain) did work.