I have ADLDS instance in forest A.
I used Network Service as the service account. Also I opened a port and set the regkey to lock down the RPC port used. I set up the replica in forest B (both forests are not trusted). The replica completed with all the objects from the instance in forest A, but then no further changes occurred. I found errors in the event log complaining of invalid credentials. After further investigation I found this article about ADAM, http://windowsitpro.com/networking/getting-know-adam, which mentions:

"If your system isn't a member of a domain, you need to use a named user account if the instance is a replica or if you intend to create replicas of the instance later; for replication to work, the username and password must be the same for all instances."

I took this to mean the same applied if the system was not in the same forest. I created two local accounts with the same username and password, uninstalled both instances and re-installed both instances using this local account as the service account. Still getting replication issues.

Here's an error on the instance in forest B:
The directory server has failed to update the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.
Additional Data
SCP object DN:
[]
Error value:
1326 The user name or password is incorrect.
Server error:
(n/a)
Internal ID:
3390071
AD LDS service account:
server2\svc-ADLDS
Here's an error that I get on the instance in forest A:
The directory server has failed to update the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.
Additional Data
SCP object DN:
[]
Error value:
1326 The user name or password is incorrect.
Server error:
(n/a)
Internal ID:
3390071
AD LDS service account:
server1\svc-ADLDS
User Action
If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account.
If AD LDS is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.
ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.
Any help would be greatly appreciated!
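An added troubleshooting script (not part of the question above) to run on each AD LDS host: it reports which account the instance service actually runs as, checks that the local account exists, verifies the password you believe it has really logs on locally, and pulls the recent SCP/credential errors from the instance's event log. The instance name "ADLDSInstance" is a placeholder; the service name ADAM_<instance> and log name "ADAM (<instance>)" are the standard AD LDS names. Get-LocalUser assumes a current Windows build with the LocalAccounts module.

```powershell
# Added example, not from the original post. Run separately on server1 and server2
# and compare the output; replace the placeholder instance name with yours.
param([string]$InstanceName = "ADLDSInstance")

# 1. Which account is the instance actually running as? The service is ADAM_<instance>.
$svc = Get-CimInstance Win32_Service -Filter "Name='ADAM_$InstanceName'"
if (-not $svc) { throw "No AD LDS service named ADAM_$InstanceName on $env:COMPUTERNAME" }
"Service {0} runs as '{1}' (state: {2})" -f $svc.Name, $svc.StartName, $svc.State

# 2. For replication between untrusted forests the local accounts must match in
#    name AND password on every host. The name is visible here; the password is
#    only provable by logging on with it (step 4).
$user = ($svc.StartName -split '\\')[-1]
if ($svc.StartName -like ".\*" -or $svc.StartName -like "$env:COMPUTERNAME\*") {
    $local = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
    if ($local) {
        "Local account '$user': enabled={0}, passwordExpires={1}" -f $local.Enabled, $local.PasswordExpires
    } else {
        Write-Warning "Service account '$user' does not exist as a local user on this host"
    }
}

# 3. Recent errors from the instance's own log that match the question's symptoms
#    (error 1326 = bad user name or password, and the serviceConnectionPoint update).
$log = "ADAM ($InstanceName)"
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.Message -match '1326|serviceConnectionPoint' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Prove the password: validate a local logon for the account. The same check,
#    with the same password, must succeed on the other host or replication will
#    keep failing with 1326.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx   = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')
$pw    = Read-Host "Password for $user" -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
"Local logon for '$user' valid: {0}" -f $ctx.ValidateCredentials($user, $plain)
```

If step 4 reports $false on either host, the two local accounts do not share the password the replica is presenting, which is exactly the condition the 1326 errors describe.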