Question: Why are replicate-directory-changes permissions needed to synchronize with AD and on what in AD?
Answer: In order to interrogate AD about “what has changed since time xyz”, we need the replicate-directory-changes permissions on each partition being synchronized, for example the domain partition. These permissions are needed in particular to read data in the Deleted Objects container of the partition. Standard users do not have permission to read the contents of this container, and we cannot simply grant rights over that container to the synchronization account.
In RC we also require these permissions on the cn=Configuration container, in order to access the NetBIOS information for the domain (we are working to fix this for RTM, so these container permissions will be required only if your NetBIOS name is different from your domain name).
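The "what has changed since" query the answer describes is an LDAP DirSync search. The following PowerShell script is an added example, not code from the original Q&A or from the synchronization product it describes: it runs a DirSync search against one naming context with the .NET `System.DirectoryServices` classes and persists the returned cookie so the next run receives only the delta. The domain DN `DC=example,DC=com` and the cookie path are placeholders; the account running it must hold the replicate-directory-changes right on that partition, which is exactly why the synchronization account needs it, and deleted objects surface in the results with their Deleted Objects container DN.

```powershell
# Added example (not from the original Q&A): delta synchronization of one AD
# partition using the DirSync control via System.DirectoryServices.
# Assumptions: a domain-joined Windows host, and placeholder values below.
Add-Type -AssemblyName System.DirectoryServices

$partitionDn = 'DC=example,DC=com'                 # placeholder: partition being synchronized
$cookieFile  = Join-Path $env:TEMP 'dirsync-cookie.bin'   # placeholder: where the delta cookie is kept

# Return the first value of a result property, or $null if the DC did not send it
# (DirSync only returns the attributes that changed, so most properties may be absent).
function Get-FirstValue {
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name) -and $Properties[$Name].Count -gt 0) { $Properties[$Name][0] } else { $null }
}

function Get-PartitionChanges {
    param(
        [Parameter(Mandatory)][string]$PartitionDn,
        [Parameter(Mandatory)][string]$CookieFile
    )
    # DirSync must be rooted at the head of a naming context (domain, configuration, ...).
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PartitionDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.AddRange(@('objectClass', 'isDeleted', 'whenChanged'))

    # The DirSync control asks the DC for everything changed since the cookie.
    # No cookie means a full initial read; the DC hands back a new cookie for the next delta.
    $sync = New-Object System.DirectoryServices.DirectorySynchronization
    if (Test-Path $CookieFile) {
        $sync.ResetDirectorySynchronizationCookie([IO.File]::ReadAllBytes($CookieFile))
    }
    $searcher.DirectorySynchronization = $sync

    $results = $searcher.FindAll()
    foreach ($r in $results) {
        $isDeleted = Get-FirstValue $r.Properties 'isdeleted'
        [pscustomobject]@{
            # Deleted objects come back with a DN under CN=Deleted Objects,<partition>;
            # reading them is what requires the replicate-directory-changes right.
            Path        = $r.Path
            Deleted     = [bool]$isDeleted
            WhenChanged = Get-FirstValue $r.Properties 'whenchanged'
        }
    }
    $results.Dispose()

    # Persist the cookie so the next run only receives changes made after this one.
    [IO.File]::WriteAllBytes($CookieFile, $sync.GetDirectorySynchronizationCookie())
}

Get-PartitionChanges -PartitionDn $partitionDn -CookieFile $cookieFile | Format-Table -AutoSize
```

Run it twice: the first run returns every object in the partition, the second only what changed in between, including tombstones of deleted objects. Without the replicate-directory-changes right on the partition the DC rejects the DirSync control outright, which is the failure mode the answer is describing.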
Question: Do the replicate-directory-change permissions allow the holder to modify AD?
Answer: The holder cannot modify AD using these permissions.
Question: What additional privileges are granted (beyond the ability to read and inquire of delta changes) with replicate-directory-changes permissions?
Answer: The holder can read all AD data in the domain, except passwords. Note that most of the directory information is readable by everyone by default, including data in the configuration partition.
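Because the right grants domain-wide read access, a practitioner will want to verify who actually holds it on the partitions the answers mention. The script below is an added example, not code from the original Q&A or from the synchronization product: it reads the ACL of the domain and configuration partitions with the ActiveDirectory RSAT module and reports every ACE that grants one of the replication extended rights (the three `rightsGuid` values are the well-known schema values, not from the page), including ACEs that imply them through GenericAll or an unscoped ExtendedRight grant.

```powershell
# Added example (not from the original Q&A): audit which principals hold the
# replication control-access rights on a partition's ACL.
# Assumes the ActiveDirectory module (RSAT) and permission to read the partition's security descriptor.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication extended rights in the AD schema.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$PartitionDn)

    $acl = Get-Acl -Path "AD:\$PartitionDn"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString().ToLower()

        # Decide whether this ACE grants (or denies) a replication right, directly or by implication.
        $matched = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $matched = 'GenericAll (implies all replication rights)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType covers every extended right on the object.
                $matched = 'All extended rights (implies all replication rights)'
            } elseif ($replicationRights.ContainsKey($guid)) {
                $matched = $replicationRights[$guid]
            }
        }
        if (-not $matched) { continue }

        [pscustomobject]@{
            Partition = $PartitionDn
            Identity  = $ace.IdentityReference.Value
            Right     = $matched
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

# Check the domain partition being synchronized and the configuration partition the answer mentions.
$rootDse = Get-ADRootDSE
@($rootDse.defaultNamingContext, $rootDse.configurationNamingContext) |
    ForEach-Object { Get-ReplicationRightHolders -PartitionDn $_ } |
    Sort-Object Partition, Identity |
    Format-Table -AutoSize
```

Expect the domain controller groups, the built-in administrative groups and the synchronization account in the output. Of the three rights, DS-Replication-Get-Changes-All is the one full replication between domain controllers uses and is the one to watch most closely; the synchronization account described on this page needs only DS-Replication-Get-Changes, so any other principal holding the "All" variant on the domain partition deserves an explanation.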