The One Identity Manager (1IM) Service Account requires specific permissions and group memberships so that the service can connect to the domain correctly and certain functions, e.g. Schema Load, can complete successfully.
What are the requirements?
Ensure the service account is a member of the Domain Admins group, as described in the Administration Guide for Connecting to Active Directory, section "Users and permissions for synchronizing with Active Directory":
The Identity Manager Service user account for synchronizing an Active Directory environment requires the following access rights to the synchronization base object:
• Member of the Active Directory group "Domain administrators"
Due to the Active Directory structure, in a hierarchical domain structure the Identity Manager Service user account of a subdomain should also be a member of the group "Enterprise Admins".
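As an added check (not part of the One Identity documentation), the following PowerShell script verifies both memberships described above for a given service account, resolving the groups by their well-known RIDs (512 for Domain Admins, 519 for Enterprise Admins) so that localized group names such as "Domain administrators" do not matter, and checking Enterprise Admins only when the account's domain is a child domain. It assumes the ActiveDirectory RSAT module and read access to the domain; the account name is a placeholder.

```powershell
# Added example, not from the One Identity documentation.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-1im-sync'   # placeholder: replace with the real sAMAccountName

$domain = Get-ADDomain
$forest = Get-ADForest
$user   = Get-ADUser -Identity $ServiceAccount -Server $domain.DNSRoot

# Resolve groups by well-known RID instead of display name: the guide says
# "Domain administrators", Active Directory itself shows "Domain Admins".
$domainAdminsSid     = "$($domain.DomainSID)-512"
$rootDomain          = Get-ADDomain -Identity $forest.RootDomain
$enterpriseAdminsSid = "$($rootDomain.DomainSID)-519"

function Test-RecursiveMembership {
    param([string]$GroupSid, [string]$Server, [string]$UserDN)
    # -Recursive follows nested groups, so indirect membership also counts.
    $members = Get-ADGroupMember -Identity $GroupSid -Server $Server -Recursive
    return [bool]($members | Where-Object { $_.distinguishedName -eq $UserDN })
}

$hasDomainAdmins = Test-RecursiveMembership -GroupSid $domainAdminsSid `
    -Server $domain.DNSRoot -UserDN $user.DistinguishedName
"Domain Admins ($($domain.DNSRoot)): $hasDomainAdmins"

# The Enterprise Admins requirement applies to an account in a subdomain of a
# hierarchical forest, i.e. when the account's domain has a parent domain.
if ($domain.ParentDomain) {
    $hasEnterpriseAdmins = Test-RecursiveMembership -GroupSid $enterpriseAdminsSid `
        -Server $rootDomain.DNSRoot -UserDN $user.DistinguishedName
    "Enterprise Admins ($($rootDomain.DNSRoot)): $hasEnterpriseAdmins"
}
```

Run it as an account with read access to the domain (and, for a subdomain, to the forest root domain); a `False` result for a required group is what to correct before running a Schema Load.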