2) Is this account not used in the sync tool itself to connect to AD and in the connector configuration to connect to AD?
On the "connect your directories" page in the custom setting setup wizard we need to enter credentials:
1) This account is used in the sync tool itself to connect to AD and in the connector configuration to connect to AD?
2) This account we enter can only be a domain user, right?
3) This blog (https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-aadconnect-account-summary/) speaks about setting additional permissions on the account if we use a specific scenario such as password sync and hybrid environment. The blog post describes which permissions are needed but not how to set these. Is there a guide on how to set these permissions? Is there a script to set these permissions?
Hello,
Regarding the first part of the questions:
1) Yes, this account is used for the sync service only.
2) No, only to run the sync service, and also to access the underlying SQL database.
For the second part:
1) Yes, you need one account to connect to Azure and 1 account to connect to each forest, and the accounts are only used to connect to AD.
2) Yes, as you are trying to connect to an AD forest it must be a domain account.
3) Replicate Directory Changes/(All) is set in the security tab of the domain itself.
For normal scenarios this should fit, but you can also have special permissions on an OU, for example, if you need them.
/Peter
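A scripted equivalent of the security-tab step from the reply above, added here as an example and not part of the original thread or of Microsoft's tooling. The account name `CONTOSO\svc-aadsync` is a placeholder; the script assumes the ActiveDirectory RSAT module and `dsacls.exe` are available and that it runs with rights to modify the domain ACL. Because these two rights let the holder replicate password hashes, the second half lists every principal that currently holds them so the result can be reviewed.

```powershell
# Added example: grant and then audit the replication rights used for password sync.
Import-Module ActiveDirectory

# Placeholder (assumption): the account entered on the "connect your directories" page.
$account  = 'CONTOSO\svc-aadsync'
$domainDn = (Get-ADDomain).DistinguishedName

# Grant the two control-access rights (CA) on the domain root.
# ${account} keeps PowerShell from parsing "$account:CA" as a scoped variable.
dsacls $domainDn /G "${account}:CA;Replicating Directory Changes"
dsacls $domainDn /G "${account}:CA;Replicating Directory Changes All"

# Audit: extended-right GUIDs as defined in the AD schema.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    # An all-zero ObjectType on an ExtendedRight ACE means every extended right.
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference,
                  @{ Name = 'Right'; Expression = { $rights[$_.ObjectType.ToString()] } },
                  IsInherited |
    Sort-Object Right, IdentityReference |
    Format-Table -AutoSize
```

In a multi-domain forest, repeat this against each domain whose objects are synchronized. Principals holding GenericAll on the domain root also carry these rights and appear in the audit under "All extended rights".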