I don't think I've ever been able to find documentation on the Domain rights required for this either, but AFAIK basic Domain User rights are sufficient for the SEPM to provide AD authentication for your SEP Admins.
Essentially, it should just need Read access to the AD objects in question.
#EDIT#
Closest thing I've found to back this up is below (where they say the SEPM will never write changes to AD):
https://www-secure.symantec.com/connect/forums/how-powerful-logonid-do-you-need-synchronize-active-directory#comment-3112251
http://www.symantec.com/docs/HOWTO81142