VIP Enterprise Gateway LDAP Directory Synchronization Service deletes users or admins, or does not update certain users

Article ID: 164543

Products

VIP Service

Issue/Introduction

If the User Store or VIP Administrator configurations are not identical across all the VIP Enterprise Gateway instances that are part of the same synchronization cluster, one instance's LDAP Directory Synchronization service can make a change while another instance deletes, updates, or creates users or admins based on its own filter configuration.

Resolution

Ensure all the user stores for users and administrators are configured identically across all the instances that are part of the same synchronization cluster. Or, where geographical or network limits require more than one LDAP sync instance to run on the same cluster, confirm the configurations do not conflict with each other by running an LDAP Sync simulation on each LDAP sync instance and reviewing the results before running a live LDAP Sync.

Additionally, follow these suggestions: 

· Ensure the VIP Enterprise Gateway server can reach all the domain servers.
· Ensure that the Domain Name System (DNS) is functioning properly.
· Ensure that there are no connectivity issues due to a firewall.
· Configure each user store based on sub-domains (for example, cn=Users, DC=domain, DC=com) rather than configuring them using the highest level of the domain tree (for example, DC=domain, DC=com).
· Configure separate user stores for each OU if the users are available across multiple OUs. Such a configuration avoids the possibility of searching for users over an external LDAP referral server.
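
The following check is an added example, not part of this article or of VIP Enterprise Gateway. It models each instance's user stores as a base DN plus an optional group filter (a hypothetical shape) and lists the directory entries the instances disagree on, which are the accounts a mismatched sync could create on one instance and delete on another. The instance names and directory entries are constructed.

```python
# Added illustration: config shape, instance names and entries are constructed,
# not VIP Enterprise Gateway's own format or API.

def norm_dn(dn):
    """Normalise a DN: split RDNs, trim spaces, lower-case.
    Assumes no escaped commas inside RDN values."""
    return tuple(part.strip().lower() for part in dn.split(","))

def matches(entry, store):
    """True if the entry is under the store's base DN and passes its group filter."""
    dn, base = norm_dn(entry["dn"]), norm_dn(store["base_dn"])
    if not (len(dn) > len(base) and dn[-len(base):] == base):
        return False
    group = store.get("member_of")  # optional group filter
    return group is None or norm_dn(group) in {norm_dn(g) for g in entry["memberOf"]}

def selected(entries, stores):
    """DNs one instance would treat as managed (union of its user stores)."""
    return {e["dn"] for e in entries if any(matches(e, s) for s in stores)}

def drift(entries, instances):
    """Map each disputed DN to the instances that select it."""
    picks = {name: selected(entries, stores) for name, stores in instances.items()}
    everyone = set.union(*picks.values())
    return {dn: sorted(n for n, p in picks.items() if dn in p)
            for dn in sorted(everyone)
            if any(dn not in p for p in picks.values())}

VIP_GROUP = "CN=VIPUsers,OU=Groups,DC=domain,DC=com"  # constructed group
DIRECTORY = [  # constructed entries
    {"dn": "CN=alice,CN=Users,DC=domain,DC=com", "memberOf": [VIP_GROUP]},
    {"dn": "CN=bob,OU=Sales,DC=domain,DC=com", "memberOf": [VIP_GROUP]},
    {"dn": "CN=carol,CN=Users,DC=domain,DC=com", "memberOf": []},
]
INSTANCES = {  # two instances of one cluster with mismatched user stores
    "eg-a": [{"base_dn": "cn=Users, DC=domain, DC=com"}],
    "eg-b": [{"base_dn": "DC=domain, DC=com", "member_of": VIP_GROUP}],
}

if __name__ == "__main__":
    for dn, owners in drift(DIRECTORY, INSTANCES).items():
        print(f"{dn}: selected only by {', '.join(owners)}")
```

An empty result means every instance selects the same set of accounts; any DN listed should be resolved before a live sync.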