
Active Directory Index and Replication fails with "Error: indexedDataStatus.ad_query_returned_unknown_error".


Article ID: 172263


Updated On:


Data Loss Prevention Enforce


You are seeing errors in the Enforce console under System -> Settings -> Directory Connections -> [connection name] -> Index and Replication Status.

This may cause AD-based group rules/exceptions to not work correctly.


In the localhost log:

SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:




The indexer looks each object up with an exact query on its distinguished name, for example the entry cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2 in the log above.

If the object has been moved or deleted, the AD query no longer resolves (LDAP error code 32, NO_OBJECT) and the affected objects are shown with a red cross against them in the group details.



The solution involves two steps:

A) Eliminate the bad references in the User Groups:

  1. Find the groups which have warning signs against them.
  2. Resolve the issue by searching for and removing the incorrect users/groups in AD and re-adding the correct ones (if needed, verify this with your AD team).
  3. Re-initiate indexing (enable the indexing schedule or wait for the next scheduled timeframe) to verify that no errors occur when the new index is created.

B) Add an error threshold, so that a new version of the index is still created even if some items remain unresolved. NOTE: Use this option only if you consistently see a number of unresolved items that you are unable to eliminate with step A.

  1. Edit the following two properties in the Enforce configuration properties file provided for customer modification. These are existing properties, and the related functionality has been tested.
  • First one:

# The percentage of corrupted and ignored records allowed for active directory index

In rare circumstances, the LDAP request returns an Active Directory record that the indexing logic cannot process, which breaks the index; this threshold specifies the percentage of such records that may be ignored before the index is rejected.

  • Second one:

# Number of attempts to reconnect to active directory service

The Enforce LDAP client may drop the connection in the middle of indexing, resulting in a rejected index. Because indexing can take hours, reconnection logic was implemented: the indexer reconnects up to the number of times specified in this property before terminating.

Restart the DLP Manager service for the above changes to take effect.
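To support step A (finding which directory entries no longer resolve) and step B (judging whether the unresolved share stays under the percentage threshold), here is an added example that is not part of this article or of the DLP product: a small Python parser for the SEVERE lines shown above. The sample log lines are constructed, and the threshold check assumes the index is rejected once the percentage of unresolved records exceeds the configured value.

```python
import re
from typing import Dict, List

# Matches the SEVERE line the directory-connection indexer writes to the localhost
# log when an exact-DN lookup fails (format taken from the excerpt in this article).
UNRESOLVED_RE = re.compile(
    r"SEVERE \[com\.vontu\.profiles\.manager\.directoryconnection\."
    r"UserGroupEntryReaderCreator\] Unable to retrieve the following "
    r"directory group entry: (?P<dn>.+?)\s*$"
)

# Constructed sample log lines (not taken from a real system), in the same format.
SAMPLE_LOG = """\
INFO constructed filler line that the parser should ignore
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=jdoe,ou=Leavers,dc=dc1,dc=dc2
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=cn1,ou=OU1,ou=OU2,ou=OU3,dc=dc1,dc=dc2
""".splitlines()


def unresolved_entries(log_lines: List[str]) -> Dict[str, int]:
    """Return {dn: occurrences} for every group entry the indexer failed to retrieve.

    The DN list is what you take to the AD team in step A: each one is a member
    reference that has been moved or deleted and must be removed or corrected.
    """
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = UNRESOLVED_RE.search(line)
        if m:
            dn = m.group("dn")
            counts[dn] = counts.get(dn, 0) + 1
    return counts


def exceeds_threshold(unresolved: int, total_records: int, threshold_pct: float) -> bool:
    """True when the unresolved share is above the percentage allowed (step B).

    Assumption: the index is rejected when the percentage of ignored records is
    strictly greater than the configured threshold. With no records at all, any
    unresolved entry counts as exceeding it.
    """
    if total_records <= 0:
        return unresolved > 0
    return (100.0 * unresolved / total_records) > threshold_pct


if __name__ == "__main__":
    found = unresolved_entries(SAMPLE_LOG)
    for dn, n in sorted(found.items()):
        print(f"{n}x unresolved: {dn}")
    # Constructed numbers: 1000 indexed records, threshold of 0.1 percent.
    print("index rejected:", exceeds_threshold(len(found), 1000, 0.1))
```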