In Symantec Endpoint Protection Manager (SEPM), when you look at Monitors tab > Logs > System log > Server Activity log content, you may see a "Severe" event that begins "LDAP: error code 32...". What does this mean?
Symptoms
In addition to the listing in the GUI, the error message also appears when the log is exported. Here is the entry from an exported system_report.txt:
<timestamp>,1000,An unexpected exception has occurred,[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domainname,DC=com',,,javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domainname,DC=com',servername,My Site
When SEPM debugging is enabled, a few additional details can be seen in the ADSITask-0.log:
<timestamp> FINE: LdapUtils>> search: Met a Referral in result.hasMore. Then ignore it! baseDN=[DC=domainname,DC=com]
<timestamp> WARNING: LdapUtils>> search: Exception...
<timestamp> WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domainname,DC=com'
]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com'
<timestamp> WARNING: NativeCall>> testLdapServerConnection: error msg=LDAP Query For All Failed [path=LDAP://<IpAddress>:389,baseDn=OU=DeletedOUname,DC=domainname,DC=com, filter=]
Cause
The error message is not a Symantec Endpoint Protection specific error, but a standard LDAP result: code 32 is noSuchObject. The directory server is correctly reporting that the object named in the query (the "remaining name") does not exist; the "best match of:" value is the deepest part of that DN which the server could still find. The accompanying 0000208D is Active Directory's ERROR_DS_NO_SUCH_OBJECT. This error can occur for several reasons:
The OU that was imported into SEPM no longer exists under its original name. SEPM does not know this when it periodically attempts to synchronize with the directory, so it queries the old DN and reports an error in its logs.
Objects are identified by Distinguished Name (DN), and the components of that DN are hierarchical. If one component changes, e.g. an OU is deleted or renamed, the DN of every object beneath it changes as well, so the name SEPM stored no longer resolves.
The name of the deleted or renamed OU can be seen in the debug ADSITask-0.log:
<timestamp> WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domainname,DC=com' ]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com' <-------------------------- name of the deleted OU appears here
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
Comparing the OUs listed in SEPM with those shown in the Active Directory Users and Computers console will confirm that there is a difference. Deleting an OU from Active Directory does not automatically remove the imported OU from SEPM.
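The comparison above can be done directly from the log text. The following script is an added triage helper, not part of the Symantec article or of the SEPM product: it parses the "best match of:" and "remaining name" DNs out of an ADSITask-0.log error-32 line, works out which DN component the domain controller could not resolve (the RDN directly beneath the best match is the one that was deleted, renamed or moved; deeper components may still exist under a new parent), and compares a list of DNs SEPM still references against a list exported from AD. The log excerpts and DN lists in the block are constructed to mirror the examples in this article, and the log format assumed is exactly the one quoted above.

```python
import re
from typing import Dict, List, Optional

# Fields of the JNDI NameNotFoundException as written to ADSITask-0.log:
# "best match of:" is the deepest entry the domain controller did find,
# "remaining name" is the full DN that SEPM asked for.
_BEST_MATCH = re.compile(r"best match of:\s*'([^']*)'")
_REMAINING = re.compile(r"remaining name\s*'([^']*)'")


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, leaf first, honouring backslash-escaped commas."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape and the escaped char together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def diagnose_error32(log_text: str) -> Optional[Dict[str, object]]:
    """Return which DN component the DC could not resolve, or None if no error-32 text is present."""
    bm = _BEST_MATCH.search(log_text)
    rn = _REMAINING.search(log_text)
    if bm is None or rn is None:
        return None
    best = split_dn(bm.group(1))
    remaining = split_dn(rn.group(1))
    # DN components compare case-insensitively; the best match must be a suffix of the requested DN.
    if best and [r.lower() for r in remaining[-len(best):]] != [b.lower() for b in best]:
        raise ValueError("best match is not a suffix of the remaining name")
    missing = remaining[: len(remaining) - len(best)]  # leaf first
    if not missing:
        return None
    # The RDN directly beneath the best match is the one that was deleted, renamed or moved;
    # anything above it in `missing` may still exist under a new parent.
    broken = missing[-1]
    return {
        "requested_dn": ",".join(remaining),
        "deepest_existing": ",".join(best),
        "broken_rdn": broken,
        "leaf_name": broken.split("=", 1)[1] if "=" in broken else broken,
    }


def stale_imports(sepm_dns: List[str], ad_dns: List[str]) -> List[str]:
    """DNs that SEPM still references but that no longer exist in the AD export (case-insensitive)."""
    live = {",".join(r.lower() for r in split_dn(d)) for d in ad_dns}
    return [d for d in sepm_dns if ",".join(r.lower() for r in split_dn(d)) not in live]


# Constructed sample mirroring the ADSITask-0.log excerpt in this article (not a real capture).
SAMPLE_LOG = (
    "WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "'DC=domainname,DC=com'\n"
    "]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com'"
)

# Constructed nested case: OU=Workstations was renamed in AD after OU=Win10s had been imported.
NESTED_LOG = (
    "... best match of: 'OU=Site,DC=domainname,DC=com' ]; "
    "remaining name 'OU=Win10s,OU=Workstations,OU=Site,DC=domainname,DC=com'"
)

if __name__ == "__main__":
    for text in (SAMPLE_LOG, NESTED_LOG):
        print(diagnose_error32(text))
    # Constructed lists: what SEPM still references versus what AD currently contains.
    print(stale_imports(
        ["OU=Win10s,OU=Workstations,OU=Site,DC=domainname,DC=com"],
        ["OU=Site,DC=domainname,DC=com", "OU=Win10s,OU=Clients,OU=Site,DC=domainname,DC=com"],
    ))
```

The value reported as `broken_rdn` is the one to look for in Active Directory Users and Computers; `leaf_name` is the OU name to search for if it was merely renamed or moved, since the same OU usually still exists under a different DN.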
Resolution
There are different steps to resolve this, depending on the client group structure in SEPM.
A top-level OU was imported into SEPM
Example: Active Directory has a "Servers" OU that contains a "SEPM" OU. The top-level "Servers" OU was imported into SEPM.
When OU=Servers is renamed in Active Directory, either:
1. Manually sync the renamed parent OU by right-clicking the Servers group in SEPM and selecting "Sync Now", or
2. Wait until SEPM's scheduled "Synchronize with Directory Servers" event occurs.
Active Directory has a more complex, layered OU structure and only a nested child OU was imported into SEPM
Example: Active Directory has a "Site" OU that contains nested "Workstations" and "Win10s" OUs, but only the nested "Win10s" OU was imported into SEPM.
A group named "Site" was created in SEPM as a so-called native group, i.e. a non-imported group, and the "Win10s" OU was imported:
When one of the parent OUs of OU=Win10s is renamed in Active Directory:
Re-initiate the OU import: