New users or computers have been added to an Organizational Unit (OU) in Active Directory (or another supported LDAP directory server), but have not automatically been synchronized with the Symantec Endpoint Protection Manager (SEPM). Even when right-clicking on the Client Group in the SEPM and selecting "Sync now," the operation fails. The "Update" pop-up appears for a second and then closes abruptly without any error message. This worked without any difficulty the last time it was checked, and there have been no changes made to the SEPM or re-configuration of Active Directory.
Check the server's log pane under Admin > Servers. Identify the "Organization importing started" entry, and view the message directly above. If the entry reads:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data...
then there is a straightforward cause and solution.
This failure to synchronize is due to LDAP Error Code 49, which frequently occurs after the Active Directory account password used by the SEPM has accidentally been changed.
Depending on the security settings in the Active Directory domain, rules often prompt administrators and users to change passwords periodically. If the password for the authorized directory server account (perhaps an administrator's account) that the SEPM uses to authenticate to the directory server has been changed, the SEPM will no longer be able to communicate (and synchronize) using its existing configured details.
Click on Admin > Servers and highlight the entry for the SEPM server. Choose to Edit Server Properties. Click Directory Servers, Edit, and supply a User name and password that are currently valid.
Specific details can be found under "Adding directory servers" in Chapter 15, "Managing directory servers" of the Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control.
This error code may also be seen if an Administrator attempts to log in to the SEPM using Active Directory Authentication and inputs the wrong password, even if Active Directory synchronization is not in use.
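The sub-code that follows "data" in the error 49 message distinguishes a wrong or changed password from an expired password or a locked account. The following Python script is an added example, not part of the original article or of Symantec's documentation; it classifies such log messages using the commonly documented Active Directory sub-codes, and its sample lines and the function name classify are constructed for illustration.

```python
import re

# Active Directory sub-codes reported after "data" in an LDAP error 49
# message. They are hexadecimal Win32 logon error codes.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong user name or password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the message format shown in the article and captures the sub-code.
_ERR49 = re.compile(
    r"LDAP: error code 49\b.*?AcceptSecurityContext error, data\s+([0-9a-fA-F]+)\b"
)


def classify(line):
    """Return (subcode, meaning) for an LDAP error 49 line, else None."""
    m = _ERR49.search(line)
    if m is None:
        if "LDAP: error code 49" in line:
            # Error 49, but the message was cut off before the sub-code.
            return ("unknown", "sub-code not present in the message")
        return None
    code = m.group(1).lower()
    return (code, AD_SUBCODES.get(code, "unrecognised sub-code"))


# Constructed sample log lines (not taken from a real server); the third
# reproduces the truncated message exactly as the article shows it.
PREFIX = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
SAMPLES = [
    PREFIX + "AcceptSecurityContext error, data 52e, v1db1]",
    PREFIX + "AcceptSecurityContext error, data 775, v1db1]",
    PREFIX + "AcceptSecurityContext error, data...",
    "Organization importing started",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample[-40:])
```

A result of 52e matches the changed-password cause described above, while 532, 773 or 775 indicate that the account itself needs attention in Active Directory before new credentials are entered in the SEPM.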