When indexing occurs, LDAP error code 10 appears in the logs and AD groups are not indexed as expected.
Tomcat logs showed the following (anonymized):
File: Enforce\logs\tomcat\localhost.2022-03-25.log
Date: 3/25/2022 10:40:34 AM
Thread: 89
Level: SEVERE
Source: com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator
Message: Unable to retrieve the following directory group entry: cn=<CN>,ou=<ou>,ou=<ou>,ou=<ou>,ou=<ou>,dc=<dc1>,dc=<dc2>,dc=<dc3>,dc=<dc4>
Cause: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310074A, data 0, 1 access points ref 1: '<child domain>'
Release: 16.x
LDAP error code 10 is a referral error. The LDAP server was a global catalog server, but queries sent to port 389 are answered by a single domain and may not have access to the whole AD forest, so the server returns a referral to the child domain instead of the group entry.
Switching the directory connection for the server from port 389 to port 3268 (the global catalog port) resolved the issue, allowing the groups from the child domain to be imported as expected.
If LDAPS is used in the environment, the port has to be changed from 636 to 3269 instead.
Note that referrals may also need to be enabled; see KB 160018.
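As an added example (not part of this KB or the Enforce product), the following Python script scans a Tomcat log excerpt for the error code 10 referral failure described above and proposes the matching global catalog port for a directory connection URL. The log text, host names and the `child.example.test` referral target are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the anonymized Tomcat entry above (not a real log).
SAMPLE_LOG = """Level: SEVERE
Source: com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator
Message: Unable to retrieve the following directory group entry: cn=<CN>,ou=<ou>,dc=<dc1>,dc=<dc2>
Cause: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310074A, data 0, 1 access points ref 1: 'child.example.test'
"""

# Standard LDAP/LDAPS ports of a single domain controller mapped to the
# global catalog ports that serve the whole forest.
GC_PORT = {389: 3268, 636: 3269}

# Matches the Spring LDAP wrapping of an AD referral error (code 10 / RefErr)
# and captures the AD error code and the referral target printed after "ref N:".
REFERRAL_RE = re.compile(
    r"LDAP: error code 10 - (?P<code>[0-9A-Fa-f]{8}): RefErr:.*?ref \d+: '(?P<target>[^']+)'"
)


@dataclass
class ReferralFinding:
    code: str    # AD error code, e.g. 0000202B
    target: str  # domain the DC referred the query to


def find_referrals(log_text):
    """Return one finding per LDAP error code 10 (referral) line in the log text."""
    return [ReferralFinding(m.group("code"), m.group("target"))
            for m in REFERRAL_RE.finditer(log_text)]


def global_catalog_url(url):
    """Rewrite an ldap:// or ldaps:// URL from the DC port to the GC port.

    Returns None when the URL already uses a GC port or a port we do not know,
    so a caller can tell "fix available" from "already on the global catalog".
    """
    parts = urlsplit(url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if port not in GC_PORT:
        return None
    return urlunsplit(parts._replace(netloc=f"{parts.hostname}:{GC_PORT[port]}"))


if __name__ == "__main__":
    for f in find_referrals(SAMPLE_LOG):
        print(f"referral {f.code} to {f.target}; try {global_catalog_url('ldap://dc01.example.test:389')}")
```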