"Protect Error 1019: Active directory query returned an unknown error" - Ldap index fails ldap referral

Article ID: 252445

Updated On:

Products

Data Loss Prevention Enterprise Suite Data Loss Prevention Data Loss Prevention Enforce

Issue/Introduction

The DLP Active Directory users index scheduled task fails with the error:

Protect Error 1019: Active directory query returned an unknown error.
Unable to retrieve the following directory group entry: cn= etc. 

Environment

DLP 15.x

Cause

The index is a fail-closed system: if a single user cannot be verified, the whole index fails.

An LDAP referral that cannot be followed leaves a group of users unreachable, so the index fails.

Resolution

There are several options.

1.) Change the base DN to a container closer to the users rather than a root container.

2.) Create multiple AD connections for your groups, each with the base DN set to the container closest to that user group. This affects any policies you have defined against the groups as one whole.

3.) Use the Global Catalog as your AD connection.

4.) Connecting to the AD server through a load balancer can also cause this problem: the query runs so long that the connection times out and the session is disconnected.

5.) As of 15.7 and later, following LDAP referrals is disabled (set to false) by default. If you wish to enable LDAP referrals, add this entry:

com.vontu.profiles.directoryconnection.followLinks = true

to the file Indexer.properties, located at:

■ Windows:
<drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\Config
■ Linux:
/opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/Config

Save and restart Enforce services.

This can be a very frustrating issue, but generally option 1, 2, or 3 resolves it.
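As an added check (not part of the original article or of the DLP product), the Python below parses a constructed ldapsearch-style dump taken against a domain root: it lists the continuation references (the ref: lines) that the indexer cannot reach while followLinks is false, and computes the narrowest container shared by the returned users, which is the kind of base DN option 1 asks for. The hostnames, DNs and sample output are all constructed.

```python
"""Added check (not Symantec's code): find continuation references in an
ldapsearch dump and the narrowest container shared by the user entries."""
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of `ldapsearch -x -LLL` output against a
# domain root; hostnames and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,OU=Corp,DC=example,DC=com
objectClass: user

dn: CN=Bob,OU=Staff,OU=Corp,DC=example,DC=com
objectClass: user

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://child.example.com/DC=child,DC=example,DC=com
"""


def referrals(ldif):
    """(host, target DN) for every `ref:` line: the partitions a root-level
    base DN hands back, unreachable unless the indexer follows referrals."""
    found = []
    for line in ldif.splitlines():
        if line.startswith("ref: "):
            url = urlsplit(line[len("ref: "):].strip())
            found.append((url.hostname, unquote(url.path.lstrip("/"))))
    return found


def entry_dns(ldif):
    """DNs of the entries actually returned (the `dn:` lines)."""
    return [ln[len("dn: "):].strip() for ln in ldif.splitlines()
            if ln.startswith("dn: ")]


def narrowest_container(dns):
    """Deepest container shared by all DNs: a candidate base DN for option 1.
    Splits on ',' only, so escaped commas inside RDNs are not handled."""
    if not dns:
        return None
    # parent of each entry, listed root-first so a common prefix == shared suffix
    parents = [dn.split(",")[1:][::-1] for dn in dns]
    shared = []
    for rdns in zip(*parents):
        if len({r.lower() for r in rdns}) != 1:
            break
        shared.append(rdns[0])
    return ",".join(reversed(shared)) or None


if __name__ == "__main__":
    for host, dn in referrals(SAMPLE_LDIF):
        print(f"referral -> {host}: {dn}")
    print("suggested base DN:", narrowest_container(entry_dns(SAMPLE_LDIF)))
```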