Symptoms: 

• AD Groups that are created are not showing up in NSX.
• When searching an AD group under inventory, the status shows as Failed with a realization error.
  
  • This will also show in var/log/proton in the nsxapi.log:

    • ERROR providerTaskExecutor-1-130 PolicyProviderUtil 454725 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500015" level="ERROR" subcomp="manager"] Unexpected exception received during provider invocation.
      org.corfudb.runtime.exceptions.TransactionAbortedException: TX ABORT  | Snapshot Time = Token(epoch=183, sequence=00000000) | Failed Transaction ID = xxxxxx-xxxx-xxxx-xxxx-xxxxxxx | Offending Address = -1 | Conflict Key = 00 | Conflict Stream = xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx | Cause = UNDEFINED | Time = 1 ms | Message = null

• The following log is present in nsxapi.log:

  • INFO providerTaskExecutor-1-123 InternalExpressionNodeConverter 454725 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" s2comp="grouping" subcomp="manager"] Unable to find DirectoryGroup with distinguished_name CN=<CN-Name>,OU=<OU-Name>,DC=<DC>

• May see delta sync error failing in NSX UI.

  Exception occurred: com.vmware.nsx.management.directory.exceptions.DirectoryInvalidArgumentException: Error in FirewallIdentityStore configuration - '
  {0}'

VMware NSX-T Data Center 4.x

There are duplicates in DirectoryContainer table which causes a failure for AD groups to be updated. This can happen if groups are deleted and added back with the same distinguished name.

Workaround:
If you encounter this issue, please contact VMware GSS via an SR and mention this KB article.