AD Group synchronization fails in vIDM for groups exceeding 1500 members



Article ID: 432063


Products

VCF Operations

Issue/Introduction

When synchronizing Active Directory groups in VMware Identity Manager, groups with a large membership count (typically >1500) may fail to sync, while smaller groups work as expected.

Symptoms include:

  • The group is visible in the Sync settings but members are not populated.

  • The connector.log and connector-dir-sync.log files in /opt/vmware/horizon/workspace/logs/ show the following error:

    • ERROR (resourceSyncTaskExecutor-X) [;;;] com.vmware.horizon.directory.ldap.LdapQueryService - Ldap query (UUID): Error performing group Search query for chunk. Splitting it for individual com.vmware.horizon.directory.DirectoryServiceException: Problem querying directory ldap://<DC-HOSTNAME>.<DOMAIN>.<TLD> for query

Environment

VMware Identity Manager 3.3.7

Cause

This is caused by the MaxValRange limit in Active Directory's LDAP policy. Most Windows Server configurations default this value to 1,500. When a group exceeds this limit, the vIDM connector attempts to retrieve members in "chunks." If the resulting query string is too large for the Domain Controller to parse, the synchronization fails.

Resolution

To resolve this issue, you must increase the LDAP MaxValRange on your Active Directory Domain Controllers:

  1. Log in to a Domain Controller with Administrative privileges.

  2. Open a command prompt and run ntdsutil.

  3. Navigate through: LDAP policies > Connections > Connect to server <Your_Server_FQDN> > quit.

  4. Run: Set MaxValRange to 2000 (or a value higher than your largest group).

  5. Run: Commit Changes and quit.

  6. Restart the Directory Sync from the vIDM console.
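Before choosing the value for step 4, it helps to know the current MaxValRange and the size of the largest group being synced. The following PowerShell pre-check is an added example, not part of this article; it assumes the ActiveDirectory RSAT module and a domain-joined session, and reads the same Default Query Policy object that ntdsutil modifies.

```powershell
# Added pre-check (not from the KB): read the current MaxValRange from the
# Default Query Policy and list AD groups whose membership exceeds it, so the
# value set in step 4 is higher than the largest group vIDM has to sync.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$config   = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$config"
$limits   = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits

# lDAPAdminLimits is a multi-valued string attribute holding entries such as "MaxValRange=1500"
$maxValRange = [int](($limits | Where-Object { $_ -like 'MaxValRange=*' }) -split '=')[1]
Write-Host "Current MaxValRange: $maxValRange"

# Get-ADGroup -Properties member returns the full member list (ADWS performs the
# ranged retrieval), so the count is accurate even above MaxValRange; a plain LDAP
# read of 'member' would return at most MaxValRange values per chunk.
$large = Get-ADGroup -Filter * -Properties member |
    Select-Object Name, DistinguishedName, @{ n = 'MemberCount'; e = { @($_.member).Count } } |
    Where-Object { $_.MemberCount -gt $maxValRange } |
    Sort-Object MemberCount -Descending

if ($large) {
    $large | Format-Table Name, MemberCount -AutoSize
    Write-Host "Largest group has $($large[0].MemberCount) members; set MaxValRange above this value."
} else {
    Write-Host "No group exceeds MaxValRange; the cause described in this article does not apply."
}
```

The ntdsutil `Set MaxValRange` command writes to this same Default Query Policy, so the new limit applies to every Domain Controller that uses that policy, not only the one you connected to.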

Additional Information

Refer to Microsoft's documentation on How to view and set LDAP policy using Ntdsutil.exe for further technical details.