VMware Identity Manager: Active Directory Synchronization Failure with UnknownHostException Following Domain Controller Decommission
Article ID: 440437
Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

VMware Identity Manager (vIDM) fails to synchronize users and groups with Active Directory. This issue typically occurs after a Domain Controller (DC) has been decommissioned or removed from the environment, even if the DC is no longer present in DNS SRV records.

  • Directory synchronization tasks fail immediately with an UnknownHostException.
  • The connector.log or horizon.log files contain errors referencing a decommissioned DC hostname (e.g., Failed to resolve [STALE_DC_FQDN]).
  • Manual connection tests in the vIDM Admin UI may result in the error: "Connector communication failed with response."
  • The issue persists even after restarting the vIDM appliance or the Workspace service.

Environment

IDM 3.3.7

Cause

The failure is caused by a stale crossRef discovery cache persisted in the connector's local config-state.json file.

When vIDM configures an Active Directory integration, it queries the AD Configuration container to identify all domain partitions. If a Domain Controller issues an LDAP referral redirecting vIDM to a specific DC as the authoritative source for a partition, vIDM caches that hostname as the Key Distribution Center (KDC). If that DC is later decommissioned, vIDM continues to prioritize the cached, non-resolvable hostname over updated DNS SRV records. This cache is only refreshed when the directory configuration is modified or re-added.
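To confirm this cause before choosing a resolution method, the following added Python check (not part of this article or of the product) walks a copy of config-state.json, collects every FQDN-looking value and reports which ones no longer resolve from the connector. The JSON field names in the sample are assumptions, since the file's schema is not documented here; the walk is therefore schema-agnostic.

```python
import json
import re
import socket
from typing import Callable, Dict, List

# Matches FQDN-looking strings: dotted labels of letters, digits and hyphens.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def collect_hostnames(node, found: List[str] = None) -> List[str]:
    """Recursively gather FQDN-looking string values from parsed JSON.
    The real config-state.json layout is not documented here, so every
    string anywhere in the tree is inspected rather than specific keys."""
    if found is None:
        found = []
    if isinstance(node, dict):
        for value in node.values():
            collect_hostnames(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_hostnames(item, found)
    elif isinstance(node, str) and FQDN_RE.match(node.strip()):
        host = node.strip().lower()
        if host not in found:
            found.append(host)
    return found


def resolves(host: str) -> bool:
    """Default resolver: True when the connector's DNS can resolve the host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_stale_hosts(config_json: str,
                     resolver: Callable[[str], bool] = resolves) -> Dict[str, bool]:
    """Map each cached hostname to whether it still resolves. A False entry is a
    candidate stale DC/KDC reference that the connector will keep preferring
    over DNS SRV results until the cache is refreshed."""
    return {h: resolver(h) for h in collect_hostnames(json.loads(config_json))}


# Constructed sample resembling a cached crossRef result; keys are illustrative.
SAMPLE_CONFIG = json.dumps({"domains": [{
    "name": "corp.example.com",
    "kdc": "dc-old-01.corp.example.com",          # decommissioned DC
    "discovered": ["dc-02.corp.example.com"]}]})

if __name__ == "__main__":
    for host, ok in find_stale_hosts(SAMPLE_CONFIG).items():
        print(("OK    " if ok else "STALE ") + host)
```

On a real connector, read the actual config-state.json into `find_stale_hosts` instead of the constructed sample; any STALE line that names a former DC corroborates the cached-referral explanation above.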

Resolution

There are two methods to resolve this issue and force a refresh of the config-state.json cache.

Method 1: Directory Recreation (Standard)

This method ensures a completely fresh discovery but requires re-configuring directory settings.

  1. Take a snapshot of the VMware Identity Manager appliance(s).
  2. Log in to the vIDM Admin UI and navigate to Identity & Access Management > Directories.
  3. Note all current settings (Sync Settings, Filter, and User Attributes).
  4. Delete the affected Active Directory connection.
  5. Re-add the directory with the identical settings. This clears the existing config-state.json cache and re-runs crossRef discovery.

Method 2: DNS Service Location Toggle (Zero-Impact)

This method forces a cache flush without deleting the directory.

  1. Navigate to Identity & Access Management > Directories > [Your Directory].
  2. Go to the Sync Settings tab.
  3. Temporarily enable the DNS Service Location option (or toggle it if already enabled) to force vIDM to flush the stale config-state.json cache.
  4. Revert the setting to your original configuration (e.g., explicitly pointing to a healthy Domain Controller).
  5. Click Save on all tabs and initiate a Sync Now to verify the connection is restored.

Expected Outcome: The synchronization engine resolves active Domain Controllers from DNS again, and the UnknownHostException no longer occurs.