When creating or updating an index on an Active Directory group the job fails.
In the localhost<date>.log file found on a Windows Enforce server at \SymantecDLP\Protect\logs\tomcat\ or on a Linux Enforce server at /var/log/SymantecDLP/tomcat/ the following error can be seen:
65 SEVERE [com.vontu.profileindexer.database.CryptoIndexCreator] "Failed to write cryptographic file for database profile "Exceeded the corruption threshold of 0% while indexing database profile ADGROUP. Rows processed: 18000, Single-token Cells: 12500, Multi-token Cells: 0, Invalid rows: 77, Cells with no data: 0, Rows with too many columns: 0, Rows with too few columns: 0, Results per column[Column 1: Invalid cells: 77; Cells with no data: 0, Column 2: Invalid cells: 0; Cells with no data: 0], Cells indexed total: 12500"."
While the error threshold for Exact Data Matching (EDM) indexes can be adjusted to exceed 0% and invalid rows can be dropped, Directory Group indexes cannot contain any invalid data.
1. Enable indexer error logging by opening Indexer.properties located in \SymantecDLP\Protect\config and updating the value for create_error_file=false to true then restart the Vontu Manager service.
2. Try the indexing job again and then refer to the .err file created in \SymantecDLP\Protect\index. That file will show all the invalid values that are preventing the index from being created.
3. Correct the invalid entries found in the .err file and try the indexing job again.
The reason for the invalid data is most likely because the directory group being indexed is too broad and includes service accounts, printers, meeting rooms and the like. To avoid this problem, try to tailor the directory group connections to specific OUs or user groups.