Employee List Will Not Populate Extended Active Directory Attributes On Certain Users

  • Article ID:100028266


When attempting to add users to the Employee List from Active Directory, the error 'Could not get Extended AD info' appears.

Error Message

[#430255] An error occurred while importing a custodian
Could not get Extended AD info - [#100000] ADS Crawler error: Catalog server matching the user DN does not exist: CN=John Doe,OU=Users,DC=XYZ,DC=COM



Either the domain(s) to crawl have been entered incorrectly, or the Global Catalog cannot be reached.



Two-step resolution:
First, determine which domains need to be crawled.
Second, point the program to query the correct Domain Controllers for each domain that is crawled.

Domains to Crawl:
Use the DC components of the DN in the error to determine what to enter in 'Domains to crawl':
Example: DC=XYZ,DC=COM (from the error) means xyz.com is entered in 'Domains to crawl'.

(System | Email Servers | Active Directory | 1. Domains to crawl)

By default, do not include an Administrator account with the domain information.  The account used to start the Veritas/Clearwell application will be used to query Active Directory.

Domain Controller:
(By default, up to three Domain Controllers can be identified)

Option 1:
Use ADSCrawler_output logs to determine what server to use in the ESA property:

- Examine the ADSCrawler logs for:

INFO  DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO  DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local

Repeat for each Domain to Crawl.

From the above example, the setting would be:


Option 2:
Use LDP.exe to determine what server to use in the ESA property:

1. Log on to the Clearwell appliance.

2. If necessary, install 'Active Directory Lightweight Directory Services'

  - Open Server Manager
  - Add Roles
  - Select 'Active Directory Lightweight Directory Services'
  (do not restart the server or services)

3. Start | Run | ldp.exe

4. From the LDP utility: Connection | Bind | 'Bind with credentials'

5. If possible, use the failing user's credentials; otherwise, use a Veritas/Clearwell account.

6. The last line will note whether the authentication was successful:
Authenticated as: 'XYZ\JohnDoe'

7. Scroll up to the line:
ldapServiceName: xyz.com:xyzdc001$@XYZ.COM

The ESA property esa.adscrawler.preferred_dc value would be:

Note: additional domain controllers can be added by separating the entries with a ;
Example: dc=xyz,dc=com:xyzdc001;dc=xyz,dc=com:xyzdc002;dc=xyz,dc=com:xyzdc003
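
The text handling in the steps above can be scripted. The following is an added example, not code from the original article or from the product: it derives the 'Domains to crawl' entry from the error, reads the domain controller from an ldapServiceName line or from ADSCrawler log lines, and joins entries in the format of the example above. All function names are hypothetical; lower-casing the domain DN follows the article's example, and the limit of three reflects the default mentioned above.

```python
import re

def split_dn(dn):
    # Split on commas that are not backslash-escaped (e.g. "CN=Doe\, John").
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def domain_dn(dn):
    # Keep only the DC= components, lower-cased as in the article's example.
    parts = [p.lower() for p in split_dn(dn) if p.lower().startswith("dc=")]
    if not parts:
        raise ValueError("no DC= components in %r" % dn)
    return ",".join(parts)

def crawl_domain(dn):
    # 'Domains to crawl' value: DC=XYZ,DC=COM -> xyz.com
    return ".".join(p[3:] for p in domain_dn(dn).split(","))

def dn_from_error(message):
    m = re.search(r"user DN does not exist:\s*(.+)$", message.strip())
    if not m:
        raise ValueError("not the ADS Crawler catalog-server error")
    return m.group(1)

def dc_from_ldap_service_name(line):
    # Line layout as shown in LDP: ldapServiceName: <domain>:<dc host>$@<REALM>
    m = re.search(r"ldapServiceName:\s*[^:\s]+:([^$\s]+)\$@", line)
    if not m:
        raise ValueError("no ldapServiceName value in %r" % line)
    return m.group(1)

def bindings_from_log(lines):
    # Pair each "Processing Domain" line with the bind lines that follow it.
    found, current = {}, None
    for line in lines:
        dom = re.search(r"Processing Domain:\s*(\S+)", line)
        dc = re.search(r"Binding to domain controller:\s*(\S+)", line)
        if dom:
            current = domain_dn(dom.group(1))
            found.setdefault(current, [])
        elif dc and current:
            found[current].append(dc.group(1))
    return found

def preferred_dc_value(dn, controllers, limit=3):
    # Entry format and ";" separator are taken from the article's example.
    if not 1 <= len(controllers) <= limit:
        raise ValueError("expected 1 to %d domain controllers" % limit)
    return ";".join("%s:%s" % (domain_dn(dn), c) for c in controllers)
```

bindings_from_log returns the controller names exactly as logged; it does not decide how they should appear in the property value.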


How to modify ESA property settings:

1. Log on to the web page using an account with System Administrator rights

2. Select System | Support Features | Property Browser

3. Modify the following fields: (case sensitive)
Name of property to change:  (insert the esa property)
New value (leave blank to remove): (insert the value)

4. Check: Confirm change. Are you sure?

5. Press Submit

Services do not need to be restarted.
