Employee List Will Not Populate Extended Active Directory Attributes On Certain Users

Problem

When attempting to add users to the Employee List from Active Directory, the error 'Could not get Extended AD info' appears.

Error Message

[#430255] An error occurred while importing a custodian
Could not get Extended AD info - [#100000] ADS Crawler error: Catalog server matching the user DN does not exist: CN=John Doe,OU=Users,DC=XYZ,DC=COM

Cause

Either the domain(s) to crawl have been entered incorrectly, or the Global Catalog cannot be reached.

Solution

Two step resolution: 
First; determine which domains need to be crawled.
Second; point the program to query the correct Domain Controllers for each domain that is crawled.

Domains to Crawl:
Use the DC section of the error to determine what needs to be placed in the Domains to crawl:
Example: DC=XYZ,DC=COM (from the error) results in xyz.com to be placed in the Domains to crawl.

(System | Email Servers | Active Directory | 1. Domains to crawl)

By default do not include an Administrator to the Domain information.  The account used to start the Symantec/Clearwell application will be used to query Active Directory.
 

Domain Controller:
(By default, up to three Domain Controllers can be identified)

Option 1:
Use ADSCrawler_output logs to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc

- Examine the ADSCrawler logs for:

INFO  DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO  DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local

Repeat for each Domain to Crawl.

From the above example, the setting would be:
dc=test,dc=local:cwlabdc01234.test.local

Option 2:
Use LDP.exe to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc

1. Logon to the Clearwell appliance.

2. If necessary, install 'Active Directory Lightweight Directory Services'

  - Open Server Manager
  - Add Roles
  - Select 'Active Directory Lightweight Directory Services'
  (do not restart the server or services)

3. Start | Run | ldp.exe

4. From LDP utility: Connection | Bind | 'Bind with credentials'

5. If possible, use the failing users credentials otherwise use a Symantec/Clearwell account.

6. The last line will note if the Authentication was successful
Authenticated as: 'XYZ\JohnDoe'

7. Scroll up to the line:
ldapServiceName: xyz.com:xyzdc001$@XYZ.COM

The ESA property esa.adscrawler.preferred_dc value would be:
dc=xyz,dc=com:xyzdc001

Note: additional domain controllers can be added by separating the entries with a ;
Example: dc=xyz,dc=com:xyzdc001;dc=xyz,dc=com:xyzdc002;dc=xyz,dc=com:xyzdc003

How to modify ESA property settings:

1. Logon to the web page using an account with System Administrator rights

2. Select System | Support Features | Property Browser

3. Modify the following fields: (case sensitive)
Name of property to change:  (insert the esa property)
New value (leave blank to remove): (insert the value)

4. Check: Confirm change. Are you sure?

5. Press Submit

Services do not need to be restarted.

Terms of use for this information are found in Legal Notices.