Problem
When attempting to add users to the Employee List from Active Directory, the error 'Could not get Extended AD info' appears.
Error Message
[#430255] An error occurred while importing a custodian
Could not get Extended AD info - [#100000] ADS Crawler error: Catalog server matching the user DN does not exist: CN=John Doe,OU=Users,DC=XYZ,DC=COM
Cause
Either the domain(s) to crawl have been entered incorrectly or the Global Catalog cannot be reached.
Solution
- Determine which domains need to be crawled.
- Point the program to query the correct Domain Controllers for each domain that is crawled.
1. Domains to Crawl:
Use the DC components of the DN in the error message to determine what to enter in the Domains to crawl field:
Example: DC=XYZ,DC=COM (from the error) means xyz.com should be entered in the Domains to crawl field.
System > Directories and Server > Active Directory > Domains to crawl
By default, do not include an Administrator account with the Domain information. The Log On service account for the EsaApplicationService will be used to query Active Directory.
2. Domain Controller:
(By default, up to three Domain Controllers can be identified)
Option 1:
Use ADSCrawler_output logs to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc
- Examine the ADSCrawler logs for:
INFO DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local
Repeat for each Domain to Crawl.
From the above example, the setting would be:
dc=test,dc=local:cwlabdc01234.test.local
Option 2:
Use LDP.exe to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc
1. Log on to the Clearwell appliance.
2. If necessary, install 'Active Directory Lightweight Directory Services':
- Open Server Manager
- Add Roles
- Select 'Active Directory Lightweight Directory Services'
(do not restart the server or services)
3. Start | Run | ldp.exe
4. From LDP utility: Connection | Bind | 'Bind with credentials'
5. If possible, use the failing user's credentials; otherwise, use a Veritas/Clearwell account.
6. The last line will note whether the authentication was successful:
Authenticated as: 'XYZ\JohnDoe'
7. Scroll up to the line:
ldapServiceName: xyz.com:xyzdc001$@XYZ.COM
The ESA property esa.adscrawler.preferred_dc value would be:
dc=xyz,dc=com:xyzdc001
Note: additional domain controllers can be added by separating the entries with a ;
Example: dc=xyz,dc=com:xyzdc001;dc=xyz,dc=com:xyzdc002;dc=xyz,dc=com:xyzdc003
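The derivations above (Domains to crawl from the error DN, and the esa.adscrawler.preferred_dc value from either the ADSCrawler log or the ldapServiceName line) can be scripted. This is an added example, not Veritas/Clearwell code; the function names and the second domain in the sample log (DC=CORP,DC=EXAMPLE, dc01.corp.example) are constructed for illustration.

```python
import re

# Line shapes as quoted on the page from the ADSCrawler_output logs.
DOMAIN_RE = re.compile(r"Processing Domain:\s*(\S+)")
BIND_RE = re.compile(r"Binding to domain controller:\s*(\S+)")
DC_RE = re.compile(r"(?:^|,)\s*DC=([^,]+)", re.IGNORECASE)

# Constructed sample: the page's two log lines plus a made-up second domain.
SAMPLE_LOG = """\
INFO DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local
INFO DSCrawlerService - Processing Domain: DC=CORP,DC=EXAMPLE
INFO DSCrawlerService - Binding to domain controller: dc01.corp.example
""".splitlines()

def dc_parts(dn):
    """DC= components of a DN, lowercased: ['xyz', 'com']."""
    parts = [p.strip().lower() for p in DC_RE.findall(dn)]
    if not parts:
        raise ValueError(f"no DC= components in {dn!r}")
    return parts

def domain_to_crawl(dn):
    """User DN from the error message -> 'Domains to crawl' value."""
    return ".".join(dc_parts(dn))

def entry(domain_dn, server):
    """One preferred_dc entry in the page's form: dc=..,dc=..:server"""
    return ",".join("dc=" + p for p in dc_parts(domain_dn)) + ":" + server

def entries_from_log(lines, limit=3):
    """Option 1: pair each 'Processing Domain' with the bind after it.
    The page's 'up to three' default is applied as a total cap (assumption)."""
    found, current = [], None
    for line in lines:
        if m := DOMAIN_RE.search(line):
            current = m.group(1)
        elif (m := BIND_RE.search(line)) and current:
            e = entry(current, m.group(1))
            if e not in found:
                found.append(e)
    return ";".join(found[:limit])

def entry_from_ldap_service_name(value):
    """Option 2: 'xyz.com:xyzdc001$@XYZ.COM' -> 'dc=xyz,dc=com:xyzdc001'."""
    domain, _, rest = value.partition(":")
    server = rest.split("@")[0].rstrip("$")
    if not domain or not server:
        raise ValueError(f"unexpected ldapServiceName: {value!r}")
    return entry(",".join("DC=" + p for p in domain.split(".")), server)
```

A bind line that appears before any 'Processing Domain' line is ignored, and repeated domain/server pairs are emitted once.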
How to modify ESA property settings:
1. Log on to the web page using an account with System Administrator rights.
2. Select System | Support Features | Property Browser
3. Modify the following fields: (case sensitive)
Name of property to change: (insert the esa property)
New value (leave blank to remove): (insert the value)
4. Check: Confirm change. Are you sure?
5. Press Submit
Services do not need to be restarted.