Here’s how to troubleshoot problems you might have when setting up and running a sync with Directory Sync.
Set up
Couldn't save your directory settings error when adding the external directory
Make sure the Data Connectors API is turned on in the project. For details, go to Enable the Data Connectors API.
Multiple Directory Sync connections can't point to the same domain. Directory Sync compares base distinguished names (DNs) and, if the domains match, directory creation fails.
To resolve the issue, delete the connection with the matching DN before creating a new one with the same domain.
If you get this error in the Admin log events data, check the following:
- The Microsoft Active Directory (AD) server is up and running.
- Your network and firewalls are set up to allow incoming traffic on the LDAP port.
- You entered the authorized account credentials correctly, using the username@example.com or EXAMPLE\username format.
If you still get the error, add the Domain Name System (DNS) server details to resolve the AD host name. For details, go to Add an external directory.
You can also create a Linux virtual machine (VM) in the same subnet as the Virtual Private Cloud (VPC) access connector. Try to telnet to the AD server's IP address on port 636. If telnet fails, verify the AD server's network settings, for example, check that port 636 is open and reachable.
If telnet succeeds, verify that the AD server presents the expected certificate by entering the following command on the Linux VM, replacing the placeholder with the external server's IP address:
openssl s_client -showcerts -connect <external server IP address>:636
You can get 2 versions of this error in the Admin log events data.
Error 1–An error occurred while attempting to connect to server (Server IP) within the configured timeout of 10000 milliseconds
This error indicates that Directory Sync failed to connect to the Active Directory (AD) server. To troubleshoot, make sure you set up AD correctly. For details, go to Add an AD directory.
Error 2–An error occurred while attempting to establish a connection to server (Server IP): (SSLHandshakeException(sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
This error indicates that the AD TLS certificate doesn't match the certificate that you attached when configuring the external directory connection. To troubleshoot, make sure the certificates match. For details, go to Add an AD directory.
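The following script is an added example for this page, not Google's tooling. It runs the checks described above (resolving the host name, reaching port 636 within the 10-second timeout, and completing a TLS handshake against the certificate you attached) with only the Python standard library, so it can run from the Linux VM in the VPC connector subnet. The host name ad.example.internal is a placeholder; pass your own server and, optionally, the path of the exported .cer file.

```python
"""LDAPS connectivity and certificate pre-check for a directory host.

Added example for this troubleshooting page; not Google's code. Each failure
is mapped onto the error classes described above: "dns" (host name did not
resolve), "connect" (Error 1: no TCP connection within the timeout) and
"cert-mismatch" (Error 2: no trust path from the served certificate to the
attached one). The .cer written by the PowerShell script above is DER; PEM
is accepted too.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional

TIMEOUT_MS = 10000  # the connect timeout quoted in Error 1 above


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Trust only the attached certificate when one is given, otherwise the
    system trust store. PROTOCOL_TLS_CLIENT verifies chain and host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None:
        ctx.load_default_certs()
        return ctx
    with open(cafile, "rb") as fh:
        data = fh.read()
    # cadata takes PEM as str or DER as bytes, so both export formats work.
    ctx.load_verify_locations(cadata=data.decode("ascii") if data.startswith(b"-----BEGIN") else data)
    return ctx


def classify_failure(exc: BaseException) -> str:
    """Map a probe exception onto the failure classes this page describes.
    Order matters: ssl.SSLError and socket.gaierror are both OSError subclasses."""
    if isinstance(exc, socket.gaierror):
        return "dns"            # add DNS server details to resolve the AD host name
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-mismatch"  # Error 2: PKIX path building failed (or name mismatch)
    if isinstance(exc, ssl.SSLError):
        return "tls"            # handshake failed for another reason, e.g. plain LDAP on 636
    if isinstance(exc, OSError):
        return "connect"        # Error 1: refused, filtered or no route within the timeout
    return "unknown"


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Resolve, connect and handshake; returns a result dict and never raises."""
    result = {"host": host, "port": port, "status": "ok", "fingerprint": None, "detail": ""}
    try:
        ctx = make_context(cafile)
        with socket.create_connection((host, port), timeout=TIMEOUT_MS / 1000) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result["fingerprint"] = fingerprint_sha256(der)
    except Exception as exc:  # every failure becomes a status for the operator
        result["status"] = classify_failure(exc)
        result["detail"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ad.example.internal"  # placeholder host
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, cafile=ca))
```

A status of "ok" with a fingerprint means the server's certificate chains to the file you attached; compare that fingerprint with the one openssl prints to confirm both paths see the same certificate. When you probe by IP address rather than DNS name, a certificate without that IP in its subject alternative names also lands in "cert-mismatch", and the detail field says whether the cause is an unknown issuer or a name mismatch.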
To save the AD TLS certificate locally, enter the following script in Microsoft PowerShell, replacing localhost with your AD server's DNS record or IP address:
# Start a TLS handshake with the LDAPS port. The HTTP request itself is expected to fail
# because the port speaks LDAP, not HTTP, so the error is ignored.
$webRequest = [Net.WebRequest]::Create("https://localhost:636")
try { $webRequest.GetResponse() } catch {}
# The certificate the server presented during the handshake is kept on the ServicePoint.
$cert = $webRequest.ServicePoint.Certificate
# Export it in DER form and write the bytes to Workspace.cer in the current directory.
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
# -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead.
Set-Content -Value $bytes -Encoding Byte -Path "$pwd\Workspace.cer"
If you are not able to test the connection between Google and Microsoft Azure Active Directory, check the admin log events for troubleshooting information. For details, go to Admin log events.
Sync issues
User could not be created error
You might get the following error in the Directory Sync log events: "User could not be created. Message: DOMAIN_OVER_USER_LIMIT_FIX_BY_CONTACT_SUPPORT."
This error indicates a user licensing issue. If you exceed the number of licenses available in Google Workspace or no licenses are available to assign, user creation fails and you get this error.
To troubleshoot, increase the number of licenses available to your users. For details, go to Purchase more user licenses.
If you get an error that starts with Result - referral, check that the base DN you entered when you set up the sync is correct.
If you're using global catalog port 3269, change it to 636.
In the Directory Sync log events, you might get sync errors with this description. The error usually occurs if the user account is disabled or the email ID has an incorrect domain in AD.
For more details about log events, go to Check log events for Directory Sync.
To complete these steps, you must have the super administrator or Directory Sync Admin role, or Manage Directory Sync Settings privilege.
If users and groups aren't synced:
- In your Google Admin console (at admin.google.com), click Directory Sync > External directories.
- Check the Sync Status of your directory.
- If the sync is inactive or unsuccessful, activate the sync.
For details, go to Run a sync.
If your Microsoft Domain Users group isn't syncing:
The Microsoft Domain Users group is not supported by Directory Sync.
- In Active Directory, create a new group that contains all the applicable members and permissions of the Microsoft Domain Users group.
- Add that group as a member of the Microsoft Domain Users group.
- Use the new group to manage members and sync.
Note: Don't change the attributes of the Microsoft Domain Users group, because doing so can trigger other unexpected behavior.
You can find more troubleshooting information about this error in the Directory Sync log events:
- Open the Directory Sync log events.
For details, go to Access Directory Sync log event data.
- Click Add a filter > Target object ID.
- Enter the email address of the user and click Apply.
- If you get an:
- Object Updated event with the description New attributes {suspended: true}, Directory Sync suspended the user because their account isn't active in AD.
- Object Deprovisioned event, check if the user in AD is deleted or has been moved to another path that doesn't fall under the LDAP search scope.
Identify what users are missing and make sure that the user:
- Isn't inactive in your external directory
- Is a direct member of the group you specified when setting up the user sync
- Is a user object and not a contact in your external directory
- Has an email ID that is present in your external directory, and the domain in that email ID is the same as your Google Workspace domain
You can find more troubleshooting information in the Directory Sync log events:
- Open the Directory Sync log events.
For details, go to Access Directory Sync log event data.
- Click Add a filter > Source object ID.
- Add the DN of the user and click Apply.
- Locate any Sync Error events and review the errors.
- Search for Read Object events with the DN of the user.
- If you can't find any Read Object events, Directory Sync has not synced the user. Common reasons are:
- The user membership doesn't fall within the LDAP search scope (the user doesn't reside at or below the base DN of the group specified when you set up the user sync).
- Directory Sync is communicating with a different domain controller, and an incremental sync isn't picking up all the changes. Verify that the hostname and IP address point to the same domain controller.
Check that the group member:
- Has the mail attribute value set and an email ID in a valid format
- Doesn't reside at or below the base DN of the group
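The checklist above (the user isn't inactive, is a direct member of the sync group, is a user object rather than a contact, has a mail attribute in the Workspace domain, and resides at or below the base DN of the LDAP search scope) can be applied to a user's AD entry before a sync. The script below is an added example for this page, not Directory Sync code: it takes an LDAP entry as a plain dict, the shape most LDAP client libraries return, and reports every reason the user would be skipped or suspended. The group DN, base DN, domain and both user entries are constructed sample data.

```python
"""Pre-sync checklist for one Active Directory user entry.

Added example for this page; not Directory Sync code. Each check mirrors one
item of the missing-user checklist above. DN comparison is a simplified
case-insensitive RDN match and does not handle escaped commas inside values.
"""
from typing import Dict, List

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled AD accounts


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs so spacing and case differences do not matter."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(dn: str, base_dn: str) -> bool:
    """True when dn is at or below base_dn in the directory tree."""
    rdns, base = normalize_dn(dn), normalize_dn(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def sync_blockers(entry: Dict, group_dn: str, base_dn: str, workspace_domain: str) -> List[str]:
    """Return the reasons (possibly none) this entry would not sync as a normal user."""
    reasons = []
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        reasons.append("account is disabled in AD (sync suspends the user)")
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "contact" in classes or "user" not in classes:
        reasons.append("object is a contact or not a user object")
    wanted = normalize_dn(group_dn)
    if not any(normalize_dn(g) == wanted for g in entry.get("memberOf", [])):
        reasons.append("not a direct member of the group specified for the user sync")
    mail = entry.get("mail")
    if not mail:
        reasons.append("mail attribute is not set")
    elif mail.count("@") != 1 or not mail.split("@")[1]:
        reasons.append("mail attribute is not a valid email ID")
    elif mail.split("@")[1].lower() != workspace_domain.lower():
        reasons.append(f"mail domain {mail.split('@')[1]} is not the Workspace domain {workspace_domain}")
    if not dn_in_scope(entry["dn"], base_dn):
        reasons.append("DN is outside the LDAP search scope (not at or below the base DN)")
    return reasons


# Constructed sample data: one healthy user and one with every problem at once.
GROUP_DN = "CN=Workspace Users,OU=Groups,DC=example,DC=com"
BASE_DN = "OU=Staff,DC=example,DC=com"
GOOD_USER = {
    "dn": "CN=Alice,OU=Staff,DC=example,DC=com",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "userAccountControl": 512,  # NORMAL_ACCOUNT
    "memberOf": ["cn=workspace users, ou=Groups, dc=example, dc=com"],
    "mail": "alice@example.com",
}
BAD_USER = {
    "dn": "CN=Bob,OU=Contractors,DC=example,DC=com",
    "objectClass": ["top", "person", "organizationalPerson", "contact"],
    "userAccountControl": 514,  # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "memberOf": ["CN=Nested Group,OU=Groups,DC=example,DC=com"],
    "mail": "bob@old-domain.example",
}

if __name__ == "__main__":
    for user in (GOOD_USER, BAD_USER):
        print(user["dn"], sync_blockers(user, GROUP_DN, BASE_DN, "example.com") or ["ok"])
```

Feed it the entries from an LDAP search over the same base DN and group you configured for the sync; an empty list for a user who still doesn't appear points at the remaining causes in the text, such as Directory Sync talking to a different domain controller than the one you queried.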