Employee List will not populate extended AD attributes on certain users

Article:TECH200365  |  Created: 2012-12-01  |  Updated: 2012-12-03  |  Article URL http://www.symantec.com/docs/TECH200365
Article Type
Technical Solution



Issue



When attempting to add users to the Employee List from Active Directory, the error 'Could not get Extended AD info' appears.

 


Error



 [#430255] An error occurred while importing a custodian
Could not get Extended AD info - [#100000] ADS Crawler error: Catalog server matching the user DN does not exist: CN=John Doe,OU=Users,DC=XYZ,DC=COM

 


Cause



Either the domain(s) to crawl have been entered incorrectly, or the global catalog cannot be reached.

 


Solution



Two-step resolution:
First, determine which domains need to be crawled.
Second, point the program to query the correct Domain Controllers for each domain that is crawled.

 

Domains to Crawl:
Use the DC section of the error to determine what needs to be entered in Domains to crawl:
Example: DC=XYZ,DC=COM (from the error) means xyz.com should be entered in Domains to crawl.

(System | Email Servers | Active Directory | 1. Domains to crawl)

By default, do not add an Administrator account to the domain information. The account used to start the Symantec/Clearwell application will be used to query Active Directory.
 

Domain Controller:
(By default, up to three Domain Controllers can be identified)

Option 1:
Use ADSCrawler_output logs to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc

- Examine the ADSCrawler logs for:

INFO  DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO  DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local

Repeat for each Domain to Crawl.


From the above example, the setting would be:
dc=test,dc=local:cwlabdc01234.test.local

 

Option 2:
Use LDP.exe to determine what server to use in the ESA property:
esa.adscrawler.preferred_dc

1. Log on to the Clearwell appliance.

2. If necessary, install 'Active Directory Lightweight Directory Services'

  - Open Server Manager
  - Add Roles
  - Select 'Active Directory Lightweight Directory Services'
  (do not restart the server or services)

3. Start | Run | ldp.exe

4. From the LDP utility: Connection | Bind | 'Bind with credentials'

5. If possible, use the failing user's credentials; otherwise, use a Symantec/Clearwell account.

6. The last line will note if the Authentication was successful
Authenticated as: 'XYZ\JohnDoe'

7. Scroll up to the line:
ldapServiceName: xyz.com:xyzdc001$@XYZ.COM

The ESA property esa.adscrawler.preferred_dc value would be:
dc=xyz,dc=com:xyzdc001

Note: additional domain controllers can be added by separating the entries with a semicolon (;)
Example: dc=xyz,dc=com:xyzdc001;dc=xyz,dc=com:xyzdc002;dc=xyz,dc=com:xyzdc003
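
The following is an added example, not part of the original article or of the Symantec/Clearwell product: a small Python helper that derives the Domains to crawl entry from the error text and builds the esa.adscrawler.preferred_dc value from ADSCrawler log lines (Option 1) or from the ldapServiceName line shown by LDP (Option 2). The function names and the sample input are assumptions constructed from the lines quoted in this article.

```python
import re

# Constructed sample input, modelled on the lines quoted in this article.
SAMPLE_ERROR = ("Could not get Extended AD info - [#100000] ADS Crawler error: "
                "Catalog server matching the user DN does not exist: "
                "CN=John Doe,OU=Users,DC=XYZ,DC=COM")
SAMPLE_LOG = """\
INFO  DSCrawlerService - Processing Domain: DC=TEST,DC=LOCAL
INFO  DSCrawlerService - Binding to domain controller: cwlabdc01234.test.local
INFO  DSCrawlerService - Processing Domain: DC=XYZ,DC=COM
INFO  DSCrawlerService - Binding to domain controller: xyzdc001.xyz.com
"""
SAMPLE_LDP = "ldapServiceName: xyz.com:xyzdc001$@XYZ.COM"

def dc_parts(text):
    """Return the DC= components found in text, lower-cased, in order."""
    return [p.lower() for p in re.findall(r"\bDC=([^,\s]+)", text, re.I)]

def domain_to_crawl(error_line):
    """DC=XYZ,DC=COM in the error -> xyz.com for 'Domains to crawl'."""
    parts = dc_parts(error_line)
    if not parts:
        raise ValueError("no DC= components found in the error text")
    return ".".join(parts)

def preferred_dc_from_log(log_text):
    """Option 1: pair each 'Processing Domain' line with the binding line after it."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = re.search(r"Processing Domain:\s*(.+)", line)
        if m:
            current = ",".join("dc=" + p for p in dc_parts(m.group(1)))
            continue
        m = re.search(r"Binding to domain controller:\s*(\S+)", line)
        if m and current:
            entry = current + ":" + m.group(1)
            if entry not in entries:  # the same binding is logged on every crawl
                entries.append(entry)
    return ";".join(entries)

def preferred_dc_from_ldp(line):
    """Option 2: 'ldapServiceName: xyz.com:xyzdc001$@XYZ.COM' -> dc=xyz,dc=com:xyzdc001"""
    m = re.search(r"ldapServiceName:\s*([^:\s]+):([^$@\s]+)\$@", line)
    if not m:
        raise ValueError("not an ldapServiceName line")
    dn = ",".join("dc=" + label for label in m.group(1).lower().split("."))
    return dn + ":" + m.group(2)

if __name__ == "__main__":
    print(domain_to_crawl(SAMPLE_ERROR))
    print(preferred_dc_from_log(SAMPLE_LOG))
    print(preferred_dc_from_ldp(SAMPLE_LDP))
```
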

 

How to modify ESA property settings:

1. Log on to the web page using an account with System Administrator rights

2. Select System | Support Features | Property Browser

3. Modify the following fields: (case sensitive)
Name of property to change:  (insert the esa property)
New value (leave blank to remove): (insert the value)

4. Check: Confirm change. Are you sure?

5. Press Submit

Services do not need to be restarted.



