LDAP Synchronization fails when using a Windows Server 2008 R2 Domain Controller as the LDAP source.

Article:TECH97476  |  Created: 2009-01-17  |  Updated: 2011-02-10  |  Article URL http://www.symantec.com/docs/TECH97476
Article Type
Technical Solution


You have configured an LDAP source for synchronization using a Windows Server 2008 R2 domain controller as the LDAP server. After saving the LDAP source the initial synchronization fails.

In Enquire\access.log:

ErrMsg= LDAP Connector - Asynchronous search operation timed-out while fetching result entries ( 00002040: SvcErr: DSID-031401E0, problem 5010 (UNAVAIL_EXTENSION), data 0

In BrightmailLog.log:

ERROR - Exception Message :ERROR: -4966:Rejected entry synch cannot be performed on a fresh dfc



The LDAP query associated with the synchronization specifies a query control that it marks as critical, and that control is either unavailable on, or unacceptable to, the Windows Server 2008 R2 Active Directory LDAP source. Because the control is marked critical, the server rejects the query with result code 12 (unavailableCriticalExtension, shown as UNAVAIL_EXTENSION in the log above), as RFC 2251 Section 4.1.12 requires. This may be due to security enhancements made to Active Directory in R2.
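The following is an added diagnostic example, not part of the Symantec article or the Brightmail product. It parses the Active Directory diagnostic string from access.log and applies the RFC 2251 Section 4.1.12 rule to a list of requested controls: a control missing from the server's supportedControl list is fatal only when flagged critical. The control OIDs under 1.3.6.1.4.1.99999 and the supportedControl list are constructed sample data; the article does not identify the control that Brightmail sends.

```python
import re
from typing import Iterable, List, Optional, Tuple

# LDAP result code RFC 2251 section 4.1.12 prescribes for an unsupported control
# marked critical; AD reports the same condition as problem 5010 (UNAVAIL_EXTENSION).
UNAVAILABLE_CRITICAL_EXTENSION = 12

AD_ERROR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)


def parse_ad_error(message: str) -> Optional[dict]:
    """Extract the structured fields from an AD diagnostic string as logged in
    access.log; returns None when the message does not carry that pattern."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    return {
        "win32_error": int(m["win32"], 16),   # 0x2040 in the article's log line
        "problem": int(m["problem"]),         # 5010 == UNAVAIL_EXTENSION
        "name": m["name"],
        "data": int(m["data"]),
    }


def classify_controls(supported: Iterable[str],
                      requested: Iterable[Tuple[str, bool]]) -> Tuple[List[str], List[str]]:
    """Split requested (oid, criticality) pairs that the server does not advertise
    into fatal ones (critical -> result code 12) and ignored ones (non-critical)."""
    supported_set = set(supported)
    fatal, ignored = [], []
    for oid, critical in requested:
        if oid in supported_set:
            continue
        (fatal if critical else ignored).append(oid)
    return fatal, ignored


def predict_result_code(supported: Iterable[str],
                        requested: Iterable[Tuple[str, bool]]) -> int:
    """Result code the server must return for this control set (0 = success)."""
    fatal, _ = classify_controls(supported, requested)
    return UNAVAILABLE_CRITICAL_EXTENSION if fatal else 0


# Constructed sample: a supportedControl list that advertises paged results (a real
# AD control OID) but not the hypothetical OIDs the sync query asks for.
SAMPLE_SUPPORTED = ["1.2.840.113556.1.4.319", "1.2.840.113556.1.4.801"]
SAMPLE_REQUESTED = [("1.2.840.113556.1.4.319", True),   # supported, fine
                    ("1.3.6.1.4.1.99999.1", True),      # unsupported and critical -> 12
                    ("1.3.6.1.4.1.99999.2", False)]     # unsupported, non-critical -> ignored
SAMPLE_LOG = ("ErrMsg= LDAP Connector - Asynchronous search operation timed-out while "
              "fetching result entries ( 00002040: SvcErr: DSID-031401E0, problem 5010 "
              "(UNAVAIL_EXTENSION), data 0")
```

In a live check, the supported list comes from reading the rootDSE (base DN "", base scope, attribute supportedControl) of the domain controller before the first synchronization runs.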


You will have to use recipient validation instead. There is no problem using a Windows Server 2008 R2 domain controller as an LDAP source for recipient validation. This option is only available in Brightmail Gateway versions 8.x and later; it is not available in Symantec Mail Security for SMTP 5.

Note: Windows Server 2008 Active Directory has not been certified with Symantec Brightmail Gateway or Symantec Mail Security for SMTP and is not considered a supported LDAP source.

This issue has been resolved in Brightmail Gateway version 9.x.

RFC 2251, Section 4.1.12

