LDAP Synchronization fails when using a Windows Server 2008 R2 Domain Controller as the LDAP source.

Article:TECH97476  |  Created: 2009-01-17  |  Updated: 2011-02-10  |  Article URL http://www.symantec.com/docs/TECH97476
Article Type
Technical Solution

Issue

You have configured an LDAP source for synchronization, using a Windows Server 2008 R2 domain controller as the LDAP server. After the LDAP source is saved, the initial synchronization fails.

Symptoms

In Enquire\access.log:

ErrMsg= LDAP Connector - Asynchronous search operation timed-out while fetching result entries ( 00002040: SvcErr: DSID-031401E0, problem 5010 (UNAVAIL_EXTENSION), data 0

In BrightmailLog.log:

ERROR - Exception Message :ERROR: -4966:Rejected entry synch cannot be performed on a fresh dfc

Cause

The LDAP search that performs the synchronization carries a control marked critical that the Windows Server 2008 R2 domain controller either does not support or will not accept for that operation. Because the control is marked critical, RFC 2251 Section 4.1.12 requires the server to reject the whole operation rather than ignore the control, and it returns LDAP result code 12 (unavailableCriticalExtension); Active Directory reports this in its error string as problem 5010 (UNAVAIL_EXTENSION), which is what appears in access.log. The rejection may be due to security enhancements made to Active Directory in R2.
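The following is an added diagnostic example and is not code from the Symantec article or from Brightmail Gateway. It applies the RFC 2251 Section 4.1.12 rule described above to a list of requested controls, checked against the supportedControl attribute of a domain controller's rootDSE, and parses the Active Directory error string from access.log into its fields. The rootDSE excerpt is constructed, and the control OIDs (paged results, server-side sort, and the Netscape persistent-search control, which Active Directory does not advertise) are illustrative only: the article does not identify which control the connector actually sent.

```python
import re

# LDAP result codes from RFC 2251 section 4.1.10; only the two this check needs.
SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12

# Illustrative control OIDs. The article does not say which control the
# Brightmail connector marked critical; these are stand-ins for the check.
PAGED_RESULTS = "1.2.840.113556.1.4.319"       # LDAP paged results (RFC 2696)
SERVER_SORT = "1.2.840.113556.1.4.473"         # server-side sort (RFC 2891)
PERSISTENT_SEARCH = "2.16.840.1.113730.3.4.3"  # Netscape persistent search, not offered by AD

# Constructed rootDSE excerpt in LDIF form, standing in for the output of
#   ldapsearch -x -H ldap://<dc> -s base -b "" supportedControl
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.841
"""

# Log line taken from the Symptoms section of this article.
SAMPLE_LOG_LINE = (
    "ErrMsg= LDAP Connector - Asynchronous search operation timed-out while "
    "fetching result entries ( 00002040: SvcErr: DSID-031401E0, "
    "problem 5010 (UNAVAIL_EXTENSION), data 0"
)


def supported_controls(ldif: str) -> set:
    """Collect the supportedControl OIDs advertised in a rootDSE LDIF dump."""
    return {
        line.split(":", 1)[1].strip()
        for line in ldif.splitlines()
        if line.startswith("supportedControl:")
    }


def evaluate_controls(supported, requested):
    """Apply RFC 2251 section 4.1.12 to a list of (oid, criticality) pairs.

    Returns (result_code, applied, ignored). A critical control the server
    does not recognise fails the whole operation with result code 12
    (unavailableCriticalExtension); a non-critical unrecognised control is
    silently ignored and the operation proceeds with the rest.
    """
    applied, ignored = [], []
    for oid, critical in requested:
        if oid in supported:
            applied.append(oid)
        elif critical:
            return UNAVAILABLE_CRITICAL_EXTENSION, applied, ignored
        else:
            ignored.append(oid)
    return SUCCESS, applied, ignored


AD_ERROR_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)


def parse_ad_error(message: str):
    """Extract the structured fields of an Active Directory error string
    (leading hex code, error kind, DSID, problem number and name, data)
    from a log line; returns None when the line carries no such string."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["problem"] = int(fields["problem"])
    fields["data"] = int(fields["data"])
    return fields


def is_unavailable_critical_extension(message: str) -> bool:
    """True when the AD error string reports problem 5010 (UNAVAIL_EXTENSION),
    i.e. the server rejected a control that the client marked critical."""
    fields = parse_ad_error(message)
    return fields is not None and fields["problem"] == 5010


if __name__ == "__main__":
    supported = supported_controls(SAMPLE_ROOTDSE)
    print("access.log reports critical-control rejection:",
          is_unavailable_critical_extension(SAMPLE_LOG_LINE))
    # Same unsupported control, marked critical vs. non-critical.
    for critical in (True, False):
        code, applied, ignored = evaluate_controls(
            supported, [(PAGED_RESULTS, True), (PERSISTENT_SEARCH, critical)])
        print(f"critical={critical}: result={code} applied={applied} ignored={ignored}")
```

To use this against a real domain controller, replace SAMPLE_ROOTDSE with the output of the ldapsearch command in the comment (an anonymous base search of the rootDSE is normally permitted) and list the controls your client sends with their criticality flags; a result of 12 from evaluate_controls reproduces the condition behind problem 5010 without touching the directory. Dropping the criticality flag on the offending control makes the server ignore it, but whether the search still returns correct data without it is a separate question.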


Solution

Use recipient validation instead. A Windows Server 2008 R2 domain controller can be used without problems as an LDAP source for recipient validation. This option is available only in Symantec Brightmail Gateway 8.x and later; it is not available in Symantec Mail Security for SMTP 5.

Note: Windows Server 2008 Active Directory has not been certified with Symantec Brightmail Gateway or Symantec Mail Security for SMTP and is not considered a supported LDAP source.

This issue has been resolved in Brightmail Gateway 9.x.


References

RFC 2251, Section 4.1.12 (Controls)

Legacy ID

2009111708023654