Here’s how to troubleshoot problems you might have when setting up and running a sync with Directory Sync.
Set up
Couldn't save your directory settings error when adding the external directory
Make sure the Data Connectors API is turned on in the project. For details, go to Enable the Data Connectors API.
Multiple Directory Sync connections can't point to the same domain. Directory Sync compares base distinguished names (DNs) and, if the domains match, directory creation fails.
To resolve the issue, delete the connection with the matching DN before creating a new one with the same domain.
If you get this error in the Admin log events data, check the following:
- The Microsoft Active Directory (AD) server is up and running.
- Your network and firewalls are set up to allow incoming traffic on the LDAP port.
- You entered the authorized account credentials correctly, using the username@example.com or EXAMPLE\username format.
If you still get the error, add the Domain Name System (DNS) server details to resolve the AD host name. For details, go to Add an external directory.
You can also create a Linux virtual machine (VM) in the same subnet as the Virtual Private Cloud (VPC) access connector. Try to telnet to the AD server's IP address on port 636. If telnet fails, verify the AD server's network settings; for example, check that port 636 is open and reachable.
If telnet succeeds, verify that the AD server presents the expected certificate by entering the following command on the Linux VM (replace the placeholder with the AD server's IP address):
openssl s_client -showcerts -connect <external server IP address>:636
You can get 2 versions of this error in the Admin log events data.
Error 1–An error occurred while attempting to connect to server (Server IP) within the configured timeout of 10000 milliseconds
This error indicates that Directory Sync failed to connect to the Active Directory (AD) server. To troubleshoot, make sure you set up AD correctly. For details, go to Add an AD directory.
Error 2–An error occurred while attempting to establish a connection to server (Server IP): (SSLHandshakeException(sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
This error indicates that the AD TLS certificate doesn't match the certificate that you attached when configuring the external directory connection. To troubleshoot, make sure the certificates match. For details, go to Add an AD directory.
To save the AD TLS certificate locally, enter the following script in Microsoft PowerShell replacing localhost with your AD server DNS record or IP address:
# Works in Windows PowerShell 5.1. In PowerShell 7, replace "-encoding byte" with "-AsByteStream".
# Open a TLS connection to the LDAPS port; the request itself is expected to fail, so the error is ignored.
$webRequest = [Net.WebRequest]::Create("https://localhost:636")
try { $webRequest.GetResponse() } catch {}
# The certificate presented during the TLS handshake is kept on the ServicePoint.
$cert = $webRequest.ServicePoint.Certificate
# Export it in DER form and write it to Workspace.cer in the current directory.
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
set-content -value $bytes -encoding byte -path "$pwd\Workspace.cer"
If you are not able to test the connection between Google and Microsoft Azure Active Directory, check the admin log events for troubleshooting information. For details, go to Admin log events.
Sync issues
User could not be created error
You might get the following error in the Directory Sync log events: "User could not be created. Message: DOMAIN_OVER_USER_LIMIT_FIX_BY_CONTACT_SUPPORT."
This error indicates a user licensing issue. If you exceed the number of licenses available in Google Workspace or no licenses are available to assign, user creation fails and you get this error.
To troubleshoot, increase the number of licenses available to your users. For details, go to Purchase more user licenses.
If you get an error that starts with Result - referral, check that the base DN you entered when you set up the sync is correct.
If you're using global catalog port 3269, change it to 636.
In the Directory Sync log events, you might get sync errors with this description. The error usually occurs if the user account is inactive, or the email ID has an incorrect domain in AD. Refer to the tables to troubleshoot the issue in your logs.
Troubleshoot inactive user log entries
Log event & description | Troubleshooting steps |
---|---|
Event: Read Objects. Description: Read username with attributes ... ; suspended: true | A suspended: true message means that the user is inactive in your external directory. Go to your external directory and ensure that the user is active. |
Event: Object Updated. Description: Updated User username. Old attributes { suspended: false; }, new attributes { suspended: true; } | You get this message if you turned on the Suspend user in Google Directory setting and the user already exists in your Google account. Check your external directory to make sure the user is active, or update your deprovisioning rules. For details on deprovisioning, go to Suspend users not found in the external directory. |
Troubleshoot invalid email address & incorrect domain log entries
Log event & description | Troubleshooting steps |
---|---|
Event: Sync Error - Individual Object. Description: User username could not be created | Set up Directory Sync to replace the domain name for users. For details, go to Replace the domain name for synced users. Alternatively, use the same domain on both the source and target accounts. |
Event: Object Skipped - Unexpected Error. Description: Skipped syncing User. Update failed for username | Set up Directory Sync to replace the domain name for users. For details, go to Replace the domain name for synced users. Alternatively, use the same domain on both the source and target accounts. |
Event: Sync Error. Description: Skipping user: Cannot parse user's email from remote directory | The user has an invalid email address. Fix the email address in the external directory. |
Event: Sync Error. Description: Skipping user: username because organization unit path is not set in attribute department | If you turned on email domain name replacement, check the user attributes in the external directory. Ensure that the attribute you are using to place users in an organizational unit has a value. If email domain name replacement is not turned on, ensure that you use a valid email address for the user in the external directory. |
To complete these steps, you must have the super administrator or Directory Sync Admin role, or Manage Directory Sync Settings privilege.
If users and groups aren't synced:
- In your Google Admin console (at admin.google.com), click Directory Sync > External directories.
- Check the Sync Status of your directory.
- If the sync is inactive or unsuccessful, activate the sync.
For details, go to Run a sync.
If your Microsoft Domain Users group isn't syncing:
The Microsoft Domain Users group is not supported by Directory Sync. To work around this:
- In Active Directory, create a new group that contains all the applicable members and permissions of the Microsoft Domain Users group.
- Add that group as a member of the Microsoft Domain Users group.
- Use the new group to manage members and sync.
Note: Don't change the attributes of the Microsoft Domain Users group, because doing so may trigger other unexpected behavior.
You can find more troubleshooting information about this error in the Directory Sync log events:
- Open the Directory Sync log events. For details, go to Access Directory Sync log event data.
- Click Add a filter > Target object ID.
- Enter the email address of the user and click Apply.
- If you get an:
  - Object Updated event with the description New attributes {suspended: true}, Directory Sync suspended the user because their account isn't active in AD.
  - Object Deprovisioned event, check if the user in AD is deleted or has been moved to another path that doesn't fall under the LDAP search scope.
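The troubleshooting tables above and the log-event filtering steps both come down to reading the Event and Description fields and mapping them to a cause. The following added example (not Google's code) applies those mappings to constructed sample log lines; the event and description strings are taken from the tables, while the usernames and the exact line layout are assumptions.

```python
import re

# Constructed sample lines in the "Event: ... Description: ..." form used in the tables above.
SAMPLE_LOG = """\
Event: Read Objects Description: Read jdoe@example.com with attributes ... ; suspended: true
Event: Object Updated Description: Updated User jdoe@example.com. Old attributes { suspended: false; }, new attributes { suspended: true; }
Event: Sync Error Description: Skipping user: Cannot parse user's email from remote directory
Event: Sync Error Description: Skipping user: asmith because organization unit path is not set in attribute department
Event: Sync Error - Individual Object Description: User bkim@example.com could not be created
Event: Sync Error - Individual Object Description: User could not be created. Message: DOMAIN_OVER_USER_LIMIT_FIX_BY_CONTACT_SUPPORT.
Event: Object Deprovisioned Description: Deprovisioned User cpark@example.com
Event: Object Updated Description: Updated User dlee@example.com. Old attributes { suspended: true; }, new attributes { suspended: false; }
"""
EVENT_RE = re.compile(r"^Event:\s*(?P<event>.*?)\s+Description:\s*(?P<desc>.*)$")
NEW_ATTRS_RE = re.compile(r"new attributes \{([^}]*)\}")
UNKNOWN = ("no-known-cause", "No troubleshooting rule matched; review the event manually.")

# (regex over the description, cause, next step), checked in order; the first match wins.
RULES = [
    (r"DOMAIN_OVER_USER_LIMIT", "license-limit", "Purchase more user licenses."),
    (r"Cannot parse user's email", "invalid-email", "Fix the email address in the external directory."),
    (r"organization unit path is not set in attribute", "missing-ou-attribute", "Give the OU attribute a value."),
    (r"could not be created|Update failed for", "domain-mismatch", "Replace the domain name or use the same domain."),
    (r"suspended: true", "inactive-in-ad", "Make sure the user is active in the external directory."),
]

def classify_line(line):
    """Return (event, cause, next step) for one log line, or None if it isn't an event line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event, desc = m.group("event"), m.group("desc")
    if event == "Object Deprovisioned":
        return (event, "deprovisioned", "Check whether the AD user was deleted or moved outside the LDAP search scope.")
    if event == "Object Updated":  # only the new attribute set shows what the sync decided
        new = NEW_ATTRS_RE.search(desc)
        if new and "suspended: true" in new.group(1):
            return (event, "inactive-in-ad", "Directory Sync suspended the user because the account isn't active in AD.")
        return (event, *UNKNOWN)
    for pattern, cause, step in RULES:
        if re.search(pattern, desc):
            return (event, cause, step)
    return (event, *UNKNOWN)

def classify_log(text):
    """Classify every event line in a log excerpt, skipping lines that aren't events."""
    return [r for r in (classify_line(l) for l in text.splitlines()) if r]
```

Note that an Object Updated event is judged only on its new attribute set, so an unsuspension (suspended: true in the old attributes) is not reported as an inactive user.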
Identify what users are missing and make sure that the user:
- Isn't inactive in your external directory
- Is a direct member of the group you specified when setting up the user sync
- Is a user object and not a contact in your external directory
- Has an email ID that is present in your external directory, with a domain that matches your Google Workspace domain
You can find more troubleshooting information in the Directory Sync log events:
- Open the Directory Sync log events. For details, go to Access Directory Sync log event data.
- Click Add a filter > Source object ID.
- Add the DN of the user and click Apply.
- Locate any Sync Error events and review the errors.
- Search for Read Object events with the DN of the user.
- If you can't find any Read Object events, Directory Sync has not synced the user. Common reasons are:
  - The user membership doesn't fall within the LDAP search scope (the user doesn't reside at or below the base DN of the group specified when you set up the user sync).
  - Directory Sync is communicating with a different domain controller, and an incremental sync isn't picking up all the changes. Verify that the hostname and IP address point to the same domain controller.
Check that the group member:
- Has the mail attribute value set and an email ID in a valid format
- Doesn't reside at or below the base DN of the group
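The missing-user checklist above can be run against the user's LDAP attributes before you dig through the logs. The following added example (not Google's code) does that for constructed user records; the base DN, sync group, Workspace domain and user names are assumptions, and the active/inactive test uses the ACCOUNTDISABLE bit of the AD userAccountControl attribute.

```python
import re

# Assumed sync settings (not from the page): base DN and group chosen when setting up the user sync.
BASE_DN = "OU=Staff,DC=example,DC=com"
SYNC_GROUP = "CN=Workspace-Users,OU=Groups,DC=example,DC=com"
WORKSPACE_DOMAIN = "example.com"
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on inactive AD accounts

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def in_scope(dn, base_dn):
    """True when dn is at or below base_dn (case-insensitive, ignoring spaces after commas)."""
    d, b = dn.lower().replace(", ", ","), base_dn.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)

def missing_user_reasons(user):
    """Return the checklist items the user fails; an empty list means it should sync."""
    reasons = []
    if user.get("userAccountControl", 0) & ACCOUNTDISABLE:
        reasons.append("inactive in the external directory")
    if SYNC_GROUP.lower() not in (g.lower() for g in user.get("memberOf", [])):
        reasons.append("not a direct member of the sync group")
    classes = user.get("objectClass", [])
    if "user" not in classes or "contact" in classes:
        reasons.append("is a contact, not a user object")
    if not in_scope(user["dn"], BASE_DN):
        reasons.append("outside the LDAP search scope (not at or below the base DN)")
    m = EMAIL_RE.match(user.get("mail", ""))
    if not m:
        reasons.append("mail attribute missing or not a valid email address")
    elif m.group(1).lower() != WORKSPACE_DOMAIN:
        reasons.append("email domain differs from the Google Workspace domain")
    return reasons

# Constructed sample records shaped like the relevant LDAP attributes.
USERS = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "alice@example.com", "memberOf": [SYNC_GROUP], "userAccountControl": 0x200},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "bob@corp.example.net", "memberOf": [SYNC_GROUP], "userAccountControl": 0x202},
    {"dn": "CN=Carol,OU=Contractors,DC=example,DC=com", "objectClass": ["top", "person", "contact"],
     "mail": "carol@example.com", "memberOf": [], "userAccountControl": 0},
]

def report(users):
    """Map each user's DN to the list of reasons it would be missing from the sync."""
    return {u["dn"]: missing_user_reasons(u) for u in users}
```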
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.