GCDS error messages

You might encounter the following error messages when using Google Cloud Directory Sync (GCDS). Use the table below to troubleshoot errors.

Try the Log Analyzer

This tool can identify most issues within a few moments of submission. 

Error messages & solutions

Error message Description & solution

Network problem: Unable to connect to the specified LDAP server: simple bind failed: servername:636, reason: SSLHandshakeException - No subject alternative names present

Network problem: Unable to connect to the specified LDAP server: simple bind failed: servername:636, reason: SSLHandshakeException - No subject alternative DNS name matching servername found

The certificate's Common Name (CN) and Subject Alternative Name (SAN) don't match the name of the LDAP server in your GCDS configuration file.

To fix this, either:

  • Correct your GCDS configuration file–If you have added the LDAP server IP address in the GCDS configuration, enter its Fully Qualified Domain Name (FQDN) as well (for example, dc01.solarmora.com).
  • Add a SAN to the certificate–Make sure that the SAN includes the name of the LDAP server that you're using in the GCDS configuration.

As a temporary workaround, you can turn off endpoint identification by adding a new line to the config-manager.vmoptions and sync-cmd.vmoptions files in the GCDS installation folder. Remove the line break before adding to the files:

-Dcom.sun.jndi.ldap.object. disableEndpointIdentification=true

sun.security.provider.certpath.SunCertPathBuilder Exception: unable to find valid certification path to requested target

ldap_simple_bind_s() failed: Strong Authentication Required

Follow the steps in Troubleshoot certificate-related problems.
InvalidCipherTextException: Invalid encryption parameters. Salt/Iteration/Initialization Vector If you're running GCDS on a computer that doesn't have a GUI, you might not have imported the key correctly. For steps, go to How do I authorize GCDS on a machine without a GUI?
java.lang.RuntimeException: Encountered unrecoverable SQLException. The state database specified "path-to-folder\syncState\folder-name" Locate and delete the folder identified in the message. Then, start the sync again.
java.sql.SQLException: Invalid checksum on Page

Another process is accessing the cache folder or files at the same time as GCDS.

To troubleshoot, download and run Microsoft's Process Monitor and create a filter. In the filter options, use Path, Contains, and path-to-folder\syncState to identify the processes that are accessing the folder or files.

For more information, go to Process Monitor.
Invalid Input: query You entered an invalid query in the Users Search Query field. Remove the search query or make sure that it meets the search guidelines in Search for users.

For more information about users' search queries, go to Omit data with exclusion rules & queries.

SocketException - Connection reset

If you get this message when you're connecting to the LDAP server, the server has closed the connection. Possible reasons are:

  • You're using LDAP+SSL and the LDAP server isn't configured to accept the TLS parameters that GCDS supports (for example, cipher suite). Make sure your LDAP server has the latest security updates and settings.
  • A firewall rule is blocking the connection.
A lock could not be obtained within the time requested To troubleshoot this issue:
  1. Make sure that only one instance of GCDS is running on your computer.

    You can run only one instance of GCDS at a time using the same XML file.

  2. Restart the system to ensure that no other processes are accessing the GCDS cache database. Then, run the sync again.
  3. If the issue remains, locate and rename the SyncState folder to force GCDS to create a new cache database. You can find the folder under the user profile folder (Windows) or in the home directory (Linux).
Error 400: invalid_request: The version of the app you're using doesn't include the latest security features to keep you protected. Please make sure to download from a trusted source and update to the latest, most secure version. Make sure you're using the latest version of GCDS. For details, go to Update GCDS.
java.sql.SQLException: Directory <directory> cannot be created. GCDS requires full permission to the directory to maintain the sync state database. You might see this error if:
  • GCDS is running as a different user than the one that installed GCDS
  • Permissions have changed since installation
org.jdom.input.
JDOMParseException:
Error on line 1: Content is not allowed in prolog
GCDS is trying to load a configuration file with an unsupported character encoding.

GCDS uses UTF-8 as the default character encoding. You should use the same encoding for your configuration files, although other encodings are compatible.

To resolve this issue:

  1. Change the encoding of your configuration file to UTF-8:
    1. Open a text editor.
    2. Save the file with a different encoding.
  2. Verify that the content of your configuration file is correct.
  3. Try to load the configuration file on GCDS again.

The most common unsupported encodings are UTF-7 and UTF-8 BOM.

javax.net.ssl.
SSLHandshakeException:
connection during handshake
A network connection issue prevented GCDS from completing a Secure Sockets Layer (SSL) handshake with the Google server. A computer routing a packet too slowly or your ISP losing service temporarily can cause this issue.

GCDS attempts to complete the SSL handshake up to 3 times. If you see the following message in the logs, GCDS completed the handshake successfully on subsequent attempts, and no further action is needed: [usersyncapp.sync.FullSyncAgent] No differences detected, no changes necessary.

Work with your local network administrator to see what might be causing network timeouts.

Quota exceeded for the current request If you get this error in the logs, it means that GCDS is temporarily blocked from using Google APIs. GCDS retries the APIs, and your sync should continue as expected.

If you get the error in the sync summary report and the sync didn’t complete correctly, contact support. For details, go to What GCDS information do I need before contacting support?

java.lang.RuntimeException:
Unknown LDAP search rule scope "null"
A rule in one of the following sections of Configuration Manager is empty:
  • LDAP Configurationand thenOrg Units and thenSearch Rules
  • LDAP Configurationand thenUsersand thenUser Sync
  • LDAP Configurationand thenGroupsand thenGroup Search Rules
  • LDAP Configurationand thenUser Profilesand thenUser Profiles Sync
  • LDAP Configurationand thenShared Contactsand thenContacts Sync

For more information, go to Set up your sync with Configuration Manager.

Invalid digest length for password The password encryption method for syncing passwords has not been correctly configured in Configuration Manager, or your LDAP server uses an encryption method that isn't supported by GCDS. The supported methods are Plaintext, Base64, MD5, and SHA1. To sync passwords with Microsoft Active Directory, use Password Sync.

For more information, go to How will you synchronize passwords? and Update GCDS.

0 nested group(s) GCDS isn't correctly distinguishing between users and nested groups on your LDAP server. To resolve this issue:
  1. Add the following line to your configuration file, in the <features> section:
    GROUP_NESTED_GROUPS_AS_USERS
  2. Enclose the line in <optional> tags.
  3. Save your configuration file and sync.
Suspend user GCDS might try to make unexpected changes if you perform a sync with a configuration file that was duplicated outside of Configuration Manager. The new configuration file is accessing the same cache as the original configuration file, and inconsistencies between the 2 can cause users to be suspended.

To duplicate a GCDS configuration file, always use the Save As option in Configuration Manager. Doing so ensures that the new configuration file has its own cache.

For more information, go to Work with configuration files.

Skipping unknown member You're using an older GCDS XML configuration file, and GCDS encountered a group member that isn't included in your configuration's user search rules. You should include all group members and owners in your user search rules, even if you don't want to sync those users to the Google domain. GCDS needs to extract the email addresses for these users to process groups properly.

Alternatively, create a new, blank XML configuration file. GCDS then enables an independent group sync, which forces GCDS to resolve group members regardless of user sync rules. If you're not sure, this is the recommended option.

When making any configuration changes or creating a new configuration file, make sure you run a simulation and review the results before running a full sync.

For more information, go to Define your user list.

com.google.data.client.
GoogleServiceException:
Invalid credentials
The admin account you specified in Configuration Manager isn't an administrator, or the username and password is incorrect.

In Configuration Manager, go to Google Domainand thenSettings, and verify the administrator account information specified in Admin Email Address.

For more information, go to Define your Google domain settings.

com.google.gdata.util.
ResourceNotFoundException:
The sync key attribute specified in the Shared Contacts section of Configuration Manager returns empty values from your LDAP server. Select an attribute from the LDAP server that contains the sync key value for every resource and never returns a null or empty string.
Computed differences exceed
configured deletion limits,
not applying changes
The deletion or suspension limit set in GCDS has been reached. Change the Delete Limits setting in GCDS to avoid this error, or see the sync log for more details on what would have been deleted or suspended, and decide if you need to change the limit.
InvalidEmail GCDS is attempting to create a user or email alias that exists in a domain that is not part of your Google Account. Try these options:
  • In Configuration Manager, go to User Accountsand thenExclusion Rules and create user exclusion rules that exclude users in external domains.
  • Change your user search rules so that users in external domains are not returned.
  • Add the missing domain to your Google Account as a secondary domain.
Domain user limit reached GCDS is syncing more users than your account is provisioned for. Try these options:
  • In Configuration Manager, go to User Accountsand thenSearch rules and limit the scope of your user search to return fewer users.
  • In Configuration Manager, make sure you've specified the proper DN that points to the root containing only users that need to be imported into the Google domain.
  • You can also get more user licenses. For more information, go to Purchase more user licenses.
java.lang.RuntimeException:
javax.naming.InvalidNameException:
[LDAP: error code 34 - invalid DN]
A base DN specified in Configuration Manager might be pointing to an object that doesn't exist on your LDAP server. Check the base DN specified in your LDAP connection, user, group, profile, and shared contacts filter sections. Ensure that you use an existing object as the base DN for each.
java.security.cert.
CertPathValidatorException:
revocation status check failed:
no CRL found
Another service or network device is preventing GCDS from contacting the certificate authority for the HTTPS certificate used for APIs. Check for firewall or proxy rules that would restrict connections from the machine running GCDS.

If a proxy is required to access the web from the machine running GCDS, it must be configured properly.

To work around the issue, you can disable the certificate revocation list (CRL) check. To disable the CRL check, add the following lines to the config-manager.vmoptions and sync-cmd.vmoptions files in the GCDS installation directory:
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

For more information, go to How GCDS checks certificate revocation lists.

javax.naming.directory.
InvalidSearchFilterException:
Unbalanced parenthesis; remaining name
The queries specified in one or more of the following pages of Configuration Manager don't have balanced parentheses:
  • LDAP Configurationand thenOrg Unitsand thenSearch Rules
  • LDAP Configurationand thenUsersand thenUser Sync
  • LDAP Configurationand thenGroupsand thenGroup Search Rules
  • LDAP Configurationand thenUser Profilesand thenUser Profiles Sync
  • LDAP Configurationand thenShared Contactsand thenContacts Sync
Root exception is javax.naming.
CommunicationException:

servername:389
GCDS can't resolve the given LDAP server name. Make sure you enter a fully qualified domain name for the LDAP server, and ensure that the computer running GCDS can resolve it.

Note: When using Active Directory, use your domain's fully qualified domain name as the server name.

SSL peer shut down incorrectly The issue is usually due to traffic being forced through a proxy. If you're using a proxy, you need to configure the GCDS proxy settings.

Ensure that GCDS can connect to these specific URLs and ports by completing the steps in Allow access to URLs & ports.

Security software on the local computer might create connection problems. Ask your administrator to disable any security software on the client machine and try again.

You are not authorized to access this API Confirm that you enabled the required Google APIs.

For more information, go to Authorize your Google Account.

Domain user limit exceeded You have attempted to add more users than you have user licenses for. Contact your sales representative to purchase more user licenses. Or, change your LDAP queries to synchronize fewer users.
java.lang.RuntimeException: Failed to execute query because the object at Base DN: "DC=domain,DC=com" is missing or inaccessible Start by checking the DN in both the LDAP Configuration tab and in any of search rules where you've defined a base DN override.

If that does not resolve the issue, and you're certain that the DN is valid, the issue might be with DNS resolution. You might see additional error information in the log such as:

  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]

These errors identify that the hostname is refusing the connection or timing out. Try running a DNS lookup on this hostname, and make sure that all of the addresses being returned are valid and allow connections on the port you've configured.

Note: These errors can occur even if you've specified a valid hostname or IP address in the GCDS configuration. Active Directory might issue an LDAP referral response, directing GCDS to connect through a hostname. This referral might ultimately be to the hostname that is failing to resolve. You can avoid these referrals by connecting to your Active Directory server using the Global Catalog port, which defaults to 3268. For details, consult your Microsoft documentation.

Character is invalid at location Some of the information in the custom schema is not valid. To check the limits that apply to custom schema, go to Directory API: Custom User Fields.

If you have trace-level logs enabled, you can also see the full HTTP request for the custom schema.

java.util.concurrent.
ExecutionException: java.lang.OutOfMemoryError: GC
overhead limit exceeded
The defined memory limit was exceeded. This event caused the sync to fail.

To resolve this issue, go to What if I'm seeing memory-related errors?

Failed trying to connect to the specified LDAP server GCDS can't connect to the LDAP server. Make sure:
  • You’re using the correct communication protocol. If the LDAP server requires a secure protocol, use LDAP + SSL.
  • The LDAP server is active and doesn’t have any connection issues.
Network problem: Unable to connect to the specified LDAP server GCDS can't find the LDAP server. Make sure that the computer running GCDS has access to the specified host and port.
Authentication problem: Unable to connect using the credentials supplied The LDAP server is rejecting GCDS requests due to an authentication issue.

Make sure that the authorized user and their password are correct. You should add the authorized user using their complete DN. For details on adding the authorized user, go to LDAP connection settings.

Failed to execute query at Base DN <base-dn> GCDS can't connect to the base DN. Make sure:
  • The base DN exists in the LDAP server.
  • The authorized user has permissions for the base DN. For details, go to LDAP connection settings.
Failed to execute query at Base DN <base-dn> for attribute: <attribute>, reason: NameNotFoundException GCDS is failing to retrieve information from the LDAP server. Make sure:
  • The <base-dn> object exists and is accessible to the authorized user. For details, go to LDAP connection settings.
  • The <attribute> exists for the <base-dn> object in the LDAP server.

Member already exists

You might see this error if:
  • You have a member whose primary LDAP address is an alias address in Google Workspace. Avoid this situation, if possible (for example, use a different username for the alias).
  • A user account has the same username for 2 alias addresses. And, on the Google Domain Configuration page, you have checked the Replace domain names in LDAP email addresses box.

    When you check the box, both email addresses are changed to match the domain listed in the Alternate email domain field.

Uncheck the box or change one of the alias usernames.

If you also get the following message in the logs: "Error while adding member user-email-address to group group-email-address due to address collision" check whether:

  • GCDS excluded the user with user-email-address from the sync based on your exclusion rules. Check your exclusion rules and try again. For details, go to Omit data with exclusion rules & queries.
  • You updated the user or group outside of GCDS. Clear the cache and try again.
Invalid Input: INVALID_OU_ID GCDS is trying to place a user into an organizational unit that doesn't exist in your organization’s Google account. Adjust your user search rules and try again. For details, go to User search rules.

Related topic

Troubleshoot common GCDS issues


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
4782558446605516000
true
Search Help Center
true
true
true
true
true
73010
false
false