GCDS error messages

You might encounter the following error messages when using Google Cloud Directory Sync (GCDS). Use the table below to troubleshoot errors.

Try the Log Analyzer

This tool can identify most issues within a few moments of submission. 

Error messages & solutions

Error message Description & solution
Error 400: invalid_request: The version of the app you're using doesn't include the latest security features to keep you protected. Please make sure to download from a trusted source and update to the latest, most secure version.
Make sure you're using the latest version of GCDS. For details, go to Update GCDS.
java.sql.SQLException: Directory <directory> cannot be created.
GCDS requires full permission to the directory to maintain the sync state database. You might see this error if:
  • GCDS is running as a different user to the one that installed GCDS.
  • Permissions have changed since installation.
Error on line 1: Content is not allowed in prolog
GCDS is trying to load a configuration file with an unsupported character encoding.

GCDS uses UTF-8 as default character encoding. It is recommended that you use the same encoding for your configuration files, although other encodings are compatible.

To resolve this issue:

  1. Change the encoding of your configuration file to UTF-8:
    1. Open a text editor.
    2. Save the file with a different encoding.
  2. Verify that the content of your configuration file is correct.
  3. Try to load the configuration file on GCDS again.

The most common unsupported encodings are UTF-7 and UTF-8 BOM.
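
A pre-flight check for the encoding problem described above, as an added example that is not part of the original page or of GCDS: it labels the byte signature at the start of a configuration file and re-encodes the file as UTF-8 without a BOM. It also recognizes UTF-16 and UTF-32 signatures, which goes beyond the two encodings the page names; the function names and sample bytes are constructed for illustration.

```python
import codecs

# Byte signatures that can precede the XML prolog, as (signature, label, codec).
# UTF-32 LE must be tested before UTF-16 LE because their BOMs share a prefix.
SIGNATURES = [
    (codecs.BOM_UTF8, "UTF-8 BOM", "utf-8-sig"),
    (codecs.BOM_UTF32_LE, "UTF-32", "utf-32"),
    (codecs.BOM_UTF32_BE, "UTF-32", "utf-32"),
    (codecs.BOM_UTF16_LE, "UTF-16", "utf-16"),
    (codecs.BOM_UTF16_BE, "UTF-16", "utf-16"),
    (b"+/v", "UTF-7", "utf-7"),  # every UTF-7 spelling of U+FEFF starts "+/v"
]


def diagnose(data: bytes):
    """Return (label, codec) for the file's leading bytes."""
    for signature, label, codec in SIGNATURES:
        if data.startswith(signature):
            return label, codec
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return f"not UTF-8 (byte offset {exc.start})", None
    return "UTF-8", "utf-8"


def to_plain_utf8(data: bytes) -> bytes:
    """Re-encode as UTF-8 without a BOM; raise ValueError if that is not possible."""
    label, codec = diagnose(data)
    if codec is None:
        raise ValueError(label)
    text = data.decode(codec).lstrip("\ufeff")
    if not text.lstrip().startswith("<"):
        raise ValueError("non-XML content before the first tag")
    return text.encode("utf-8")


if __name__ == "__main__":
    # Constructed samples, not real GCDS configuration files.
    samples = {
        "bom.xml": codecs.BOM_UTF8 + b"<config/>",
        "utf7.xml": "\ufeff<config/>".encode("utf-7"),
        "plain.xml": b"<config/>",
    }
    for name, raw in samples.items():
        print(name, diagnose(raw)[0], to_plain_utf8(raw))
```

If the file's XML declaration names an encoding other than UTF-8, update that attribute after converting so the declaration matches the bytes.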

connection during handshake
A network connection issue prevented GCDS from completing a Secure Sockets Layer (SSL) handshake with the Google server. A machine routing a packet too slowly or your ISP losing service temporarily can cause this issue.

GCDS automatically attempts to complete the SSL handshake up to 3 times. If you see the following message in the logs, GCDS completed the handshake successfully on subsequent attempts, and no further action is needed: [usersyncapp.sync.FullSyncAgent] No differences detected, no changes necessary.

Work with your local network administrator to see what might be causing network timeouts.

Quota exceeded for the current request
GCDS is temporarily blocked from using Google APIs because of overuse. Wait 24 hours before attempting to sync again, as you might have reached an API quota limit.

If you see this error message again, check the final sync summary. If no users failed to sync, GCDS automatically retried the blocked request and succeeded, and no further action is needed.

Google API limits should be sufficient for day-to-day use. However, you might reach a limit if you simulate multiple syncs or sync all of your users' passwords with GCDS. If you enter the sync-cmd command with an automated script, try running it less frequently each day.

If this is a critical issue, try using a different admin account to authenticate to GCDS or use OAuth authentication.

Unknown LDAP search rule scope "null"
A rule in one of the following sections of Configuration Manager is empty:
  • LDAP Configuration > Org Units > Search Rules
  • LDAP Configuration > Users > User Sync
  • LDAP Configuration > Groups > Group Search Rules
  • LDAP Configuration > User Profiles > User Profiles Sync
  • LDAP Configuration > Shared Contacts > Contacts Sync

For more information, go to Set up your sync with Configuration Manager.

Invalid digest length for password
The password encryption method for syncing passwords has not been correctly configured in Configuration Manager, or your LDAP server uses an encryption method that isn't supported by GCDS. The supported methods are Plaintext, Base64, MD5, and SHA1. To sync passwords with Microsoft Active Directory, use Password Sync.

For more information, go to How will you synchronize passwords? and Optional: Update GCDS.

0 nested group(s)
GCDS isn't correctly distinguishing between users and nested groups on your LDAP server. To resolve this issue:
  1. Add the following line to your configuration file, in the <features> section:
  2. Enclose the line in <optional> tags.
  3. Save your configuration file and sync.
Suspend user
GCDS might try to make unexpected changes if you perform a sync with a configuration file that was duplicated outside of Configuration Manager. The new configuration file is accessing the same cache as the original configuration file, and inconsistencies between the 2 can cause users to be suspended.

To duplicate a GCDS configuration file, always use the Save As option in Configuration Manager. Doing so ensures that the new configuration file has its own cache.

For more information, go to Work with configuration files.

Skipping unknown member
You're using an older GCDS XML configuration file, and GCDS encountered a group member that isn't included in your configuration's user search rules. You should include all group members and owners in your user search rules, even if you don't want to sync those users to the Google domain. GCDS needs to extract the email addresses for these users to process groups properly.

Alternatively, create a new, blank XML configuration file. GCDS then enables an independent group sync, which forces GCDS to resolve group members regardless of user sync rules. If you're not sure, this is the recommended option.

When making any configuration changes or creating a new configuration file, make sure you run a simulation and review the results before running a full sync.

For more information, go to Define your user list.

Invalid credentials
The admin account you specified in Configuration Manager isn't an administrator, or the username and password are incorrect.

In Configuration Manager, go to Google Domain > Settings and verify the administrator account information specified in Admin Email Address.

For more information, go to Define your Google domain settings.

The sync key attribute specified in the Shared Contacts section of Configuration Manager returns empty values from your LDAP server. Select an attribute from the LDAP server that contains the sync key value for every resource and never returns a null or empty string.
Computed differences exceed configured deletion limits, not applying changes
The deletion or suspension limit set in GCDS has been reached. Change the Delete Limits setting in GCDS to avoid this error, or see the sync log for more details on what would have been deleted or suspended and decide if you need to change the limit.
InvalidEmail
GCDS is attempting to create a user or email alias that exists in a domain that is not part of your Google Account. Try these options:
  • In Configuration Manager, go to User Accounts > Exclusion Rules and create user exclusion rules that exclude users in external domains.
  • Change your user search rules so that users in external domains are not returned.
  • Add the missing domain to your Google Account as a secondary domain.
Domain user limit reached
GCDS is syncing more users than your account is provisioned for. Try these options:
  • In Configuration Manager, go to User Accounts > Search rules and limit the scope of your user search to return fewer users.
  • In Configuration Manager, make sure you've specified the proper base distinguished name (DN) that points to the root containing only users that need to be imported into the Google domain.
[LDAP: error code 34 - invalid DN]
A base DN specified in Configuration Manager might be pointing to an object that doesn't exist on your LDAP server. Check the base DN specified in your LDAP connection, user, group, profile, and shared contacts filter sections. Ensure that you use an existing object as the base DN for each.
revocation status check failed: no CRL found
Another service or network device is preventing GCDS from contacting the certificate authority for the HTTPS certificate used for APIs. Check for firewall or proxy rules that would restrict connections from the machine running GCDS.

If a proxy is required to access the web from the machine running GCDS, it must be configured properly.

To work around the issue, you can disable the certificate revocation list (CRL) check. To disable the CRL check, add the following lines to the config-manager.vmoptions and sync-cmd.vmoptions files in the GCDS installation directory:

For more information, go to How GCDS checks certificate revocation lists.

Unbalanced parenthesis; remaining name
The queries specified in one or more of the following pages of Configuration Manager don't have balanced parentheses:
  • LDAP Configuration > Org Units > Search Rules
  • LDAP Configuration > Users > User Sync
  • LDAP Configuration > Groups > Group Search Rules
  • LDAP Configuration > User Profiles > User Profiles Sync
  • LDAP Configuration > Shared Contacts > Contacts Sync
Root exception is javax.naming.

GCDS can't resolve the given LDAP server name. Make sure you enter a fully qualified domain name for the LDAP server and ensure that the computer running GCDS can resolve it.

Note: When using Active Directory, use your domain's fully qualified domain name as the server name.

SSL peer shut down incorrectly
The issue is usually due to traffic being forced through a proxy. If you're using a proxy, you need to configure the GCDS proxy settings.

Ensure that GCDS can connect to these specific URLs and ports by completing the steps in Connections & security.

Security software on the local computer might create connection problems. Ask your administrator to disable any security software on the client machine and try again.

You are not authorized to access this API
Confirm that you enabled the required Google APIs.

For more information, go to Authorize your Google Account.

Domain user limit exceeded
You have attempted to add more users than you have user licenses for. Contact your sales representative to purchase more user licenses. Or, change your LDAP queries to synchronize fewer users.
java.lang.RuntimeException: Failed to execute query because the object at Base DN: "DC=domain,DC=com" is missing or inaccessible
Start by checking the DN in both the LDAP Configuration tab and in any search rules where you've defined a base DN override.

If that does not resolve the issue, and you're certain that the DN is valid, the issue might be with DNS resolution. You might see additional error information in the log such as:

  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]

These errors identify that the hostname is refusing the connection or timing out. Try running a DNS lookup on this hostname, and make sure that all of the addresses being returned are valid and allow connections on the port you've configured.

Note: These errors can occur even if you've specified a valid hostname or IP address in the GCDS configuration. Active Directory might issue an LDAP referral response, directing GCDS to connect through a hostname. This referral might ultimately be to the hostname which is failing to resolve. You can avoid these referrals by connecting to your Active Directory server using the Global Catalog port which defaults to 3268. For details, consult your Microsoft documentation.
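
The DNS check described above, as an added example that is not part of the original page or of GCDS: it resolves the LDAP hostname and attempts a TCP connection to every address returned, so a single stale or unreachable record in a multi-address answer shows up. The function name and status strings are constructed for illustration; the hostname and port are supplied on the command line.

```python
import socket
import sys


def check_endpoints(host, port, timeout=3.0):
    """Resolve host, then try a TCP connect to every address returned.

    Returns a list of (address, status) pairs so that one bad record in a
    multi-address answer is visible even when the others accept connections.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"dns failure: {exc}")]

    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        address = sockaddr[0]
        if address in seen:
            continue
        seen.add(address)
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "ok"
        except ConnectionRefusedError:
            status = "refused"    # corresponds to "Connection refused: connect"
        except (socket.timeout, TimeoutError):
            status = "timed out"  # corresponds to "Connection timed out: connect"
        except OSError as exc:
            status = f"error: {exc}"
        results.append((address, status))
    return results


if __name__ == "__main__":
    # Usage: python check_ldap.py <ldap-hostname> <port>
    for address, status in check_endpoints(sys.argv[1], int(sys.argv[2])):
        print(f"{address}: {status}")
```

Run it from the machine that runs GCDS, once with the port you've configured and once with the Global Catalog port, and compare the results per address.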

Character is invalid at location
Some of the information in the custom schema is not valid. To check the limits that apply to custom schema, go to Directory API: Custom User Fields.

If you have trace-level logs enabled, you can also see the full HTTP request for the custom schema.

ExecutionException: java.lang.OutOfMemoryError: GC overhead limit exceeded
The defined memory limit was exceeded. This event caused the sync to fail.

To resolve this issue, go to What if I'm seeing memory-related errors?

Failed trying to connect to the specified LDAP server
GCDS can't connect to the LDAP server. Make sure:
  • You’re using the correct communication protocol. If the LDAP server requires a secure protocol, use LDAP + SSL.
  • The LDAP server is active and doesn’t have any connection issues.
Network problem: Unable to connect to the specified LDAP server
GCDS can't find the LDAP server. Make sure that the computer running GCDS has access to the specified host and port.
Authentication problem: Unable to connect using the credentials supplied
The LDAP server is rejecting GCDS requests due to an authentication issue.

Make sure that the authorized user and their password are correct. The authorized user should be added using their complete distinguished name (DN). For details on adding the authorized user, go to LDAP connection settings.

Failed to execute query at Base DN <base-dn>
GCDS can't connect to the base distinguished name (DN). Make sure:
  • The base DN exists in the LDAP server.
  • The authorized user has permissions for the base DN. For details, go to LDAP connection settings.
Failed to execute query at Base DN <base-dn> for attribute: <attribute>, reason: NameNotFoundException
GCDS is failing to retrieve information from the LDAP server. Make sure:
  • The <base-dn> object exists and is accessible to the authorized user. For details, go to LDAP connection settings.
  • The <attribute> exists for the <base-dn> object in the LDAP server.
Member already exists
You might see this error if:
  • You have a member whose primary LDAP address is an alias address in Google Workspace. Avoid this situation, if possible (for example, use a different username for the alias).
  • A user account has the same username for 2 alias addresses. And, on the Google Domain Configuration page, you have checked the Replace domain names in LDAP email addresses box.

    When you check the box, both email addresses are changed to match the domain listed in the Alternate email domain field.

Uncheck the box or change one of the alias usernames.
