You might encounter the following error messages when using Google Cloud Directory Sync (GCDS). Use the table below to troubleshoot errors.
Try the Log Analyzer
This tool can identify most issues within a few moments of submission.
Get details on how to enable trace-level logging.
Error messages & solutions
|Error message||Description & solution|
|Error 400: invalid_request: The version of the app you're using doesn't include the latest security features to keep you protected. Please make sure to download from a trusted source and update to the latest, most secure version.||Make sure you're using the latest version of GCDS. For details, go to Update GCDS.|
|java.sql.SQLException: Directory <directory> cannot be created.||GCDS requires full permission to the directory to maintain the sync state database. You might see this error if:
|Error on line 1: Content is not allowed in prolog||GCDS is trying to load a configuration file with an unsupported character encoding.
GCDS uses UTF-8 as default character encoding. It is recommended that you use the same encoding for your configuration files, although other encodings are compatible.
To resolve this issue:
The most common unsupported encodings are UTF-7 and UTF-8 BOM.
|connection during handshake||A network connection issue prevented GCDS from completing a Secure Sockets Layer (SSL) handshake with the Google server. A machine routing a packet too slowly or your ISP losing service temporarily can cause this issue.
GCDS automatically attempts to complete the SSL handshake up to 3 times. If you see the following message in the logs, GCDS completed the handshake successfully on subsequent attempts, and no further action is needed: [usersyncapp.sync.FullSyncAgent] No differences detected, no changes necessary.
Work with your local network administrator to see what might be causing network timeouts.
|Quota exceeded for the current request||GCDS is temporarily blocked from using Google APIs because of overuse. Wait 24 hours before attempting to sync again, as you might have reached an API quota limit.
If you see this error message again, check the final sync summary. If no users failed to sync, GCDS automatically retried the blocked request and succeeded, and no further action is needed.
Google API limits should be sufficient for day-to-day use. However, you might reach a limit if you simulate multiple syncs or sync all of your users' passwords with GCDS. If you enter the sync-cmd command with an automated script, try running it less frequently each day.
If this is a critical issue, try using a different admin account to authenticate to GCDS or use OAuth authentication.
|Unknown LDAP search rule scope "null"||A rule in one of the following sections of Configuration Manager is empty:
For more information, go to Set up your sync with Configuration Manager.
|Invalid digest length for password||The password encryption method for syncing passwords has not been correctly configured in Configuration Manager, or your LDAP server uses an encryption method that isn't supported by GCDS. The supported methods are Plaintext, Base64, MD5, and SHA1. To sync passwords with Microsoft Active Directory, use Password Sync.|
|0 nested group(s)||GCDS isn't correctly distinguishing between users and nested groups on your LDAP server. To resolve this issue:
|Suspend user||GCDS might try to make unexpected changes if you perform a sync with a configuration file that was duplicated outside of Configuration Manager. The new configuration file is accessing the same cache as the original configuration file, and inconsistencies between the 2 can cause users to be suspended.
To duplicate a GCDS configuration file, always use the Save As option in Configuration Manager. Doing so ensures that the new configuration file has its own cache.
For more information, go to Work with configuration files.
|Skipping unknown member||You're using an older GCDS XML configuration file, and GCDS encountered a group member that isn't included in your configuration's user search rules. You should include all group members and owners in your user search rules, even if you don't want to sync those users to the Google domain. GCDS needs to extract the email addresses for these users to process groups properly.
Alternatively, create a new, blank XML configuration file. GCDS then enables an independent group sync, which forces GCDS to resolve group members regardless of user sync rules. If you're not sure, this is the recommended option.
When making any configuration changes or creating a new configuration file, make sure you run a simulation and review the results before running a full sync.
For more information, go to Define your user list.
|The admin account you specified in Configuration Manager isn't an administrator or the username and password are incorrect.
In Configuration Manager, go to Google Domain Settings and verify the administrator account information specified in Admin Email Address.
For more information, go to Define your Google domain settings.
|The sync key attribute specified in the Shared Contacts section of Configuration Manager returns empty values from your LDAP server. Select an attribute from the LDAP server that contains the sync key value for every resource and never returns a null or empty string.|
|Computed differences exceed configured deletion limits, not applying changes||The deletion or suspension limit set in GCDS has been reached. Change the Delete Limits setting in GCDS to avoid this error, or see the sync log for more details on what would have been deleted or suspended and decide if you need to change the limit.|
|InvalidEmail||GCDS is attempting to create a user or email alias that exists in a domain that is not part of your Google Account. Try these options:
|Domain user limit reached||GCDS is syncing more users than your account is provisioned for. Try these options:
|[LDAP: error code 34 - invalid DN]||A base DN specified in Configuration Manager might be pointing to an object that doesn't exist on your LDAP server. Check the base DN specified in your LDAP connection, user, group, profile, and shared contacts filter sections. Ensure that you use an existing object as the base DN for each.|
|revocation status check failed: no CRL found||Another service or network device is preventing GCDS from contacting the certificate authority for the HTTPS certificate used for APIs. Check for firewall or proxy rules that would restrict connections from the machine running GCDS.
If a proxy is required to access the web from the machine running GCDS, it must be configured properly.
To work around the issue, you can disable the certificate revocation list (CRL) check. To disable the CRL check, add the following lines to the config-manager.vmoptions and sync-cmd.vmoptions files in the GCDS installation directory:
For more information, go to How GCDS checks certificate revocation lists.
|Unbalanced parenthesis; remaining name||The queries specified in one or more of the following pages of Configuration Manager don't have balanced parentheses:
|Root exception is javax.naming.||GCDS can't resolve the given LDAP server name. Make sure you enter a fully qualified domain name for the LDAP server and ensure that the computer running GCDS can resolve it.
Note: When using Active Directory, use your domain's fully qualified domain name as the server name.
|SSL peer shut down incorrectly||The issue is usually due to traffic being forced through a proxy. If you're using a proxy, you need to configure the GCDS proxy settings.
Ensure that GCDS can connect to these specific URLs and ports by completing the steps in Connections & security.
Security software on the local computer might create connection problems. Ask your administrator to disable any security software on the client machine and try again.
|You are not authorized to access this API||Confirm that you enabled the required Google APIs.
For more information, go to Authorize your Google Account.
|Domain user limit exceeded||You have attempted to add more users than you have user licenses for. Contact your sales representative to purchase more user licenses. Or, change your LDAP queries to synchronize fewer users.|
|java.lang.RuntimeException: Failed to execute query because the object at Base DN: "DC=domain,DC=com" is missing or inaccessible||Start by checking the DN in both the LDAP Configuration tab and in any search rules where you've defined a base DN override.
If that does not resolve the issue, and you're certain that the DN is valid, the issue might be with DNS resolution. You might see additional error information in the log such as:
These errors identify that the hostname is refusing the connection or timing out. Try running a DNS lookup on this hostname, and make sure that all of the addresses being returned are valid and allow connections on the port you've configured.
Note: These errors can occur even if you've specified a valid hostname or IP address in the GCDS configuration. Active Directory might issue an LDAP referral response, directing GCDS to connect through a hostname. This referral might ultimately be to the hostname which is failing to resolve. You can avoid these referrals by connecting to your Active Directory server using the Global Catalog port which defaults to 3268. For details, consult your Microsoft documentation.
|Character is invalid at location||Some of the information in the custom schema is not valid. To check the limits that apply to custom schema, go to Directory API: Custom User Fields.
If you have trace-level logs enabled, you can also see the full HTTP request for the custom schema.
|ExecutionException: java.lang.OutOfMemoryError: GC overhead limit exceeded||The defined memory limit was exceeded. This event caused the sync to fail.
To resolve this issue, go to What if I'm seeing memory-related errors?
|Failed trying to connect to the specified LDAP server||GCDS can't connect to the LDAP server. Make sure:
|Network problem: Unable to connect to the specified LDAP server||GCDS can't find the LDAP server. Make sure that the computer running GCDS has access to the specified host and port.|
|Authentication problem: Unable to connect using the credentials supplied||The LDAP server is rejecting GCDS requests due to an authentication issue.
Make sure that the authorized user and their password are correct. The authorized user should be added using their complete distinguished name (DN). For details on adding the authorized user, go to LDAP connection settings.
|Failed to execute query at Base DN <base-dn>||GCDS can't connect to the base distinguished name (DN). Make sure:
|Failed to execute query at Base DN <base-dn> for attribute: <attribute>, reason: NameNotFoundException||GCDS is failing to retrieve information from the LDAP server. Make sure:
|Member already exists||You might see this error if:
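
For the "Error on line 1: Content is not allowed in prolog" row: an added example, not part of GCDS or the original page, that inspects the raw bytes of an XML configuration file and names the encoding problem, including the UTF-8 BOM and UTF-7 cases the page calls out. The function names are hypothetical and the sample documents are constructed.

```python
import codecs

# Longest BOMs first: the UTF-32 LE mark begins with the UTF-16 LE mark.
BOMS = [
    (codecs.BOM_UTF32_LE, "UTF-32 LE BOM"),
    (codecs.BOM_UTF32_BE, "UTF-32 BE BOM"),
    (codecs.BOM_UTF8, "UTF-8 BOM"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE BOM"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE BOM"),
]

def diagnose_encoding(data: bytes) -> str:
    """Classify the raw bytes of an XML configuration file."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    # UTF-7 signature ("+/v8" and variants) or "<" written as the UTF-7 sequence "+ADw-".
    if data.startswith((b"+/v", b"+ADw-")):
        return "UTF-7"
    if not data.lstrip(b" \t\r\n").startswith(b"<"):
        return "unexpected bytes before the first tag"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return f"invalid UTF-8 at byte offset {exc.start}"
    return "UTF-8 without BOM"

def strip_utf8_bom(data: bytes) -> bytes:
    """Return the data with a leading UTF-8 BOM removed, if present."""
    if data.startswith(codecs.BOM_UTF8):
        return data[len(codecs.BOM_UTF8):]
    return data

# Constructed sample documents, not real GCDS configuration content.
XML = b'<?xml version="1.0" encoding="UTF-8"?><config/>'
SAMPLES = {
    "plain": XML,
    "bom": codecs.BOM_UTF8 + XML,
    "utf7": b"+ADw-config/+AD4-",
    "latin1": b"<name>Jos\xe9</name>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {diagnose_encoding(raw)}")
```

Work on a copy of the configuration file: read it in binary mode, pass the bytes to `diagnose_encoding`, and write back the result of `strip_utf8_bom` only when the diagnosis is "UTF-8 BOM".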
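
For the "Base DN ... is missing or inaccessible" row: an added example, not GCDS code, that performs the DNS lookup the page recommends and tries a TCP connection to every address returned, so one refusing or timing-out address behind a multi-address hostname becomes visible. The function names are hypothetical; the host name and port come from your own LDAP configuration.

```python
import socket

def probe_ldap_host(hostname: str, port: int, timeout: float = 3.0):
    """Resolve hostname and try a TCP connection to each returned address.

    Returns a list of (address, status) tuples; status is "ok" or an error text.
    """
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(hostname, f"DNS lookup failed: {exc}")]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if addr in seen:          # getaddrinfo can repeat an address
            continue
        seen.add(addr)
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "ok"
        except socket.timeout:
            status = "timed out"
        except OSError as exc:    # refused, unreachable, and similar
            status = f"failed: {exc.strerror or exc}"
        results.append((addr, status))
    return results

def failing_addresses(results):
    """Addresses that resolved but did not accept a connection."""
    return [addr for addr, status in results if status != "ok"]

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <ldap-hostname> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    for addr, status in probe_ldap_host(host, port):
        print(f"{addr}:{port} {status}")
```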