Troubleshoot common SDS issues

Google School Directory Sync

Configuration  |  Log files   |  Deployment

Configuration

Troubleshoot with Configuration Manager

If you're having trouble getting a synchronization to run properly, check Configuration Manager:

  1. In Configuration Manager, open the XML file and check the data you’re using to configure the sync.
  2. On the Sync page, click Simulate Sync to confirm you've completed all the required fields.
  3. On the Notifications page, click Test Notification to confirm you can send a notification.

Log files

Troubleshoot with log files

Check your logs using Log Analyzer in the G Suite Toolbox. Most issues can be identified quickly.

Error messages

If errors occur while running a sync, they're captured in a log file.

Error message What it means What to do

You are not authorized to access this API.

You don't have permission to run SDS.

Confirm you're using G Suite for Nonprofits (includes government agencies) or Education.

Enable APIs for Google Classroom and your G Suite domain. For details, see G Suite for Education requirements.

There has been an error processing “Classes”. Your classes.csv file includes a class that's associated with a course not found in the courses.csv. Remove course mappings from your classes.csv file. Or, make sure your CSV files have a courses.csv file that includes all courses.
Permission denied. Please verify that the user set as the owner of the class actually exists. You removed the primary teacher of a class from the enrollment file. Transfer the class to another primary teacher.
The course is not in a state that allows modification of its properties. You tried to archive a course that a teacher previously deleted. Change your class deletion policy to avoid archiving courses.
Quota exceeded. The request rate limit exceeds the Classroom API quota limit. See Classroom API Usage Limits.

 

Deployment

Which ports and URLs do I need for SDS?

Note: This information can change over time. For the latest information, check for SDS updates.

SDS currently accesses the following URLs:

Topic URL Port Number
Authentication https://www.google.com 443
All Feeds https://www.googleapis.com 443
Certificate Revocation List
Processing
http://www.gstatic.com/GoogleInternet
Authority/GoogleInternetAuthority.crl
80
Certificate Authority http://crl.verisign.net 80
How does SDS check certificate revocation lists?

When connecting to APIs (over HTTPS), SDS needs to validate SSL certificates by connecting (via HTTP) to certificate revocation list (CRL) providers. Sometimes, these validations fail, usually due to a proxy or firewall blocking the HTTP request.

If SDS is unable to connect to the revocation list providers, you may see the following error in your log file:

PKIX path validation failed: java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found

For an up-to-date list of Google IP addresses, run a DNS TXT lookup of the subdomain _netblocks.google.com.

Can SDS use a proxy server and respond to password challenges?

SDS can use a proxy server but can't respond to password challenges. Change your network setup to allow SDS to connect without a password challenge or without a proxy server.

Do I need a notification server to run a simulated sync?

You need a server capable of sending mail to run a simulated sync. If you’re running SDS on a mail server, you can use the IP address 127.0.0.1. Otherwise, contact your mail administrator for the correct mail information.

How secure are passwords?

SDS stores passwords using a 2-way encryption scheme. This protects your sensitive information from casual snooping or reverse engineering.

I can't see OK when I create an exclusion rule

You may be using a font that's too large for the screen. The dialog box doesn't work with large or extra large fonts. Change your font size or edit your XML file directly.

For more information on using SDS, see the Help Center.

Was this helpful?
How can we improve it?