Schemus LDAP Synchronization Tool.cloud 'Unable to follow referral' error
Article ID: 161522

Products

Email Security.cloud

Issue/Introduction

You are using the Schemus LDAP Synchronization Tool and receive the error “Couldn’t read from source. Unable to follow referral…”.


Environment

LDAP

Cause

This issue is a result of how Active Directory works.  Since the directory is distributed, entries in one location include referrals (also called continuation references) which, instead of returning a result, return a URL from which to continue the search.  This is often how sub-domains are searched: the top-level domain holds a referral to the location from which each sub-domain should be searched.


Active Directory includes referrals which reference the domain rather than a specific host.  Microsoft DNS should resolve the domain name in these URLs to a domain controller.  You will see three of these in Active Directory:

ldap://<domain>
ldap://ForestDnsZones.<domain>
ldap://DomainDnsZones.<domain>

where <domain> is your domain, (e.g. example-domain.com).

Resolution

  1. Open the configuration being used from the drop-down in the top right.
  2. Once it is selected, choose "Modify."
  3. Go to the LDAP section and click the "Advanced" button.
  4. On the "Advanced Settings" page you will find the section "Continuation Reference."  By default this is set to "Follow."  To fix the 'Unable to follow referral' error, change the drop-down to "Ignore."
  5. Save the configuration.
  6. Run a test; the error should no longer appear.


While "Ignore the referral" is selected, if the search encounters a referral, the referral URL is ignored.  Schemus will not attempt to search the location indicated by the referral.  This may cause entries to be missed since the referral may be referencing a directory location that contains data you need to upload.

There are a few ways to work around DNS issues such as this:


  1. If you're using a mail synchronization and you are connecting to a Global Catalog (GC) you could connect to the GC port, 3268, instead of the LDAP port, 389.  The search will be far quicker and won't follow referrals.  You can also search from the root of the directory.  A Global Catalog search will only work if all the necessary data are replicated to the GC.  For Address synchronizations, the required email addresses are usually available but for Group and User synchronizations, the full group membership information will not typically be available.
  2. If you're not connecting to a GC, you could try moving the search base down a level or two so that the search doesn't encounter the referrals.
  3. If you don't mind these always resolving to one host from the machine on which Schemus is running, you could force the name resolution by adding some entries to the local hosts file:

<ip address of domain controller> <domain> ForestDnsZones.<domain> DomainDnsZones.<domain>
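Before switching the setting to "Ignore" (and silently dropping entries), it helps to confirm which of the three referral names from the Cause section actually fail to resolve from the Schemus host, and to generate the hosts-file line for workaround 3.  The following script is an added example, not part of Schemus or this article; the resolver is injectable so it can be run offline against constructed data, and the domain and address used are placeholders.

```python
"""Check AD referral targets and build the hosts-file workaround line.
Hypothetical helper (not Schemus code); resolver is injectable for offline runs."""
import socket

# The three referral URL forms Active Directory returns (from the article above).
REFERRAL_TEMPLATES = ("ldap://{d}", "ldap://ForestDnsZones.{d}", "ldap://DomainDnsZones.{d}")


def referral_urls(domain):
    """Expand the three referral URLs for a domain, e.g. example-domain.com."""
    return [t.format(d=domain) for t in REFERRAL_TEMPLATES]


def referral_host(url):
    """Extract the DNS name that must resolve from a referral URL (drops path/port).
    AD referrals carry DNS names, so IPv6 literals are not handled here."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP referral URL: {url}")
    return rest.split("/", 1)[0].split(":", 1)[0]


def unresolvable_referrals(domain, resolve=socket.gethostbyname):
    """Return referral hosts that the resolver cannot map to an address.
    `resolve` must return an address string or raise OSError (as gethostbyname does)."""
    failed = []
    for url in referral_urls(domain):
        host = referral_host(url)
        try:
            resolve(host)
        except OSError:
            failed.append(host)
    return failed


def hosts_file_line(dc_ip, domain):
    """Build the workaround-3 hosts entry: one domain controller address for all three names."""
    return " ".join([dc_ip] + [referral_host(u) for u in referral_urls(domain)])


if __name__ == "__main__":
    # Constructed stand-in for DNS: only the bare domain name resolves.
    table = {"example-domain.com": "192.0.2.10"}

    def fake_resolve(host):
        if host not in table:
            raise socket.gaierror(f"{host} does not resolve")
        return table[host]

    missing = unresolvable_referrals("example-domain.com", fake_resolve)
    print("unresolvable referral hosts:", missing)
    if missing:
        print("hosts file line:", hosts_file_line("192.0.2.10", "example-domain.com"))
```

Run it without the `resolve` argument on the Schemus machine to test real DNS; an empty list means the referrals should be followable without changing the "Continuation Reference" setting.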