User Groups enabled for identity detection within a policy.
Missed detections when User Groups are enabled.
Active Directory Index Replication fails.
The active directory query returned an unknown error
Protect Error 1019: Active directory query returned an unknown error.
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-02051485, problem 5012 (DIR_ERROR), data 8333
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-02010575, problem 5012 (DIR_ERROR), data -1603
This unknown error has been seen when the number of results returned by the query exceeds the MaxPageSize configured for LDAP.
Solution 1: Re-define the directory connection to a specific group or Organizational Unit to be monitored.
Within Enforce, perform the following steps:
Create a new directory connection; specify a specific Organizational Unit as the Base DN.
Create a new User Group.
Using the new directory connection, add specific groups to be monitored from within the Organizational Unit.
Select "Reindex on Save" and save the User Group.
Solution 2: Increase the MaxPageSize within Active Directory using the NTDSUTIL tool.
REF: Ntdsutil - https://technet.microsoft.com/en-us/library/cc753343(v=ws.11).aspx
REF: LDAP policies - https://technet.microsoft.com/en-us/library/cc770976(v=ws.11).aspx
REF: MaxPageSize - Maximum page size supported for LDAP responses (1000 records)
Suggested Change: increase MaxPageSize from 1000 to 10000
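The following check is an added example, not part of the original article or the product: it reads the MaxPageSize currently in effect and counts the objects under a candidate Base DN, which helps decide whether scoping the connection (Solution 1) is enough before changing a limit that applies to every domain controller using the Default Query Policy. The Base DN, server name and LDAP filter are assumptions, and the RSAT ActiveDirectory module is required.

```powershell
# Added example. $BaseDN and $Server are constructed placeholders; the filter
# (users and groups) is an assumption about what the directory connection enumerates.
param(
    [string]$BaseDN = 'OU=Monitored,DC=example,DC=com',
    [string]$Server = 'dc01.example.com'
)
Import-Module ActiveDirectory

# LDAP query limits are stored in lDAPAdminLimits on the Default Query Policy object.
$configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Server $Server -Properties lDAPAdminLimits

# Fall back to 1000 (the default quoted in the article) if no entry is present.
$maxPageSize = 1000
foreach ($limit in $policy.lDAPAdminLimits) {
    if ($limit -match '^MaxPageSize=(\d+)$') { $maxPageSize = [int]$Matches[1] }
}

# The AD cmdlets page through results themselves, so this count is not capped
# by MaxPageSize the way a single unpaged LDAP query is.
$objects = @(Get-ADObject -Server $Server -SearchBase $BaseDN -SearchScope Subtree `
    -LDAPFilter '(|(objectCategory=person)(objectCategory=group))')

[pscustomobject]@{
    BaseDN       = $BaseDN
    ObjectCount  = $objects.Count
    MaxPageSize  = $maxPageSize
    ExceedsLimit = $objects.Count -gt $maxPageSize
}

# Solution 2 as a single non-interactive ntdsutil call, run from an elevated
# prompt with rights to modify the query policy. Left commented out on purpose:
# review "show values" first, then apply the article's suggested value.
#
# ntdsutil "ldap policies" connections "connect to server dc01.example.com" q `
#     "show values" "set maxpagesize to 10000" "commit changes" q q
```

If ExceedsLimit is False for the narrowed Base DN, Solution 1 alone keeps the query under the existing limit.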