Troubleshooting LDAP Directory Synchronization

Document created by user.oxriBaJeN4 (Employee) on Sep 3, 2015. Last modified by user.oxriBaJeN4 (Employee) on Jul 19, 2019.

This page outlines the possible causes of LDAP Directory Connector failures and how to resolve them.


Mimecast monitors the directory connections of all of its customers to ensure that the synchronization process is running smoothly. In certain instances the synchronization process fails, which results in end user logon failures and permission issues. Prompt resolution of directory synchronization issues ensures that users can continue to log on successfully.


When attempting to resolve a directory connection issue, you should always initially confirm whether any changes have been made to the infrastructure or devices, or if there are any known issues that may prevent successful connectivity.


Active Directory Credential Failure


Directory synchronization requires a user account in the customer infrastructure that is used to log on during the synchronization process. These account details are configured in the Administration Console. If the configured credentials do not match the account, the connection fails and Mimecast is unable to log on and synchronize the directory.


Once you have confirmed that no infrastructure or device changes have been made, consider the following:

  • Has the Active Directory account been moved or deleted?
  • Has the password for the Active Directory account been modified or reset?
  • Is the Active Directory account still active and not expired, or locked out?


Directory Connection Connectivity Failure


If Mimecast cannot connect to your organization's environment using LDAP(S), the connection to the IP address specified for the directory connector fails. As a result, Mimecast is unable to synchronize with the directory server.


Once you have confirmed that no infrastructure or device changes have been made, consider the following:

  • Are there any connection issues that have arisen at your infrastructure?
  • Have any changes been made recently to your firewall?
  • Have you ensured that connections to the appropriate port are allowed from all of the Mimecast regional IP ranges, and that they are mapped through to the correct destination?
  • Is the LDAP service currently running on your directory server?


Character Requirements


If attribute values in your directory structure contain special characters, those characters must be escaped. This is achieved by prefixing them with a backslash "\" in the attribute string. If an attribute value contains other reserved characters (for example, an equals sign (=) or non-UTF-8 characters), they must be encoded in hexadecimal by replacing the character with a backslash followed by two hex digits.

Failure to meet these requirements can cause a sync to fail.

An example of this symptom is a Common Name string containing an illegal character:

The same Common Name string, escaped and encoded in hexadecimal to replace the illegal character:


Other examples of these reserved characters are: comma (,), backslash (\), hash (#), plus (+), less than (<), greater than (>), semicolon (;), double quote ("), equals sign (=), and leading or trailing spaces.
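The escaping rules above, as an added example that is not part of the Mimecast article: it follows the RFC 4514 string form of a DN attribute value, which is the rule set the article describes (backslash prefix for the special characters, and backslash plus two hex digits for the equals sign and for any non-ASCII character). The function names are mine; the sample values are constructed.

```python
# Added example, not Mimecast's code: escape and unescape one LDAP DN
# attribute value (e.g. a CN) per RFC 4514. Special characters get a
# backslash; '=' and non-ASCII characters become "\" plus two hex digits.
import re

BACKSLASH_CHARS = set(',+"\\<>;')     # escaped with a backslash anywhere
HEX_CHARS = set('=')                  # hex-encoded, as the article requires
HEX_PAIR = re.compile(r'\\([0-9A-Fa-f]{2})')


def escape_dn_value(value: str) -> str:
    """Return the escaped form of one DN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in BACKSLASH_CHARS:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):      # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:              # leading hash
            out.append('\\#')
        elif ch in HEX_CHARS or ord(ch) < 0x20 or ord(ch) > 0x7e:
            # control, '=' and non-ASCII: hex-encode each UTF-8 byte
            out.append(''.join('\\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(escaped: str) -> str:
    """Reverse escape_dn_value: decode \\xx hex pairs and \\c escapes."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\':
            if i + 1 >= len(escaped):
                raise ValueError('dangling backslash in DN value')
            m = HEX_PAIR.match(escaped, i)
            if m:                                # \xx -> one raw byte
                raw.append(int(m.group(1), 16))
                i += 3
                continue
            raw += escaped[i + 1].encode('utf-8')   # \c -> literal c
            i += 2
            continue
        raw += ch.encode('utf-8')
        i += 1
    return raw.decode('utf-8')


def rdn(attr: str, value: str) -> str:
    return '%s=%s' % (attr, escape_dn_value(value))   # e.g. 'CN=Smith\\, John'
```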


Active Directory Synchronization Failures


If your AD synchronization service starts failing, even though it has been working well for some time, check the service accounts, firewall logs, and certificate path/validity. If they look OK, try the following:

  1. Remove the public certificate from the Local Computer Personal store.
  2. Install the public certificate in the NTDS\Personal store.