title: Troubleshooting Sync Errors category: Troubleshooting tags: troubleshooting, sync, errors, ldap, timeout, mapping priority: Normal
Troubleshooting Sync Errors
This guide covers the most common synchronization errors in IdentityCenter, their root causes, and step-by-step solutions. Sync errors can originate from LDAP queries, attribute mappings, network conditions, or database constraints.
LDAP Query Errors
Invalid Filter Syntax
Symptoms:
- Sync fails immediately with "Invalid LDAP filter" error
- No objects returned despite valid connection
Common Causes and Fixes:
| Error | Cause | Fix |
|---|---|---|
| Missing parentheses | objectClass=user |
Wrap in parentheses: (objectClass=user) |
| Unbalanced operators | (&(objectClass=user)(objectCategory=person) |
Ensure every ( has a matching ) |
| Invalid attribute name | (objectKlass=user) |
Verify attribute name exists in the schema |
| Bad wildcard placement | (*name=John) |
Wildcards go in the value: (name=John*) |
Tip: IdentityCenter uses objectCategory in its default filters for better performance. For example, the default user filter is (&(objectClass=user)(objectCategory=person)). Always test your custom filters with a small scope first.
Access Denied
Symptoms:
- Sync returns "Insufficient access rights" or "Access is denied"
- Partial results returned (some OUs accessible, others not)
Solutions:
- Verify the service account has Read permissions on all target OUs
- Check that the account has List Contents permission on parent containers
- For cross-domain queries, ensure the account has permissions in the target domain
- In Active Directory Users and Computers, right-click the OU, select Properties > Security, and confirm the service account is listed with Read access
Search Size Limit Exceeded
Symptoms:
- Error: "Size limit exceeded" or "SizeLimitExceeded"
- Only partial results returned (typically 1000 objects)
Solutions:
- Enable paging -- IdentityCenter's DirectoryQueryService uses paged search by default with a page size of 1000. Verify paging is enabled in your connection settings.
- Reduce scope -- Target specific OUs rather than the entire directory root.
- Check Active Directory policies -- The
MaxPageSizeLDAP policy on your domain controller defaults to 1000. Verify with:ntdsutil "LDAP policies" connections "connect to server DC01" quit "show values" quit quit
Referral Chasing Issues
Symptoms:
- Error: "A referral was returned from the server"
- Objects in child domains or other partitions are not returned
Solutions:
- Point the connection directly at the target domain controller rather than relying on referrals
- Use Global Catalog (port 3268/3269) for cross-domain queries
- Check that DNS resolution works for all domain controllers in the referral chain
Timeout Errors
Large OU Timeouts
Symptoms:
- Sync starts but fails with "The operation has timed out"
- Works for small OUs but fails for large ones
Solutions:
| Setting | Location | Recommended Value |
|---|---|---|
| LDAP Query Timeout | Connection settings | 120-300 seconds |
| Command Timeout | Sync project options | 600 seconds |
| Connection Timeout | Connection settings | 30-60 seconds |
- Increase the LDAP query timeout in the connection configuration
- Reduce the attribute list -- Only request attributes you actually need in your attribute mappings
- Split large OUs -- Create multiple sync steps targeting child OUs instead of one large parent
- Check network latency -- Run
Test-Connectionfrom the IdentityCenter server to the domain controller
Slow Network Conditions
If syncs fail intermittently due to network instability:
- Ensure the IdentityCenter server is on the same site or subnet as the domain controller
- Verify no packet loss:
Test-Connection -ComputerName dc01.corp.local -Count 20 - Consider using a domain controller in the same data center
- Reduce the LDAP page size from the default 1000 to 500 to decrease per-request payload
Attribute Mapping Failures
Attribute Does Not Exist in Schema
Symptoms:
- Error: "Attribute not found in schema" or empty values for all objects
- Other attributes sync correctly
Solutions:
- Verify the attribute name is spelled correctly (attribute names are case-insensitive but must be exact)
- Check if the attribute is part of a schema extension that may not be present in your forest
- Use ADSI Edit or PowerShell to confirm the attribute exists:
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext ` -Filter "lDAPDisplayName -eq 'customAttribute'" -Properties *
Type Mismatch Errors
Symptoms:
- Error referencing data type conversion failure
- Sync completes but mapped values are incorrect or null
Common Mismatches:
| Source Type | Target Type | Issue | Solution |
|---|---|---|---|
| Multi-valued | Single-valued | Array cannot map to string | Use first-value extraction or concatenation |
| Integer | String | No automatic conversion | Apply a transformation in the mapping |
| Binary (objectGUID) | String | Raw bytes vs. formatted GUID | Use GUID format conversion |
| Windows FileTime | DateTime | Large integer timestamps | Apply timestamp conversion |
Null Value Handling
When source attributes are empty or null:
- Check the mapping's null behavior -- Configure whether to skip, set a default, or clear the target field
- Required fields -- If the target column is NOT NULL in the database, provide a default value in the mapping
- Conditional mappings -- Use expressions to provide fallback values when the primary attribute is empty
Object Count Mismatches
When the sync reports fewer objects than expected:
Objects Filtered by LDAP Query
- Review your LDAP filter -- It may exclude objects unintentionally
- Disabled accounts may be filtered out if your filter includes
(!(userAccountControl:1.2.840.113556.1.4.803:=2)) - Objects in child OUs may not be included if search scope is set to One Level instead of Subtree
Objects Deleted in AD but Cached Locally
- IdentityCenter tracks objects by their
SourceUniqueId(objectGUID). If an object is deleted in AD and recreated, it gets a new GUID. - Check the sync project's deleted object handling setting -- Objects removed from AD can be marked as inactive or deleted locally.
- Review the Objects page at /admin/directory/objects and filter by IsActive to see which objects the system considers current.
Sync Stuck in Running State
Symptoms:
- Sync project shows "Running" status for an extended period
- No progress updates in the sync run log
Solutions:
- Navigate to Processing Center at /admin/processing-center to view active jobs
- Check if the job is actively processing or if it has stalled
- If stalled, cancel the job from Processing Center and investigate the logs before restarting
- Check the application logs at /admin/logging for errors that occurred during the stuck run
- Verify the domain controller is responsive -- a network interruption during sync can leave it in a running state
Important: Do not start a new sync run while the previous one is stuck. Cancel the stuck run first to avoid duplicate processing.
Duplicate Object Errors
Unique Constraint Violations
Symptoms:
- Error: "Violation of UNIQUE KEY constraint" on
(SourceConnectionId, SourceUniqueId) - Objects fail to insert during bulk upsert
Causes and Solutions:
- Same object imported from two connections -- Each connection has its own
SourceConnectionId. If you have two connections pointing to the same domain controller, the same object may be imported twice with different connection IDs. Consolidate to a single connection per domain. - objectGUID collision -- Extremely rare in production. Verify with:
Get-ADUser -Filter * -Properties objectGUID | Group-Object objectGUID | Where-Object { $_.Count -gt 1 } - Stale data from previous imports -- If you changed the Base DN of a sync step, old objects from the previous scope may conflict. Review and clean up stale records.
The SyncObjectRepository.FastBulkUpsertObjectsAsync method uses a HashSet and MERGE strategy to handle duplicates efficiently. In most cases, duplicates are automatically resolved by the upsert logic. Persistent errors indicate a data quality issue that should be investigated.
Reading Sync Run Logs
Navigate to /admin/sync-project-runs to view detailed run history:
| Column | Description |
|---|---|
| Run ID | Unique identifier for the sync run |
| Status | Completed, Failed, Running, or Cancelled |
| Started / Completed | Timestamps for the run |
| Objects Processed | Total objects handled in this run |
| Objects Succeeded | Objects that synced without error |
| Objects Failed | Objects that encountered errors |
| Duration | Total elapsed time |
Tips for log analysis:
- Click a run to view step-by-step details and per-object error messages
- Filter by Failed status to focus on problem runs
- Compare successful and failed runs to identify what changed
- Export run details when opening a support ticket
When to Re-Run vs. Investigate
| Scenario | Action |
|---|---|
| Transient network error (single failure) | Re-run the sync |
| Timeout on a large OU | Increase timeout, then re-run |
| Same error on every run | Investigate root cause before re-running |
| Attribute mapping error | Fix the mapping, then re-run |
| Duplicate constraint violation | Investigate data, clean up, then re-run |
| Stuck in Running state | Cancel, check logs, then re-run |
Escalation: When to Contact Support
Contact support at support@certification-center.com if:
- The same error persists after following all troubleshooting steps above
- You see database-level errors (deadlocks, corruption warnings)
- The application crashes during sync operations
- You need help interpreting complex error messages in the logs
When contacting support, include:
- The sync run ID and timestamps
- Exported sync run logs
- Application logs from /admin/logging covering the failure window
- Your IdentityCenter version number
- A description of any recent changes (new mappings, connection changes, AD changes)