This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central AD-Sync AD-sync Utility error / user right?

Hi

Can anyone tell me, what right do the user used for AD-sync in Sophos central need to have.

We have an issue at a customer were they in counter the following error:

----------------------------------------------------------------------------------

Gathering data from LDAP...

Checking for mailboxes on LABAD.DK with filter (&(objectClass=user)(mailNickname=*)(displayName=*)(!cn=HealthMailbox*)(proxyAddresses=*)(msExchDelegateListLink=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(|(|(homeMTA=*)(homeMDB=*)(msExchHomeServerName=*))(&(objectClass=contact)(targetAddress=*))))

Checking for mailboxes with search base OU=DK1234,OU=UserAccounts,OU=LABCustomers,DC=Prod,DC=LABAD,DC=DK

Got mailboxes with search base OU=DK1234,OU=UserAccounts,OU=LABCustomers,DC=Prod,DC=LABAD,DC=DK

Checking for mailboxes on PROD.LABAD.DK with filter (&(objectClass=user)(mailNickname=*)(displayName=*)(!cn=HealthMailbox*)(proxyAddresses=*)(msExchDelegateListLink=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(|(|(homeMTA=*)(homeMDB=*)(msExchHomeServerName=*))(&(objectClass=contact)(targetAddress=*))))

Checking for mailboxes with search base DC=LABCustomers,DC=UserAccounts,DC=DK1234,DC=PROD,DC=LABAD,DC=DK

Synchronization failed: Error making a request over LDAP. Please review the connection settings you specified. The LDAP server returned the following error: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=PROD,DC=LABAD,DC=DK'

-------------------------------------------------------------------------------------

The user used for the sync can connect to the AD - using Active Directory Explorer v1.44

Sincerely

Soren

This thread was automatically locked due to age.

Parents

0 Barb@Sophos over 6 years ago

Hello Eskild Søren Jensen,

AD Sync requires a Sophos Central Admin account. Otherwise, you can encounter this issue:

Sophos Central Admin AD Sync Utility (FAQ)

Why do I get an error "Failed to persist LDAP filters. Reason: Forbidden"

This error can be encountered if the Sophos Account used to link your ADsync utility does not have Admin rights (eg. help desk or read only roles).

Do you have any other AD accounts to test ?
Here are 2 articles that can help you set up AD Sync and its filters:

Sophos Central Admin AD Sync Utility filters
Sophos Central: How to set up Active Directory Sync

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Barb@Sophos over 6 years ago

Hello Eskild Søren Jensen,

AD Sync requires a Sophos Central Admin account. Otherwise, you can encounter this issue:

Sophos Central Admin AD Sync Utility (FAQ)

Why do I get an error "Failed to persist LDAP filters. Reason: Forbidden"

This error can be encountered if the Sophos Account used to link your ADsync utility does not have Admin rights (eg. help desk or read only roles).

Do you have any other AD accounts to test ?
Here are 2 articles that can help you set up AD Sync and its filters:

Sophos Central Admin AD Sync Utility filters
Sophos Central: How to set up Active Directory Sync

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Eskild Søren Jensen over 6 years ago in reply to Barb@Sophos

Hi Barb

Thank you for your answer

I can see from your reply that I probarbly didn't provide all the details.

The user is a Superadmin in Sophos central

It's a complex AD setup that this company is part of managed by an external provider, and we are wondering if there is a more detailed description on what right in the AD the user need to have access to all the part that AC-sync utility checks.

The description says AD admin rights, but again this user has AD admin right to parts of the AD.
Cancel
Vote Up 0 Vote Down

Cancel
0 Barb@Sophos over 6 years ago in reply to Eskild Søren Jensen

Hello Eskild Søren Jensen,

The AD account needs to have access to the AD portions/ forest you want to sync with Central, as covered in the below listed article:
What does AD Sync Utility expect from an Active Directory Environment

If your accounts meet the requirements, I would recommend to start with the FAQ and ensure you have access to the required ports, Then, make sure you have the correct filters per Sophos Central Admin AD Sync Utility filters

If the issue persists we will need to review the logs for review.

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Eskild Søren Jensen over 6 years ago in reply to Barb@Sophos

Hi Barb

Thank you for the feedback.

We have been going through these step, but it can't hurt to do it ones more in case we missed something.

Regarding the logfiles I have already started a supportcase #8274785 - we are waiting for a supporter to make contact with us for further troubleshooting.
Your welcome to take a look at it :-)

Sincerely Søren
Cancel
Vote Up 0 Vote Down

Cancel
0 Barb@Sophos over 6 years ago in reply to Eskild Søren Jensen

Hello Eskild Søren Jensen,

Thank you for the update. Looks like the case has been transferred to the correct queue for assistance.
I will review the logs from the ticket and update this post if I can find anything else.

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel