Created: 2012-04-20 08:09:59
Modified: 2023-09-27 13:15:20
Tags: Errors Group as Group Sync Troubleshooting UnitySync

This error indicates that the LDAP Add or Modify operation attempted to change an attribute value in a way that the Destination schema does not allow.

Common causes:

  • Attempting to write to the Global Catalog port (3268/3269) instead of the standard LDAP port (389/636).

  • Attempting to create an object with a blank CN (i.e. DN=CN=,OU=structname,dc=domain,dc=com).

  • Attempting to set a single-valued attribute with multiple values.

  • Attempting to set attributes that are not present in the objectclass being written.

  • Attempting to modify an attribute not meant for modification after the initial object creation.

  • Attempting to create an invalid objectclass.

  • On Group as Group sync, attempting to add Universal Groups to Global Groups.

  • (As shown in the DC Event Logging) The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
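
As an added example (not UnitySync code and not part of the original article), the Python function below checks a pending Add or Modify against several of the causes listed above before it is sent to the destination. The schema tables, function names and sample values are assumptions constructed for illustration; the groupType scope bits are Active Directory's.

```python
GC_PORTS = {3268, 3269}  # Global Catalog ports named in the article
GROUP_GLOBAL, GROUP_UNIVERSAL = 0x2, 0x8  # Active Directory groupType scope bits

# Constructed sample schema (lower-case names); a real check would read the
# destination directory's schema instead.
SAMPLE_SCHEMA = {
    "user": {"cn", "sn", "mail", "telephonenumber", "objectclass", "proxyaddresses"},
    "group": {"cn", "member", "grouptype", "objectclass", "mail"},
}
SAMPLE_SINGLE_VALUED = {"cn", "sn", "mail", "grouptype"}


def first_rdn_value(dn):
    """Value of the leftmost RDN, e.g. '' for 'CN=,OU=structname,...'."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def preflight(port, dn, object_class, attrs, member_group_types=()):
    """Return a list of findings for one pending LDAP Add/Modify."""
    attrs = {k.lower(): v for k, v in attrs.items()}  # names are case-insensitive
    findings = []
    if port in GC_PORTS:
        findings.append("write targets Global Catalog port %d" % port)
    if not first_rdn_value(dn):
        findings.append("blank RDN value in DN")
    allowed = SAMPLE_SCHEMA.get(object_class.lower())
    if allowed is None:
        findings.append("unknown objectclass %s" % object_class)
    for name, values in attrs.items():
        if allowed is not None and name not in allowed:
            findings.append("attribute %s not in objectclass %s" % (name, object_class))
        if name in SAMPLE_SINGLE_VALUED and len(values) > 1:
            findings.append("single-valued attribute %s given %d values"
                            % (name, len(values)))
    # Group as Group sync: a Global group cannot hold Universal groups.
    if object_class.lower() == "group":
        scope = int(attrs.get("grouptype", ["0"])[0], 0)
        if scope & GROUP_GLOBAL and any(t & GROUP_UNIVERSAL for t in member_group_types):
            findings.append("Universal group added to Global group")
    return findings
```

An empty list means none of the checked causes apply; the remaining causes (attributes that cannot be modified after creation, exhausted identifier pools) still need the Domain Controller's logs.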

If the reason for the error is unclear, review the Event Logging on the destination Domain Controller (the DC specified on the Destination tab of the connection), specifically the Application log. Run a sync to cause the error, then look at the error as it appears in the Application log.

If you need further assistance troubleshooting or correcting this error, please forward your sync log to
