[SOLVED] Active Directory synchronization fails after upgrading to Policy Manager 13.00

Products affected: Policy Manager for Windows 13.00

If you have Active Directory (AD) synchronization rules in place when upgrading to Policy Manager 13.00, those synchronization rules can fail, because LDAPS communication has a prerequisite (described below) that may not be in place.

The root cause is that if the Active Directory synchronization rule in the Policy Manager Console has no prefix (either LDAP:// or LDAPS://), Policy Manager 13.00 defaults to LDAPS, whereas previous Policy Manager versions defaulted to LDAP. If the prerequisite described below is not in place, the AD synchronization rule therefore stops working.

To fix the issue, apply the solution described to enable LDAPS on the AD server. To use a default LDAPS (secure LDAP) connection to the Domain Controller (DC) for Active Directory, import the company certificate into Policy Manager Server's Java runtime trust store so that it can authenticate the DC, as described here:

Workaround: Edit the synchronization rule in the Policy Manager Console and add a prefix to the server name: LDAP://my-server.domain

A future release of Policy Manager will address this by applying an LDAP:// prefix to any AD synchronization rule present during the Policy Manager upgrade.
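As an added illustration (not part of this advisory or of Policy Manager's own code), the following Python models the rule-parsing behaviour described above: it resolves what a server name in a synchronization rule means on a pre-13 version versus 13.00, flags rules whose endpoint silently changes at upgrade, and produces the prefixed workaround form. The standard LDAP/LDAPS ports 389/636 and the `pm_major` parameter are my assumptions; the advisory does not state them.

```python
"""Audit Policy Manager AD synchronization rules for the 13.00 LDAPS default."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed defaults (standard LDAP/LDAPS ports); the advisory does not name ports.
LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass(frozen=True)
class Endpoint:
    scheme: str      # "ldap" or "ldaps"
    host: str
    port: int
    explicit: bool   # True when the rule carried an LDAP:// or LDAPS:// prefix


def parse_rule_server(server: str, pm_major: int = 13) -> Endpoint:
    """Resolve a rule's server name as a given Policy Manager major version would."""
    s = server.strip()
    if s.lower().startswith(("ldap://", "ldaps://")):
        parts = urlsplit(s)                      # scheme and hostname come back lowercased
        scheme, host, port, explicit = parts.scheme, parts.hostname, parts.port, True
    else:
        # No prefix: 13.00 assumes LDAPS, earlier versions assumed LDAP (per the advisory).
        scheme = "ldaps" if pm_major >= 13 else "ldap"
        host, _, port_str = s.partition(":")
        port, explicit = (int(port_str) if port_str else None), False
    if port is None:
        port = LDAPS_PORT if scheme == "ldaps" else LDAP_PORT
    return Endpoint(scheme, host, port, explicit)


def workaround(server: str) -> str:
    """Apply the advisory's workaround: add an explicit LDAP:// prefix when missing."""
    return server if parse_rule_server(server).explicit else f"LDAP://{server.strip()}"


def audit_rules(rules):
    """List rules whose endpoint changes between a pre-13 version (modelled as 12) and 13.00."""
    findings = []
    for rule in rules:
        old, new = parse_rule_server(rule, pm_major=12), parse_rule_server(rule, pm_major=13)
        if old != new:
            change = f"{old.scheme}:{old.port} -> {new.scheme}:{new.port}"
            findings.append((rule, change, workaround(rule)))
    return findings


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real Policy Manager installation.
    for rule, change, fixed in audit_rules(["my-server.domain", "LDAP://dc1.corp.example"]):
        print(f"{rule!r}: {change}; workaround -> {fixed}")
```

Rules that already carry a prefix are unaffected by the upgrade, so the audit reports only unprefixed ones.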

ETA: December 2017

Fix: Policy Manager 13.01

Internal reference: CSPM-2350