Hello there!
In and of itself, the LDAP error you're receiving doesn't necessarily indicate that AD data cannot be scanned. It does indicate that AD data could not be scanned by connecting to certain DCs. You can configure preferred domain controllers under Scanning\Scanning Targets but do be aware that these are only used for scanning.
For other LDAP connections, such as for performing clean-up, they're not used. Instead, the domain controllers in the domain are enumerated, and the scanning service will attempt to set up LDAP connections to domain controllers until one is successful.
In addition, certain parts of Active Directory scanning necessitate connecting to all available domain controllers, as they query the LastLogon attribute, which does not replicate across domain controllers:
- Active Directory domain scanning operates by adding computers that were recently logged on to AD and haven't been scanned within a specific interval to your scanning queue. It queries the LastLogon attribute of computer objects.
- Active Directory User Path scanning also scans the LastLogon attribute of users. Since this attribute does not replicate, we query all available domain controllers for the most recent value.
While the error in and of itself isn't necessarily indicative of an issue, you can cut down on it by doing the following:
- Disabling the scanning of the LastLogon user attribute under Configuration\Server Options
- Using Active Directory Computer Path targets rather than Active Directory Domain scanning targets
Again, this may not be necessary, and you may be able to ignore these errors. If you see no discrepancies in retrieved AD data, i.e., all AD attribute data is pulled in, you can ignore these errors.
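To check what the scanner should see, the reply's point about LastLogon can be reproduced directly: query every domain controller for the attribute and keep the newest value. The PowerShell below is an added example, not code from the original post or from the scanning product; it assumes the RSAT ActiveDirectory module is installed and that the session runs under an account allowed to read the attribute. The function name, parameter names and the sample identity are placeholders.

```powershell
# Added example: reconcile the non-replicated lastLogon attribute across all DCs.
# Assumes RSAT ActiveDirectory module and domain credentials; all names are placeholders.

function Get-LatestLastLogon {
    param(
        [Parameter(Mandatory)] [string] $Identity,          # sAMAccountName, DN or name
        [ValidateSet('Computer', 'User')] [string] $ObjectClass = 'Computer',
        [string] $Domain = (Get-ADDomain).DNSRoot           # defaults to the current domain
    )

    $newest = [int64]0
    $perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            # Pin the query to one DC; each DC holds only the logons it serviced itself.
            $obj = if ($ObjectClass -eq 'Computer') {
                Get-ADComputer -Identity $Identity -Server $dc.HostName -Properties lastLogon
            } else {
                Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon
            }
            $ft = [int64]$obj.lastLogon   # Windows FILETIME; 0 or missing = never logged on via this DC
            if ($ft -gt $newest) { $newest = $ft }
            [pscustomobject]@{
                DC        = $dc.HostName
                LastLogon = if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
                Error     = $null
            }
        } catch {
            # Same behaviour the reply describes: an unreachable DC produces an error
            # for that DC only; the values from the other DCs are still valid.
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }

    [pscustomobject]@{
        Identity      = $Identity
        NewestLogon   = if ($newest -gt 0) { [DateTime]::FromFileTime($newest) } else { $null }
        DCsQueried    = $perDc.Count
        DCsFailed     = @($perDc | Where-Object { $_.Error }).Count
        PerDC         = $perDc
    }
}

# Usage (placeholder names):
# Get-LatestLastLogon -Identity 'WS-0042' | Format-List
# Get-LatestLastLogon -Identity 'jdoe' -ObjectClass User | Select-Object -ExpandProperty PerDC
```

If the per-DC list shows a value from at least one reachable DC while another DC reports an error, that matches the situation the reply describes: the error is per-connection, not a sign that the data is missing. Note also that lastLogonTimestamp, unlike lastLogon, does replicate, but by default it is only refreshed when the stored value is more than about 14 days old, so it is a coarse substitute rather than a replacement for the multi-DC query.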