Ldap – Google Apps Directory Sync search rule returns incomplete results

Tags: active-directory, g-suite, ldap

I have successfully set up Google Apps Directory Sync (GADS) for one of the Active Directory forests I manage. This forest was created with a functional level of 2012R2. Now I am setting up GADS for a second forest. This forest used to be at the 2003 functional level but was later raised to a 2008 functional level.

In GADS I'm using a pair of User Account search rules that suspend Google Apps users who are Disabled in AD and un-suspend users who are Enabled in AD. This arrangement works flawlessly in the first forest I set up. But in my new forest it returns incomplete data.

Here are the queries I'm using:

Do Not Suspend
(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Suspend
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))

Here's the problem: If I run "Test LDAP Query" in the GADS interface on that Suspend query, it returns me only two users. But there are 36 users total who should be returned. Because the query is not finding the complete list of Disabled users, when I disable someone in AD and run a sync, GADS does not disable the user in Google Apps.

When I run the same query in a non-GADS LDAP query tool (VTLDAPQuery), it returns me the complete list.

The two users that GADS returns when I test the query were created back during the 2003 days. The other 34 were, I believe, created after the functional level was raised.

Best Answer

Okay, I figured it out, and now I'm so angry with myself. The problem was insufficient permissions for the service account being used to run the LDAP query. In a forest that had not gotten as screwed up as ours is, special permissions would probably not be required, but in my particular domain, adding the LDAP query account to "Domain Admins" immediately resolved the problem. I will have to continue experimenting to find the minimum level of permissions required, but it is clearly the permissions that were at fault.
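The following is an added example, not code from the question, the answer, or Google's GADS tooling. It models the two search rules from the question the way an LDAP server evaluates them: the bitwise-AND matching rule 1.2.840.113556.1.4.803 tests bit 2 (ACCOUNTDISABLE) of userAccountControl, and under RFC 4511 filter semantics a term on an attribute the caller cannot read evaluates to Undefined, which neither an AND nor a NOT turns into a match. That is the mechanism behind the accepted answer: a service account without read permission on userAccountControl for some objects silently gets an incomplete Suspend list instead of an error. The directory entries, DNs, userAccountControl values and the per-object ACL model are all constructed for the example. The last function is the consistency check a practitioner would run before trusting a sync rule: every person object must land in exactly one of the two lists, and anything in neither means the service account could not evaluate the filter on that object.

```python
"""Model of the question's two GADS search rules, evaluated with LDAP filter
semantics, to show why a reader lacking read permission on userAccountControl
gets incomplete results. Added example; all data below is constructed."""

from typing import Optional

# Bit 2 (0x2) of userAccountControl marks an account as disabled.
ACCOUNTDISABLE = 0x2
# OID of the bitwise-AND extensible match rule used in the page's filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed directory. 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 66050 = that plus ACCOUNTDISABLE,
# 4098 = WORKSTATION_TRUST_ACCOUNT (a computer object) | ACCOUNTDISABLE.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "objectCategory": "person", "userAccountControl": 512},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "objectCategory": "person", "userAccountControl": 514},
    {"dn": "CN=carol,OU=Users,DC=example,DC=com", "objectCategory": "person", "userAccountControl": 66050},
    {"dn": "CN=dave,OU=Users,DC=example,DC=com", "objectCategory": "person", "userAccountControl": 66048},
    {"dn": "CN=legacy1,OU=Old,DC=example,DC=com", "objectCategory": "person", "userAccountControl": 514},
    {"dn": "CN=WS01,OU=Computers,DC=example,DC=com", "objectCategory": "computer", "userAccountControl": 4098},
]

# Constructed ACL model for the restricted service account: which attributes it
# may read on each object. Objects under OU=Users hide userAccountControl from
# it; the legacy object and the computer object still expose it.
RESTRICTED_READABLE = {
    "CN=alice,OU=Users,DC=example,DC=com": {"objectCategory"},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectCategory"},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectCategory"},
    "CN=dave,OU=Users,DC=example,DC=com": {"objectCategory"},
    "CN=legacy1,OU=Old,DC=example,DC=com": {"objectCategory", "userAccountControl"},
    "CN=WS01,OU=Computers,DC=example,DC=com": {"objectCategory", "userAccountControl"},
}


def view_as(entry: dict, readable: Optional[dict]) -> dict:
    """Return the entry as a given reader sees it; readable=None means full access."""
    if readable is None:
        return entry
    allowed = readable.get(entry["dn"], set())
    return {k: v for k, v in entry.items() if k == "dn" or k in allowed}


def bit_and_match(entry: dict, attr: str, mask: int) -> Optional[bool]:
    """Evaluate (attr:1.2.840.113556.1.4.803:=mask) on one visible entry.
    An attribute the reader cannot see yields Undefined (None), not False."""
    value = entry.get(attr)
    if value is None:
        return None
    return (int(value) & mask) == mask


def suspend_filter(entry: dict) -> bool:
    """(&(objectCategory=person)(userAccountControl:...:=2)):
    matches only when the bit is visibly set; Undefined never satisfies an AND."""
    if entry.get("objectCategory") != "person":
        return False
    return bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE) is True


def do_not_suspend_filter(entry: dict) -> bool:
    """(&(objectCategory=person)(!(userAccountControl:...:=2))):
    NOT of an Undefined term is still Undefined, so a hidden attribute
    does not match here either."""
    if entry.get("objectCategory") != "person":
        return False
    return bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE) is False


def run_rules(directory: list, readable: Optional[dict]):
    """Return (suspend_dns, do_not_suspend_dns) as seen by the given reader."""
    visible = [view_as(e, readable) for e in directory]
    suspend = [e["dn"] for e in visible if suspend_filter(e)]
    keep = [e["dn"] for e in visible if do_not_suspend_filter(e)]
    return suspend, keep


def unclassified_people(directory: list, readable: Optional[dict]) -> list:
    """Consistency check, run from a privileged session: every person object must
    appear in exactly one of the two lists. Objects in neither are the ones the
    reader could not evaluate the filter on, i.e. the 'incomplete results'."""
    suspend, keep = run_rules(directory, readable)
    people = [e["dn"] for e in directory if e.get("objectCategory") == "person"]
    return [dn for dn in people if dn not in suspend and dn not in keep]


if __name__ == "__main__":
    for label, rights in (("privileged", None), ("restricted", RESTRICTED_READABLE)):
        s, k = run_rules(DIRECTORY, rights)
        print(f"{label}: suspend={len(s)} do_not_suspend={len(k)} "
              f"unclassified={unclassified_people(DIRECTORY, rights)}")
```

Running it shows the privileged reader classifying all five person objects (three to suspend, two to keep) while the restricted reader returns only the legacy object, with the other four unclassified. Against a real domain the same diff can be made by running the two filters once as the service account and once as an administrator with an ordinary LDAP client and comparing the DN sets; a non-empty difference points at ACLs on the missing objects rather than at the filter syntax, which is the situation the answer describes.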