It sounds like you're encountering a frustrating issue with Google Cloud Directory Sync (GCDS)! It's odd that GCDS suspends the user after you make changes in Active Directory (AD) and that the user doesn't show up in LDAP queries for their new OU. Here's a breakdown of possible causes and troubleshooting steps:
Possible Causes:
* Caching Issues: GCDS might be relying on cached data, causing it to not see the updated user information.
* Configuration Problems: There could be misconfigurations in your GCDS setup, particularly in the User Profile Search Rules, User Transformation Rules, or OU mappings.
* LDAP Connection Issues: Even though the LDAP connection test passes, there might be intermittent connectivity problems or issues with authentication or authorization.
* GCDS Bugs or Compatibility: There's a possibility of encountering bugs in the GCDS version you're using or compatibility issues with your AD environment.
* AD Replication Delays: Changes made in AD might not have replicated fully to the domain controller GCDS is connected to.
Troubleshooting Steps:
* Increase GCDS Logging Verbosity: Enable debug logging in GCDS to get more detailed information about what's happening during synchronization. Look for error messages or warnings related to the user in question or the OU they were moved to.
* Verify User Profile Search Rules: Double-check that your User Profile Search Rules are correctly configured to include the new OU where the user was moved. Ensure that the search filter and attributes are set appropriately to find the user based on their updated properties.
* Examine User Transformation Rules: Review your User Transformation Rules to ensure they are not inadvertently causing the user to be suspended or excluded from synchronization. Pay close attention to rules that handle email addresses, group memberships, and OU changes.
* Force a Full Sync: Instead of a delta sync, initiate a full synchronization cycle in GCDS. This can help refresh the cached data and ensure that GCDS has the latest information from AD.
* Check AD Replication: Verify that AD replication is working correctly and that the changes you made to the user have propagated to all domain controllers. You can use the repadmin tool to check replication status.
* Test LDAP Queries Directly: Use an LDAP browser or command-line tool to directly query your AD server for the user using their new attributes and OU. This can help isolate whether the issue is with GCDS or with AD itself.
* Update GCDS: Ensure you're using the latest version of GCDS. New releases often include bug fixes and performance improvements that could address your issue.
* Contact Google Cloud Support: If you've exhausted the above steps and are still unable to resolve the issue, reach out to Google Cloud Support for assistance. They can help you diagnose the problem and provide further guidance.
Important Notes:
* Backup: Before making any significant changes to your GCDS configuration or AD environment, make sure you have a recent backup.
* Document: Keep detailed records of the steps you take and any changes you make. This will help you troubleshoot the issue and revert changes if necessary.
I hope these suggestions help you resolve the issue with GCDS. If you have any more details about your specific configuration or error messages, feel free to share them, and I'll do my best to provide more tailored advice. Willrich/Gemini