Issue
Symptoms
Group synchronization may not bring in all members of groups that have a very large number of members.
Release
This issue is not release dependent.
Environment
The ServiceNow instance is connected to an AD LDAP server cluster fronted by a load balancer. In the ServiceNow instance, the LDAP record URL points to the load balancer.
Cause
The load balancer does not have 'Sticky session' set for connections.
When a large number of members is pulled for a group, the data is retrieved using a paging mechanism. If the load balancer does not keep a sticky session, the connection may be routed to a different LDAP node during paging. As a consequence, inconsistencies such as duplicate members and some missing members were observed in the data returned from LDAP.
Resolution
When a load balancer is used in front of a group of LDAP servers, set up the load balancer to use sticky sessions for the LDAP connections.
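
The paging failure described under Cause, as an added Python simulation that is not ServiceNow or LDAP server code. It assumes each node holds the same members but returns them in its own order and that pages are requested by offset; `make_nodes`, `fetch_group`, `audit` and the `userNN` names are constructed for illustration.

```python
# Simplified model (assumption): every LDAP node holds the same group members
# but returns them in its own order, and each page is requested by offset.
MEMBERS = [f"user{i:02d}" for i in range(10)]   # constructed sample data
PAGE_SIZE = 4


def make_nodes(members, rotations=(0, 3)):
    """Build one member ordering per simulated node by rotating the list."""
    return [members[r:] + members[:r] for r in rotations]


def fetch_group(nodes, page_size, sticky):
    """Pull the member list page by page through a simulated load balancer."""
    fetched = []
    for page, start in enumerate(range(0, len(nodes[0]), page_size)):
        # Sticky: every page comes from the same node. Otherwise: round-robin.
        node = nodes[0] if sticky else nodes[page % len(nodes)]
        fetched.extend(node[start:start + page_size])
    return fetched


def audit(expected, fetched):
    """Return (duplicates, missing) for a fetched member list."""
    seen, dups = set(), set()
    for member in fetched:
        # First sighting goes to `seen`; any repeat is recorded as a duplicate.
        (dups if member in seen else seen).add(member)
    return sorted(dups), sorted(set(expected) - seen)


if __name__ == "__main__":
    nodes = make_nodes(MEMBERS)
    for sticky in (True, False):
        fetched = fetch_group(nodes, PAGE_SIZE, sticky)
        dups, missing = audit(MEMBERS, fetched)
        print(f"sticky={sticky}: fetched={len(fetched)} "
              f"duplicates={dups} missing={missing}")
```

In this model the non-sticky run still returns 10 entries, so comparing member counts alone does not reveal the inconsistency.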