Why is LDAP 'Deleted Objects' is queried?

Ever since lifting our AD to 2016 I have been getting a bunch of these warnings. The ‘User Search Base’ and ‘Role Search Base’ are set much deeper than DC=Domain,DC=com so I cannot figure out which LDAP filter or setting to change.

[profileName=Active Directory] Unable to read group attribute “cn” from group “CN=XXXX\0ADEL:24be81d1-b2aa-448b-9cf7-7bca6c4b3c3a,CN=Deleted Objects,DC=Domain,DC=com”, using distinguished name instead.

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=xxxx\0ADEL:24be81d1-b2aa-448b-9cf7-7bca6c4b3c3a,CN=Deleted Objects,DC=Domain,DC=com' ]

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3179)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)

at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)

at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)

at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)

at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource$UserSearchHandler$RoleLoader.load(ActiveDirectoryUserSource.java:268)

at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource$UserSearchHandler$RoleLoader.load(ActiveDirectoryUserSource.java:253)

at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527)

at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2319)

at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2282)

at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2197)

at com.google.common.cache.LocalCache.get(LocalCache.java:3937)

at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3941)

at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4824)

at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource$UserSearchHandler.endBatch(ActiveDirectoryUserSource.java:301)

at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:323)

at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:273)

at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource.getUsers(ActiveDirectoryUserSource.java:162)

at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.updateCache(UserSourceWrapper.java:120)

at com.inductiveautomation.ignition.gateway.authentication.UserSourceManagerImpl$UpdateCacheTask.run(UserSourceManagerImpl.java:361)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

at java.util.concurrent.FutureTask.run(FutureTask.java:266)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

at java.lang.Thread.run(Thread.java:748)