Question
Monday, April 15, 2013 7:55 PM
I'm sure I'm missing something here...
All I want to do is add a user from a child domain to a universal distribution group in a parent domain. Sounds simple enough right? WRONG!
Here is the example that the help gives:
EXAMPLE 4
C:\PS>$user = Get-ADUser "CN=Glen John,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com";
$group = Get-ADGroup "CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM" -Server "europe.fabrikam.com";
Add-ADGroupMember $group -Member $user -Server "europe.fabrikam.com"
Description
Adds the user "CN=Glen John,OU=UserAccounts" from the North America domain to the group "CN=AccountLeads,OU=UserAccounts" in the Europe domain.
What I can gather from this is that what I am trying to accomplish SHOULD be possible; however, I'm missing something critical. Here is the command I'm trying to run:
Add-ADGroupMember -Identity "CN=Test-Group,OU=Area 51,DC=rootdomain,DC=int" -Members "CN=Homer Simpson,OU=TEST,DC=childdomain,DC=rootdomain,DC=int"
And here is the Error that I'm getting:
Add-ADGroupMember : A referral was returned from the server
At line:1 char:1
+ Add-ADGroupMember -Identity "CN=Test-Group,OU=Area 51,DC=rootdomain,DC=int ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=Test-Grou...DC=rootdomain,DC=int:ADGroup) [Add-ADGroupMember], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I've tried adding the:
- -Server "dc01.rootdomain.int:3268"
- -Server "rootdomain.int:3268"
- -Server "rootdomain.int"
- -Server "dc01.childdomain.rootdomain.int:3268"
- -Server "childdomain.rootdomain.int:3268"
- -Server "childdomain.rootdomain.int"
I am logged in as an Enterprise administrator; however, one of the next things I'm going to try is to pass my credentials to the command. Any thoughts as to what might be going on?
All replies (13)
Thursday, April 18, 2013 5:47 PM ✅ Answered | 2 votes
Hi Callum,
I wanted to provide you with a bit of an update. I tried what you had suggested above (using ADSI) and lo and behold it worked! With this I can at least move forward with my script development. However, being the geek I am I really wanted to dig in a bit more and try out a last few things.
Between your remarks about troubles running scripts against Windows 2003 DC's and a post that I made over on a different forum that led me to this KB article http://support.microsoft.com/kb/923354, I decided to do a bit more testing. As it would happen, all but 2 DC's in our forest are still running Windows Server 2003 as their OS. We recently opened up a new office in Munich Germany and decided that it was time to move on and start using Windows Server 2008 R2. Because of your remarks, and the info in the KB article... I decided to modify my script as follows:
Import-Module ActiveDirectory
Clear-Variable Group1 -ErrorAction SilentlyContinue   # no error on a first run when the variable does not exist yet
Clear-Variable User1 -ErrorAction SilentlyContinue
$AdminCredentials = Get-Credential "rootdomain\<enterprise_admin>"
$Group1 = Get-ADGroup -Identity "Test-Group"
$User1 = Get-ADUser -Identity test.tw -Server rootdomain.int:3268   # look the child-domain user up in the global catalog (port 3268)
Add-ADGroupMember -Identity $Group1 -Members $User1 -Credential $AdminCredentials -Server w2k8dc.rootdomain.int   # write to a 2008 R2 DC in the group's domain, not to the GC port
I have to admit, I had to go change my underwear when I discovered that this actually worked :P
So from this, I am going to proceed with 2 action items:
- Because these W2K8 DC's are located in Munich and I'm located in Ottawa Canada, I'm going to promote a DC locally initially to use for my script but "big picture" to eventually replace a W2K3 DC locally
- Test the HotFix in the KB article I mentioned to see if this IS the issue that I am suffering from.
In either case, I have a solution that allows me to move forward! I honestly can't thank you enough for all of your help. I will post back with the results of the KB Hotfix so that if someone else comes across this issue in the future, they'll have some idea of how to proceed.
Thank you again Callum!
Ken
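The working pattern from the accepted answer (resolve the child-domain user through a global catalog, then write the membership against a writable DC in the group's own domain) as a reusable function. This is an added example, not Ken's or Callum's script. It keeps the thread's names (Test-Group in rootdomain.int, test.tw in childdomain.rootdomain.int); the function name, the parameter names and the 'rootdomain\groupadmin' account are assumptions. Two checks the thread ran into are built in: the write never goes to port 3268, because a GC is read-only for partitions it does not own (the "server is unwilling to process the request" error above), and the group scope is tested first, because only Universal and Domain Local groups may hold members from another domain.

```powershell
Import-Module ActiveDirectory

function Add-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,    # sAMAccountName of the group
        [Parameter(Mandatory)] [string] $GroupDomain,  # DNS name of the domain that holds the group
        [Parameter(Mandatory)] [string] $UserName,     # sAMAccountName of the member
        [Parameter(Mandatory)] [string] $ForestRoot,   # DNS name of the forest root, used to locate a GC
        [System.Management.Automation.PSCredential] $Credential
    )

    # Splat the credential only when one was supplied.
    $cred = @{}
    if ($Credential) { $cred.Credential = $Credential }

    # 1. Resolve the member through a global catalog (port 3268). The GC holds a partial
    #    replica of every domain in the forest, so the child-domain user is found without
    #    binding to the child domain directly.
    $gc   = Get-ADDomainController -Discover -DomainName $ForestRoot -Service GlobalCatalog
    $user = Get-ADUser -Identity $UserName -Server "$([string]$gc.HostName):3268" @cred

    # 2. Resolve the group on a writable DC of the group's own domain and send the write
    #    there. Writing through the GC port fails: the GC only answers reads for partitions
    #    it does not own.
    $dc     = Get-ADDomainController -Discover -DomainName $GroupDomain -Writable
    $server = [string]$dc.HostName
    $group  = Get-ADGroup -Identity $GroupName -Server $server -Properties member @cred

    # 3. A Global group cannot contain members from another domain; fail with a readable
    #    message instead of an LDAP error from the DC.
    if ($group.GroupScope -eq 'Global') {
        throw "Group '$GroupName' is Global; only Universal or DomainLocal groups accept members from other domains."
    }

    # 4. Idempotent: skip the write if the member DN is already listed.
    if ($group.member -contains $user.DistinguishedName) {
        Write-Verbose "$($user.DistinguishedName) is already a member of $($group.DistinguishedName)"
        return $group
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add member $($user.DistinguishedName)")) {
        # Pass the resolved objects, not DN strings. With a bare DN string for a child-domain
        # user the cmdlet has to look that DN up on the parent DC, which answers with a
        # referral (the ADReferralException at the top of the thread).
        Add-ADGroupMember -Identity $group -Members $user -Server $server @cred
    }

    # 5. Read back from the same DC; other DCs will only show the change after replication.
    $after = Get-ADGroup -Identity $group.DistinguishedName -Server $server -Properties member @cred
    if ($after.member -notcontains $user.DistinguishedName) {
        throw "Membership write on $server did not take effect for $($user.DistinguishedName)"
    }
    $after
}

# Usage with the thread's names. Prefer an account delegated "Write Members" on the
# group's OU over an Enterprise Admin; the write needs nothing more than that.
$admin = Get-Credential 'rootdomain\groupadmin'
Add-CrossDomainGroupMember -GroupName 'Test-Group' -GroupDomain 'rootdomain.int' `
    -UserName 'test.tw' -ForestRoot 'rootdomain.int' -Credential $admin -Verbose
```

Get-ADDomainController -Discover uses the DC locator, so it works even where not every DC runs ADWS; the Get-ADUser, Get-ADGroup and Add-ADGroupMember calls still need ADWS on the DCs they are pointed at, which is the constraint the thread kept hitting on the 2003 DCs.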
Tuesday, April 16, 2013 8:00 AM
The error *A referral was returned from the server* is usually due to some error in an LDAP string or some other connection property.
Could you try setting a couple of variables and using them to add the groupmember?
$Group = Get-ADGroup -Identity <yourGroup>
$User = Get-ADUser -Identity <yourUser>
Then adding the groupmember like this:
Add-ADGroupMember -Identity $Group -Members $User
Also see this post: http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/cbb98c7c-455c-4ce7-93d6-6a16e26fdc55/
If you scroll down in the post, you'll see the same error. Perhaps their solution will help you.
Tuesday, April 16, 2013 4:35 PM
Hi Callum,
Thanks for your thoughts and reply. Here are the results from my testing:
- The Group is located in the Parent domain and is a Universal Distribution group called Test-Group
- The User is a test user in a child domain called test.tw
$Group1 = Get-ADGroup -Identity Test-Group
$User1 = Get-ADUser -Identity test.tw
Add-ADGroupMember -Identity $Group1 -Members $User1
As you might expect, without specifying any parameters the Get-ADUser only checks in the locally connected partition/domain (as I understand it), so it returns the following error:
Get-ADUser : Cannot find an object with identity: 'test.tw' under: 'DC=rootdomain,DC=int'.
At line:2 char:10
+ $User1 = Get-ADUser -Identity test.tw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (test.tw:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At line:4 char:46
+ Add-ADGroupMember -Identity $Group1 -Members $User1
+ ~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
If I check the values of each variable I can see (as expected) that $Group1 did correctly retrieve the information about the group Test-Group and that $User1 has no data.
My approach to deal with this is to search a GC (Global Catalog) for the user.
$Group1 = Get-ADGroup -Identity Test-Group
$User1 = Get-ADUser -Identity test.tw -Server dc01.rootdomain.int:3268
Add-ADGroupMember -Identity $Group1 -Members $User1
When I do this, I get the following error:
Add-ADGroupMember : The specified group type is invalid
At line:4 char:1
+ Add-ADGroupMember -Identity $Group1 -Members $User1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Test-Group...DC=rootdomain,DC=int:ADGroup) [Add-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8513,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I have to admit that this error confuses me. When I check the values of the variables I get the following:
PS C:\Scripts> $Group1
DistinguishedName : CN=Test-Group,OU=Area 51,DC=rootdomain,DC=int
GroupCategory : Distribution
GroupScope : Universal
Name : Test-Group
ObjectClass : group
ObjectGUID : 1fe23456-789b-0cf1-234d-a567f89cd0c1
SamAccountName : Test-Group
SID : S-1-2-34-567890123-4567890123-4567890123-45678
PS C:\Scripts> $User1
DistinguishedName : CN=Test TW,OU=TW,DC=childdomain,DC=rootdomain,DC=int
Enabled : True
GivenName : Test
Name : Test TW
ObjectClass : user
ObjectGUID : dc1234cb-b5b6-7a89-baae-0c12b3cb4b5d
SamAccountName : Test.TW
SID : S-1-2-34-5678901234-567890123-456789012-34567
Surname : TW
UserPrincipalName : [email protected]
As you can see, the Get-AD statements are retrieving the data fine. The issue is with the Add-ADGroupMember
I tried just adding the -server statement of a GC to the Add-ADGroupMember cmdlet:
$Group1 = Get-ADGroup -Identity Test-Group
$User1 = Get-ADUser -Identity test.tw -Server dc01.rootdomain.int:3268
Add-ADGroupMember -Identity $Group1 -Members $User1 -Server dc01.rootdomain.int:3268
and it produced this error:
Add-ADGroupMember : The server is unwilling to process the request
At line:4 char:1
+ Add-ADGroupMember -Identity $Group1 -Members $User1 -Server dc01.rootdomai ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=Test-Group...DC=rootdomain,DC=int:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I suspect the error might have something to do with me trying to modify a group membership within the GC which just might not be possible. That being said, surely adding a user from a child domain to a group in a parent domain is something that PowerShell can handle?
Thoughts?
Tuesday, April 16, 2013 4:39 PM
Oh, and I did review that article you linked. I did run across that earlier but it's not clear as to what was done (other than dropping the -Server statement) to get his script to work. I'm going to review it again and see if I missed something.
Thanks again and any help or thoughts you might have are appreciated!
Ken
Tuesday, April 16, 2013 8:54 PM
Right, I've set up a child domain in my lab and tried to replicate your issues but unfortunately it just seems to work in my lab.
Basically this is my lab:
Toplevel domain: PowellShell.local
Child domain: Child
Universal Distribution Group named Test-Group in PowellShell.local domain
User Account named test.tw in Child domain
And here are the Powershell commands that just worked:
$User = Get-ADUser test.tw -Server Child.PowellShell.local:3268
$Group = Get-ADGroup Test-Group
Add-ADGroupMember -Identity $Group -Members $User
This was run from my Toplevel domain PowellShell.local as an Enterprise Administrator.
Could it have something to do with your users permissions? I'll test a few more things to try and replicate the issue.
MCITP,MCTS,MCP,MCSA
Tuesday, April 16, 2013 9:10 PM
First I want to thank you for taking the time to help. I know these days to spin up a few VM's in a lab environment isn't a ton of effort... but that you're willing to take the time to do it means a lot so thanks!
The account that I'm logged in as is an Enterprise Administrator of the forest. I'm open to trying to pass credentials across to the Add-ADGroupMember command. I may try that next. About my forest... (which isn't something I had considered before)
All of the DC's in the 2 domains that are being queried are Windows Server 2003 systems. I don't have ADWS running on all of the DC's in each of the domains but it was my understanding that it's not a pre-requisite. I'm going to go out on a limb here but you don't happen to think that this might have something to do with it? Or should I just focus on trying to determine why the command is coming back with either the Add-ADGroupMember : The specified group type is invalid or Add-ADGroupMember : The server is unwilling to process the request errors?
Thoughts?
Tuesday, April 16, 2013 9:46 PM
Digging into issues like these is what we learn from, so you're very welcome.
My immediate thoughts are that the 2003 DC's could be the issue.
With my lab working without trouble (2012 servers at 2012 functional level) and also since you have Enterprise Admin rights there shouldn't be an issue there. It really is tempting to blame the 2003 servers.
I run a lot of Powershell against 2003 functional levels and I can tell you first hand there should be no problems there.
However running against 2003 servers is something I have had my share of issues with.
I tested the commands against some of the 2003 DC's in my environment but none of them have ADWS so no good there. They all produced the same error (as did my 2012 lab when disabling ADWS): Unable to contact the server. This may ... etc etc ... does not have the Active Directory Web Services running.
I'll look into it a little more and see if I get anywhere.
MCITP,MCTS,MCP,MCSA
Tuesday, April 16, 2013 10:04 PM | 2 votes
Have you tried using ADSI? It's not pleasant but it might provide some insight.
Try adding the member like this (remember to elevate your Powershell):
$Group = [ADSI]"LDAP://rootdomain.int/<GroupDN here>"          # bind to the group in the parent domain
$Group.Add("LDAP://childdomain.rootdomain.int/<UserDN here>")   # add the child-domain user by its LDAP path
$Group.SetInfo()                                                # commit the change to the directory
Any luck?
If that doesn't work then troubleshooting goes elsewhere, if it does work then I'm afraid I'm going to blame the 2003 servers and suggest you promote a 2008 DC or newer ;)
MCITP,MCTS,MCP,MCSA
Friday, April 19, 2013 12:53 PM
Ken,
Great to hear you figured it out!
Moving on to a 2008 R2 Server (or if you really want to have fun, try 2012) is a great idea and will certainly make life easier for you.
Callum Powell
MCITP, MCTS, MCP, MCSA
Check out my PowerShell blog: http://www.calumpowell.com
Friday, May 2, 2014 8:26 PM | 2 votes
For reference, Here is another way to achieve this. (I was never able to get Add-ADGroupMember to work)
set-adobject $Group1.distinguishedName -Add @{"member"=$User1.distinguishedName}
Thursday, February 5, 2015 2:34 PM
This worked perfectly. I too could not get the Add-ADGroupMember to work. Environment is all 2008 R2 and above DCs in both parent and child domains. We thought it was a permission issue but we had an enterprise admin in the parent domain try it and it gave same results. If you're ever in Long Island, first beer is on me.
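The Set-ADObject one-liner above is a raw LDAP modify of the group's member attribute, which is why it sidesteps the cmdlet's own member lookup. As an added example (not the poster's code) here is the same write with the checks a script should carry: it targets a writable DC of the group's domain, reads the member list first so the modify does not fail on a duplicate or a missing entry, rejects a cross-domain add to a Global group before the DC does, and verifies the result. It uses -Add and -Remove only; -Replace on member would overwrite the whole membership list. The DNs are the thread's; the function names, the Action parameter and the groupType bit test (0x2 = Global) are assumptions of this example.

```powershell
Import-Module ActiveDirectory

# Extract the DNS domain name from the DC= components of a distinguished name.
function Get-DomainFromDN([string] $DN) {
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Set-ADGroupMemberAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,   # DN of the group (parent domain)
        [Parameter(Mandatory)] [string] $MemberDN,  # DN of the member (any domain in the forest)
        [ValidateSet('Add', 'Remove')] [string] $Action = 'Add',
        [System.Management.Automation.PSCredential] $Credential
    )
    $cred = @{}
    if ($Credential) { $cred.Credential = $Credential }

    # The modify must go to a writable DC in the group's domain, never to a GC port.
    $groupDomain  = Get-DomainFromDN $GroupDN
    $memberDomain = Get-DomainFromDN $MemberDN
    $server = [string](Get-ADDomainController -Discover -DomainName $groupDomain -Writable).HostName

    $group = Get-ADObject -Identity $GroupDN -Server $server -Properties member, groupType @cred

    # groupType bit 0x2 marks a Global group; those cannot hold members from another domain.
    if (($group.groupType -band 0x2) -and ($memberDomain -ne $groupDomain)) {
        throw "$GroupDN is a Global group and cannot hold the member $MemberDN from $memberDomain."
    }

    $present = $group.member -contains $MemberDN
    switch ($Action) {
        'Add' {
            if ($present) { Write-Verbose "$MemberDN is already in $GroupDN"; return $group }
            if ($PSCmdlet.ShouldProcess($GroupDN, "Add member $MemberDN")) {
                Set-ADObject -Identity $GroupDN -Add @{ member = $MemberDN } -Server $server @cred
            }
        }
        'Remove' {
            if (-not $present) { Write-Verbose "$MemberDN is not in $GroupDN"; return $group }
            if ($PSCmdlet.ShouldProcess($GroupDN, "Remove member $MemberDN")) {
                Set-ADObject -Identity $GroupDN -Remove @{ member = $MemberDN } -Server $server @cred
            }
        }
    }

    # Read back from the same DC and confirm the attribute now matches the requested action.
    $after = Get-ADObject -Identity $GroupDN -Server $server -Properties member @cred
    $nowPresent = $after.member -contains $MemberDN
    if (($Action -eq 'Add') -ne $nowPresent) {
        throw "$Action of $MemberDN on $GroupDN did not take effect on $server"
    }
    $after
}

# Usage with the DNs shown earlier in the thread:
Set-ADGroupMemberAttribute -GroupDN 'CN=Test-Group,OU=Area 51,DC=rootdomain,DC=int' `
    -MemberDN 'CN=Test TW,OU=TW,DC=childdomain,DC=rootdomain,DC=int' -Action Add -Verbose
```

Because this is a plain attribute write, the DC still enforces its own rules (group scope, the caller's Write Members permission on the group), so a failure here shows up as an LDAP constraint or access error rather than a cmdlet message; the pre-checks above exist to turn the common cases into readable errors before the write.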
Tuesday, July 9, 2019 6:44 PM
That global catalog port on the server name did the trick for me. Very helpful. Thanks a lot!
Tuesday, July 9, 2019 7:52 PM
Please do not reactivate ancient threads just to say "thank you". Therefore we have the vote buttons.
Thanks
Live long and prosper!
(79,108,97,102|%{[char]$_})-join''