New-ADUser – A referral was returned from the server

This stupid error message stumped me for a bit yesterday.

    Microsoft.ActiveDirectory.Management.ADReferralException: A referral was returned from the server
       at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.CheckAndThrowReferralException(ADResponse response)
       at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)
       at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()
       at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase3.ADNewCmdletBaseProcessCSRoutine()
       at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
       at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord()

It was generated by a new account creation Flow I maintain, and the error was from the New-ADUser cmdlet. There’s a bunch of posts on the Internet on this for the Set-ADUser cmdlet, but none for New-ADUser.

On a whim I ran the nltest /dsgetsitedc:<domain> command on the machine where New-ADUser was being run from and noticed the result was a RODC. So I did nltest /sc_reset:<domain> which gave me a regular DC. After that New-ADUser started working fine as expected. I guess the referral it was talking about was from the RODC to a regular DC and something about that didn’t gel well with New-ADUser.

It’s been years since I ran any of the nltest commands! Am pleased I actually remembered it and thought to run the command. Past few years have been all Microsoft 365 and Power Platform, I’ve forgotten stuff from my younger days. :)

Update (16th Nov 2022): Ran into this again today. This time with Set-ADUser. Trick is to get a DC via:

And then use the -Server $domainController switch with the Set-ADUser and New-ADUser cmdlets. I am specifically targeting the Primary DC rather than a Global Catalog or any other DC. I noticed that if I target a Global Catalog that too gives me referrals. (Although, in this case the Primary DC is also a Global Catalog, so I am surprised I didn’t get an error…)
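
One way to pin the write cmdlets to a writable DC, as an added example (not the snippet from the original post, which is missing from this page). The domain name, OU path and user values are placeholders, and Get-WritableDomainController is a hypothetical helper name.

```powershell
# Added example. 'corp.example.com', the OU path and 'tuser' are placeholders.
Import-Module ActiveDirectory

function Get-WritableDomainController {
    param([Parameter(Mandatory)][string]$DomainName)

    # Ask the DC locator for the PDC emulator and require a writable DC.
    $found = Get-ADDomainController -Discover -DomainName $DomainName `
        -Service PrimaryDC -Writable -ErrorAction Stop
    $hostName = [string]($found.HostName | Select-Object -First 1)

    # Discovery returns a reduced object, so query that DC for its full record.
    $dc = Get-ADDomainController -Identity $hostName -Server $hostName -ErrorAction Stop
    if ($dc.IsReadOnly) {
        throw "$hostName is a read-only DC and cannot take the write."
    }
    return $dc.HostName
}

$domainController = Get-WritableDomainController -DomainName 'corp.example.com'

$newUser = @{
    Name           = 'Test User'
    SamAccountName = 'tuser'
    Path           = 'OU=Staff,DC=corp,DC=example,DC=com'
    Server         = $domainController   # every write goes to the same DC
    ErrorAction    = 'Stop'
}

try {
    New-ADUser @newUser
    Set-ADUser -Identity 'tuser' -Description 'Created by provisioning flow' `
        -Server $domainController -ErrorAction Stop
}
catch [Microsoft.ActiveDirectory.Management.ADReferralException] {
    # Record which DC answered so the referral can be traced afterwards.
    Write-Error "Referral returned by $domainController : $($_.Exception.Message)"
    throw
}
```

Passing the same -Server value to both cmdlets also means the Set-ADUser call sees the account immediately, without waiting for replication to another DC.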