The Technical Janitor

Reputation: 31

Errors when using Set-ADUser and Add-ADGroupMember in child domains (across forest)

I've built a script that is supposed to query for users across the forest and do a few things:

  1. Set ExtensionAttribute2
  2. Add the user to a domain-specific group in their own domain
  3. Add the user to a group in the root domain

When I run this against a GC in the root domain of the forest, users in the root domain are processed just fine. Users in child domains process step #3 just fine, but steps #1 and #2 cause errors.

Edit for clarification: These commands are being run against a 2012 domain controller in the root forest that is also a global catalog server. I'm running these commands as an Enterprise Admin with access to all child domains. Using these same credentials and the same server I can make all of these edits manually using Active Directory Users and Computers.

Here is the script that I've created:

$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"

Import-CSV -Path $csvpath | Foreach-Object {
    $userprincipalname = $_.userprincipalname
    $activationkey = $_.activationkey
    Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
        $dn = $_.DistinguishedName

        #Set default as root domain
        $domain = "contoso"
        $domainserver = "ROOTGC.contoso.com"
        $groupscript = Get-ADGroup -Identity "$domain Test Group Users"

        If ($dn -like "*DC=childdomain1*") {
            $domain = "childdomain1"
            $domainserver = "childgc1.childdomain1.contoso.com"
            $groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
        }
        If ($dn -like "*DC=childdomain2*") {
            $domain = "childdomain2"
            $domainserver = "childgc2.childdomain2.contoso.com"
            $groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
        }

        Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"

        #Set ExtensionAttribute2
        SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}

        #Add the user to their own domain-based group
        Add-ADGroupMember -Identity $groupscript -Members $_

        #Add the user to the root domain's universal group
        Add-ADGroupMember -Identity $groupcbr -Members $_
    }
}

Again, the users in the root domain process just fine. The users in the child domains hit errors on #1 (set the extensionAttribute2) and #2 (add to their local domain group).

Here are the errors:

Setting ExtensionAttribute2:

SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+         SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser

Adding to the local domain group:

Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+         Add-ADGroupMember -Identity $groupscript -Members $_
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

I've searched all over the place but haven't found any way to figure this out yet. I've tried the following (and more):

  1. Added -Server "ROOTGC.contoso.com:3268" to each command to see if that helped, but all it did was break those commands for everyone (including the root users who were working already).
  2. Tried to add the individual domain servers for each domain to the end of the command (as per the variable that I populated: $domainserver), but all of the child domain DCs are Windows 2003; the servers don't accept the connection.
  3. Moved pieces of code around to various places (making it less efficient, but what the heck - I'm trying anything).

What am I missing? Help me please!! I had to go through my CSV file manually and set what needed to be set because it had to get done tonight, but I'm going to be processing thousands of users in the next 2 weeks.

Upvotes: 3

Views: 3466

Answers (1)

Ansgar Wiechers

Reputation: 200473

The server you run this against must have a copy of the global catalog, otherwise it won't be able to resolve the referrals. Or you must run the command against a DC of the target domain. Also, your user must have Enterprise Admin privileges in order to be able to create/modify/delete objects in other domains of the forest (or appropriate delegations must be made in the target domains).

Another problem is that the shiny AD cmdlets won't work without the Active Directory Web Service, which isn't available prior to Windows Server 2008 R2, running on all involved DCs. You can work around that by handling the foreign security principals and directory objects yourself, though:

# Resolve the foreign account (DOM1\username) to its SID; the "<SID=...>" string
# is a DN alias that AD accepts as a value for DN-syntax attributes such as member.
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value

# Get the group's DN with the AD cmdlet, then bind to it with plain ADSI
# (System.DirectoryServices), which does not depend on ADWS.
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")

# Append the SID-form DN to the multi-valued member attribute and write it back.
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()

With that said: you do realize that Windows Server 2003 will reach end-of-life the day after tomorrow, don't you? Why are your DCs still running that antique version?

Upvotes: 3
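The following script is an added example and is not code from the question or the answer. It applies the answer's advice, writing each object through a DC of the object's own domain instead of through the root GC, and uses ADSI (System.DirectoryServices) for those writes because ADSI does not require ADWS and therefore also works against Windows Server 2003 DCs; the root-domain group is still handled with Add-ADGroupMember, which the question reports as working. Everything not in the question is an assumption: the CSV columns userprincipalname and activationkey, the per-domain group naming pattern "<first DC label> Test Group Users", the root group DN, and the helper function names.

```powershell
# Added example (hypothetical): per-domain writes via ADSI, forest-wide lookup via the root GC.
Import-Module ActiveDirectory

$csvpath    = ".\users.csv"
$rootDc     = "ROOTGC.contoso.com"          # root-domain DC that is also a GC
$rootGcPort = "ROOTGC.contoso.com:3268"     # same server, GC port, for forest-wide lookups
$rootGroup  = Get-ADGroup -Identity "CN=test group,OU=Test OU,DC=contoso,DC=com" -Server $rootDc

# DNS name of the domain that holds a DN: join its DC= components with dots.
# The split ignores escaped commas (e.g. "CN=Doe\, John") so such RDNs are not broken up.
function Get-DomainDnsFromDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split '(?<!\\),') | Where-Object { $_ -like 'DC=*' }
    ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
}

# Serverless ADSI bind "LDAP://<domain>/<dn>": the DC locator picks a DC of that domain,
# so the write goes to a DC that owns the object and no referral (error 8235) is returned.
function Get-DomainEntry {
    param([Parameter(Mandatory)][string]$DomainDns,
          [Parameter(Mandatory)][string]$DistinguishedName)
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns/$DistinguishedName")
}

Import-Csv -Path $csvpath | ForEach-Object {
    $upn = $_.userprincipalname
    $key = $_.activationkey

    # Locate the user anywhere in the forest through the GC port, as the question does.
    $user = Get-ADUser -Filter { userPrincipalName -eq $upn } -Server $rootGcPort
    if (-not $user) { Write-Warning "No user found for $upn"; return }

    $dn        = $user.DistinguishedName
    $domainDns = Get-DomainDnsFromDn -DistinguishedName $dn
    $netbios   = ($domainDns -split '\.')[0]   # assumption: NetBIOS name equals the first DNS label

    # The per-domain group is looked up through the GC but written through its own domain.
    $localGroup = Get-ADGroup -Identity "$netbios Test Group Users" -Server $rootGcPort

    Write-Host "$domainDns | $upn [$($user.SamAccountName)] -> extensionAttribute2=$key; groups: $($localGroup.Name), $($rootGroup.Name)"

    # Step 1: set extensionAttribute2 on a DC of the user's own domain (works with 2003 DCs).
    $userEntry = Get-DomainEntry -DomainDns $domainDns -DistinguishedName $dn
    $userEntry.Properties['extensionAttribute2'].Value = $key
    $userEntry.CommitChanges()
    $userEntry.Close()

    # Step 2: add the user to the group in the same domain; skip if already a member so the
    # DC does not reject a duplicate value ("unwilling to process" style errors).
    $groupEntry = Get-DomainEntry -DomainDns $domainDns -DistinguishedName $localGroup.DistinguishedName
    if ($groupEntry.Properties['member'] -notcontains $dn) {
        [void]$groupEntry.Properties['member'].Add($dn)
        $groupEntry.CommitChanges()
    }
    $groupEntry.Close()

    # Step 3: the root domain's universal group, written against the root DC as before.
    Add-ADGroupMember -Identity $rootGroup -Members $user -Server $rootDc
}
```

Run it as the same Enterprise Admin account the question describes; ADSI binds with the caller's current credentials. Note that the `-notcontains` membership check reads the whole member attribute and is only a convenience for small groups; for very large groups (thousands of members) AD returns the attribute in ranges and a direct LDAP search for the member value is the better check.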
