Reputation: 23
I'm getting the following error when I run my script:
Get-ADUser : A referral was returned from the server At line:25 char:70
+ ... -Identity $G.name -Recursive | Get-ADUser -Server $dom -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User...,DC=org:ADUser) [Get-ADUser], ADReferral Exception
+ FullyQualifiedErrorId : ActiveDirectoryServer:****,Microsoft.ActiveDirectory.Management.Commands.GetADUser
This is my script:
$Domains = (Get-ADForest).Domains.ForEach{(Get-ADDomain $_).PDCEmulator}
$Users = @()
$Groups = @()
$list = Get-Content C:\temp\ADGroups.txt
ForEach ($dom in $Domains) {
    Foreach ($o in $list) {
        $ObjectClass = (Get-ADObject -Server $dom -Filter {SamAccountName -eq $o}).ObjectClass
        If ($ObjectClass -eq "User") {
            $U = Get-ADUser -Properties * -Identity $o -Server $dom
            $User = "" | Select-Object FullUserName, LoginID, Description
            $User.FullUserName = $U.DisplayName
            $User.LoginID = $U.SamAccountName
            $User.Description = $U.Description
            $Users += $User
        } Else {
            If ($ObjectClass -eq "Group") {
                $G = Get-ADGroup -Properties * -Identity $o -Server $dom
                $GM = Get-ADGroupMember -Server $dom -Identity $G.Name -Recursive | Get-ADUser -Server $dom -Properties *
                Foreach ($gmember in $GM) {
                    $Group = "" | Select-Object GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
                    $Group.GroupName = $G.Name
                    $Group.GroupDescription = $G.Description
                    $Group.GroupMemberName = $gmember.Name
                    $Group.GroupMemberLoginID = $gmember.SamAccountName
                    $Group.GroupMemberDesc = $gmember.Description
                    $Groups += $Group
                }
            }
        }
    }
}
$Users | Export-Csv C:\temp\Users.csv -NoTypeInformation
$Groups | Export-Csv C:\temp\Groups.csv -NoTypeInformation
The purpose of my script is to pull users that belong in a group and export to a .csv file. It works for the most part, but it gives me an error for certain users. I think it could be because those users in the group belong in a different domain.
Upvotes: 1
Views: 13235
Reputation: 13453
I think that you can simply drop the -Server from Get-ADUser. Since Get-ADGroupMember returns an ADPrincipal[] type, every user contains a fully qualified DistinguishedName, which implies the domain ("server") that the results come from.
Yes, you are right in thinking that essentially (pseudocode):
"contoso.com\user" | Get-ADUser -Server "DC01.theOtherContoso.com"
will not work. And when piping from Get-ADGroupMember, you get the error:
Get-ADUser : A referral was returned from the server
If you run the same query, but omitting the -Server portion from the Get-ADUser portion, it will use the distinguished name to figure out where to pull the information:
$GM = Get-ADGroupMember -Server $dom -Identity $G.name -Recursive | Get-ADUser -Properties *
It should return you the user objects that you need.
Upvotes: 1
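The point of the answer above is that a member's DistinguishedName already names its home domain. The following is an added example, not code from the question or the answer, that makes that explicit: it derives the domain from the DC= components of each member's DN and runs Get-ADUser against that domain rather than against the DC that holds the group, which is what produced the referral. It also requests only the attributes that end up in the CSV instead of -Properties *. Function names, the parameter names and the group name in the usage line are assumptions made up for the example.

```powershell
Import-Module ActiveDirectory

# Derive the DNS name of an object's home domain from its distinguished name:
# 'CN=J. Doe,OU=Staff,DC=child,DC=contoso,DC=com' -> 'child.contoso.com'
# Escaped commas inside a CN (e.g. 'CN=Doe\, John') are harmless here because
# only components starting with DC= are kept.
function Get-DomainFromDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = $DistinguishedName -split ',' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    return ($dcParts -join '.')
}

# Expand a group recursively and fetch every user member from a DC of the
# user's own domain. $Server is the DC or domain that holds the group, the
# same value the question passes as -Server $dom. Only the attributes that are
# exported are requested, not the whole object.
function Get-GroupMemberReport {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Server
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties Description
    $members = Get-ADGroupMember -Identity $group.DistinguishedName -Server $Server -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # Batch members by home domain so the per-domain lookups are grouped together
    foreach ($batch in ($members | Group-Object { Get-DomainFromDistinguishedName $_.DistinguishedName })) {
        $homeDomain = $batch.Name
        foreach ($member in $batch.Group) {
            # Identity by DN and -Server set to the member's own domain: no referral
            $u = Get-ADUser -Identity $member.DistinguishedName -Server $homeDomain -Properties DisplayName, Description
            [pscustomobject]@{
                GroupName          = $group.Name
                GroupDescription   = $group.Description
                GroupMemberName    = $u.DisplayName
                GroupMemberLoginID = $u.SamAccountName
                GroupMemberDomain  = $homeDomain
                GroupMemberDesc    = $u.Description
            }
        }
    }
}

# Usage (constructed names): the group lives in the domain served by DC01
Get-GroupMemberReport -GroupName 'App-Admins' -Server 'DC01.contoso.com' |
    Export-Csv C:\temp\Groups.csv -NoTypeInformation
```

Passing a domain DNS name to -Server lets the module pick any reachable DC in that domain, so the report keeps working when the PDC emulator of a child domain is unavailable. Get-ADGroupMember -Recursive still needs every member's domain to be reachable while it expands the group; if a trust is broken the expansion itself fails before this function ever calls Get-ADUser.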
Reputation: 2890
See the answers in this question. Answers there indicate you can retrieve the referral location in the exception and retry the Get-ADUser against the other server.
You might reconsider how you search for all these groups and users. Users are replicated throughout the forest. Global and Universal groups are too. So you could search the Global Catalog instead of iterating through one DC in every domain: Get-DomainController -GlobalCatalog and run your Get-AD* commands against that server's global catalog port, i.e. Get-ADUser -server $GCServerName:3268
However, bear in mind that the GC doesn't contain complete user and group properties, and the properties it does return are subject to replication delays.
Whether this is helpful depends on your domain architecture. In my own workplace, querying remote domain controllers is very expensive. Our site domain controller is a global catalog, though, so searching it for forest information is very fast.
Upvotes: 2
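The answer above suggests querying the Global Catalog once instead of looping over every domain's PDC for every name in the list. The following is an added example, not code from the question or the answer, that does that: it locates a GC with Get-ADDomainController -Discover -Service GlobalCatalog, resolves the whole name list with a single LDAP query on port 3268, reports each object's class and home domain, and goes back to the home domain only for attributes the GC partial attribute set may not carry. Names read from a text file are escaped before they are placed in the filter so an odd entry cannot change the filter's structure. Function names, the property list and the sample names are assumptions made up for the example.

```powershell
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515). Values come from a
# text file in the question, so they are untrusted as far as the filter goes.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Resolve a list of sAMAccountNames forest-wide with one query against the GC
# port (3268). Returns class, home domain and DN for each hit; names with no
# match simply do not appear in the output.
function Find-ForestObject {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string]$GlobalCatalog = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    )
    $clauses = $SamAccountName | ForEach-Object { "(sAMAccountName=$(ConvertTo-LdapFilterValue $_))" }
    $ldapFilter = "(|$($clauses -join ''))"

    Get-ADObject -Server "${GlobalCatalog}:3268" -LDAPFilter $ldapFilter `
                 -Properties sAMAccountName, objectClass, displayName |
        ForEach-Object {
            $obj = $_
            # The DC= components of the DN name the object's home domain
            $home = ($obj.DistinguishedName -split ',' |
                     Where-Object { $_ -like 'DC=*' } |
                     ForEach-Object { $_.Substring(3) }) -join '.'
            [pscustomobject]@{
                SamAccountName    = $obj.sAMAccountName
                ObjectClass       = $obj.ObjectClass
                DisplayName       = $obj.displayName   # part of the default partial attribute set
                HomeDomain        = $home
                DistinguishedName = $obj.DistinguishedName
            }
        }
}

# Attributes that are not replicated to the GC (or that must be current rather
# than subject to GC replication lag) are read from a DC of the home domain.
function Get-ForestUserDetail {
    param([Parameter(Mandatory)]$ForestObject)
    Get-ADUser -Identity $ForestObject.DistinguishedName -Server $ForestObject.HomeDomain `
               -Properties DisplayName, Description
}

# Usage (constructed sample list; the question reads it from C:\temp\ADGroups.txt)
$names = @('jdoe', 'App-Admins', 'svc-backup')
$found = Find-ForestObject -SamAccountName $names
$found | Where-Object ObjectClass -eq 'user' |
    ForEach-Object { Get-ForestUserDetail $_ } |
    Select-Object @{n='FullUserName';e={$_.DisplayName}},
                  @{n='LoginID';e={$_.SamAccountName}},
                  Description |
    Export-Csv C:\temp\Users.csv -NoTypeInformation
```

Groups found this way are then expanded with Get-ADGroupMember against their HomeDomain, not against the GC port, because group membership of domain local groups is not in the GC at all and the GC copy of other groups' membership lags replication. The single batched filter also replaces the question's Domains × list loop of individual Get-ADObject calls with one round trip per run.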