add-adgroupmember to group from multiple domains

This topic contains 4 replies, has 2 voices, and was last updated by Jason McMahan 1 year, 8 months ago.

  • #23590
    Jason McMahan
    Participant

    Good morning,
    While working with a script to create a group in Domain A and then add groups from Domain B and C to the initial group, I get an error. However, I noticed that if I wait a while I can add the group without error.
    To verify the new group was created, I put in a do/while loop with a try/catch; it verifies the group is created and adds the group from Domain B to Domain A, then fails on the group from Domain C if I add too quickly.

    # Create the role group in Domain B and read it back
    New-ADGroup -Name $DomainBRoleGroup -GroupScope Global -GroupCategory Security -Path $DomainBRoleGroupPath -Server $DomainB
    $valDomainBRoleGroup = Get-ADGroup -Filter {SamAccountName -eq $DomainBRoleGroup} -Properties samAccountName -Server $DomainB

    # Create the functional group in Domain C and read it back
    New-ADGroup -Name $DomainCFunctionalGroup -GroupScope Universal -GroupCategory Security -Path $DomainCFunctionalGroupPath -Server $DomainC
    $valDomainCFunctionalGroup = Get-ADGroup -Filter {SamAccountName -eq $DomainCFunctionalGroup} -Server $DomainC

    # Create the domain-local list group in Domain A unless it already exists
    If (Get-ADGroup -Filter {SamAccountName -eq $siteListGroup} -Server $DomainA) {
        $a = New-Object -ComObject wscript.shell
        $b = $a.Popup("The Group $siteListGroup already exists and will not be created, exiting script!", 0, "Message From DomainA Script", 1)
        Break
    } Else {
        New-ADGroup -Name $siteListGroup -GroupScope DomainLocal -GroupCategory Security -Path $DomainAResourceGroupPath -Server $DomainA
    }
    $valSiteListGroup = Get-ADGroup $siteListGroup -Server $DomainA

    # Add the Domain B and Domain C groups as members of the Domain A list group
    Add-ADGroupMember -Identity $valSiteListGroup -Members $valDomainBRoleGroup -ErrorAction Stop

    Add-ADGroupMember -Identity $valSiteListGroup -Members $valDomainCFunctionalGroup -ErrorAction Stop

    Add-ADGroupMember : The specified group type is invalid
    At line:10 char:5
    

    If I run both Add-ADGroupMember lines back to back, it errors on DomainBRoleGroup but adds DomainCFunctionalGroup; then if I wait a random amount of time and run the Add-ADGroupMember line for that domain again, it works fine.

    I have tried a do/while loop with a try/catch doing a match on the SID of the Domain B group as a member of the Domain A list group, but it doesn't work.
    I am lost, because the do/while works great for Domain C to Domain A any time, but Domain B (which is a child domain of A) only works when it likes.

    Any suggestions would be greatly appreciated

  • #23659
    Matt McNabb
    Participant

    You're probably running into DC replication issues. You create an object in a domain and then make another call to that domain for that object. This time you get a different DC and it hasn't yet learned about the object, hence the error.

    You could try specifying a particular DC for the -Server parameter instead of using the domain name. I work in a single domain environment, but anytime I script anything in AD I use a single server to avoid this issue. If you don't do this then you will need to add some logic in to check for the existence of the object first to avoid errors, but this will add bulk to the script and execution time, so it's best to script against a particular server.

  • #23699
    Jason McMahan
    Participant

    Thank you for the reply Matt,
    I had run into that exact problem a time before. The beginning of my script uses

    $Script:DomainA = Get-ADDomainController -Discover -DomainName "DomainA" -SiteName "datacenter" | Select-Object -ExpandProperty HostName

    Then for the entire script, if I need to call the domain I use $DomainA, which is populated with domain_domainController1.

  • #23724
    Matt McNabb
    Participant

    A couple of other things to consider:

    Are you certain you are only ending up with one domain controller in $DomainA?

    Since you're dealing with universal groups, you might need to make sure you are querying a DC with the global catalog. Can you confirm that this is the case?

    The error you are getting seems to indicate a problem with group type. Which line in the portion of the script you posted is line 10 in your original script? This will at least let you drill down to the appropriate portion of the code to help find where the problem lies.
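    One way to apply the advice in Matt's two replies (#23659 and #23724) to the original script: pin a single DC per domain, confirm the DomainA server is a global catalog, and read each newly created group back through the same pinned DC before using it as a member. This is an added example, not code from the thread; the domain names, site name, group names and OU paths are placeholders.

```powershell
# Added example (not from the thread): pin one DC per domain, confirm the DomainA
# DC is a global catalog, and read a freshly created group back through the
# same pinned DC before using it, so every call sees one consistent directory view.
Import-Module ActiveDirectory

function Get-PinnedDC {
    param([string]$Domain, [string]$Site, [switch]$RequireGC)
    $dc = Get-ADDomainController -Discover -DomainName $Domain -SiteName $Site -Service ADWS
    if ($RequireGC -and -not $dc.IsGlobalCatalog) {
        throw "Discovered DC $($dc.HostName) for $Domain is not a global catalog"
    }
    # HostName is a collection on discovery results; pin the first entry as a string
    return [string]($dc.HostName | Select-Object -First 1)
}

function Wait-ADGroupOnServer {
    # Poll the pinned DC until the group is visible there (covers creation/replication lag)
    param([string]$SamAccountName, [string]$Server, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $g = Get-ADGroup -Filter "SamAccountName -eq '$SamAccountName'" -Server $Server
        if ($g) { return $g }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "Group $SamAccountName not visible on $Server after $TimeoutSec seconds"
}

# Placeholder domains/site; the DomainA server must be a GC to resolve foreign members
$DomainA = Get-PinnedDC -Domain 'domaina.example' -Site 'datacenter' -RequireGC
$DomainB = Get-PinnedDC -Domain 'child.domaina.example' -Site 'datacenter'
$DomainC = Get-PinnedDC -Domain 'domainc.example' -Site 'datacenter'

$siteListGroup = 'SiteList-Resources'   # placeholder group names and OU paths
$DomainAResourceGroupPath = 'OU=Groups,DC=domaina,DC=example'
$DomainBRoleGroup = 'SiteList-Role';  $DomainBRoleGroupPath = 'OU=Groups,DC=child,DC=domaina,DC=example'
$DomainCFunctionalGroup = 'SiteList-Func'; $DomainCFunctionalGroupPath = 'OU=Groups,DC=domainc,DC=example'

New-ADGroup -Name $DomainBRoleGroup -GroupScope Global -GroupCategory Security -Path $DomainBRoleGroupPath -Server $DomainB
$valDomainBRoleGroup = Wait-ADGroupOnServer -SamAccountName $DomainBRoleGroup -Server $DomainB
New-ADGroup -Name $DomainCFunctionalGroup -GroupScope Universal -GroupCategory Security -Path $DomainCFunctionalGroupPath -Server $DomainC
$valDomainCFunctionalGroup = Wait-ADGroupOnServer -SamAccountName $DomainCFunctionalGroup -Server $DomainC

if (Get-ADGroup -Filter "SamAccountName -eq '$siteListGroup'" -Server $DomainA) {
    throw "The group $siteListGroup already exists and will not be created"
}
New-ADGroup -Name $siteListGroup -GroupScope DomainLocal -GroupCategory Security -Path $DomainAResourceGroupPath -Server $DomainA
$valSiteListGroup = Wait-ADGroupOnServer -SamAccountName $siteListGroup -Server $DomainA
# Same pinned DomainA DC for the write as for the reads above
Add-ADGroupMember -Identity $valSiteListGroup -Members $valDomainBRoleGroup, $valDomainCFunctionalGroup -Server $DomainA -ErrorAction Stop
```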

  • #23970
    Jason McMahan
    Participant

    Thank you very much for the reply, and I apologize for the delayed response.

    $Script:DomainA = Get-ADDomainController -Discover -DomainName "domain$.com" -SiteName "companyDefault" | Select-Object -ExpandProperty HostName

    This returns domaincontrollerA.domaina.com, which is a string System.Object, and I confirmed it is a GC.
    You mention the group type problem; that is the interesting hiccup. If I wait before the addition of the group, or even put in a Start-Sleep for 10-20 sec, it works fine.

    One other item: this is in a separate forest with a one-way trust. DomainA trusts us; we don't trust it.
