Group query problem in cross forest scenario

    Question

  • Hello,

    I'm trying to set up Azure Active Directory Connect tool in an environment with two forests (bi-directional trust) and multiple child domains in each one. I also want to use group filtering to filter the users I want to synchronize.

    My issue is that when I add the group name from the secondary forest the tool is not able to resolve it and the below error is thrown in Event Viewer:

    The server encountered an unexpected error while performing an operation for the client.
     
     "BAIL: MMS(4784): LdapUtils.cpp(79): 0x80004005 (Unspecified error): System.DirectoryServices.DirectoryServicesCOMException (0x8007202B): A referral was returned from the server.

       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)

    Everything is working fine for the main forest. The servers are reachable on all ports so I don't think it's a network issue.

    Any advice?

    Thanks in advance!

    Florin

    Sunday, April 23, 2017 3:20 PM

Answers

  • Hi,

    The error "A referral was returned from the server" means that the LDAP server told the client (AAD Connect) to go somewhere else (another domain/forest) to query some specific object, and that the client did not expect this.

    Speculation: your group contains members from another forest. Suggested solution: use filtering groups with members of the same forest only.  

    Sunday, April 23, 2017 6:04 PM
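
One way to check the speculation in the answer above before changing the filter, as an added example that is not part of the original thread: it lists the members of a filtering group whose distinguished name sits in the ForeignSecurityPrincipals container or in a different domain than the group itself. The group DN and server name are constructed placeholders, the helper function is hypothetical, and the ActiveDirectory (RSAT) PowerShell module is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Constructed placeholders: the filtering group and a domain controller in its domain.
$GroupDn = 'CN=AADC-SyncFilter,OU=Groups,DC=child,DC=forest-b,DC=example'
$Server  = 'dc01.child.forest-b.example'

# Hypothetical helper: return the "DC=...,DC=..." suffix of a distinguished name.
function Get-DomainPartOfDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # (?<!\\), skips commas that are escaped inside an RDN value.
    if ($DistinguishedName -match '(?<!\\),(DC=.+)$') { return $Matches[1] }
    return $null
}

$group       = Get-ADGroup -Identity $GroupDn -Server $Server -Properties member
$groupDomain = Get-DomainPartOfDn $group.DistinguishedName

$report = foreach ($memberDn in $group.member) {
    $memberDomain = Get-DomainPartOfDn $memberDn
    # Members from another forest are stored as foreign security principals
    # in the group's own domain, so the domain suffix alone does not reveal them.
    $isFsp = $memberDn -match '(?<!\\),CN=ForeignSecurityPrincipals,'

    $reason = if ($isFsp) {
        'Foreign security principal (member from a trusted forest or domain)'
    } elseif ($memberDomain -ne $groupDomain) {
        'Member from a different domain than the group'
    } else {
        $null
    }

    if ($reason) {
        [pscustomobject]@{
            Member       = $memberDn
            MemberDomain = $memberDomain
            Reason       = $reason
        }
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    Write-Output "All members of '$($group.Name)' are in $groupDomain."
}
```

An empty report means the group's direct members are all in the group's own domain; nested groups are not expanded by this check.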

All replies

  • In addition, you may want to ask them here:
    https://answers.microsoft.com/en-us/msoffice
    https://social.technet.microsoft.com/forums/azure/en-US/home?forum=windowsazureaditpro


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Sunday, April 23, 2017 11:05 PM
  • This was the issue indeed.

    I have switched to OU filtering only.

    Thanks!

    Best regards!

    Monday, April 24, 2017 1:02 PM