Group Policy Error: A referral was returned from the server

    Question

  • I'm stumped on this one.

    I have an AD environment with five sites, ten domain controllers.  All DCs are running Server 2012 R2 and that is also the functional level of the domain.  I built up a new print server (running Server 2016 w/ full GUI) and when deploying a printer from print management, I get this error when browsing for the GPO to add the printer to:

    "Failed to query for the list of Group Policy Objects linked to this container."  Details:  "A referral was returned from the server."

    If I close the error and try browsing again, eventually it will show me all of my OUs and GPOs.  It usually takes about 4 attempts.  I have never seen this error appear anywhere other than print management.  It shows up regardless of whether I'm using print management from my desktop (connected to the print server) or from the print server directly.

    I ran a dcdiag and everything passes.  Group policies are applied properly to clients.  At the site my desktop and the print server live in, I've powered off one DC at a time to see if I could isolate it to a request made to one or the other.  There was no change in the behavior when either one was shut down.

    Any ideas?  Thanks!

    Friday, January 27, 2017 1:31 PM

All replies

  • Hi,
    Regarding error “A referral was returned from the server”, please firstly make sure that UAC is already disabled on your system.
    And please check if the User Account Control: Only elevate executables that are signed and validated policy is disabled under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    You could refer to more suggested methods about this error from: http://www.repairwin.com/fix-a-referral-was-returned-from-the-server-error/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    In addition, some articles mentioned that the “A referral was returned from the server” error usually means an IP address conflict; you could also check this aspect.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 5:28 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you would mark them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Friday, February 3, 2017 8:07 AM
    Moderator
  • Joe, I have exactly the same setup as you and this issue popped up today, for the first time in my experience with ANY print server setup, as I attempted to deploy a legacy TASKalfa 400ci via Group Policy.

    I have deployed 20 printers without issue to date from a new print server running Server 2016 w/GUI. Nice. We have two DCs running Server 2012 R2. The last two printers were deployed in late April, all others back in January. No issues.

    I'm having no luck at all getting this working.

    *I take that back*

    I renamed both the GPO on the DC and the printer on the Print Server to something shorter . . . the names were quite long . . . and "Deploy with GPO" fired right up, success. The shared printer name is still the same, probably unwieldy but works for me. I'm not sure if name length is the issue, but that's what worked for me.

    • Edited by blinkdt Wednesday, May 24, 2017 9:19 PM Amended solution to the description.
    Wednesday, May 24, 2017 8:50 PM
  • No, Wendy, the information was NOT helpful. If you have practical experience with this issue on a Server 2016 VM with the "Printer Server" role installed, then by all means offer your thoughts. If you are supplying stock suggestions, please don't.
    Wednesday, May 24, 2017 8:54 PM
  • I just had this problem, and the Googles landed me here. I have found that by clicking around in Group Policy Management Console when the error occurs, I can then go back and browse for the policy successfully. In other words:

    - I'm working on deploying printers in Printer Management by right-clicking the printer and selecting Deploy with Group Policy...

    - I click Browse to select the group policy object I want, and I get the error: "Failed to query for the list of Group Policy Objects linked to this container."

    - I switch to Group Policy Management Console and click on the policy itself, then click on a different policy (yep, just click around)

    - I switch back to Printer Management and retry my Browse, and now I do NOT get the error, and I find my GPO just fine.

    I don't know what exact clicks or actions actually fix the error, but each time I got the error, then did some clicking in  Group Policy Management Console, the error went away. Didn't take much - just clicking on/off a GPO or two. If I had more printers to deploy, I might get a more exact solution. However it never took me more than one try. Also, I had to do this for each of the printers I was deploying.

    Thursday, June 1, 2017 8:50 PM
  • Blinkdt, good day! Did you manage to get any workaround or solution for this issue?

    One of my clients ran into this issue as well: Win Server 2016 VM with Print Server role. A fresh install of a new server did not help, and promoting a new DC and demoting the old one did not help either.

    Installed Group Policy Management in the VM, all GPO listed successfully and no error, only Print Management getting error.

    List of what I'd tried:
    - New VM with DVD installation, installed ONLY Printer Role, NOT working

    - Promoted a new DC and demoted the old one, worked for a few days, then NOT working again

    - Installed Group Policy Management in the Print Server VM, all GPOs listed successfully without error & NO delay

    - Disabled all IPv6

    - Executing Print Management with the Administrative role makes no difference, as my account is in Domain Admins

    I am going to try installing a Win Server 2012 VM with the Print Server role to see what will happen... Please let me know if anyone has tried this... (We deployed a number of Win Server 2012 VMs with the Print Server role - with a Win Server 2012 DC before, no issue at all)

    Thanks!

    Tuesday, July 18, 2017 8:06 AM
  • Tried with Win Server 2012 R2 VM with Print Server role installed... try browsing Group Policy in Print Management, 10/10 ok. Back to my 2016 VM... 5/10 or lower get the list of GPO...

    hmm.... Microsoft, could you please test on your end?


    • Edited by eh2001 Tuesday, July 18, 2017 9:54 AM
    Tuesday, July 18, 2017 9:52 AM
  • Hello, 

    I am having this issue as well. I have installed all of the Windows Updates for Server 2016 on the print server. It appears we can deploy the printers by adding the path and server into the group policy manually, which we can use as a workaround if needed. Our Server 2008 R2 print server does not have this issue. Is this a known issue with Server 2016? 

    Wednesday, July 19, 2017 3:29 PM
  • I have the problem as well. Most notably I also have the bit about it working after four retries which clearly rules out UAC or other security issues (would be really bad if you could circumvent security by retrying).

    For me this happens when trying to deploy printers and it happens both on the print server itself as well as on a Windows 2016 server used for administrative tasks (such as managing printers).

    Now for testing, I fired up my old Admin server (Windows 2012R2) and used Print Management to manage the Windows 2016 print server. No problems. So it is not a problem that the print server is running on Windows Server 2016, only the management program.

    This looks serious enough to warrant a reply from Microsoft, I'd say.


    Jan Z


    • Edited by Jan Z Tuesday, October 3, 2017 2:50 PM Additional information
    Tuesday, October 3, 2017 9:05 AM
  • I too am experiencing the same thing as you, Jan. I'm currently working on a print server migration from 2008R2 to 2016. I'm trying to deploy printers via group policy on the new 2016 VM. On the new 2016 VM, when right clicking a printer and selecting "Deploy with Group Policy"  and clicking "browse", I get the error "Failed to query for the list of Group Policy Objects linked to this container." "Details: A referral was returned from the server". If I open print management on the old 2008R2 server and connect to the new 2016 print server from there, it shows up just fine. On the 2016 VM, I've ensured that UAC is disabled and that the "User Account Control: Only elevate executables that are signed and validated policy" policy is disabled, too, but it's still not working. Every once in a while, it comes up and shows me my OUs and GPOs, but it only has maybe 2/20 times. Seems to be random whether it works or not. Everything else appears to be working on the server just fine.

    Tuesday, October 17, 2017 10:16 PM
  • This bug still exists.  I'm happily deploying printers by GP, using 2012R2 print management.  Try to do it on Server16 and it's a 1/10 success rate.

    Has anyone bottomed this out?

    Fully patched, domain working happily.  Just the print management console can't read AD properly.

    Monday, February 12, 2018 9:37 PM
  • Add me to the list of those who this is happening to.  I have two completely different Windows 2016 environments where it's occurring.  One of them is maybe 1/2 of the time, the other I've tried 20-30 times and it never works.

    It's not happening on every single Server 2016 environment we've set up, but it's definitely ONLY on Server 2016.

    In both environments where I'm experiencing it, the print server itself is also a domain controller and DNS server, and it's pointing to itself for primary DNS server (as per MS best practices) and has all of the FSMO roles.

    Come on Microsoft, this is ridiculous.


    Tuesday, March 20, 2018 9:09 PM
  • Snap same thing here when deploying printers. New shiny Windows server 2016 install not a domain controller and getting this error imminently. Seems crazy as never had this problem with Windows Server 2008 R2!
    Tuesday, April 3, 2018 9:42 AM
  • Same thing happened to me:

    Fresh install of a brand new Server 2016 (VM) environment!

    Anyone using Server 2016 domain functional level?

    Tuesday, April 3, 2018 1:24 PM
  • Me Too...  Anyone ever figure this out?  I can't even get it to work 1/10 times.  Been trying the close out and click Browse button again.  I also get an error when I click on Add new GPO.
    Thursday, June 21, 2018 9:33 PM
  • It worked for me.

    It seems like a temporary problem with retrieving data from AD. 

    Getting to AD in any other way solves the problem.

    Thursday, August 9, 2018 8:07 AM
  • In my case, it takes 8-12 tries before I receive the "a referral was returned from the server."  I did several packet captures, and I do see that my domain controller is (correctly) responding to a particular PMC-initiated LDAP search with a referral. 

    The LDAP search filter is "(objectClass=*)," the search scope is "base," the attribute requested is "objectClass," and the base DN is my AD domain name with some garbage at the end -- e.g. "dc=ad,dc=company,dc=comageInd????dentName"  (???? is four non-ASCII characters).  The garbage characters vary in length and content.  And an LDAP referral is the correct response to an unknown base distinguished name.

    The garbage at the end of the DN could be the result of some incorrect string manipulation.  This looks like a Print Management Console bug.  

    Mark

    Wednesday, August 22, 2018 10:53 PM
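
The check described in the last post, as an added example that is not part of the original thread: given the baseObject bytes of LDAP search requests taken from a packet capture, it separates DNs that fall under a naming context from those the post says will draw a referral, and notes when a naming context is followed by extra characters. The naming-context list, the sample bytes (the four non-ASCII bytes are stand-ins) and the function names are assumptions made for the example.

```python
# Added example; naming contexts and capture bytes below are constructed.
NAMING_CONTEXTS = ["DC=ad,DC=company,DC=com",
                   "CN=Configuration,DC=ad,DC=company,DC=com"]

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs, honouring '\\' escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character, e.g. "\,"
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":                         # unescaped comma ends an RDN
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("RDN without attribute=value: %r" % part)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def classify_base_dn(raw, naming_contexts=NAMING_CONTEXTS):
    """Return (verdict, notes) for the baseObject bytes of one search request."""
    text = raw.decode("utf-8", errors="replace")
    notes = []
    if "\ufffd" in text:
        notes.append("contains bytes that are not valid UTF-8")
    try:
        rdns = split_dn(text)
    except ValueError as exc:
        return "malformed", notes + [str(exc)]
    for nc in naming_contexts:                   # compare whole RDNs, not substrings
        nc_rdns = split_dn(nc)
        if rdns[-len(nc_rdns):] == nc_rdns:
            return "in-naming-context", notes
    for nc in naming_contexts:                   # the pattern seen in the capture
        if text.lower().startswith(nc.lower()):
            notes.append("%s followed by %d extra characters"
                         % (nc, len(text) - len(nc)))
    return "referral-expected", notes

SAMPLES = [b"DC=ad,DC=company,DC=com",
           b"OU=Printers,dc=ad,dc=company,dc=com",
           b"dc=ad,dc=company,dc=comageInd\xff\xfe\x9c\x81dentName"]
```

Feed it the base DN of each search request the management console sends; a "referral-expected" verdict with an "extra characters" note matches the pattern reported in the capture above.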