Using Get-ADGroup in a child domain

  • Question

  • Hey guys, I'm currently doing a migration between two old and two new domains. The domains in the old environment are domainA.com and child.domainA.com. I'm member of the enterprise admins in domainA.com, so I should be able to do pretty much anything. What I want to do, is create a list of all groups in the domains. On DomainA.com I was able to run this powershell script:

    #First, load the AD module..
    Import-Module Activedirectory


    #Then, the initial script:
    Get-ADGroup -filter * -properties * -searchbase "DC=domainA,DC=com"|select SAMAccountName,Description,CanonicalName|Export-Csv -Path c:\temp\ADGroupList.csv -Delimiter ";"

    This script generated a list of all groups, with their SAMaccountname, description and canonicalname. Now, I want to run this script on the child domain. First, I tried to simply add "DC=child,DC=domainA,DC=com". Powershell gave this error:

    Get-ADGroup : The supplied distinguishedName must belong to one of the following partition(s): 'DC=domainA,DC=com , CN=Configuration,DC=domainA,DC=com , CN=Schema,CN=Configuration,DC=domainA,DC=com , DC=ForestDnsZones,DC=domainA,DC=com , DC=DomainDnsZones,DC=domainA,DC=com'.

    I logged on to a domain controller from the child domain (dc01.child.domainA.com) and tried to run the script, but I got the same error message. I tried a couple of other things, like Get-ADgroup -server dc01.child.domainA.com, I searched the web for a couple of hours, but I just can't find a way to export the groups from the child domain. It either exports the groups from domainA.com or powershell returns an error. Can someone help me with this?


    Windows Platform Team @ Wortell

    Tuesday, September 18, 2012 10:46 AM

Answers

  • Read the following very carefully as it will show you how to debug the issue you are having.

    http://technet.microsoft.com/en-us/library/ee617224.aspx

    You will need to use both the server and your remote credentials.  If that fails, or if you only have a trusted account, then you may have issues with Kerberos if the remote server is behind a router or gateway.  To use AD you must be able to authenticate with Kerberos and the trust between the domains must be functioning correctly.

    Try doing the child access from a local domain controller and not from a member system.  Run DCDiag to be sure the trust is working.

    I don't believe this is a scripting issue.  I believe it is an issue of how to use AD across a trust and in a WAN environment.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, September 18, 2012 12:22 PM
    • Marked as answer by Tom_Floor Tuesday, September 18, 2012 7:03 PM
    Tuesday, September 18, 2012 12:21 PM

All replies

  • Thank you sir! I read the article and after some testing I understood what I was doing wrong. For future reference, and for anyone who may run into the same problem, here's what I did. The child domain controllers were running 2003 SP2.

    First thing, I needed to install Active Directory Management Gateway Service (Active Directory Web Service for Windows Server 2003 and Windows Server 2008). This has these three prerequisites for 2003 sp2:
    -http://www.microsoft.com/en-us/download/details.aspx?id=22
    -http://support.microsoft.com/kb/969166
    -http://support.microsoft.com/kb/969429

    After a reboot of the DC, I was able to install the AD management gateway service:
    http://www.microsoft.com/en-us/download/details.aspx?id=2852

    After that, I switched to a 2008r2 machine with the "Active directory module for Windows Powershell" installed. I used this command to get the data, the bold part is what I added:
    Get-ADGroup -server OldChildDomainController -filter * -properties * -searchbase "DC=child,DC=domainA,DC=com"|select sAMAccountName,Description,CanonicalName|Export-Csv -Path c:\temp\ADGroupList.csv -Delimiter ";"

    This way I was able to get the data. Thanks again for your effort!

    Tuesday, September 18, 2012 7:03 PM
  • If you had mentioned the child domains were WS2003 we would have told you that.  I assumed you were running WS2008R2 since you were using AD CmdLets and insisted that they worked locally.  Clearly you didn't try them on the WS2003 servers locally.  You would have seen that they do not work and do not exist until the gateway is installed.

    I am glad you were able to find a solution.

    Happy Motoring;)


    ¯\_(ツ)_/¯

    Tuesday, September 18, 2012 7:10 PM
  • I thought it would be possible to get the data from the child domain from the root domain controllers, which are running on WS2008R2. I was able to get data from the root domain, using PowerShell on the root domain controllers. When I tried to get data from the child domain, I just edited the -searchbase parameter to specify the child domain and I ran the script from a root domain controller. This way, PowerShell returned an error. I didn't really explain this very well in the first post.

    • Edited by Tom_Floor Tuesday, September 18, 2012 7:35 PM
    Tuesday, September 18, 2012 7:32 PM
  • Because you specified a different domain, the get would be sent via a referral to the target domain, which does not support the AD CmdLets.  They run over a different protocol which is installed when you install the gateway service.

    ADSI can query both but is less convenient to use.


    ¯\_(ツ)_/¯

    Tuesday, September 18, 2012 7:48 PM
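The thread settles on two points: the AD cmdlets only query the partitions hosted by the DC they are connected to, so a child-domain DN has to be queried with -Server pointed at a DC inside that child domain; and a DC without ADWS (the 2003 case above) can still be read over plain LDAP with ADSI. The following is an added example, not code posted in the thread, that puts both together for every domain in the forest. It assumes the ActiveDirectory module on the machine running it, that the caller has read access in each domain, and that the function names, the $OutDir default and the per-domain CSV naming are this example's own choices.

```powershell
# Added example, not from the thread. Inventories groups in every domain of the
# forest by connecting to a DC *inside* each domain (-Server). Domains whose DC
# has no ADWS (e.g. WS2003 without the Management Gateway Service) are read over
# LDAP with System.DirectoryServices instead. Function names and $OutDir are
# assumptions for this example.
Import-Module ActiveDirectory

# LDAP fallback for DCs that do not run ADWS. CanonicalName is a constructed
# attribute, so it must be requested explicitly in PropertiesToLoad.
function Get-DomainGroupsViaLdap {
    param(
        [string]$DomainController,
        [string]$SearchBase,
        [pscredential]$Credential
    )
    $path = "LDAP://$DomainController/$SearchBase"
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($path)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectCategory=group)'
    $searcher.PageSize = 1000   # enable paging, otherwise results stop at the server's 1000-entry limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'description', 'canonicalName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            sAMAccountName = @($r.Properties['samaccountname'])[0]
            Description    = @($r.Properties['description'])[0]
            CanonicalName  = @($r.Properties['canonicalname'])[0]
        }
    }
}

function Get-ForestGroupInventory {
    param(
        [string]$OutDir = 'C:\temp',          # assumed output folder
        [pscredential]$Credential              # optional; the cross-domain account jrv mentions
    )
    $adArgs = @{}
    if ($Credential) { $adArgs.Credential = $Credential }

    foreach ($domainName in (Get-ADForest @adArgs).Domains) {
        # DC discovery uses the DC locator (DsGetDcName), which needs no ADWS on the target.
        $dc = (Get-ADDomainController -DomainName $domainName -Discover).HostName |
              Select-Object -First 1
        # Build the domain's naming context from its DNS name: child.domainA.com -> DC=child,DC=domainA,DC=com
        $searchBase = 'DC=' + (($domainName -split '\.') -join ',DC=')
        $csv = Join-Path $OutDir ("ADGroupList_{0}.csv" -f $domainName)

        try {
            # Only the attributes we export: -Properties * pulls every attribute of every group.
            $groups = Get-ADGroup @adArgs -Server $dc -Filter * -SearchBase $searchBase `
                          -Properties Description, CanonicalName |
                      Select-Object sAMAccountName, Description, CanonicalName
        } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
            # The cmdlet could not reach ADWS on that DC; read the same data over LDAP.
            Write-Warning "No ADWS on $dc; reading $domainName over LDAP"
            $groups = Get-DomainGroupsViaLdap -DomainController $dc -SearchBase $searchBase -Credential $Credential
        }

        $groups | Export-Csv -Path $csv -Delimiter ';' -NoTypeInformation
        [pscustomobject]@{ Domain = $domainName; Server = $dc; Groups = @($groups).Count; Csv = $csv }
    }
}

Get-ForestGroupInventory | Format-Table -AutoSize
```

Two practical notes. Running the script from the root DC as an Enterprise Admin does not change the outcome in the thread: the partition error is about which naming contexts the contacted DC hosts, not about permissions, so the fix is always a DC in the target domain. And once the gateway service is installed, `Get-ADDomainController -Discover -DomainName child.domainA.com -Service ADWS` returns a DC that actually advertises ADWS, which avoids the fallback path altogether.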