Group Policy Error: A referral was returned from the server

  • Question

  • I'm stumped on this one.

    I have an AD environment with five sites, ten domain controllers.  All DCs are running Server 2012 R2 and that is also the functional level of the domain.  I built up a new print server (running Server 2016 w/ full GUI) and when deploying a printer from print management, I get this error when browsing for the GPO to add the printer to:

    "Failed to query for the list of Group Policy Objects linked to this container."  Details:  "A referral was returned from the server."

    If I close the error and try browsing again, eventually it will show me all of my OUs and GPOs.  It usually takes about 4 attempts.  I have never seen this error appear anywhere other than print management.  It shows up regardless of whether I'm using print management from my desktop (connected to the print server) or from the print server directly.

    I ran a dcdiag and everything passes.  Group policies are applied properly to clients.  At the site my desktop and the print server live in, I've powered off one DC at a time to see if I could isolate it to a request made to one or the other.  There was no change in the behavior when either one was shut down.

    Any ideas?  Thanks!

    Friday, 27 January 2017 13:31

All Replies

  • Hi,
    Regarding error “A referral was returned from the server”, please firstly make sure that UAC is already disabled on your system.
    And please check if the User Account Control: Only elevate executables that are signed and validated policy is disabled under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    You could refer to more suggested methods about this error from: http://www.repairwin.com/fix-a-referral-was-returned-from-the-server-error/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    In addition, some articles mentioned that “A referral was returned from the server” error usually means conflict IP address, you could also check this aspect.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, 30 January 2017 05:28
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. And if the replies as above are helpful, we would appreciate you to mark them as answers, please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, 3 February 2017 08:07
    Moderator
  • Joe, I have exactly the same setup as you and this issue popped up today, for the first time in my experience with ANY print server setup, as I attempted to deploy a legacy TASKalfa 400ci via Group Policy.

    I have deployed 20 printers without issue to date from a new print server running Server 2016 w/GUI. Nice. We have two DCs running Server 2012 R2. The last two printers were deployed in late April, all others back in January. No issues.

    I'm having no luck at all getting this working.

    *I take that back*

    I renamed both the GPO on the DC and the printer on the Print Server to something shorter . . . the names were quite long . . . and "Deploy with GPO" fired right up, success. The shared printer name is still the same, probably unwieldy but works for me. I'm not sure if name length is the issue, but that's what worked for me.

    • Edited by blinkdt Wednesday, 24 May 2017 21:19 Amended solution to the description.
    Wednesday, 24 May 2017 20:50
  • No, Wendy, the information was NOT helpful. If you have practical experience with this issue on a Server 2016 VM with the "Printer Server" role installed, then by all means offer your thoughts. If you are supplying stock suggestions, please don't.
    Wednesday, 24 May 2017 20:54
  • I just had this problem, and the Googles landed me here. I have found that by clicking around in Group Policy Management Console when the error occurs, I can then go back and browse for the policy successfully. In other words:

    - I'm working on deploying printers in Printer Management by right-clicking the printer and selecting Deploy with Group Policy...

    - I click Browse to select the group policy object I want, and I get the error: "Failed to query for the list of Group Policy Objects linked to this container."

    - I switch to Group Policy Management Console and click on the policy itself, then click on a different policy (yep, just click around)

    - I switch back to Printer Management and retry my Browse, and now I do NOT get the error, and I find my GPO just fine.

    I don't know what exact clicks or actions actually fix the error, but each time I got the error, then did some clicking in  Group Policy Management Console, the error went away. Didn't take much - just clicking on/off a GPO or two. If I had more printers to deploy, I might get a more exact solution. However it never took me more than one try. Also, I had to do this for each of the printers I was deploying.

    Thursday, 1 June 2017 20:50
  • Blinkdt, good day! Did you manage to get any workaround or solution for this issue?

    One of my clients got into this issue as well, Win Server 2016 VM with Print Server role. A fresh install of a new server would not help; promoting a new DC & demoting the old one did not help either.

    Installed Group Policy Management in the VM, all GPOs listed successfully and no error, only Print Management gets the error.

    List of what I've tried:
    - New VM with DVD installation, installed ONLY Printer Role, NOT working

    - Promoted a new DC and demoted the old one, worked for a few days, then NOT working again

    - Installed Group Policy Management in the Print Server VM, all GPOs listed successfully without error & NO delay

    - Disabled all IPv6

    - Executing Print Management with Administrative role makes no difference as my account is in Domain Admins

    I'm going to try installing a Win Server 2012 VM with Print Server Role to see what will happen... Please let me know if anyone tried this... (We deployed a number of Win Server 2012 VMs with Print Server role - with Win Server 2012 DC before, no issue at all)

    Thanks!

    Tuesday, 18 July 2017 08:06
  • Blinkdt, good day! Did you manage to get any workaround or solution for this issue?

    One of my clients got into this issue as well, Win Server 2016 VM with Print Server role. A fresh install of a new server would not help; promoting a new DC & demoting the old one did not help either.

    Installed Group Policy Management in the VM, all GPOs listed successfully and no error, only Print Management gets the error.

    List of what I've tried:
    - New VM with DVD installation, installed ONLY Printer Role, NOT working

    - Promoted a new DC and demoted the old one, worked for a few days, then NOT working again

    - Installed Group Policy Management in the Print Server VM, all GPOs listed successfully without error & NO delay

    - Disabled all IPv6

    - Executing Print Management with Administrative role makes no difference as my account is in Domain Admins

    I'm going to try installing a Win Server 2012 VM with Print Server Role to see what will happen... Please let me know if anyone tried this... (We deployed a number of Win Server 2012 VMs with Print Server role - with Win Server 2012 DC before, no issue at all)

    Thanks!

    Tried with Win Server 2012 R2 VM with Print Server role installed... try browsing Group Policy in Print Management, 10/10 ok. Back to my 2016 VM... 5/10 or lower get the list of GPO...

    hmm.... Microsoft, could u please test on your end?


    • Edited by eh2001 Tuesday, 18 July 2017 09:54
    Tuesday, 18 July 2017 09:52
  • Hello, 

    I am having this issue as well. I have installed all of the Windows Updates for Server 2016 on the print server. It appears we can deploy the printers by adding the path and server into the group policy manually, which we can use as a workaround if needed. Our Server 2008 R2 print server does not have this issue. Is this a known issue with Server 2016? 

    Wednesday, 19 July 2017 15:29
  • I have the problem as well. Most notably I also have the bit about it working after four retries which clearly rules out UAC or other security issues (would be really bad if you could circumvent security by retrying).

    For me this happens when trying to deploy printers and it happens both on the print server itself as well as on a Windows 2016 server used for administrative tasks (such as managing printers).

    Now for testing, I fired up my old Admin server (Windows 2012R2) and used Print Management to manage the Windows 2016 print server. No problems. So it is not a problem that the print server is running on Windows Server 2016, only the management program.

    This looks serious enough to warrant a reply from Microsoft, I'd say.


    Jan Z


    • Edited by Jan Z Tuesday, 3 October 2017 14:50 Additional information
    Tuesday, 3 October 2017 09:05
  • I too am experiencing the same thing as you, Jan. I'm currently working on a print server migration from 2008R2 to 2016. I'm trying to deploy printers via group policy on the new 2016 VM. On the new 2016 VM, when right clicking a printer and selecting "Deploy with Group Policy"  and clicking "browse", I get the error "Failed to query for the list of Group Policy Objects linked to this container." "Details: A referral was returned from the server". If I open print management on the old 2008R2 server and connect to the new 2016 print server from there, it shows up just fine. On the 2016 VM, I've ensured that UAC is disabled and that the "User Account Control: Only elevate executables that are signed and validated policy" policy is disabled, too, but it's still not working. Every once in a while, it comes up and shows me my OUs and GPOs, but it only has maybe 2/20 times. Seems to be random whether it works or not. Everything else appears to be working on the server just fine.

    Tuesday, 17 October 2017 22:16
  • This bug still exists.  I'm happily deploying printers by GP, using 2012R2 print management.  Try to do it on Server16 and it's a 1/10 success rate. 

    Has anyone bottomed this out? 

    Fully patched, domain working happily.  Just the print management console can't read AD properly.

    Monday, 12 February 2018 21:37
  • Add me to the list of those who this is happening to.  I have two completely different Windows 2016 environments where it's occurring.  One of them is maybe 1/2 of the time, the other I've tried 20-30 times and it never works.

    It's not happening on every single Server 2016 environment we've setup, but it's definitely ONLY on Server 2016.

    In both environments where I'm experiencing it, the print server itself is also a domain controller and DNS server, and it's pointing to itself for primary DNS server (as per MS best practices) and has all of the FSMO roles.

    Come on Microsoft, this is ridiculous.


    Tuesday, 20 March 2018 21:09
  • Snap same thing here when deploying printers. New shiny Windows server 2016 install not a domain controller and getting this error imminently. Seems crazy as never had this problem with Windows Server 2008 R2!
    Tuesday, 3 April 2018 09:42
  • Same thing happened to me:

    Fresh install of a brand new Server 2016 (VM) environment!

    Anyone using Server 2016 domain functional level?

    Tuesday, 3 April 2018 13:24
  • Me Too...  Anyone ever figure this out?  I can't even get it to work 1/10 times.  Been trying the close out and click Browse button again.  I also get an error when I click on Add new GPO.
    Thursday, 21 June 2018 21:33
  • It worked for me.

    It seems like a temporary problem with retrieving data from AD. 

    Getting to AD in any other way solves the problem.

    Thursday, 9 August 2018 08:07
  • In my case, it takes 8-12 tries before I receive the "a referral was returned from the server."  I did several packet captures, and I do see that my domain controller is (correctly) responding to a particular PMC-initiated LDAP search with a referral. 

    The LDAP search filter is "(objectClass=*)," the search scope is "base," the attribute requested is "objectClass," and the base DN is my AD domain name with some garbage at the end -- e.g. "dc=ad,dc=company,dc=comageInd????dentName"  (???? is four non-ASCII characters).  The garbage characters vary in length and content.  And an LDAP referral is the correct response to an unknown base distinguished name.

    The garbage at the end of the DN could be the result of some incorrect string manipulation.  This looks like a Print Management Console bug.  

    Mark

    Wednesday, 22 August 2018 22:53
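
The signature Mark describes in the post above (a valid domain DN followed by stray characters in the search base) can be checked mechanically over base DNs copied out of a capture. This is an added example, not code from any poster; the sample DNs are constructed, and the four non-ASCII characters stand in for the unspecified bytes in the post.

```python
# Added example: triage LDAP search base DNs taken from a packet capture.
from collections import Counter

# Domain naming context, taken from the example DN in the post.
NAMING_CONTEXT = "dc=ad,dc=company,dc=com"

# Constructed sample: base DNs as they might be copied from captured search
# requests. The last entry follows the post's pattern; the four non-ASCII
# characters are stand-ins, since the post does not give the real bytes.
SAMPLE_BASE_DNS = [
    "DC=ad,DC=company,DC=com",
    "CN=Policies,CN=System,DC=ad,DC=company,DC=com",
    "OU=Printers, DC=ad, DC=company, DC=com",
    "dc=ad,dc=company,dc=comageInd\u00e9\u00ff\u0192\u2020dentName",
]


def split_rdns(dn):
    """Split a DN on unescaped commas; normalise each RDN to 'type=value'."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def classify_base_dn(base_dn, naming_context=NAMING_CONTEXT):
    """Return (verdict, tail). 'in-context' means the DN ends with the naming
    context RDN by RDN. 'corrupted-suffix' means the naming context is only a
    string prefix and extra characters follow it (the pattern in the post);
    tail holds those extra characters. Anything else is 'foreign'."""
    context = split_rdns(naming_context)
    rdns = split_rdns(base_dn)
    if rdns[-len(context):] == context:
        return ("in-context", "")
    raw, prefix = base_dn.strip(), naming_context.strip()
    if raw[:len(prefix)].lower() == prefix.lower() and len(raw) > len(prefix):
        return ("corrupted-suffix", raw[len(prefix):])
    return ("foreign", "")


def triage(base_dns, naming_context=NAMING_CONTEXT):
    """Count verdicts over a list of base DNs from one capture."""
    counts = Counter({"in-context": 0, "corrupted-suffix": 0, "foreign": 0})
    counts.update(classify_base_dn(dn, naming_context)[0] for dn in base_dns)
    return dict(counts)


if __name__ == "__main__":
    for dn in SAMPLE_BASE_DNS:
        print(classify_base_dn(dn), repr(dn))
    print(triage(SAMPLE_BASE_DNS))
```

Any `corrupted-suffix` entry is a request the domain controller cannot resolve to a naming context it holds, which matches the referral seen in the capture.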
  • Now for testing, I fired up my old Admin server (Windows 2012R2) and used Print Management to manage the Windows 2016 print server. No problems. So it is not a problem that the print server is running on Windows Server 2016, only the management program.

    Thanks for that idea. I'm migrating from 2012 R2 Essentials to 2016 Standard with the Essentials role. I needed to deploy two printers. On 2016, I keep getting the "Failed to query for the list of Group Policy Objects" message. It randomly worked once and I got the first printer added, but trying 20-30 more times, I could not get past the error. Turning off UAC didn't help (and really, should I need to disable security to get Windows management tools to work?). 

    Went back to the 2012R2 machine, added the 2016 machine to its Print Management UI, and was immediately able to deploy group policy on the second printer on the first try.

    So this mostly affects 2016 machines managing themselves?

    Thursday, 18 October 2018 21:03
  • Having this exact issue with Server 2016 for a while now. My 2016 print server is a VM as well. Fix it Microsoft. This is super annoying and it’s a reason we won’t be upgrading to 2019. 2008 was working perfectly fine.
    Sunday, 4 November 2018 08:32
  • Same thing here! We have several 2016 servers and we get the same results.
    If managed from a Windows 10 or Windows 2008 R2 it works fine.

    WOW this thread is super old and MS has done nothing to fix it?!?!?! crazy.


    - Bob

    Wednesday, 7 November 2018 15:34
  • Hey All,

    Ran into this issue for the 1st time today on a 2016 Standard VM.  Co-worker was attempting to deploy printers received this when clicking browse.  

    I consoled into the machine to take a look and could not duplicate the issue.  Co-worker was accessing server via RDP.

    Same domain group providing permissions to our accounts as far as rights on the box.  This issue only seems to occur when remote, console session to the machine works fine.

    Maybe this info will be helpful to someone more knowledgeable than I.

    Wednesday, 7 November 2018 20:10
  • When you open Print Management, right-click and run as administrator.  Works fine after that.
    Monday, 3 December 2018 18:57
  • When you open Print Management, right-click and run as administrator.  Works fine after that.
    Doesn't help on Server 2016. Ran Print Management as Administrator, tried to add a printer to group policy, clicked Browse next to GPO Name, immediately got "A referral was returned from the server."
    Monday, 3 December 2018 19:48
  • Install the Group Policy Management feature on your print server and then try to re-deploy printers after re-opening the mmc.  You should then find it working.  I had this issue on both Server 2016 and 2019 before installing the GPMC.
    Monday, 10 December 2018 02:22
  • Install the Group Policy Management feature on your print server and then try to re-deploy printers after re-opening the mmc.  You should then find it working.  I had this issue on both Server 2016 and 2019 before installing the GPMC.
    I'm in a single-server environment:  DC, DNS, GPMC, shared printers, and Print Management all on the same server and I see this issue with 2016. Before demoting the old 2012 R2 server, I was able to use it to reliably deploy printer policy.
    • Edited by mcbsys Monday, 10 December 2018 17:48
    Monday, 10 December 2018 17:47
  • Happy 2 year anniversary to this thread!

    Same here. Works fine from WS2012, works intermittently from WS2016.

    Thursday, 31 January 2019 20:51
  • Just hit this again going from 2016 with Essentials Role to 2016 Essentials. The trick I’ve found helpful is to go back to the old server (the one you’re migrating from), add the new server in Print Management, then Deploy with Group Policy from there. You might have to try a couple times, but not 30+ times as when using Print Management is on the domain controller. There is something about accessing the group policy over the network that seems to work better than accessing it locally.
    Tuesday, 12 March 2019 00:43
  • In my case, the affected WS2016 servers (two of them) were member servers, not DCs.
    • Edited by JRVCr Tuesday, 12 March 2019 13:46
    Tuesday, 12 March 2019 13:45
  • Got the same problem with my Server 2016 (FS/Print server); after clicking here and there it works. 
    Thursday, 4 April 2019 08:07
  • I was having this same issue and I think I have it narrowed down.  

    I found that if I run the print management console from a domain controller or a member server with group policy management installed, there are no issues.

    Tuesday, 16 April 2019 15:02
  • Not working here on DCs or member server with GPMC.
    Monday, 6 May 2019 18:39
  • Workaround that I found was deploying the printers (on Server 2016 Print Server) from my old Server 2008R2 Print Server. Probably would have worked from my 2012R2 DC as well, but I needed to add the print management piece of RSAT before I could do that.

    Domain Functional Level: 2008R2

    DCs: 2012R2 (Primary), 2008R2, 2016

    Print Server: 2016

    Wednesday, 15 May 2019 17:31
  • This worked for me:

    Instead of just clicking Print Management, run Print Management as an Administrator.

    Ronald Proschan


    Ron Proschan

    Wednesday, 17 July 2019 15:55
  • I have to take that back (July 17 posting) -- it doesn't work consistently.  This is Server 2016, with GPMC installed.  Nothing seems to bring "deploy with Group Policy" back to life.

    Ron Proschan


    Ron Proschan

    Tuesday, 30 July 2019 20:59
  • Sorry to hear, Ron. I (we) feel your pain!
    Tuesday, 30 July 2019 22:13
  • Turning UAC off on my new DCs in Azure fixed this for me. 2019 Datacenter.
    Friday, 16 August 2019 11:13
  • I installed the Print Management Tools on a 2012R2 server and it works fine from there.  Sad that this has not been fixed yet for 2016.  I found that it is intermittent still.  Sometimes you get the error and sometimes it just works.

    -MC

    Friday, 16 August 2019 15:02
  • What are the pros and cons of turning off UAC on the DCs?

    Thanks.

    Ron Proschan


    Ron Proschan

    Friday, 16 August 2019 15:13
  • There are no cons; only pros. Same as on any other PC, but more important on a server, more important still if you're logging on with a privileged account, and critically important on the mother-of-all-servers, a DC.

    With UAC off, you won't be prompted if malware tries to tamper with the system. It can quietly do whatever it likes. From a user access security standpoint, you might as well be running Windows XP/2003 again.

    On servers, I prefer to turn UAC "all the way" on, like Vista/2008 UAC, rather than use the weakened UAC setting introduced and set by default on 2008R2/7 and later, wherein malware is as free to change Windows settings as you are. And enforce it by Group Policy. I'd NEVER turn it off except briefly for troubleshooting.

    Friday, 16 August 2019 15:36
  • Thanks very much, JRVCr -- that's extremely useful.  We will not turn off UAC.

    Ron Proschan


    Ron Proschan

    Friday, 16 August 2019 15:39
  • Hey everyone.

    This is a bit of a shot in the dark, but how are those with the issue installing RSAT?  As of 1809, they've added it into the FOD pack, and if you haven't installed the FOD pack for the OS version you're running Print Management from, this may be our issue.  I'm going to test this right away and see if it resolves the issue.

    Thanks.

    Derek

    Tuesday, 20 August 2019 15:02
  • I'm running Print Management console on the WS2016 print server itself.
    Tuesday, 20 August 2019 15:05
  • I'm doing the same as JRVCr.

    Ron Proschan


    Ron Proschan

    Wednesday, 21 August 2019 15:32
  • Alright I have a workaround for you.  I tried the following with no luck:

    • Delete the printers from the Control Panel, add them back in the Control Panel, and then deploy from the Print Management console (did not work).
    • Disable sharing in the Control Panel and re-enable sharing from the Control Panel, then try to deploy from Print Management console (did not work).
    • Change the printer drivers from both the Control Panel and the Print Management consoles and then try to deploy via the Print Management Console (did not work).
    • Delete the printers and re-add them from the Print Management Console (did not work).

    The only thing that seemed to work for me was adding the printers either via the Control Panel or via Print Management and then deploying them directly from my GPO.

    Windows Server 2016 x64 out of the box just doesn't like the deploy with group policy from the Print Management Console feature....

    Friday, 20 September 2019 13:44
  • I have a 2016 WSUS and Print server running on the same VM (Windows 2016 core).  It wasn't until I launched MMC on a non 2016 server that I was able to get to the deploy policy.  I've tried most (there were a lot of suggestions here) and it only worked with a non 2016 mmc.  I didn't try Win 10 but regardless, glad I still had a 2012 here.  
    Tuesday, 1 October 2019 01:21
  • Until Microsoft fixes this I don't think there's any other real solution than to use Print Management MMC on a down-level OS. About to have my first experience with WS2019; will be interested to see if it's fixed there. Hope so, because my only other choice on that site will be WS2016!

    It seems that on-prem problems are low priority at Microsoft these days.

    Tuesday, 1 October 2019 13:21