I'm stumped by this issue.

I've written a PowerShell script which I'm trying to use to import a GPO across multiple domains and then link it with New-GPLink. I've made sure all servers have the GP PowerShell module installed, and it's been working pretty well so far. However, the issue I'm running into is that on some servers my command works fine, while on others I get an error: on the last step I'm getting an operations error on one of my Invoke-Command calls. Other commands work on the same server with Invoke-Command, such as Get-Service, or even the Import-GPO command that I use.

The error in question:

An operations error occurred. (Exception from HRESULT: 0x80072020)
    + CategoryInfo          : NotSpecified: (:) [New-GPLink], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.NewGPLinkCommand
    + PSComputerName        : 10.0.0.10

The command:

Invoke-Command -ComputerName $serverip -scriptblock {New-GPLink -Name "GPO" -Target $args[0]} -ArgumentList $oupath -credential $cred

I've tried every version of this command I can imagine: without [0], without the argument list, just using the server IP and replacing the target with the OU path, and I still get the same error, such as below.

Invoke-Command -ComputerName $serverip -scriptblock {New-GPLink -Name "GPOName" -Target ou=users,ou=site,ou=domain,dc=server,dc=com} -ArgumentList $oupath -credential $cred

The way I have it working is a .csv with the server info; it gets imported into a foreach loop and then fed into the script. I have it grab credentials and feed them through. I know everything else is working because my Invoke-Command to import the GPO worked; all servers I ran it on successfully imported the GPO. I also know my OU paths are correct because I use them locally with another script to place computers where I want them. A sample line in the csv would be something like:

servername, 10.0.0.10, domain.com, OU=user,OU=site,DC=domain,DC=com

I've also run the command locally and get a similar error:

PS> New-GPLink -Name "GPO" -Target "ou=users,ou=Site,dc=domain,dc=com"
New-GPLink : A referral was returned from the server.
At line:1 char:1
+ New-GPLink -Name "GPO" -Target "ou=users,ou=site,dc=domain,d ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-GPLink], DirectoryServicesCOMException
    + FullyQualifiedErrorId : System.DirectoryServices.DirectoryServicesCOMException,Microsoft.GroupPolicy.Commands.NewGPLinkCommand

Please let me know if there are additional questions or if you need additional info. I'm completely stumped by this issue and I appreciate any help you can provide. Thanks in advance.

Edit: All of my servers are at least 2008 R2 and are using PowerShell version 3,0,1,1

PS> $psversiontable.psversion

Major  Minor  Build  Revision
-----  -----  -----  --------
3      0      -1     -1
  • Is the machine a member of another domain than domain.com? Commented Mar 10, 2015 at 17:43
  • Yes, this script is applying to more than 20 different domains. Several of the domains are working without issue, but others aren't; some have multiple DCs at separate locations, others just a single server. The domain is dynamic based on the .csv, so it would be servername1, 10.0.0.10, domain1.com, OU=user,OU=site=DC=domain1,DC=com, the next would be something like servername2, 10.0.1.10. domain2.com, OU=user,OU=site=DC=domain2,DC=com, the third may be servername3, 10.0.1.11, domain2, OU=user,OU=site=DC=domain1,DC=com. I can't tell any real differences between different domains or just sites. Commented Mar 10, 2015 at 18:14

1 Answer

You need to specify the domain in which you're trying to apply the GPO, as well as a Domain Controller from the domain in question, with the -Domain and -Server parameters respectively:

$OU = "ou=users,ou=Site,dc=domain,dc=com"
New-GPLink -Name "GPO" -Target $OU -Server "domain.com" -Domain "domain.com"

Instead of just using the domain name, though, the proper way to do this is to actually locate a Domain Controller, like so:

$DC = Get-ADDomainController -Discover -DomainName "domain.com" |Select -ExpandProperty HostName
New-GPLink -Name "GPO" -Target $OU -Server $DC -Domain "domain.com"

Or in an environment where Get-ADDomainController is not available, you can emulate the DCLocator (aka. the underlying high-availability design of AD DS) behavior with .NET:

# FQDN of the domain the current user is logged on to
$DomainFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
# Directory context scoped to that domain
$dctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList "Domain",$DomainFqdn
# Locate one available Domain Controller in the domain
$DomainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($dctx)
New-GPLink -Name "GPO" -Target $OU -Server $DomainController.Name -Domain $DomainFqdn

3 Comments

  • Hey Mathias, unfortunately your recommendation didn't work for me, either remotely or locally. I tried just running my command on the server and received the following error: 'New-GPLink : A referral was returned from the server. At line:1 char:1 + New-GPLink -Name "ReceiveTimeout" -Target "ou=users,ou=site,dc=domain,d ... + CategoryInfo : NotSpecified: (:) [New-GPLink], DirectoryServicesCOMException + FullyQualifiedErrorId : System.DirectoryServices.DirectoryServicesCOMException,Microsoft.GroupPolicy.Commands.NewGPLinkCommand' Any recommendations?
  • When a directory server says: "A referral was returned from the server", it means "I am not responsible for the partition or domain in which you are trying to make a change or fetch data from - go talk to a DC in the actual domain with which you want to interact" - from the docs it seems that you may need to specify the -Domain parameter as well
  • I figured it out. I used your second command, and pulled out the -domainname chunk and it works like a charm. Thanks again!
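
An added example, not part of the original answer or the asker's script: it applies the answer's -Domain/-Server advice to the per-row CSV loop described in the question, and rejects rows whose OU does not belong to the listed domain before any DC is contacted. The column names, the helper Get-DomainFromDN and the sample rows are constructed for illustration; it assumes the account running it is allowed to link GPOs in each target domain.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules.
# Column names, the GPO name and the rows below are assumptions / constructed data.

# The OU column is quoted because a distinguished name contains commas.
$rows = @'
Name,IP,Domain,OU
servername1,10.0.0.10,domain1.com,"OU=user,OU=site,DC=domain1,DC=com"
servername2,10.0.1.10,domain2.com,"OU=user,OU=site,DC=domain2,DC=com"
servername3,10.0.1.11,domain2.com,"OU=user,OU=site,DC=domain1,DC=com"
'@ | ConvertFrom-Csv

# Hypothetical helper: "OU=x,DC=domain1,DC=com" -> "domain1.com"
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas and keep only the DC= components, in order.
    $labels = foreach ($rdn in $DistinguishedName -split '(?<!\\),') {
        if ($rdn.Trim() -match '^DC=(.+)$') { $Matches[1] }
    }
    $labels -join '.'
}

$results = foreach ($row in $rows) {
    $targetDomain = Get-DomainFromDN -DistinguishedName $row.OU
    $status = 'Linked'
    $dc = $null
    try {
        # A DN that lives in another domain is what makes a DC answer with a referral.
        if ($targetDomain -ne $row.Domain) {
            throw "OU is in '$targetDomain' but the row lists '$($row.Domain)'"
        }
        # Locate a DC that actually serves the domain holding the OU.
        $dc = Get-ADDomainController -Discover -DomainName $targetDomain -ErrorAction Stop |
            Select-Object -ExpandProperty HostName -First 1
        New-GPLink -Name 'GPO' -Target $row.OU -Domain $targetDomain -Server $dc -ErrorAction Stop |
            Out-Null
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $row.Name; Domain = $targetDomain; DC = $dc; Status = $status }
}

$results | Format-Table -AutoSize
```

The third constructed row pairs domain2.com with an OU under DC=domain1, so it is reported as failed without calling New-GPLink.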
