This stupid error message stumped me for a bit yesterday.
Microsoft.ActiveDirectory.Management.ADReferralException: A referral was returned from the server
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.CheckAndThrowReferralException(ADResponse response)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)
   at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()
   at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
It was generated by a new account creation Flow I maintain, and the error was from the New-ADUser cmdlet. There’s a bunch of posts on the Internet on this for the Set-ADUser cmdlet, but none for New-ADUser.
Upon a whim I ran the nltest /dsgetsitedc:<domain> command on the machine where New-ADUser was being run from and noticed the result was a RODC. So I did nltest /screset:<domain> which gave me a regular DC. After that New-ADUser started working fine as expected. I guess the referral it was talking about was from the RODC to a regular DC and something about that didn’t gel well with New-ADUser.
It’s been years since I ran any of the nltest commands! Am pleased I actually remembered it and thought to run the command. Past few years have been all Microsoft 365 and Power Platform, I’ve forgotten stuff from my younger days. :)
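One way to keep an account-creation script from depending on whichever DC the machine happens to be talking to, as an added example that is not code from the original post: ask the DC locator for a writable DC and pass it to New-ADUser with -Server. It assumes the referral came from a read-only DC, as guessed above; the function names, the domain corp.example and the user details are constructed for illustration.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: return the host name of a writable (non-RODC) DC.
function Get-WritableDomainController {
    param([Parameter(Mandatory)][string]$DomainName)

    # -Writable makes the DC locator skip read-only domain controllers.
    $dc = Get-ADDomainController -Discover -DomainName $DomainName -Writable -ErrorAction Stop

    # With -Discover, HostName comes back as a collection; take the first entry.
    return [string]($dc.HostName | Select-Object -First 1)
}

# Hypothetical wrapper: create the user against an explicitly chosen writable DC.
function New-ADUserOnWritableDC {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][hashtable]$UserParams
    )

    $server = Get-WritableDomainController -DomainName $DomainName
    Write-Verbose "Creating user against $server"

    try {
        New-ADUser @UserParams -Server $server -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADReferralException] {
        # Same exception as in the stack trace above; record which server was
        # targeted so the log shows where the referral came from.
        Write-Error "Referral returned by '$server' while creating '$($UserParams.Name)': $($_.Exception.Message)"
        throw
    }
}

# Constructed sample input. WhatIf = $true keeps this a dry run; remove it to create the account.
$newUser = @{
    Name           = 'Jane Doe'
    SamAccountName = 'jdoe'
    Path           = 'OU=Staff,DC=corp,DC=example'
    WhatIf         = $true
}
New-ADUserOnWritableDC -DomainName 'corp.example' -UserParams $newUser -Verbose
```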