add-adgroupmember to group from multiple domains

Good morning,
While working with a script that creates a group in Domain A and then adds groups from Domains B and C to the initial group, the addition throws an error. However, I noticed that if I wait a while I can add the group without error.
To verify the new group was created I put in a do/while loop with a try/catch; it verifies the group is created, adds the group from Domain B to Domain A, then fails on the group from Domain C if I add it too quickly.

# Create the role group in Domain B and read it back from the same server
New-ADGroup -Name $DomainBRoleGroup -GroupScope Global -GroupCategory Security -Path $DomainBRoleGroupPath -Server $DomainB
$valDomainBRoleGroup = Get-ADGroup -Filter {SamAccountName -eq $DomainBRoleGroup} -Properties samAccountName -Server $DomainB

# Create the functional group in Domain C and read it back from the same server
New-ADGroup -Name $DomainCFunctionalGroup -GroupScope Universal -GroupCategory Security -Path $DomainCFunctionalGroupPath -Server $DomainC
$valDomainCFunctionalGroup = Get-ADGroup -Filter {SamAccountName -eq $DomainCFunctionalGroup} -Server $DomainC

# Stop if the site list group already exists in Domain A
If (Get-ADGroup -Filter {SamAccountName -eq $siteListGroup} -Server $DomainA) {
    $a = New-Object -ComObject WScript.Shell
    $b = $a.Popup("The Group $siteListGroup already exists and will not be created, exiting script! ", 0, "Message From DomainA Script", 1)
    Exit
}

# Create the domain-local group in Domain A, then nest the Domain B and Domain C groups in it
New-ADGroup -Name $siteListGroup -GroupScope DomainLocal -GroupCategory Security -Path $DomainAResourceGroupPath -Server $DomainA
$valSiteListGroup = Get-ADGroup $siteListGroup -Server $DomainA
Add-ADGroupMember -Identity $valSiteListGroup -Members $valDomainBRoleGroup -ErrorAction Stop

Add-ADGroupMember -Identity $valSiteListGroup -Members $valDomainCFunctionalGroup -ErrorAction Stop

Add-ADGroupMember : The specified group type is invalid
At line:10 char:5 

If I run both Add-ADGroupMember lines back to back, it errors on DomainBRoleGroup but adds DomainCFunctionalGroup; then, if I wait a random amount of time and run the Add-ADGroupMember line for that domain again, it works fine.

I have tried a do/while loop with a try/catch that matches the SID of the DomainB group as a member of the DomainA list group, but it doesn't work.
I am lost, because the do/while works great for DomainC to DomainA any time, but DomainB (which is a child domain of A) only works when it likes.

Any suggestions would be greatly appreciated

You're probably running into DC replication issues. You create an object in a domain and then make another call to that domain for that object. This time you get a different DC, and it hasn't learned about the object yet, hence the error.

You could try specifying a particular DC for the -Server parameter instead of using the domain name. I work in a single-domain environment, but any time I script anything in AD I use a single server to avoid this issue. If you don't do this then you will need to add some logic to check for the existence of the object first to avoid errors, but this will add bulk to the script and execution time, so it's best to script against a particular server.

Thank you for the reply Matt,
I had run into that exact problem a time before. The beginning of my script uses

$Script:DomainA = Get-ADDomainController -Discover -Domain "DomainA" -SiteName "datacenter" | Select -ExpandProperty HostName

Then, for the entire script, whenever I need to call the domain I use $DomainA, which is populated with domain_domainController1.

A couple of other things to consider:

Are you certain you are only ending up with one domain controller in $DomainA?

Since you're dealing with universal groups, you might need to make sure you are querying a DC with the global catalog. Can you confirm that this is the case?

The error you are getting seems to indicate a problem with group type. Which line in the portion of the script you posted is line 10 in your original script? This will at least let you drill down to the appropriate portion of the code to help find where the problem lies.
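An added example that puts the suggestions from both replies into working PowerShell (this is not the original poster's script or anything else posted in this thread): discover exactly one writable global-catalog DC per domain and reuse that hostname for every call, wait until a just-created group is readable on that same DC before using it, and confirm membership by DN or by the member's SID, since a member from another forest shows up in the group's member attribute as a foreign security principal whose CN is its SID. The domain names, OU paths and group names are placeholders, and Get-PinnedDC, Wait-ADGroupOnDC, Test-ADGroupHasMember and Add-ADGroupMemberChecked are helper names invented for this example.

```powershell
# Added example, not code from the thread. Domain/OU/group names are placeholders.
Import-Module ActiveDirectory

# Discover one writable global-catalog DC for a domain and return its hostname as a
# plain string, so every later -Server call goes to the same DC (no cross-DC replication race).
function Get-PinnedDC {
    param([Parameter(Mandatory)][string]$Domain, [string]$Site)
    $opts = @{ DomainName = $Domain; Discover = $true; Writable = $true; Service = 'GlobalCatalog' }
    if ($Site) { $opts.SiteName = $Site }
    $dc = @(Get-ADDomainController @opts)
    if ($dc.Count -ne 1) { throw "Expected exactly one DC for $Domain, got $($dc.Count)" }
    return ($dc[0] | Select-Object -ExpandProperty HostName)
}

# Poll a single DC until a group created a moment ago is readable there, or give up.
function Wait-ADGroupOnDC {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Server,
          [int]$TimeoutSeconds = 60, [int]$IntervalSeconds = 2)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try { return Get-ADGroup -Identity $Identity -Server $Server -ErrorAction Stop }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { Start-Sleep -Seconds $IntervalSeconds }
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for '$Identity' to appear on $Server"
}

# True when $Member is already in $Group's member attribute as read from $Server. Same-forest
# members match by DN; members from a trusted forest match by their SID-named FSP entry.
function Test-ADGroupHasMember {
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)]$Member, [Parameter(Mandatory)][string]$Server)
    $members = (Get-ADGroup -Identity $Group.DistinguishedName -Server $Server -Properties member).member
    $fspPattern = "CN=$($Member.SID.Value),CN=ForeignSecurityPrincipals,*"
    return [bool]($members | Where-Object { $_ -eq $Member.DistinguishedName -or $_ -like $fspPattern })
}

# Add a member against the pinned DC and re-read the group from that DC; retry with a pause
# when the add errors, instead of trusting a single Add-ADGroupMember call.
function Add-ADGroupMemberChecked {
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)]$Member, [Parameter(Mandatory)][string]$Server,
          [int]$Attempts = 5, [int]$IntervalSeconds = 5)
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-ADGroupHasMember -Group $Group -Member $Member -Server $Server) { return $true }
        try {
            Add-ADGroupMember -Identity $Group -Members $Member -Server $Server -ErrorAction Stop
        } catch {
            Write-Warning "Attempt $i to add $($Member.DistinguishedName) on $Server failed: $($_.Exception.Message)"
            Start-Sleep -Seconds $IntervalSeconds
        }
    }
    return (Test-ADGroupHasMember -Group $Group -Member $Member -Server $Server)
}

# --- main flow; all names below are placeholders ---
$DcA = Get-PinnedDC -Domain 'domaina.example' -Site 'datacenter'
$DcB = Get-PinnedDC -Domain 'child.domaina.example'
$DcC = Get-PinnedDC -Domain 'domainc.example'

New-ADGroup -Name 'DomainBRoleGroup' -GroupScope Global -GroupCategory Security -Path 'OU=Roles,DC=child,DC=domaina,DC=example' -Server $DcB
$grpB = Wait-ADGroupOnDC -Identity 'DomainBRoleGroup' -Server $DcB

New-ADGroup -Name 'DomainCFunctionalGroup' -GroupScope Universal -GroupCategory Security -Path 'OU=Functional,DC=domainc,DC=example' -Server $DcC
$grpC = Wait-ADGroupOnDC -Identity 'DomainCFunctionalGroup' -Server $DcC

$siteListGroup = 'SiteListGroup'
if (Get-ADGroup -Filter "SamAccountName -eq '$siteListGroup'" -Server $DcA) {
    throw "The group $siteListGroup already exists in Domain A and will not be created."
}
New-ADGroup -Name $siteListGroup -GroupScope DomainLocal -GroupCategory Security -Path 'OU=Resources,DC=domaina,DC=example' -Server $DcA
$grpA = Wait-ADGroupOnDC -Identity $siteListGroup -Server $DcA

foreach ($m in @($grpB, $grpC)) {
    if (-not (Add-ADGroupMemberChecked -Group $grpA -Member $m -Server $DcA)) {
        throw "Could not confirm $($m.DistinguishedName) as a member of $siteListGroup on $DcA"
    }
}
```

Get-PinnedDC throws if discovery returns anything other than one DC, which answers the "are you certain you only have one DC in $DomainA" question up front, and -Service GlobalCatalog covers the universal-group point. The membership check reads the member attribute directly rather than calling Get-ADGroupMember, because the latter tries to resolve each member and can fail for a foreign security principal from a one-way trusted forest that the querying DC cannot look up.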

Thank you very much for the reply, and I apologize for the delayed response.

$Script:DomainA = Get-ADDomainController -Discover -Domain "domain$.com" -SiteName "companyDefault" | Select -ExpandProperty HostName

This returns a value which is a string (System.Object), and I confirmed it is a GC.
You mention the group type problem; that is the interesting hiccup. If I wait before the addition of the group, even just putting in a Start-Sleep for 10-20 sec, it works fine.

One other item: this is in a separate forest with a one-way trust. DomainA trusts us; we don't trust it.