ps1 script to create custom AD attributes: Set-ADObject "The parameter is incorrect" / "A referral was returned from the server"

I have a PowerShell script that creates a set of custom AD attributes. It works on a local VM running Windows Server 2019. It does not work on Windows Server 2019 servers created from AWS EC2 images, where one box is the primary DC and the other box is a replicated AD. I am running it on the replica server, not on the primary DC (maybe that is the problem?). Here is the script:

# Create a new Object Identifier (OID) using a test prefix.
Function New-AttributeID {
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    # Slice the hyphenated GUID into seven hex groups and parse each as a decimal arc.
    $Parts = @()
    $Parts += [UInt64]::Parse($GUID.SubString(0, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(4, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(9, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(14, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(19, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(24, 6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(30, 6), "AllowHexSpecifier")
    $OID = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $Prefix, $Parts[0], $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    return $OID
}
# ...
#
# Create a new attribute and attach it to User Objects.
#
# PARAMETER $Name
#   The name of the attribute you are creating. This will be the CN and the LDAP Display Name. Using a standard prefix
#   is a good practice to follow.
#
# PARAMETER $LDAPDisplayName
#   The attribute's display name.
#
# PARAMETER $AdminDescription
#   A short description that is added as metadata to the attribute.
#
# PARAMETER [$AttributeID]
#   An optional Object Identifier (OID) to assign to the attribute. If omitted, a new OID is generated.
Function Update-Schema {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][Alias('DisplayName')]$LDAPDisplayName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][Alias('Description')]$AdminDescription,
        [Parameter(ValueFromPipelineByPropertyName)][Alias('OID')]$AttributeID = (New-AttributeID)
    )
    BEGIN {}
    PROCESS {
        # Schema naming context of whichever DC the cmdlets are currently bound to.
        $schemaPath = (Get-ADRootDSE).schemaNamingContext
        $type = 'attributeSchema'
        $attributes = @{
            lDAPDisplayName  = $Name;
            attributeId      = $AttributeID;
            oMSyntax         = 4;           # octet string
            attributeSyntax  = "2.5.5.10";
            isSingleValued   = $false;
            adminDescription = $AdminDescription;
        }
        $confirmationMessage = "$schemaPath. This cannot be undone"
        $caption = 'Updating Active Directory Schema'
        if ($PSCmdlet.ShouldProcess($confirmationMessage, $caption)) {
            # ...
            #
            # Create attribute.
            New-ADObject -Name $Name -Type $type -Path $schemaPath -OtherAttributes $attributes
            # ...
            #
            # Attach attribute to User Object.
            $userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
            $userSchema | Set-ADObject -Add @{mayContain = $Name}
        }
    }
    END {}
}

On the first iteration, when it creates the first attribute, I get the following error:

New-ADObject : A referral was returned from the server
At C:\update_ad_schema_shared_ad_storage.ps1:77 char:9
+     New-ADObject -Name $Name -Type $type -Path $schemapath -Other ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo     : ResourceUnavailable: (cn=sc-custom1,C...<DomainNameHere>,DC=com:String) [New-ADObject], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.NewADObject
Set-ADObject : The parameter is incorrect
At C:\update_ad_schema_shared_ad_storage.ps1:83 char:23
+     $userSchema | Set-ADObject -Add @{mayContain = $Name}
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo     : InvalidOperation: (CN=User,CN=Sche...<domainNameHere>,DC=com:ADObject) [Set-ADObject], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:87,Microsoft.ActiveDirectory.Management.Commands.SetADObject

This error occurs when the script is executed on a non-primary DC. When it is run on the primary domain controller (the one holding the FSMO roles), it runs without errors!

Latest update
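The two errors above line up with how schema writes are routed: only the domain controller holding the Schema Master FSMO role accepts writes to the schema naming context, and any other DC answers with an LDAP referral (the `ADReferralException`, error 8235). The second error follows from the first, since `mayContain` cannot reference an attribute that was never created. The script below is an added example, not the asker's script or anything the asker posted as a fix: it resolves the schema master with `(Get-ADForest).SchemaMaster`, passes it as `-Server` to every schema cmdlet, checks whether the attribute and the `mayContain` entry already exist so the script can be re-run safely, and triggers a schema-cache refresh (`schemaUpdateNow`) before the new attribute is referenced from the `user` class. It reuses the OID construction from the question; the attribute names and descriptions you pass in are sample values of your own. Running it requires membership in Schema Admins, so it should be run from an account used only for schema changes.

```powershell
# Added example, not the script from the question: target the Schema Master
# explicitly and make the procedure re-runnable. Requires Schema Admins.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)][string]$Name,               # CN and lDAPDisplayName, e.g. "sc-custom1" (sample value)
    [Parameter(Mandatory)][string]$AdminDescription,   # sample value supplied by the caller
    [string]$AttributeID                               # optional; generated when omitted
)

Import-Module ActiveDirectory

function New-AttributeID {
    # Same construction as in the question: the test prefix plus seven GUID-derived arcs.
    $g = [guid]::NewGuid().ToString('N')   # 32 hex characters, no hyphens
    $arcs = @(0, 4), (4, 4), (8, 4), (12, 4), (16, 4), (20, 6), (26, 6) |
        ForEach-Object { [uint64]::Parse($g.Substring($_[0], $_[1]), 'AllowHexSpecifier') }
    return "1.2.840.113556.1.8000.2554.$($arcs -join '.')"
}

# 1. Resolve the Schema Master. Writing the schema NC on any other DC yields
#    "A referral was returned from the server" (8235), as seen in the question.
$schemaMaster = (Get-ADForest).SchemaMaster
if ($schemaMaster.Split('.')[0] -ne $env:COMPUTERNAME) {
    Write-Verbose "Local DC $env:COMPUTERNAME is not the Schema Master; targeting $schemaMaster"
}
$schemaPath = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# 2. Create the attribute only if it does not exist yet.
$existing = Get-ADObject -Server $schemaMaster -SearchBase $schemaPath `
    -Filter "lDAPDisplayName -eq '$Name'"
if ($existing) {
    Write-Warning "Attribute $Name already exists as $($existing.DistinguishedName); skipping creation"
}
else {
    if (-not $AttributeID) { $AttributeID = New-AttributeID }
    $attributes = @{
        lDAPDisplayName  = $Name
        attributeId      = $AttributeID
        oMSyntax         = 4            # octet string
        attributeSyntax  = '2.5.5.10'
        isSingleValued   = $false
        adminDescription = $AdminDescription
    }
    if ($PSCmdlet.ShouldProcess("$schemaPath on $schemaMaster", "Create attribute $Name")) {
        New-ADObject -Server $schemaMaster -Name $Name -Type attributeSchema `
            -Path $schemaPath -OtherAttributes $attributes

        # 3. Ask the Schema Master to reload its schema cache so the new attribute
        #    is resolvable before it is referenced from a class definition.
        $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }
}

# 4. Attach the attribute to the user class, again on the Schema Master, and only once.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaPath `
    -Filter "lDAPDisplayName -eq 'user'" -Properties mayContain
if ($userClass.mayContain -contains $Name) {
    Write-Verbose "Class user already lists $Name in mayContain"
}
elseif ($PSCmdlet.ShouldProcess($userClass.DistinguishedName, "Add $Name to mayContain")) {
    $userClass | Set-ADObject -Server $schemaMaster -Add @{ mayContain = $Name }
}
```

Run it with `-WhatIf` first to see which DC and which schema container would be written, then without it to apply the change; because every cmdlet is pinned to the same server, the create, the cache refresh and the `mayContain` update all land on the one DC that is allowed to accept them, regardless of which replica the script is started from.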