PowerShell script help required: Confirming computer exists under all domain controllers in a domain?

Question

Hi all. I'm new to PowerShell coding and require assistance if anyone can help me?

I work with a domain that has 5 domain controllers. 4 are local, 1 is remote and there is a 20 minute replication delay between the locals and remote. This cannot be changed by me.

We build a lot of thin clients in a scripted sequence involving multiple reboots taking around 10 minutes. The final part of this sequence adds the client computer object into AD groups and moves it to a different OU.

The problem is this sequence doesn't always complete because the computer object was initially created on the remote AD server, while the latter update is being attempted on a local AD server whilst replication is yet to occur (or vice versa!)

As mentioned, I cannot adjust or change the replication times so I need to change the final sequence so that is searches all ad servers for the computer object and picks any servers that report the object exists, rather than simply quit when it doesn't exist.

I found this great reply by Andreas Baumgarten which I thought was the answer: https://learn.microsoft.com/en-us/answers/questions/1153640

..and implemented it, but realised it wasn't working like I thought when it too fell over after replication hadn't happened.

Can someone please tell me how to fix the script so it searches all available AD controllers, and picks any of them that contains the computer object to continue with the changes? The goal is to no longer get this issue where slow replication trips up the sequence; the object will always exist on at least one server, it's just making sure it's picked over the others that don't yet contain the object.

Code below

Get-ADDomainController | ForEach-Object {  
  try {  
    $compObj = Get-AdComputer -Identity $env:computername -Server $_.Name -ErrorAction SilentlyContinue  
    if ($compObj) {  
      Set-ADComputer $env:computername -Description "T655 (Build Version 1.3)" -Server $_
      Add-ADGroupMember -Identity PatchMgr_ThinClient_Excluded -Members $env:computername$ -Server $_
      Get-ADComputer $env:computername | Move-ADObject -TargetPath '<our domain path>'
             
    }  
  }  
  catch {    
    Write-Host "($_)" -ForegroundColor Red
    Pause  
  }  
} 

Answer 1

Hi NHS Chris,

Not sure if you have considered forcing the replication of that particular object to the domain controller you need? Check Sync-ADObject cmdlet, as simple as replicating an AD object between two domain controllers. You may need to identify if the object has been created in the remote DC, and if so force the sync to the local DC so the process can continue.

I hope it helps.

Answer 2

When you use the Add-Computer cmdlet, you can specify the DC to be used for that operation by using the -Server parameter. You'll also have to provide the -Credential parameter and value.

Use that DC in each of the cmdlets in your process. There's no replication delay to worry about if you do that.

Don't depend on the DC chosen by cmdlet to be the same. In fact, don't depend on any cmdlet to choose the same DC even within the cmdlet!

You'll find that your problem is quite common when you cede control of DC choice. Even within an AD site, replication is not immediate.

Answer 3

Hi NHS Chris,

If any of the above responses helped resolve your issue, please take a moment to click 'Accept Answer.' This helps guide others with similar questions to the solution faster. Your acknowledgment also supports the community in staying effective and organized!

Thanks