Over the past years, I have found many systems and many errors. Today, I'm sharing behavior in Microsoft Windows Server that made me frown and chuckle: a bug in Active Directory code I've been grateful for, since it illustrates the nature of software.
Note:
This behavior has not been publicized in the Microsoft Knowledge Base (yet).
In the past two versions of Windows Server, the Active Directory team has made an effort to migrate all of the command-line tooling to PowerShell. Two of the command-line tools I still use frequently, however, have not been converted to PowerShell: redirusr.exe and redircmp.exe.
redirusr.exe and redircmp.exe were my partners in crime for the last couple of years, in which I set up loads of Active Directory structures for small-sized organizations, following the Best Practice Active Directory Design for Managing Windows Networks. I used them in newly set up environments to automatically place newly created computer and user accounts in specific Organizational Units (OUs) in Active Directory.
A short history on redirusr.exe and redircmp.exe
Microsoft introduced the ability to change the default container (or Organizational Unit) where new users and computers are stored with the Windows Server 2003 Domain Functional Level (DFL). Both tools do not work at the Windows 2000 Domain Functional Level. When using the commands on a Windows Server 2008-based Domain Controller for a domain with the Windows 2000 Domain Functional Level, both tools error out with the following message:
Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Unwilling To Perform
Redirection was NOT successful.
This is by design. As the error indicates, you need to raise the Domain Functional Level (DFL) to Windows Server 2003. It is not the subject of this blog post.
Using redirusr.exe and redircmp.exe
On a Windows Server 2003-based or Windows Server 2008-based Domain Controller in an Active Directory domain with the Windows Server 2003 Domain Functional Level (DFL), you can use the following commands:
dsadd ou "OU=Redirected Users OU,DC=DomainName,DC=Tld"
dsadd ou "OU=Redirected Computers OU,DC=DomainName,DC=Tld"
redirusr "OU=Redirected Users OU,DC=DomainName,DC=Tld"
redircmp "OU=Redirected Computers OU,DC=DomainName,DC=Tld"
The first two commands add two Organizational Units named Redirected Users OU and Redirected Computers OU. The last two commands then redirect the defaults, so that new user accounts and computer accounts are automatically placed in the new OUs.
The two redirection commands output the following message when successful:
Redirection was successful.
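The redirection the two tools perform is a change to the wellKnownObjects attribute on the domain naming context head (the attribute named in the error message below), which stores DN-Binary values of the form B:32:&lt;GUID&gt;:&lt;DN&gt;. The following PowerShell script is an added example and is not code from the original post or from Microsoft: it reads the current default containers, enforces the same Windows Server 2003 DFL precondition as the tools, and then swaps the old and new values in a single modify operation against a Domain Controller you choose with -Server. It assumes the RSAT ActiveDirectory module is installed and that the caller has write access to the domain naming context head; the two container GUIDs are the well-known GUID_USERS_CONTAINER_W and GUID_COMPUTRS_CONTAINER_W constants from ntdsapi.h.

```powershell
# Added example, not code from the original post. Performs the same
# wellKnownObjects change that redirusr.exe / redircmp.exe make, via the
# RSAT ActiveDirectory module, so it can be pointed at a specific DC.
# Assumptions: ActiveDirectory module present; caller can write to the
# domain naming context head (Domain Admins by default).
Import-Module ActiveDirectory

# Well-known object GUIDs of the default Users and Computers containers
# (GUID_USERS_CONTAINER_W and GUID_COMPUTRS_CONTAINER_W in ntdsapi.h).
$WellKnownGuid = @{
    Users     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
    Computers = 'AA312825768811D1ADED00C04FD8D5CD'
}

function Get-DefaultContainer {
    # Reports where new user and computer accounts currently land.
    param([string]$Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $d = Get-ADDomain @common
    [pscustomobject]@{
        Domain             = $d.DNSRoot
        DomainMode         = $d.DomainMode
        UsersContainer     = $d.UsersContainer
        ComputersContainer = $d.ComputersContainer
    }
}

function Set-DefaultContainer {
    # Equivalent of "redirusr <OU>" (-Kind Users) or "redircmp <OU>" (-Kind Computers).
    param(
        [Parameter(Mandatory)][ValidateSet('Users', 'Computers')][string]$Kind,
        [Parameter(Mandatory)][string]$TargetOU,
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $d = Get-ADDomain @common
    # Same precondition the tools enforce: a Windows 2000 DFL cannot be redirected.
    if ($d.DomainMode -eq 'Windows2000Domain') {
        throw 'Domain functional level is Windows 2000; raise it to at least Windows Server 2003 first.'
    }

    # Fail early if the target does not exist or is not an OU
    # (Get-ADObject throws when the identity cannot be found).
    $ou = Get-ADObject -Identity $TargetOU @common
    if ($ou.ObjectClass -ne 'organizationalUnit') {
        throw "$TargetOU is a $($ou.ObjectClass), not an organizationalUnit."
    }

    # wellKnownObjects is DN-Binary: "B:32:<GUID>:<DN>". Locate the entry for this GUID.
    $guid = $WellKnownGuid[$Kind]
    $nc   = Get-ADObject -Identity $d.DistinguishedName -Properties wellKnownObjects @common
    $old  = @($nc.wellKnownObjects) | Where-Object { $_ -like "B:32:${guid}:*" }
    if (@($old).Count -ne 1) {
        throw "Expected exactly one wellKnownObjects entry for $Kind, found $(@($old).Count)."
    }
    $new = "B:32:${guid}:$($ou.DistinguishedName)"
    if ($old -eq $new) {
        Write-Host "$Kind container already points at $TargetOU"
        return
    }

    # The old value must be removed and the new one added in one modify;
    # Set-ADObject applies -Remove before -Add within a single operation.
    Set-ADObject -Identity $d.DistinguishedName `
                 -Remove @{ wellKnownObjects = $old } `
                 -Add    @{ wellKnownObjects = $new } @common

    # Read back through the same DC to confirm the change took effect.
    Get-DefaultContainer @common
}

# Usage (DNs from the post's example; substitute your own):
# Set-DefaultContainer -Kind Users     -TargetOU 'OU=Redirected Users OU,DC=DomainName,DC=Tld'
# Set-DefaultContainer -Kind Computers -TargetOU 'OU=Redirected Computers OU,DC=DomainName,DC=Tld' -Server dc02
```

Running Get-DefaultContainer before and after the redirection is the quickest way to confirm that the tools (or this script) actually changed the attribute, since the message printed by redirusr.exe and redircmp.exe is the only feedback they give. The -Server parameter matters for the bug described next: the modify can be sent to a Domain Controller that is known to accept it, rather than whichever one the tool happens to bind to.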
Now for the bug…
I expected the above commands to work on a Windows Server 2008-based Domain Controller for an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL)…
Unfortunately this is not the case. The error message is:
Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Referral
Redirection was NOT successful.
Obviously the "Verify that the domain functional level of the domain is at least Windows Server 2003" part of the message is a fixed string; what differs from the Windows 2000 Domain Functional Level output is the LDAP result code behind it. Instead of Unwilling To Perform (result code 53), the Domain Controller answers Referral (result code 10): it is apparently willing to perform the modification, but refers the client elsewhere instead of applying it.
This is the actual behavior of a Domain Controller running Windows Server 2008 RTM (or Windows Server 2008 with Service Pack 1, if you want to be 100% correct, since RTM shipped with Service Pack 1 included).
Unfortunately there is no way to redirect users and computers using the redirusr.exe and redircmp.exe commands on a Windows Server 2008 RTM-based Domain Controller in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL).
The workaround
To use the redirusr.exe and redircmp.exe commands in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL), either:
- Install Service Pack 2 on a Windows Server 2008-based Domain Controller and run the commands on this Domain Controller, or
- Upgrade a Domain Controller to Windows Server 2008 R2 or Windows Server 2012 and run the commands on this Domain Controller.
Further reading
Redirecting the users and computers containers in Windows Server 2003 domains
The Lazy Admin : Redirect New Users and Computers to an OU
Overview of the New Active Directory Tools in Windows Server 2003
Redirecting the computers container in Windows Server 2003 domains
Organizational Units, and Virtual Machines
Also occurs on 2012R2… Grrr
Same in Server 2019…
C:\Users\Administrator>redircmp "ou=_COMPANY NAME/_New Users and Computers,dc=homelab,dc=local"
Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Unwilling To Perform
Redirection was NOT successful.