7,023 questions
Issue creating msDS-ShadowPrincipal in ESAE/PAM forest
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 92%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jordan Mills
2
Reputation points
We have an ESAE forest with one domain (priv) and a user/resource forest (blue) with several domains (one.blue, two.blue, three.blue). Another domain was added to the user forest (four). Before and after creating the domain four.blue, we were and are able to create msDS-ShadowPrincipal objects for groups in one.blue, two.blue, and three.blue. But we are not able to create msDS-ShadowPrincipal objects for groups in four.blue.
When trying to create a new msDS-ShadowPrincipal object with New-ADObject, the error is "New-ADObject : The requested operation did not satisfy one or more constraints associated with the class of the object". I assumed this was an undocumented constraint based on the trust object in the priv forest. But we are still getting the error even after validating/refreshing the trust.
Is there something I'm missing? The next step is to delete/recreate the trust, but I'd like to avoid doing that.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-02-23T03:13:53.013+00:00 Hi,
Did you check the type of the trust ?
After the domain four was added, everything DC works well ,right?
Following link for your reference:
https://secureidentity.se/msds-shadowprincipal/(third-party link)
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.Best Regards,
Sign in to comment
Sign in to answer