Active Directory | John Savill's Corner of the Web

Email people via Office 365 from PowerShell when passwords about to expire

I have a demonstration environment where many users have accounts but they never logon to AD directly nor look at this demonstration email mailbox. They only use the environment via Azure AD where they logon at Azure AD via the replicated password hash. Because of this they don’t get password expiry notifications and continue to logon however if they try and access something that does hook into AD and not Azure AD the logon fails.

They wanted to be emailed of upcoming password expiry to their real-email. To accomplish this their real email was stored in extensionAttribute10. I didn’t use the proxyaddresses as this may have SIP information. This attribute could be easily set with:

$aduser | Set-Aduser -Replace @{extensionAttribute10=$AltEmail}

1	$aduser \| Set-Aduser -Replace @{extensionAttribute10=$AltEmail}

I had a mailbox for a core process I use. Now that user has no other rights so I placed the password in the script but that’s not ideal at all. If this was Azure Automation I could have used a credential object, I could have at least made the password harder to read by creating an encrypted version of the password and then storing that in the file (but its still reversible, just slightly harder to glance at!), e.g.

ConvertFrom-SecureString (ConvertTo-SecureString -AsPlainText -Force 'Password123') #this is run once to generate the value

$securepassword = ConvertTo-SecureString "<the huge value from previous command on one line>" #this is then in script going forward
$cred = new-object System.Management.Automation.PSCredential ("john@savilltech.com", $securepassword)

ConvertFrom-SecureString (ConvertTo-SecureString -AsPlainText -Force 'Password123') #this is run once to generate the value

$securepassword = ConvertTo-SecureString "<the huge value from previous command on one line>" #this is then in script going forward

$cred = new-object System.Management.Automation.PSCredential ("john@savilltech.com", $securepassword)

However the account can’t do anything except email and access to the script location was highly restricted so I left it as text which was also easier to demonstrate below however in my environment I used the alternate approach above just to make it a little harder to get the password on glance :-). Replace this with your own email and password.

The script looks for any password expiring in less than 10 days and emails a simple message. Customize as you like! It has a basic HTML block with a placeholder (MESSAGEHOLDER) that is replaced by a custom string for the user.

$CurrentDate = Get-Date
$Users = Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, CannotChangePassword, extensionAttribute10

$fromEmail = 'fromuser@domain.com'
$fromPass = 'password'
$securePassword = ConvertTo-SecureString $fromPass -AsPlainText -Force
$emailcred = New-Object System.Management.Automation.PSCredential ($fromEmail, $securePassword)  
$SMTPServer = 'smtp.office365.com'
$SMTPPort = '587'

$PasswordNotifyDays = 10

$emailBody = @"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="en-us" http-equiv="Content-Language" />
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
</head>
<body>
<p>MESSAGEHOLDER</p>
<p>Please change password at <a href="https://myapps.microsoft.com">https://myapps.microsoft.com</a>.</p>
</body>
</html>
"@

foreach($user in $users)
{
    $userUPN = $user.DistinguishedName
    $userName = $user.Name

        $PasswordLastChanged = $user.PasswordLastSet
        $PasswordExpired = [datetime]::FromFileTime($user."msDS-UserPasswordExpiryTimeComputed")
        
        $PasswordTillExpired = ($PasswordExpired - $CurrentDate).Days
        if($PasswordTillExpired -lt $PasswordNotifyDays)
        {
            if($PasswordTillExpired -lt 0)
            {
                $message = "User $userName ($($user.UserPrincipalName)) password is expired ($PasswordTillExpired days past change time). Last changed $PasswordLastChanged"
            }
            else
            {
                $message = "User $userName ($($user.UserPrincipalName)) password expires in $PasswordTillExpired days. Last changed $PasswordLastChanged"
            }
            Write-Output $message
            $altemail = $user.extensionAttribute10
            if($altemail -ne $null)
            {
                write-output "   Alternate email found and message being sent to $altemail"
                Send-MailMessage -To $altemail -From $fromEmail -Subject "Password Expiry Notification - $($user.UserPrincipalName)" -BodyAsHtml $emailBody.Replace("MESSAGEHOLDER",$message) `
                    -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $emailcred
            }
        }
}

$CurrentDate = Get-Date

$Users = Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, CannotChangePassword, extensionAttribute10

$fromEmail = 'fromuser@domain.com'

$fromPass = 'password'

$securePassword = ConvertTo-SecureString $fromPass -AsPlainText -Force

$emailcred = New-Object System.Management.Automation.PSCredential ($fromEmail, $securePassword)

$SMTPServer = 'smtp.office365.com'

$SMTPPort = '587'

$PasswordNotifyDays = 10

$emailBody = @"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

</head>

<body>

<p>MESSAGEHOLDER</p>

<p>Please change password at <a href="https://myapps.microsoft.com">https://myapps.microsoft.com</a>.</p>

</body>

</html>

foreach($user in $users)

{

$userUPN = $user.DistinguishedName

$userName = $user.Name

$PasswordLastChanged = $user.PasswordLastSet

$PasswordExpired = [datetime]::FromFileTime($user."msDS-UserPasswordExpiryTimeComputed")

$PasswordTillExpired = ($PasswordExpired - $CurrentDate).Days

if($PasswordTillExpired -lt $PasswordNotifyDays)

{

if($PasswordTillExpired -lt 0)

{

$message = "User $userName ($($user.UserPrincipalName)) password is expired ($PasswordTillExpired days past change time). Last changed $PasswordLastChanged"

}

else

{

$message = "User $userName ($($user.UserPrincipalName)) password expires in $PasswordTillExpired days. Last changed $PasswordLastChanged"

}

Write-Output $message

$altemail = $user.extensionAttribute10

if($altemail -ne $null)

{

write-output " Alternate email found and message being sent to $altemail"

Send-MailMessage -To $altemail -From $fromEmail -Subject "Password Expiry Notification - $($user.UserPrincipalName)" -BodyAsHtml $emailBody.Replace("MESSAGEHOLDER",$message) `

-SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $emailcred

}

Have fun!

Create AD sites through PowerShell

I recently needed to create an AD site for each MTC (an office), add the IP range assigned to that MTC (which was in a CSV file) and then associate the site with a site link for its region. This is so the Active Directory automatic site coverage feature will enable DCs to populate per-site DNS records for the MTCs ensuring authentication traffic uses the most optimal DC. The DCs are spread over four regional locations.

The CSV file simply had one or two second octet numbers for the /16 IP range associated with the MTC. The code therefore enumerates through each OU, checks to see if the MTC can be found in the CSV data for the IP ranges. Next if the site does not already exist it is created, added to its regional site link (based on the parent OU name and for NA if its East or West) and then the IP ranges for the MTC assigned.

$MTCIPConfigFile = "F:\PowerShell\basicmtcips.csv"
$MTCIPInfo = Import-Csv -Path $MTCIPConfigFile 

$RootDomain = "DC=onemtc,DC=net"
$TopLevelRegions = "APAC","EMEA","NA"

foreach($TopLevelRegion in $TopLevelRegions)
{
    $MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description  
    foreach($MTCOU in $MTCOUs)
    {
        $MTCCode = $MTCOU.Name
        $MTCCodeShort = $MTCOU.Name.Substring(3)
        #Find the MTC in the IP list
        $MTCIPrange = $null
        $MTCLocation = $null
        foreach($MTCInfo in $MTCIPInfo)
        {
            if($MTCInfo.Code -eq $MTCCode)
            {
                if($MTCInfo.LocalOctet -eq $MTCInfo.SharedOctet)
                {
                    $MTCIPrange = $MTCInfo.LocalOctet
                }
                else
                {
                    $MTCIPrange = $MTCInfo.LocalOctet,$MTCInfo.SharedOctet
                }
                $MTCLocation = $MTCInfo.Location
            }
        }
        Write-Output "MTC $MTCCodeShort processing in region $TopLevelRegion"
        if($MTCIPrange -ne $null)
        {
            $MTCADSiteName = "$TopLevelRegion$MTCCodeShort"
            $MTCADSiteSearch = $null
            try
            {
                $MTCADSiteSearch = Get-ADReplicationSite -Filter {Name -eq $MTCADSiteName}
            }
            catch {}

            if($MTCADSiteSearch -eq $null)
            {
                Write-Output "Site not found, creating"
                New-ADReplicationSite $MTCADSiteName

                #Add to site link
                switch ($TopLevelRegion)
                {
                    'NA' {if($MTCLocation -eq "W") {$siteLinkName = "NAMTCs-AzureWestUS"} else {$siteLinkName = "NAMTCs-AzureEastUS"}}
                    'APAC' {$siteLinkName = "APACMTCs-AzureSoutheastAsia"}
                    'EMEA' {$siteLinkName = "EMEAMTCs-AzureWestEurope"}
                    Default {$siteLinkName = "NAMTCs-AzureEastUS"}
                }
                Write-Output "Adding to site link $siteLinkName"
                Set-ADReplicationSiteLink $siteLinkName -SitesIncluded @{Add="$MTCADSiteName"}

                foreach($IPrange in $MTCIPrange)
                {
                    $IPCIDR = "10.$IPrange.0.0/16"
                    Write-Output "Assigning $IPCIDR to new site $MTCADSiteName"
                    New-ADReplicationSubnet -Name $IPCIDR -Site $MTCADSiteName -Location $TopLevelRegion
                }
            }
            else
            {
                Write-Output "Site exists"
            }
        }
        else
        {
            Write-Output "No IP configuration found, skipping"
        }
        Write-Output ""
    }
}

$MTCIPConfigFile = "F:\PowerShell\basicmtcips.csv"

$MTCIPInfo = Import-Csv -Path $MTCIPConfigFile

$RootDomain = "DC=onemtc,DC=net"

$TopLevelRegions = "APAC","EMEA","NA"

foreach($TopLevelRegion in $TopLevelRegions)

{

$MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description

foreach($MTCOU in $MTCOUs)

{

$MTCCode = $MTCOU.Name

$MTCCodeShort = $MTCOU.Name.Substring(3)

#Find the MTC in the IP list

$MTCIPrange = $null

$MTCLocation = $null

foreach($MTCInfo in $MTCIPInfo)

{

if($MTCInfo.Code -eq $MTCCode)

{

if($MTCInfo.LocalOctet -eq $MTCInfo.SharedOctet)

{

$MTCIPrange = $MTCInfo.LocalOctet

}

else

{

$MTCIPrange = $MTCInfo.LocalOctet,$MTCInfo.SharedOctet

}

$MTCLocation = $MTCInfo.Location

}

Write-Output "MTC $MTCCodeShort processing in region $TopLevelRegion"

if($MTCIPrange -ne $null)

{

$MTCADSiteName = "$TopLevelRegion$MTCCodeShort"

$MTCADSiteSearch = $null

try

{

$MTCADSiteSearch = Get-ADReplicationSite -Filter {Name -eq $MTCADSiteName}

}

catch {}

if($MTCADSiteSearch -eq $null)

{

Write-Output "Site not found, creating"

New-ADReplicationSite $MTCADSiteName

#Add to site link

switch ($TopLevelRegion)

{

'NA' {if($MTCLocation -eq "W") {$siteLinkName = "NAMTCs-AzureWestUS"} else {$siteLinkName = "NAMTCs-AzureEastUS"}}

'APAC' {$siteLinkName = "APACMTCs-AzureSoutheastAsia"}

'EMEA' {$siteLinkName = "EMEAMTCs-AzureWestEurope"}

Default {$siteLinkName = "NAMTCs-AzureEastUS"}

}

Write-Output "Adding to site link $siteLinkName"

Set-ADReplicationSiteLink $siteLinkName -SitesIncluded @{Add="$MTCADSiteName"}

foreach($IPrange in $MTCIPrange)

{

$IPCIDR = "10.$IPrange.0.0/16"

Write-Output "Assigning $IPCIDR to new site $MTCADSiteName"

New-ADReplicationSubnet -Name $IPCIDR -Site $MTCADSiteName -Location $TopLevelRegion

}

else

{

Write-Output "Site exists"

}

else

{

Write-Output "No IP configuration found, skipping"

}

Write-Output ""

}

Bulk created group policy objects with PowerShell

A lot of the work I do around Active Directory and Azure AD is for our OneMTC.net environment used by our global Microsoft Technology Centers. It is built around a number of region-based organizational units which then have child OUs for each MTC.

The requirement was to create a number of GPOs for each MTC which could then be modified by the local administrator of the MTC. To do this I created two template GPOs with most of the basic settings which I then just needed to copy to a new, per-MTC GPO instance then link to the GPO. This was very easy with PowerShell and the GroupPolicy module.

I also had already created the GPOs for a couple of MTCs so wanted to skip creating the objects for them. In the PowerShell below you can see I have a variable for the top-level of the MTC and then an array of the top level regional OUs. From there I have the names of the GPO templates and an array of the MTCs to skip. At that point I just enumerate for OUs, copy the GPOs and link the new per-instance GPO to the OU.

Import-Module GroupPolicy

$RootDomain = "DC=onemtc,DC=net"
$TopLevelRegions = "APAC","EMEA","NA"

$WSUSConfigTemplateName = "WSUS Configuration"
$AdminTemplateName = "MTC Admins Template"

$MTCsToSkip = "DAL","ATL","DEN","MPLS"

foreach($TopLevelRegion in $TopLevelRegions)
{
    $MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description  
    foreach($MTCOU in $MTCOUs)
    {
        $MTCCode = $MTCOU.Name.Substring(3)
        if($MTCsToSkip -notcontains $MTCCode)
        {
            Write-Output "Creating GPOs and linking for MTC $MTCCode"
            #Copy the two templates to the new names
            Copy-GPO -SourceName $AdminTemplateName -TargetName "$MTCCode Admins"
            Copy-GPO -SourceName $WSUSConfigTemplateName -TargetName "$MTCCode WSUS Config"

            #Link the GPOs to the OU
            New-GPLink -Name "$MTCCode Admins" -Target $MTCOU.DistinguishedName
            New-GPLink -Name "$MTCCode WSUS Config" -Target $MTCOU.DistinguishedName
        }
    }
}

Import-Module GroupPolicy

$RootDomain = "DC=onemtc,DC=net"

$TopLevelRegions = "APAC","EMEA","NA"

$WSUSConfigTemplateName = "WSUS Configuration"

$AdminTemplateName = "MTC Admins Template"

$MTCsToSkip = "DAL","ATL","DEN","MPLS"

foreach($TopLevelRegion in $TopLevelRegions)

{

$MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description

foreach($MTCOU in $MTCOUs)

{

$MTCCode = $MTCOU.Name.Substring(3)

if($MTCsToSkip -notcontains $MTCCode)

{

Write-Output "Creating GPOs and linking for MTC $MTCCode"

#Copy the two templates to the new names

Copy-GPO -SourceName $AdminTemplateName -TargetName "$MTCCode Admins"

Copy-GPO -SourceName $WSUSConfigTemplateName -TargetName "$MTCCode WSUS Config"

#Link the GPOs to the OU

New-GPLink -Name "$MTCCode Admins" -Target $MTCOU.DistinguishedName

New-GPLink -Name "$MTCCode WSUS Config" -Target $MTCOU.DistinguishedName

}

Removing a non-existent domain

Recently lost a huge storage array and with that the DC for a demo child domain. I therefore had to clean up the now non-existent domain. I did this with ntdsutil. Below are the steps involved. Basically the domain controllers for the domain are removed, then the DNS naming context and finally the domain.

C:\Users\Administrator>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server savdaldc01
Binding to savdaldc01 ...
Connected to savdaldc01 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list sites
Found 5 site(s)
0 - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
1 - CN=Azure,CN=Sites,CN=Configuration,DC=savilltech,DC=net
2 - CN=Houston,CN=Sites,CN=Configuration,DC=savilltech,DC=net
3 - CN=Austin,CN=Sites,CN=Configuration,DC=savilltech,DC=net
4 - CN=SanAntonio,CN=Sites,CN=Configuration,DC=savilltech,DC=net
select operation target: select site 0
Site - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
Domain - DC=dev,DC=savilltech,DC=net
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=SAVDALDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
1 - CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
select operation target: select server 1
Site - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
Domain - DC=dev,DC=savilltech,DC=net
Server - CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
        DSA object - CN=NTDS Settings,CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net
        DNS host name - savdaldevdc01.dev.savilltech.net
        Computer object - CN=SAVDALDEVDC01,OU=Domain Controllers,DC=dev,DC=savilltech,DC=net
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Unable to determine FRS owner for role PDC.
Unable to determine FRS owner for role Rid Master.
Unable to determine FRS owner for role Infrastructure Master.
"CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net" removed from server "savdaldc01"


metadata cleanup: select operation target
select operation target: list naming contexts
Found 7 Naming Context(s)
0 - CN=Configuration,DC=savilltech,DC=net
1 - DC=savilltech,DC=net
2 - CN=Schema,CN=Configuration,DC=savilltech,DC=net
3 - DC=DomainDnsZones,DC=savilltech,DC=net
4 - DC=ForestDnsZones,DC=savilltech,DC=net
5 - DC=dev,DC=savilltech,DC=net
6 - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net
select operation target: select naming context 6
No current site
Domain - DC=dev,DC=savilltech,DC=net
No current server
Naming Context - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net
select operation target: quit
metadata cleanup: remove selected naming context
"DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net" removed from server "savdaldc01"


metadata cleanup: select operation target
select operation target: list domains
Found 2 domain(s)
0 - DC=savilltech,DC=net
1 - DC=dev,DC=savilltech,DC=net
select operation target: select domain 1
No current site
Domain - DC=dev,DC=savilltech,DC=net
No current server
Naming Context - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net
select operation target: quit
metadata cleanup: remove selected domain
"DC=dev,DC=savilltech,DC=net" removed from server "savdaldc01"
metadata cleanup: quit
ntdsutil: quit

C:\Users\Administrator>ntdsutil

ntdsutil: metadata cleanup

metadata cleanup: connections

server connections: connect to server savdaldc01

Binding to savdaldc01 ...

Connected to savdaldc01 using credentials of locally logged on user.

server connections: quit

metadata cleanup: select operation target

select operation target: list sites

Found 5 site(s)

0 - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

1 - CN=Azure,CN=Sites,CN=Configuration,DC=savilltech,DC=net

2 - CN=Houston,CN=Sites,CN=Configuration,DC=savilltech,DC=net

3 - CN=Austin,CN=Sites,CN=Configuration,DC=savilltech,DC=net

4 - CN=SanAntonio,CN=Sites,CN=Configuration,DC=savilltech,DC=net

select operation target: select site 0

Site - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

Domain - DC=dev,DC=savilltech,DC=net

No current server

No current Naming Context

select operation target: list servers in site

Found 2 server(s)

0 - CN=SAVDALDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

1 - CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

select operation target: select server 1

Site - CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

Domain - DC=dev,DC=savilltech,DC=net

Server - CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

DSA object - CN=NTDS Settings,CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net

DNS host name - savdaldevdc01.dev.savilltech.net

Computer object - CN=SAVDALDEVDC01,OU=Domain Controllers,DC=dev,DC=savilltech,DC=net

No current Naming Context

select operation target: quit

metadata cleanup: remove selected server

Transferring / Seizing FSMO roles off the selected server.

Unable to determine FRS owner for role PDC.

Unable to determine FRS owner for role Rid Master.

Unable to determine FRS owner for role Infrastructure Master.

"CN=SAVDALDEVDC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=savilltech,DC=net" removed from server "savdaldc01"

metadata cleanup: select operation target

select operation target: list naming contexts

Found 7 Naming Context(s)

0 - CN=Configuration,DC=savilltech,DC=net

1 - DC=savilltech,DC=net

2 - CN=Schema,CN=Configuration,DC=savilltech,DC=net

3 - DC=DomainDnsZones,DC=savilltech,DC=net

4 - DC=ForestDnsZones,DC=savilltech,DC=net

5 - DC=dev,DC=savilltech,DC=net

6 - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net

select operation target: select naming context 6

No current site

Domain - DC=dev,DC=savilltech,DC=net

No current server

Naming Context - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net

select operation target: quit

metadata cleanup: remove selected naming context

"DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net" removed from server "savdaldc01"

metadata cleanup: select operation target

select operation target: list domains

Found 2 domain(s)

0 - DC=savilltech,DC=net

1 - DC=dev,DC=savilltech,DC=net

select operation target: select domain 1

No current site

Domain - DC=dev,DC=savilltech,DC=net

No current server

Naming Context - DC=DomainDnsZones,DC=dev,DC=savilltech,DC=net

select operation target: quit

metadata cleanup: remove selected domain

"DC=dev,DC=savilltech,DC=net" removed from server "savdaldc01"

metadata cleanup: quit

ntdsutil: quit

Note that if you receive an error that the domain cannot be remove because of a leaf object run the following to force replication.

repadmin /syncall /aped