If you happen to come across this when exporting to a Windows Server 2008 Active Directory:
…then you may be running into a situation whereby the ADMA has inadvertently selected an RODC to export to. Since this DC is, by definition, read-only, it returns a referral, and the current ADMA (2007 FP1) apparently does not chase that referral. To resolve this you have a few options:
- Remove the RODC from the site the ILM server is in – obviously this requires quite a bit of say in the AD site design, which you may not have, but it is a valid request: in most situations ILM should sit in a well-connected data center close to the information, so you probably shouldn't have RODCs in that particular site at all. If the ILM server belongs to an AD site that contains an RODC and you let the ADMA select the DC automatically, you always run the chance of getting that RODC during one of your export runs. You should even avoid reading from it, in case you rely on seeing attributes that are purposely filtered from replicating to RODCs.
- Configure the ADMA to use a specific set of preferred domain controllers – easily done, but you lose the "self-healing" you get when another DC stands in for site coverage after a failure. Site coverage is a normal AD mechanism that you should leverage in your ADMA designs, so even though this is the easiest solution, it is by no means the one I would jump to straight away. I tend to reserve this option for when I know I have to talk to a specific DC through a firewall; that said, it is applicable here.
My cursory inquiries have not revealed any bugs filed for this so I think I'll open the case to get it on the radar. If you've logged the bug already, please let me know.
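As an added example (not from the original post or the ILM product), the following PowerShell script, run on the ILM server, shows what the DC Locator hands back for that server's AD site with and without the writable-DC requirement (the managed `LocatorOptions.WriteableRequired` flag), and lists every DC covering the site flagged as RODC or not. It assumes a domain-joined Windows host with .NET 3.5 or later and uses the well-known fact that RODC computer accounts carry primaryGroupID 521 (the "Read-only Domain Controllers" group).

```powershell
# Added example: audit which DC the locator returns for this machine's site and whether
# any RODC covers that site, before trusting the ADMA's automatic DC selection.
Add-Type -AssemblyName System.DirectoryServices

$site     = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$domainDn = $domain.GetDirectoryEntry().Properties['distinguishedName'][0]

function Test-IsRodc {
    param([string]$DcName, [string]$DomainDn)
    # RODC computer accounts have the "Read-only Domain Controllers" group (RID 521)
    # as their primary group, so primaryGroupID=521 identifies them.
    $short    = ($DcName -split '\.')[0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$short`$))"
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $false }
    return ([int]$result.Properties['primarygroupid'][0] -eq 521)
}

# ForceRediscovery bypasses the locator cache so we see a fresh selection each time.
$rediscover = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery
$writable   = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::WriteableRequired

$anyDc      = $domain.FindDomainController($site, $rediscover)
$writableDc = $domain.FindDomainController($site, ($rediscover -bor $writable))

"Site:                          $site"
"Locator (no constraint):       $($anyDc.Name)  RODC=$(Test-IsRodc $anyDc.Name $domainDn)"
"Locator (WriteableRequired):   $($writableDc.Name)  RODC=$(Test-IsRodc $writableDc.Name $domainDn)"
""
"DCs covering site ${site}:"
foreach ($dc in $domain.FindAllDomainControllers($site)) {
    "  {0,-40} RODC={1}" -f $dc.Name, (Test-IsRodc $dc.Name $domainDn)
}
```

If the unconstrained line ever reports RODC=True, the export failure described above can occur whenever the ADMA is left to pick its DC automatically.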
1 comment:
So, the case was opened - we asked for the DS_WRITABLE_REQUIRED flag to be added to the DC Locator call to ensure that an RODC is never returned. It sounds like it will be going to QFE.