PowerShell/Active Directory Web Services performance issue only on specific domain controllers
Last week my team noticed some of our PowerShell AD Group management scripts throwing errors. After a little digging, we found that the 'Get-ADGroupMember' command was timing out when pointed to certain domain controllers. We have nine total DCs: five VMs and four physical. The issue is repeatable only on the four physical. Those four are running Server 2016; the VMs are Server 2022.
When targeting the unaffected DCs, a sample command will return in milliseconds. The impacted DCs timeout after the five minute limit. The test group is not big. It has less than 300 members.
I put ADWS in debug mode (as described here)and captured the process on one of the slow DCs and on one of the 'normal' DCs. Nothing stand out to me other than, once the process starts getting each member object, the time each object takes to retrieve is slower. Timing on other commands, such as Get-ADUser, don't seem to show any consistent measurable differences.
We do not appear to be resource bound but, I did note that while the command is running on the slow DCs, we're seeing all the activity on a single core.
We're coming off holiday break so usage has been light so it's hard to pin down exactly when the issue started. We also made a major change to our IAM processes a few weeks ago that roughly doubled our number of user objects from circa 30k to 70k. Our DC health checks and replication all show green following that change.
Short of this being a 2016 specific issue with the December updates, I'm at a loss of where to go next. The physical servers are 8 years old but were significantly over spec. While one core is being used during the call, overall system usage is low:
Slow log sample:
ActiveDirectoryWebServices: [1/11/2025 11:47:05 PM] [31] GetADGroupMember: found sdsamGroupPrincipal CN=GroupX
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] GetADGroupMember: member of CN=XXX
DirectoryUtilities: [1/11/2025 11:47:06 PM] [31] GetTimeRemaining: remaining time is 00:05:09.5457365
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] PopulateObjectClasses: adding class top
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] PopulateObjectClasses: adding class person
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] PopulateObjectClasses: adding class organizationalPerson
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] PopulateObjectClasses: adding class user
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] GetLocalDnsDomainName: Retrieved domain name 'domain.name'
ActiveDirectoryWebServices: [1/11/2025 11:47:06 PM] [31] GetADGroupMember: member of CN=YYY
DirectoryUtilities: [1/11/2025 11:47:06 PM] [31] GetTimeRemaining: remaining time is 00:05:09.4051086
ActiveDirectoryWebServices: [1/11/2025 11:47:07 PM] [31] PopulateObjectClasses: adding class top
ActiveDirectoryWebServices: [1/11/2025 11:47:07 PM] [31] PopulateObjectClasses: adding class person
ActiveDirectoryWebServices: [1/11/2025 11:47:07 PM] [31] PopulateObjectClasses: adding class organizationalPerson
ActiveDirectoryWebServices: [1/11/2025 11:47:07 PM] [31] PopulateObjectClasses: adding class user
ActiveDirectoryWebServices: [1/11/2025 11:47:07 PM] [31] GetADGroupMember: member of CN=ZZZ
DirectoryUtilities: [1/11/2025 11:47:07 PM] [31] GetTimeRemaining: remaining time is 00:05:07.5925597
ActiveDirectoryWebServices: [1/11/2025 11:47:09 PM] [31] PopulateObjectClasses: adding class top
ActiveDirectoryWebServices: [1/11/2025 11:47:09 PM] [31] PopulateObjectClasses: adding class person
ActiveDirectoryWebServices: [1/11/2025 11:47:09 PM] [31] PopulateObjectClasses: adding class organizationalPerson
ActiveDirectoryWebServices: [1/11/2025 11:47:09 PM] [31] PopulateObjectClasses: adding class user
ActiveDirectoryWebServices: [1/11/2025 11:47:09 PM] [31] GetADGroupMember: member of CN=AAA
DirectoryUtilities: [1/11/2025 11:47:10 PM] [31] GetTimeRemaining: remaining time is 00:05:05.5456304
The first record appears to return quickly. Subsequent records look like the take 1s to 2s.
It is unclear as to why or how, but simply starting and stopping the Directory Services Authentication Scripts found here permanently resolved the issue. The issue will still manifest after the start-auth script runs; it's only remediated after the stop-auth script is executed. Now that the issue is resolved, I have no way to test or determine which specific command in the script is the key.
- MariaDB : create database and execute sql script without '<' character from the command line cmd.exe
- run install-package without it prompting to install nuget
- run powershell script from anywhere
- Right click open new powershell file open in PSIDE
- Powershell prompt, red trailing character on error
- I cannot update ini file. Treating ini file as hastable in Powershell
- PSCustomObject to Hashtable
- 'using:' and other methods not working with start-threadJob to load objects into job session
- How do I refocus a Powershell script after a Start-Process?
- How to auto extract cbz in subfolders on windows?
- How to read or get or fetch automatically the setting values from [Control Panel > Security and Maintenance] using Batch Script or PowerShell?
- Open an Excel File, Read Specific Contents, Print the Output
- Using PowerShell to write a file in UTF-8 without the BOM
- How do I fix a Powershell problem with button selection?
- Azure Yaml pipeline cancelTimeoutInMinutes not working
- PowerShell - how to import module in a script without polluting the global scope?
- Powershell Get-Process. works the first time, fails the 2nd time
- Use Invoke-SQLCmd and return number of rows deleted/affected
- UNIX format files with Powershell
- PowerShell Subprocess Launched via debugpy Doesn’t Inherit Environment Variables (but cmd.exe does)
- Force Batch file called with Invoke-Item to use a certain working directory
- Powershell and wmi, how to map logical disk/volumes to a hard disk or vice versa?
- Possible to pull info from AdditionalProperties dictionary with Microsoft Graph PowerShell cmdlets?
- Add-AppxPackage : Deployment failed with HRESULT: 0x80073CF3, Package failed updates, dependency or conflict
- PowerShell | AutoCompleter not working with TAB completion with custom array
- PowerShell compare but exclude .txt files
- Microsoft Graph PowerShell cmdlet not returning @odata.deltaLink or @odata.nextLink in delta query
- After running a custom PowerShell script in Power Automate Desktop, how do I capture the output into a new variable?
- Comparing array variables in PowerShell
- How to edit Excel Online file by Powershell using Microsoft Graph API?