AD Module timeout

Handian Sudianto 7,241 Reputation points
2026-04-01T01:18:10.38+00:00

What can we do if I get the timeout limit shown in the picture below when executing the Active Directory PowerShell command?

[screenshot attached to the question showing the timeout message; not reproduced here]

2 answers

  1. Harry Phan 22,230 Reputation points Independent Advisor
    2026-04-01T04:56:36.24+00:00

    Hi Handian,

    This timeout is not a PowerShell client issue; it is an LDAP server-side query timeout enforced by Active Directory while enumerating fine‑grained password policies, which typically occurs in large or slow domains when Get-ADFineGrainedPasswordPolicy is executed without a restrictive filter. The supported fix is to increase the LDAP query timeout by creating an extended LDAP query policy with a higher MaxQueryDuration value and linking it to the affected domain controller or site, using ldifde against the Configuration partition as documented by Microsoft. Running the cmdlet with a specific -Identity or a narrow -Filter can mitigate the symptom but does not resolve the underlying server timeout condition. This behavior is expected and will continue until the directory service is allowed more time to process the request. If timeouts persist after applying an extended query policy, you should validate DC performance, replication health, and network latency, as the cmdlet is often the first indicator of deeper directory service degradation. No client-side PowerShell timeout parameter exists for AD cmdlets, so increasing the LDAP query policy is the only supported and reliable resolution.

    If you find this post helpful, please accept the answer or give it a thumbs up; it would lighten my day!!!

    Harry.

  2. AI answer

    2026-04-01T01:18:38.7066667+00:00

    The timeout is coming from Active Directory when the Get-ADFineGrainedPasswordPolicy search takes longer than the server’s configured query time limit. To resolve it, increase the LDAP/query timeout on a DC or create and link a query policy with a higher timeout.

    One supported way is to create an extended query policy with a longer timeout and link it to the DC or site:

    1. Create an LDIF file (for example, ldappolicy.ldf) that defines a query policy with higher limits (for example, MaxQueryDuration 10 minutes). The sample in the documentation shows how to build such a file.
    2. Import the policy into the configuration partition using ldifde, replacing the DC=X placeholder in the file with your forest root DN:

         ldifde -i -f ldappolicy.ldf -v -c "DC=X" "DC=<forest root>"

    3. Link the new policy to the DC by importing another LDIF file such as:

         dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=X
         changetype: modify
         add: queryPolicyObject
         queryPolicyObject: CN=Extended Timeout,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X
         -

       and run:

         ldifde -i -f link-policy-dc.ldf -v -c "DC=X" "DC=<forest root>"

    4. Alternatively, link the policy at the site level using the sample LDIF that targets CN=NTDS Site Settings.

    After the new query policy is in place and linked, repeat the Get-ADFineGrainedPasswordPolicy command. The longer server-side timeout should prevent the operation from failing unless there is an underlying performance or connectivity problem that must be investigated separately.

    Note: Ntdsutil.exe shows only the default query policy values; custom policies created for extended timeouts will not appear there.
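The following PowerShell script is an added example for this thread; it is not code from the question or from either answer. It covers the two things a practitioner needs around the ldifde procedure above: a read-only audit of which LDAP query policies exist and which one each domain controller actually resolves to (custom policies do not appear in Ntdsutil, so this is the only easy way to confirm the link took effect), and a generator for the ldappolicy.ldf file of step 1 that copies the Default Query Policy's limits and raises only MaxQueryDuration. It assumes the ActiveDirectory module on a domain-joined host with read access to the Configuration partition; the function names are this example's own, while queryPolicy, lDAPAdminLimits and queryPolicyObject are the schema names Active Directory uses.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module and
# read access to the Configuration partition. Function names are this example's own.
Import-Module ActiveDirectory

$configNC        = (Get-ADRootDSE).configurationNamingContext
$policyContainer = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# lDAPAdminLimits is multi-valued, one "Name=Value" string per limit; turn it into a table.
function ConvertFrom-LdapAdminLimits {
    param([string[]]$Limits)
    $table = [ordered]@{}
    foreach ($entry in $Limits) {
        $name, $value = $entry -split '=', 2
        $table[$name] = [int]$value
    }
    return $table
}

# 1. List every query policy, custom ones included (Ntdsutil shows only the default one).
$policies = Get-ADObject -SearchBase $policyContainer -LDAPFilter '(objectClass=queryPolicy)' `
                -Properties lDAPAdminLimits
foreach ($p in $policies) {
    $limits = ConvertFrom-LdapAdminLimits $p.lDAPAdminLimits
    "{0,-25} MaxQueryDuration={1,5}s  MaxPageSize={2}" -f $p.Name, $limits['MaxQueryDuration'], $limits['MaxPageSize']
}

# 2. Resolve the policy each DC uses: a link on the NTDS Settings object wins over a link
#    on the site's NTDS Site Settings object; with neither, the Default Query Policy applies.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties queryPolicyObject
    $site = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$($dc.Site),CN=Sites,$configNC" `
                -Properties queryPolicyObject
    $effective = 'Default Query Policy (no explicit link)'
    if ($site.queryPolicyObject) { $effective = $site.queryPolicyObject }
    if ($ntds.queryPolicyObject) { $effective = $ntds.queryPolicyObject }   # DC-level link wins
    "{0,-30} -> {1}" -f $dc.HostName, $effective
}

# 3. Generate ldappolicy.ldf for step 1: copy the default policy's limits and change only
#    MaxQueryDuration (in seconds; 600 = the 10 minutes mentioned in the answer above).
function New-ExtendedQueryPolicyLdif {
    param(
        [string]$PolicyName = 'Extended Timeout',
        [int]$MaxQueryDurationSeconds = 600,
        [string]$Path = '.\ldappolicy.ldf'
    )
    $default = Get-ADObject -Identity "CN=Default Query Policy,$policyContainer" -Properties lDAPAdminLimits
    $limits  = ConvertFrom-LdapAdminLimits $default.lDAPAdminLimits
    $limits['MaxQueryDuration'] = $MaxQueryDurationSeconds

    $lines = @(
        "dn: CN=$PolicyName,$policyContainer"
        'changetype: add'
        'objectClass: queryPolicy'
    )
    foreach ($k in $limits.Keys) { $lines += "lDAPAdminLimits: $k=$($limits[$k])" }

    # Plain ASCII so the file imports in ldifde's default (non-Unicode) mode without a BOM.
    $lines | Set-Content -Path $Path -Encoding ascii
    return (Resolve-Path $Path).Path
}

# Usage: New-ExtendedQueryPolicyLdif -MaxQueryDurationSeconds 600
# The generated file already carries the real configuration DN, so import it with
#   ldifde -i -f ldappolicy.ldf -v
# (no -c DC=X replacement needed), then re-run the audit in sections 1 and 2.
```

Run sections 1 and 2 before and after the change: the new policy should appear in the first listing, and the affected DC (or every DC in the site, for a site-level link) should resolve to it in the second. If the DC still shows the default policy, the link LDIF was imported against the wrong NTDS Settings DN.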
