Troubleshooting AD Powershell queries: server has returned the following error – invalid enumeration context

By Andrei Ungureanu - Last updated: Saturday, October 22, 2016

I’ve seen a lot on the web about the error in the title (server has returned the following error – invalid enumeration context), and I am writing about it because there is a lot of confusion around it.

You might see this error when you query AD from PowerShell (Get-ADUser, Get-ADComputer, etc.) and the query takes a long time to finish.

+ FullyQualifiedErrorId : The server has returned the following error: invalid enumeration context.,Microsoft.ActiveDirectory.Management.Commands.GetADUser

But if you pay attention you’ll notice the error comes up exactly after 30 minutes of script execution.

Why’s that? Simple, because somewhere there’s a timeout in Active Directory Web Services.

If you read the documentation for ADWS, you’ll notice a parameter named MaxEnumContextExpiration, which is set by default to 30 minutes.

From the documentation:

In ADWS, there are a number of configuration parameters that determine how ADWS in Windows Server 2008 R2 handles the traffic that administrators generate. Administrators can manage AD DS domains, AD LDS instances, and Active Directory Database Mounting Tool instances by using applications such as the Active Directory module or Active Directory Administrative Center. These configuration parameters are stored in the Microsoft.ActiveDirectory.WebServices.exe.config file, under %WINDIR%\ADWS directory.

You can adjust these configuration parameters by editing the Microsoft.ActiveDirectory.WebServices.exe.config file to accommodate traffic that is directed at the ADWS service in their Active Directory environments. Any changes that you make to the ADWS configuration parameters on a given domain controller affect only the ADWS service that is running on this particular domain controller. In other words, changes that you make to the Microsoft.ActiveDirectory.WebServices.exe.config file on a domain controller in a given domain or forest do not replicate to other domain controllers in this domain or forest.

MaxEnumContextExpiration parameter description: Specifies the maximum allowed time period during which the ADWS service processes and retrieves the results of a query request from a client computer.

I’ve seen several recommendations to change -ResultPageSize and -ResultSetSize in order to fix this error. Although changing those might improve the performance a little bit, if the query still takes more than 30 minutes, you’ll get the same error. Those two are still important. Why? Because you’ll need to optimize your query and make it faster.

So here are your options:

1. Try -ResultPageSize and -ResultSetSize and see if you can make the query faster.

2. Edit Microsoft.ActiveDirectory.WebServices.exe.config and increase MaxEnumContextExpiration.

3. Improve your query so that it returns fewer objects and takes less than 30 minutes. (Example: return only active objects.)

4. Sometimes a lot of processing time is spent on the client side. Think about all the pipelines in your one-liner command. Change your code to retrieve everything into a local variable in memory if possible, and then query that locally.

5. Use something other than the AD PowerShell cmdlets. Maybe the Quest ones, or query directly from .NET. And remember there’s always VBScript.
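
Options 3 and 4 combined, as an added example that is not part of the original post: the enumeration finishes first with a server-side filter and a short attribute list, and only then is the result processed from memory. The 90-day threshold, the 80% warning margin, the variable names and the output file name are assumptions made for illustration.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) is installed and a domain controller running ADWS is reachable.
Import-Module ActiveDirectory

# Pattern to avoid: per-object work inside the pipeline keeps the server-side
# enumeration context open while the client is busy, so slow client code
# counts against the 30-minute MaxEnumContextExpiration default.
#   Get-ADUser -Filter * -Properties * | ForEach-Object { <slow work> }

$adwsLimit = [TimeSpan]::FromMinutes(30)   # default stated in the post
$timer = [System.Diagnostics.Stopwatch]::StartNew()

# Option 3: filter on the server and request only the attributes needed.
# Option 4: wrapping the call in @() completes the enumeration before any
# other processing starts.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' `
                      -Properties LastLogonDate, PasswordLastSet)

$timer.Stop()
Write-Host ("Retrieved {0} users in {1:n1} minutes" -f $users.Count, $timer.Elapsed.TotalMinutes)
if ($timer.Elapsed.TotalMinutes -gt ($adwsLimit.TotalMinutes * 0.8)) {
    Write-Warning 'Enumeration is close to the ADWS limit; narrow the filter or SearchBase.'
}

# Everything below runs from memory; ADWS is no longer involved.
$cutoff = (Get-Date).AddDays(-90)          # hypothetical staleness threshold
$stale = $users |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate

$stale | Export-Csv -Path .\stale-enabled-users.csv -NoTypeInformation
```

Accounts that have never logged on have no LastLogonDate and are reported as stale by the explicit null check.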
