hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

Getting a Lot of Transient Errors from Powershell Module in local mode for plan or apply #141

Open drdamour opened 2 years ago

drdamour commented 2 years ago

I'm running on a windows host in local mode. Once I got to 10 AD groups, all my plans started randomly failing with

Get-ADGroup : A connection to the directory on which to process the request was unavailable. This is likely a transient condition.

provider "ad" {
  winrm_hostname = ""
  winrm_username = ""
  winrm_password = ""
}

I've worked around this by forcing tf to use limited parallelism, e.g. -parallelism=6, but it certainly seems like however this thing is using the powershell ad module it isn't liking it.

Terraform Version and Provider Version

Terraform v1.1.7
on windows_amd64
+ provider registry.terraform.io/hashicorp/ad v0.4.3

Windows Version

(screenshot of the Windows version)

Affected Resource(s)

Terraform Configuration Files


Debug Output

Panic Output

Expected Behavior

What should have happened?

plan should have succeeded w/o having to specify parallelism

Actual Behavior

What actually happened?

plan randomly fails with transient error message

Steps to Reproduce

  1. have tf that manages > 10 groups
  2. terraform plan

Important Factoids

References

Community Note

pvnick commented 2 years ago

I started seeing a lot of these too yesterday afternoon and into today.

gramsa49 commented 2 years ago

It appears the error comes from ADWS. ADWS is what WinRM/WinRS talk to when performing the AD operations. All Get-AD* operations are converted to LDAP queries by ADWS, and the error comes from this channel. There is a default limit of 5 concurrent sessions to LDAP, per AD DC.

There are two methods I found that I can use to address the issue:

  1. On the AD DC, update file %windir%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config. Increase the following and restart ADWS.
    • MaxConcurrentCalls
    • MaxPoolConnections
    • MaxConnectionsPerUser
  2. Increase the number of AD DCs in the AD Site where the WinRM servers reside

I plan to do both, but doing (1) alone was enough to alleviate the issues.

Parameter              Old Val   New Val
MaxPoolConnections     10        100
MaxConnectionsPerUser  5         50
MaxConcurrentCalls     32        64
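As an added example (not from the issue thread or the provider project), the following PowerShell script applies the ADWS tuning that gramsa49 describes in method (1): it backs up %windir%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config on the domain controller, raises MaxPoolConnections, MaxConnectionsPerUser and MaxConcurrentCalls to the values in the table above, prints the old and new values, and optionally restarts the ADWS service. It assumes those three keys live under `<configuration><appSettings>` as `<add key="..." value="..."/>` elements, which is how the file is laid out on the DCs I have seen; the script refuses to create a key that is not already present, so check the file if it reports a missing key. Run it in an elevated session on the DC, first with `-WhatIf` to see what would change.

```powershell
# Added example, not code from the issue or the terraform-provider-ad project.
# Assumption: MaxPoolConnections / MaxConnectionsPerUser / MaxConcurrentCalls are
# <add key="..." value="..."/> entries under <configuration><appSettings> in the
# ADWS exe.config. Requires an elevated PowerShell session on the domain controller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConfigPath = (Join-Path $env:windir 'ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'),
    # Target values taken from the table in the comment above.
    [hashtable]$Settings = @{
        MaxPoolConnections    = 100
        MaxConnectionsPerUser = 50
        MaxConcurrentCalls    = 64
    },
    # Restart ADWS after saving so the new limits take effect.
    [switch]$RestartService
)

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "ADWS config not found at $ConfigPath (is this a domain controller?)"
}

# Keep a timestamped copy so the change can be reverted.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
Write-Verbose "Backup written to $backup"

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$appSettings = $config.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw "No <appSettings> section found in $ConfigPath" }

$changed = $false
foreach ($key in $Settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if (-not $node) {
        # Do not invent a key the DC's config does not already carry.
        Write-Warning "Key '$key' is not present in appSettings; skipping"
        continue
    }
    $old = [int]$node.GetAttribute('value')
    $new = [int]$Settings[$key]
    if ($old -ge $new) {
        Write-Host ("{0,-22} {1,5}  unchanged (already >= {2})" -f $key, $old, $new)
        continue
    }
    if ($PSCmdlet.ShouldProcess("$key ($old -> $new)", 'Update ADWS appSetting')) {
        $node.SetAttribute('value', "$new")
        $changed = $true
        Write-Host ("{0,-22} {1,5} -> {2,5}" -f $key, $old, $new)
    }
}

if ($changed) {
    $config.Save($ConfigPath)
    if ($RestartService -and $PSCmdlet.ShouldProcess('ADWS', 'Restart service')) {
        Restart-Service -Name ADWS -Force
        Get-Service -Name ADWS | Select-Object Name, Status
    } else {
        Write-Host 'Config saved; restart the ADWS service for the new limits to take effect.'
    }
}
```

Raising these limits lets each DC accept more concurrent ADWS work from the WinRM hosts running the provider, so it trades the transient errors for extra load on that DC; the comment's method (2), adding DCs to the site, spreads that load instead, and the backup file lets you roll back if the higher limits cause problems.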