AAD DS - The managed domain is experiencing a network error
Problem description
Hi,
This is a bit of an emergency...
I have an azure tenant that is having issues with Azure AD Domain Services.
As is suggested, the DNS servers were configured in the VNet as custom DNS.
However, recently there was a complaint that Internet was not accessible from the Azure hosted VM.
I removed the custom DNS servers from the Vnet and switched to "Default (Azure Provided)" and Internet was accessible. However, I could not log on to the VM using my user@customdomain.com account; only with the local Admin account.
Looking at the Azure AD Domain Services Health, there are 2 Monitor messages:
Message 1:
Backup: Last backed up on Sat, 08 Sep 2018 18:51:57 GMT
Message 2:
Synchronization with Azure AD: Synchronized on Thu, 13 Sep 2018 05:59:39 GMT.
And 3 Alerts
Alert 1:
Name: The managed domain is experiencing a network error
Severity: Critical
ID: AADDS104
Raised: 9/13/2018, 10:44:19 AM
Last Detected: 9/13/2018, 5:02:03 PM
Issue: Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user defined route that blocks incoming traffic from the internet.
Resolution: Refer to the following article to resolve this issue: Troubleshooting Alerts - Network Error
Alert 2:
Name: The managed domain has not been backed up for a long time
Severity: Warning
ID: AADDS501
Raised: 9/14/2018, 4:51:57 AM
Last Detected: 9/14/2018, 3:36:16 PM
Issue: The managed domain was last backed up on 9/8/2018 6:51:57 PM.
Resolution: Refer to the following article to resolve this issue: Active Directory Domain Services article
Alert 3:
Name: The managed domain is suspended
Severity: Critical
ID: AADDS504
Raised: 9/13/2018, 5:06:11 PM
Last Detected: 9/14/2018, 3:36:16 PM
Issue: The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.
Resolution: Refer to the following article to resolve this issue: Active Directory Domain Services article
After doing some research, I was able to ascertain that all 3 ports required for AD Synchronisation (443, 3389, 5986) are defined in the incoming rules of the NSG.
From the Monitor message, the synchronisation was done but the backup was not done for less than a week (if you compare the 2 dates between the backup and the sync).
Apparently, according to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-suspension, if the issue is not resolved, the managed domain is at risk of being deleted in less than 15 days.
Of course we would like to avoid this but it seems that the only way we can get this resolved is by having the domain controllers backed up. BUT HOW CAN WE DO THIS!!!?? This is an Azure AD DS managed domain.
The same above-mentioned article says the following about a managed domain that is in a "suspended" state:
The "Suspended" state
A managed domain is put in the Suspended state for the following reasons:
- One or more critical alerts haven't been resolved in 15 days. Critical alerts can be caused by a misconfiguration that blocks access to resources that are needed by Azure AD DS.
- For example, the alert AADDS104: Network Error has been unresolved for more than 15 days in the managed domain.
- There's a billing issue with your Azure subscription or your Azure subscription has expired.
Managed domains are suspended when Microsoft is unable to manage, monitor, patch, or back up the domain on an ongoing basis.
What to expect
- Domain controllers for your managed domain are de-provisioned and aren't reachable within the virtual network.
- Secure LDAP access to the managed domain over the internet (if it's enabled) stops working.
- You notice failures in authenticating to the managed domain, logging on to domain-joined virtual machines, or connecting over LDAP/LDAPS.
- Backups for your managed domain are no longer taken.
- Synchronization with Azure AD stops.
After you resolve the alert, your managed domain goes into the "Suspended" state. Then you need to contact support. Support might restore your managed domain, but only if a backup that is less than 30 days old exists.
The managed domain only stays in a suspended state for 15 days. To recover your managed domain, Microsoft recommends that you resolve critical alerts immediately.
We have a 'Basic' support plan and there were absolutely no changes made in the Azure portal. So in order for us to have this investigated by Azure support, we have to buy a Support Plan? For something that we didn't break?
Thank you all for your help,
Karim.
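The post says the three inbound ports (443, 3389, 5986) are "defined" in the NSG, but NSG rules are evaluated in ascending priority order with the first match winning, so an allow rule that exists can still be overridden by a deny with a lower priority number. The following is an added example, not code from the post or from Microsoft: it audits an exported rule set offline using the NSG property names (name, priority, direction, access, protocol, destinationPortRange) against constructed sample rules; it assumes TCP and ignores source addresses and service tags, which a full check would also have to compare.

```python
# Added example (not from the post): offline audit of exported NSG inbound rules
# for the three ports the post names. Mimics NSG evaluation: ascending priority,
# first match wins, and the built-in DenyAllInBound (65500) catches the rest.
# Simplification: source address / service tag matching is not modelled here.
REQUIRED_INBOUND_PORTS = (443, 3389, 5986)

def port_matches(spec: str, port: int) -> bool:
    """True if a destinationPortRange value ("443", "3000-4000", "*") covers port."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def effective_access(rules, port, protocol="Tcp"):
    """(access, rule name) of the first inbound rule matching port/protocol."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        if port_matches(r["destinationPortRange"], port):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"  # Azure default inbound rule, priority 65500

def blocked_ports(rules, ports=REQUIRED_INBOUND_PORTS):
    """Map each required port that does not end up allowed to the rule blocking it."""
    result = {}
    for p in ports:
        access, name = effective_access(rules, p)
        if access != "Allow":
            result[p] = name
    return result

def rule(name, priority, access, dest, protocol="Tcp", direction="Inbound"):
    """Build a rule dict using the NSG property names (constructed sample data)."""
    return {"name": name, "priority": priority, "direction": direction,
            "access": access, "protocol": protocol, "destinationPortRange": dest}

# Constructed sample: 443 and 5986 are allowed, but a deny with a lower
# priority number outranks the 3389 allow, so 3389 ends up blocked.
SAMPLE_RULES = [
    rule("AllowSyncWithAzureAD", 101, "Allow", "443"),
    rule("AllowPSRemoting", 301, "Allow", "5986"),
    rule("DenyInternetMgmt", 200, "Deny", "3389"),
    rule("AllowRDP", 201, "Allow", "3389"),
]

if __name__ == "__main__":
    for port, name in blocked_ports(SAMPLE_RULES).items():
        print(f"port {port} is not reachable: first matching rule is {name}")
```

Feed it the rules of the NSG attached to the AAD DS subnet instead of SAMPLE_RULES; any port it reports is effectively closed regardless of how many allow rules mention it.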