Azure Domain Services creation PowerShell script fails with "resource operation completed with terminal provisioning state 'Failed'"

Joe Miller 1 Reputation point
2019-12-02T08:43:47.597+00:00

I'm trying to create a domain service instance according to the code at:
Enable Azure Active Directory Domain Services using PowerShell

I posted this on github but was told to post it here instead.

I'm using this PowerShell script to create my domain services because my domain name is longer than 15 chars. I'm using this code verbatim with no changes except for the top lines marked:
'Change the following values to match your deployment.'

I've executed the code above multiple times on different days and receive the same error.
In all attempts, I started with an empty subscription, with no res groups or any other entities.
I've always deleted the failed resource group and waited at least one hour between runs.

In the empty subscription, the PowerShell script typically runs for 15-20 mins, then issues a 'Write Domain Service' error. The relevant part of the error JSON appears to be:

```json
{
  "status": "Failed",
  "error": {
    "code": "ResourceOperationFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "InternalError",
        "message": "Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.42.25.107:5986"
      }
    ]
  }
}
```

Googling the above error doesn't get me very far. I've already read and followed the links that usually show up. Some of the links talk about testing my vnet settings.

This link says:

> I would suggest checking all your network connections and if you have any unique connections.

How would I check my network connections? What does 'unique connections' mean?
No vnet exists before I run the script and there is no existing entity to check a vnet against if it did exist. The script creates the needed vnet and the vnet always looks correct after it's created.

One possible factor: 3-4 days ago we deleted an existing subscription that contained a domain service instance also created from this script using the same long domain name. This domain service instance was created successfully at the time, but for unrelated reasons, we needed to create a new subscription and decided to put the domain in the new one. The deleted subscription still appears on the home page with status Disabled.

As required, I deleted all res groups in the subscription before deleting the subscription.

Also NOTE: If I replace my preferred domain name with a shorter (or at least a different) domain name that is also registered as a custom domain name in azure ad, the script completes and the domain services instance is created successfully.

Could the preferred domain name be locked to the deleted subscription in some way? How would I check this?

The full 'Write Domain Service' json error is available at the github link.

Thanks for your help.

Microsoft Entra

5 answers

  1. Erin Greenlee 26 Reputation points Microsoft Employee
    2019-12-02T18:37:06.767+00:00

    First off, let's address the 15 character limit: Using the PowerShell script is NOT a workaround for this. The reason for the 15 character limit is due to the limitation of Windows AD and NetBIOS. If the 15 character limit is ignored, the NetBIOS name will be truncated and could affect how your applications work.

    However, it's not a limit for your entire domain name, it's just a limit for the first portion of your domain name. For example, aadds.aaddsMyDomainNameIsLongerThan15Characters.com is fine, since "aadds" is only 15 characters. Since having the prefix is a subdomain, you would want to have a domain name different than your public domain name, so you don't have DNS resolution errors. A lot of this is discussed in our documentation: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-an-instance

    Can you try out one of those fixes and see if it works for you?


  2. Harm Hartsuiker 1 Reputation point
    2019-12-03T09:36:51.38+00:00

    I'm getting the same error. My domain is not longer than 15 chars.

    Tested some things.

    When using location westus, everything works.
    When using location westeurope, it breaks with:

    ```json
    "statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalError\",\"message\":\"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 51.105.197.205:5986\"}]}}"
    ```

    I'm using the PowerShell from:

    https://learn.microsoft.com/nl-nl/azure/active-directory-domain-services/powershell-create-instance


  3. Jason Kindler 1 Reputation point
    2020-08-11T12:42:20.107+00:00

    I received the same error message while deploying Azure AD Domain Services from the Azure portal. Seems to me this is an error in the deployment steps within Microsoft. Would be useful to know what the PowerShell script is attempting to test so we can make sure the connectivity is appropriately configured to allow the test to complete.


  4. w8o51y7f 1 Reputation point
    2020-08-14T08:44:46.277+00:00

    I'm having exactly the same problem deploying an AADDS server via a template. I'm not sure it is to do with the region as I had it working initially, then it began to fail - all in the same region. Creating the AADDS manually works, but downloading the template and deploying that now fails (although it worked the first time I tried this).

    One thing to watch for is that it appears to create various bits of hidden infrastructure in an invisible resource group - when I tried deleting some of the visible bits of infrastructure (e.g. IP addresses for the AADDS) I received a warning about a virtual machine still using that IP in a strangely-named resource group that I couldn't see in the front end. Perhaps these aren't all being cleaned up properly when you delete the server/resource group?


  5. francismh 1 Reputation point
    2021-05-11T11:49:47.83+00:00

    Hi,

    I am running into the same issue while attempting to deploy AADDS to the westeurope region via Pulumi:

    ```text
    "azure-native:aad:DomainService (domainService):
    error: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.73.227.193:5986"
    ```

    Update - I was missing the association between the subnet and the network security group.
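
The posts above point at network configuration as the cause: the provisioning step tests connectivity to the new domain controller over PowerShell remoting (TCP 5986), and the last answer found the subnet was not associated with its network security group. The following script is an added example for this thread, not code from any of the posts, from Microsoft's documented script or from Pulumi: it checks that the AAD DS subnet has an NSG attached and that the NSG contains the inbound allow rules from the `AzureActiveDirectoryDomainServices` service tag that the managed domain needs (TCP 443 for synchronisation, TCP 5986 for the management channel named in the error). The resource group, VNet and subnet names are placeholders, and it assumes an authenticated session with the Az.Network module loaded.

```powershell
# Added example (not from this thread or Microsoft's script). Verifies the
# network prerequisites behind the "connectivity through PowerShell ... :5986"
# failure: NSG attached to the AAD DS subnet, and inbound rules from the
# AzureActiveDirectoryDomainServices service tag for TCP 443 and 5986.
# Requires: Az.Network module, Connect-AzAccount already done.

$ResourceGroupName = "myResourceGroup"   # placeholder: your resource group
$VnetName          = "myVnet"            # placeholder: your virtual network
$SubnetName        = "DomainServices"    # placeholder: the AAD DS subnet

function Test-AaddsSubnetNetworking {
    param(
        [string]$ResourceGroupName,
        [string]$VnetName,
        [string]$SubnetName,
        [switch]$Fix   # when set, attach the NSG found in the resource group and add missing rules
    )

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

    # 1. The subnet must reference an NSG. Without it the management endpoint
    #    cannot reach the domain controller and provisioning ends in 'Failed'.
    if (-not $subnet.NetworkSecurityGroup) {
        Write-Warning "Subnet '$SubnetName' has no network security group associated."
        if (-not $Fix) { return $false }

        # Assumption for the fix: exactly one NSG exists in the resource group.
        $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName | Select-Object -First 1
        if (-not $nsg) { Write-Warning "No NSG found to associate."; return $false }

        Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
            -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
        $vnet = $vnet | Set-AzVirtualNetwork
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
        Write-Host "Associated NSG '$($nsg.Name)' with subnet '$SubnetName'."
    }

    # The subnet only carries the NSG's resource ID; resolve it to the object.
    $nsgName = ($subnet.NetworkSecurityGroup.Id -split '/')[-1]
    $nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $nsgName

    # 2. Inbound rules the managed domain needs from the service tag.
    #    Keyed by destination port; value is a rule name used if -Fix adds it.
    $required = [ordered]@{
        '443'  = 'AllowSyncWithAzureAD'
        '5986' = 'AllowPSRemoting'
    }
    $ok = $true
    $priority = 300

    foreach ($port in $required.Keys) {
        # Note: this matcher checks exact port entries or '*'; a range such as
        # "5985-5986" would not be recognised and would be reported as missing.
        $match = $nsg.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Access    -eq 'Allow'   -and
            ($_.Protocol -eq 'Tcp' -or $_.Protocol -eq '*') -and
            $_.SourceAddressPrefix -contains 'AzureActiveDirectoryDomainServices' -and
            ($_.DestinationPortRange -contains $port -or $_.DestinationPortRange -contains '*')
        }
        if ($match) {
            Write-Host "OK: inbound TCP $port from AzureActiveDirectoryDomainServices ($($match[0].Name))"
            continue
        }
        $ok = $false
        Write-Warning "Missing inbound allow rule for TCP $port from AzureActiveDirectoryDomainServices"
        if ($Fix) {
            $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $required[$port] `
                -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
                -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
                -DestinationAddressPrefix '*' -DestinationPortRange $port
            $priority++
            $ok = $true
        }
    }
    if ($Fix) { $nsg | Set-AzNetworkSecurityGroup | Out-Null }
    return $ok
}

# Report only; add -Fix to associate the NSG and create the missing rules.
Test-AaddsSubnetNetworking -ResourceGroupName $ResourceGroupName -VnetName $VnetName -SubnetName $SubnetName
```

Run it without `-Fix` first so you can see what is actually wrong before changing anything. The rules use the service tag rather than the IP address printed in the error, because that address belongs to the deployment being tested and is not a stable value to allow-list.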