JoeMiller-4485 asked:

Azure domain services creation PowerShell script fails with "resource operation completed with terminal provisioning state 'Failed'"

I'm trying to create a domain service instance according to the code at:
Enable Azure Active Directory Domain Services using PowerShell

I posted this on GitHub but was told to post it here instead.

I'm using this PowerShell script to create my domain services because my domain name is longer than 15 chars. I'm using this code verbatim with no changes except for the top lines marked:
'Change the following values to match your deployment.'

I've executed the code above multiple times on different days and receive the same error.
In all attempts, I started with an empty subscription, with no res groups or any other entities.
I've always deleted the failed resource group and waited at least one hour between runs.

In the empty subscription, the PowerShell script typically runs for 15-20 mins, then issues a 'Write Domain Service' error. The relevant part of the error JSON appears to be:

    {
      "status": "Failed",
      "error": {
        "code": "ResourceOperationFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "InternalError",
            "message": "Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.42.25.107:5986"
          }
        ]
      }
    }

Googling the above error doesn't get me very far. I've already read and followed the links that usually show up. Some of the links talk about testing my vnet settings.

This link says:

I would suggest checking all your network connections and if you have any unique connections.

How would I check my network connections? What does 'unique connections' mean?
No vnet exists before I run the script and there is no existing entity to check a vnet against if it did exist. The script creates the needed vnet and the vnet always looks correct after it's created.

One possible factor: 3-4 days ago we deleted an existing subscription that contained a domain service instance also created from this script using the same long domain name. This domain service instance was created successfully at the time, but for unrelated reasons, we needed to create a new subscription and decided to put the domain in the new one. The deleted subscription still appears on the home page with status Disabled.

As required, I deleted all res groups in the subscription before deleting the subscription.

Also NOTE: If I replace my preferred domain name with a shorter (or at least a different) domain name that is also registered as a custom domain name in Azure AD, the script completes and the domain services instance is created successfully.

Could the preferred domain name be locked to the deleted subscription in some way? How would I check this?

The full 'Write Domain Service' JSON error is available at the GitHub link.

Thanks for your help.


azure-ad-domain-services

eringreenlee answered:

First off, let's address the 15 character limit: Using the PowerShell script is NOT a workaround for this. The reason for the 15 character limit is due to the limitation of Windows AD and NetBIOS. If the 15 character limit is ignored, the NetBIOS name will be truncated and could affect how your applications work.

However, it's not a limit for your entire domain name, it's just a limit for the first portion of your domain name. For example, aadds.aaddsMyDomainNameIsLongerThan15Characters.com is fine, since "aadds" is only 15 characters. Since having the prefix is a subdomain, you would want to have a domain name different than your public domain name, so you don't have DNS resolution errors. A lot of this is discussed in our documentation: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-an-instance

Can you try out one of those fixes and see if it works for you?


HarmHartsuiker-2961 answered:

I'm getting the same error. My domain is not longer than 15 chars.

Tested some things.

When using location westus, everything works.
When using location westeurope, it breaks with:

"statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalError\",\"message\":\"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 51.105.197.205:5986\"}]}}"

I'm using the PowerShell from:

https://docs.microsoft.com/nl-nl/azure/active-directory-domain-services/powershell-create-instance

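Both errors quoted above report a failed connection to the managed domain controller on TCP 5986, the port used for PowerShell remoting. One network check that fits the "check your network connections" advice is whether the network security group on the domain services subnet lets that traffic in. The following is an added example, not part of the original posts or of the Microsoft script: the function name `Test-NsgInboundAllowed` and the sample rules are constructed, and it assumes the management traffic arrives from the `AzureActiveDirectoryDomainServices` service tag.

```powershell
# Added example. Evaluates inbound NSG rules in priority order (lowest number
# first, first match decides) for TCP 5986 from the Azure AD DS service tag.
# Simplification: a rule's source matches only when it names the tag itself or '*';
# CIDR ranges and other tags (for example 'Internet') are not resolved.
function Test-NsgInboundAllowed {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [int]    $Port   = 5986,
        [string] $Source = 'AzureActiveDirectoryDomainServices'
    )
    $inbound = $Rules | Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Priority
    foreach ($rule in $inbound) {
        if ($rule.Protocol -notin @('Tcp', '*')) { continue }
        if (-not (@($rule.SourceAddressPrefix) | Where-Object { $_ -in @($Source, '*') })) { continue }
        $portMatch = $false
        foreach ($range in @($rule.DestinationPortRange)) {
            if ($range -eq '*' -or $range -eq "$Port") { $portMatch = $true }
            elseif ($range -match '^(\d+)-(\d+)$') {
                if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { $portMatch = $true }
            }
        }
        if (-not $portMatch) { continue }
        return [pscustomobject]@{
            Allowed = ($rule.Access -eq 'Allow'); Rule = $rule.Name; Priority = $rule.Priority
        }
    }
    # No custom rule matched: the default DenyAllInBound rule blocks external sources.
    return [pscustomobject]@{ Allowed = $false; Rule = 'DenyAllInBound (default)'; Priority = 65500 }
}

# Constructed sample rules, shaped like the SecurityRules of an NSG object.
# Real input: (Get-AzNetworkSecurityGroup -ResourceGroupName <rg> -Name <nsg>).SecurityRules
$common = @{ Direction = 'Inbound'; Protocol = 'Tcp' }
$sampleRules = @(
    [pscustomobject](@{ Name = 'AllowRdp'; Priority = 201; Access = 'Allow'
        SourceAddressPrefix = @('CorpNetSaw'); DestinationPortRange = @('3389') } + $common)
    [pscustomobject](@{ Name = 'DenyHighPorts'; Priority = 250; Access = 'Deny'
        SourceAddressPrefix = @('*'); DestinationPortRange = @('5000-6000') } + $common)
    [pscustomobject](@{ Name = 'AllowPsRemoting'; Priority = 301; Access = 'Allow'
        SourceAddressPrefix = @('AzureActiveDirectoryDomainServices')
        DestinationPortRange = @('5986') } + $common)
)

# The allow rule for 5986 exists but is shadowed by a broader deny at a lower priority number.
Test-NsgInboundAllowed -Rules $sampleRules | Format-List
```

The sample set is built so that the deciding rule is the shadowing deny rather than the allow rule for 5986, which is the case a quick look at the rule list tends to miss.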