Known issues: Network configuration alerts in Azure Active Directory Domain Services
To let applications and services correctly communicate with an Azure Active Directory Domain Services (Azure AD DS) managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of an Azure AD DS managed domain shows an alert if the required network security group rules aren't in place.
This article helps you understand and resolve common alerts for network security group configuration issues.
Alert AADDS104: Network error
Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.
Invalid network security group rules are the most common cause of network errors for Azure AD DS. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Azure AD directory and Azure AD DS is also impacted. Make sure you keep the default ports open to avoid interruption in service.
Default security rules
The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Azure AD DS secure and allow the Azure platform to monitor, manage, and update the managed domain.
Inbound security rules
You may also have an additional rule that allows inbound traffic if you configure secure LDAP. This additional rule is required for the correct LDAPS communication.
Outbound security rules
Azure AD DS needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network.
Verify and edit existing security rules
To verify the existing security rules and make sure the default ports are open, complete the following steps:
In the Azure portal, search for and select Network security groups.
Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.
On the Overview page, the existing inbound and outbound security rules are shown.
Review the inbound and outbound rules and compare to the list of required rules in the previous section. If needed, select and then delete any custom rules that block required traffic. If any of the required rules are missing, add a rule in the next section.
After you add or delete rules to allow the required traffic, the managed domain's health automatically updates itself within two hours and removes the alert.
Add a security rule
To add a missing security rule, complete the following steps:
- In the Azure portal, search for and select Network security groups.
- Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.
- Under Settings in the left-hand panel, click Inbound security rules or Outbound security rules depending on which rule you need to add.
- Select Add, then create the required rule based on the port, protocol, direction, etc. When ready, select OK.
It takes a few moments for the security rule to be added and show in the list.
If you still have issues, open an Azure support request for additional troubleshooting assistance.