[Question title]: Azure Active Directory Domain Services: The operation failed because resource is in the: 'Failed' state
[Posted]: 2021-05-26 20:25:36
[Question]:

When I run this cmdlet from a PowerShell script,

New-AzResource -ResourceId "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.AAD/DomainServices/xxxxx.xxxxxxxx.com" `
    -Location eastus2 `
    -Properties @{"DomainName"="xxxxx.xxxxxxxx.com"; "SubnetId"="/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.Network/virtualNetworks/will-vnet/subnets/will-core-subnet"} `
    -ApiVersion 2017-06-01 -Force -Verbose

I get this error:

New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details.
At C:\tf\advantage\dev\deploy\scripts\Azure-Functions.ps1:89 char:5
+     New-AzResource -ResourceId "/subscriptions/$subscription/resource ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzResource], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

The resources it depends on exist; I created them earlier in the script. I can create the Domain Services resource manually through the Azure portal, but creating it with the PowerShell cmdlet does not work.

In the portal the resource shows: "The managed domain is in a failed state. Please contact support with your Azure AD tenant ID and the domain name of the managed domain."

[Image: Failed Domain in the portal]

[Discussion]:

    Tags: azure powershell


    [Solution 1]:

    To create Azure Active Directory Domain Services with PowerShell you can use the built-in cmdlet New-AzADDomainService directly; you also need to create some required Azure AD resources first.

    Example:

    # Change the following values to match your deployment.
    $AaddsAdminUserUpn = "admin@contoso.onmicrosoft.com"
    $ResourceGroupName = "myResourceGroup"
    $VnetName = "myVnet"
    $AzureLocation = "westus"
    $AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
    $ManagedDomainName = "aaddscontoso.com"
    
    # Connect to your Azure AD directory.
    Connect-AzureAD
    
    # Login to your Azure subscription.
    Connect-AzAccount
    
    # Create the service principal for Azure AD Domain Services.
    New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
    
    # First, retrieve the object ID of the 'AAD DC Administrators' group.
    $GroupObjectId = Get-AzureADGroup `
      -Filter "DisplayName eq 'AAD DC Administrators'" | `
      Select-Object ObjectId
    
    # Create the delegated administration group for Azure AD Domain Services if it doesn't already exist.
    if (!$GroupObjectId) {
      $GroupObjectId = New-AzureADGroup -DisplayName "AAD DC Administrators" `
        -Description "Delegated group to administer Azure AD Domain Services" `
        -SecurityEnabled $true `
        -MailEnabled $false `
        -MailNickName "AADDCAdministrators"
      }
    else {
      Write-Output "Admin group already exists."
    }
    
    # Now, retrieve the object ID of the user you'd like to add to the group.
    $UserObjectId = Get-AzureADUser `
      -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
      Select-Object ObjectId
    
    # Add the user to the 'AAD DC Administrators' group.
    Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
    
    # Register the resource provider for Azure AD Domain Services with Resource Manager.
    Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
    
    # Create the resource group.
    New-AzResourceGroup `
      -Name $ResourceGroupName `
      -Location $AzureLocation
    
    # Create the dedicated subnet for AAD Domain Services.
    $SubnetName = "DomainServices"
    $AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
      -Name $SubnetName `
      -AddressPrefix 10.0.0.0/24
    
    $WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
      -Name Workloads `
      -AddressPrefix 10.0.1.0/24
    
    # Create the virtual network in which you will enable Azure AD Domain Services.
    $Vnet=New-AzVirtualNetwork `
      -ResourceGroupName $ResourceGroupName `
      -Location $AzureLocation `
      -Name $VnetName `
      -AddressPrefix 10.0.0.0/16 `
      -Subnet $AaddsSubnet,$WorkloadSubnet
    
    $NSGName = "aaddsNSG"
    
    # Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
    $nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
        -Access Allow `
        -Protocol Tcp `
        -Direction Inbound `
        -Priority 201 `
        -SourceAddressPrefix CorpNetSaw `
        -SourcePortRange * `
        -DestinationAddressPrefix * `
        -DestinationPortRange 3389
    
    # Create a rule to allow TCP port 5986 traffic for PowerShell remote management
    $nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
        -Access Allow `
        -Protocol Tcp `
        -Direction Inbound `
        -Priority 301 `
        -SourceAddressPrefix AzureActiveDirectoryDomainServices `
        -SourcePortRange * `
        -DestinationAddressPrefix * `
        -DestinationPortRange 5986
    
    # Create the network security group and rules
    $nsg = New-AzNetworkSecurityGroup -Name $NSGName `
        -ResourceGroupName $ResourceGroupName `
        -Location $AzureLocation `
        -SecurityRules $nsg201,$nsg301
    
    # Get the existing virtual network resource objects and information
    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
    $addressPrefix = $subnet.AddressPrefix
    
    # Associate the network security group with the virtual network subnet
    Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
        -VirtualNetwork $vnet `
        -AddressPrefix $addressPrefix `
        -NetworkSecurityGroup $nsg
    $vnet | Set-AzVirtualNetwork
    
    # Enable Azure AD Domain Services for the directory.
    # New-AzADDomainServiceReplicaSetObject and New-AzADDomainService come from the
    # Az.ADDomainServices module (Install-Module Az.ADDomainServices).
    $replicaSetParams = @{
      Location = $AzureLocation
      SubnetId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"
    }
    $replicaSet = New-AzADDomainServiceReplicaSetObject @replicaSetParams
    
    $domainServiceParams = @{
      Name = $ManagedDomainName
      ResourceGroupName = $ResourceGroupName
      DomainName = $ManagedDomainName
      ReplicaSet = $replicaSet
    }
    New-AzADDomainService @domainServiceParams
    

    Reference - Enable Azure Active Directory Domain Services using PowerShell

    [Discussion]:

    • If my reply was helpful, please accept it as the answer (click the mark next to the reply to switch it from grey to filled in); see meta.stackexchange.com/questions/5234/… This may benefit other community members. Thanks.
    • I tried this before; let me try it again and see whether it works. Thanks!
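    Before rerunning either the New-AzResource call from the question or the script above, it helps to find out why the existing managed domain ended up in the 'Failed' state, since a failed Microsoft.AAD/DomainServices resource blocks a second deployment under the same name. The following script is an added example, not code from the original post or from Microsoft's documentation. It assumes the Az.Accounts, Az.Resources, Az.Network and Az.Monitor modules are installed and Connect-AzAccount has been run; the subscription ID, resource group, VNet and subnet names are placeholders taken from the question, and the app ID is the 'Domain Controller Services' application ID used in the answer above.

```powershell
# Added example: diagnose a Microsoft.AAD/DomainServices resource stuck in 'Failed'
# and check the prerequisites that commonly cause it, before retrying the deployment.
# Assumes Az.Accounts, Az.Resources, Az.Network and Az.Monitor; values are placeholders.
param(
    [string]$SubscriptionId    = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$ResourceGroupName = "will-vnet-rg",
    [string]$ManagedDomainName = "aaddscontoso.com",
    [string]$VnetName          = "will-vnet",
    [string]$SubnetName        = "will-core-subnet",
    [switch]$RemoveFailed      # delete the failed resource so it can be recreated
)
$ErrorActionPreference = 'Stop'

$aaddsAppId = "2565bd9d-da50-47d4-8b85-4c97f669dc36"   # 'Domain Controller Services' app ID
$resourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"

# 1. The Microsoft.AAD resource provider must be registered in this subscription.
$rpStates = Get-AzResourceProvider -ProviderNamespace Microsoft.AAD |
            Select-Object -ExpandProperty RegistrationState -Unique
if ($rpStates -ne 'Registered') { Write-Warning "Microsoft.AAD registration state: $rpStates" }

# 2. The AAD DS service principal must exist in the tenant (the answer creates it with
#    New-AzureADServicePrincipal; Get-AzADServicePrincipal checks it without the AzureAD module).
if (-not (Get-AzADServicePrincipal -ApplicationId $aaddsAppId)) {
    Write-Warning "Service principal for app $aaddsAppId is missing; create it before deploying."
}

# 3. The subnet should be dedicated: no other NICs and no route table. An NSG is fine as long
#    as it does not block the AzureActiveDirectoryDomainServices service tag.
$vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
if ($subnet.IpConfigurations.Count -gt 0) {
    Write-Warning "Subnet $SubnetName already has $($subnet.IpConfigurations.Count) IP configurations; AAD DS wants a dedicated subnet."
}
if ($subnet.RouteTable) { Write-Warning "Subnet $SubnetName has a route table attached; this can break DC provisioning." }

# 4. Read the provisioning state straight from ARM; Get-AzResource works even when
#    Az.ADDomainServices is not installed.
$existing = Get-AzResource -ResourceId $resourceId -ExpandProperties -ErrorAction SilentlyContinue
if ($existing) {
    $state = $existing.Properties.provisioningState
    Write-Host "Existing managed domain '$ManagedDomainName' is in state: $state"

    # 5. "Please check the logs" refers to the activity log: list the failed operations
    #    on this resource with their status message (fields as exposed by Get-AzLog).
    Get-AzLog -ResourceId $resourceId -StartTime (Get-Date).AddDays(-7) |
        Where-Object { $_.Status.Value -eq 'Failed' } |
        Select-Object EventTimestamp, OperationName, SubStatus,
                      @{ n = 'Message'; e = { $_.Properties.Content['statusMessage'] } } |
        Format-List

    if ($state -eq 'Failed' -and $RemoveFailed) {
        # A managed domain in 'Failed' cannot be updated in place; delete it and create it again.
        Remove-AzResource -ResourceId $resourceId -Force
        Write-Host "Removed failed resource; rerun the deployment once the delete has completed."
    }
}
else {
    Write-Host "No Microsoft.AAD/DomainServices resource named '$ManagedDomainName' exists yet."
}
```

    Run it once without -RemoveFailed to read the activity-log status messages; only after the cause (unregistered provider, missing service principal, shared subnet, route table) is fixed is it worth passing -RemoveFailed and redeploying.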

    If you also run into this problem, I found a workaround. I'm not sure what is wrong with the New-AzResource cmdlet I wrote, but I ended up creating the Domain Services resource manually in the portal and then downloading the JSON template. I tried to convert it to Bicep with the decompiler, but for whatever reason it wouldn't accept it. To get around that, I wrote a Bicep file by hand to create the Domain Services resource.

    New-AzResourceGroupDeployment -ResourceGroupName $vnetResourceGroup `
        -TemplateFile "C:\dev\pub\Bicep Files\domain.bicep" `
        -shortName $shortName `
        -managedDomainName $managedDomainName `
        -location $location `
        -subnetAddressPrefix "$($coreSubnet.AddressPrefix)"
    

    If you need help writing a Bicep file for Domain Services, use this link

    [Discussion]:
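    The Bicep file from Solution 2 is not included in the post. As an added example, not the answerer's file, here is the same kind of template-based deployment expressed as an ARM template object and pushed with New-AzResourceGroupDeployment, with the managed domain's security settings set explicitly instead of left at service defaults. Property names follow the Microsoft.AAD/domainServices ARM schema for apiVersion 2021-05-01, where the subnet is supplied through replicaSets rather than the top-level SubnetId the question's 2017-06-01 call used; subscription ID, resource group, VNet and subnet names are placeholders.

```powershell
# Added example: deploy Microsoft.AAD/domainServices from an in-memory ARM template,
# validate it first, and set the domain security settings explicitly. Placeholders below.
param(
    [string]$SubscriptionId    = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$ResourceGroupName = "will-vnet-rg",
    [string]$ManagedDomainName = "aaddscontoso.com",
    [string]$Location          = "eastus2",
    [string]$VnetName          = "will-vnet",
    [string]$SubnetName        = "DomainServices",
    [switch]$Deploy            # without this switch only validate and show the what-if result
)
$ErrorActionPreference = 'Stop'

$subnetId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/$SubnetName"

# Template as a hashtable; -TemplateObject serialises it to JSON for ARM.
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        managedDomainName = @{ type = 'string' }
        location          = @{ type = 'string' }
        subnetId          = @{ type = 'string' }
    }
    resources = @(
        @{
            type       = 'Microsoft.AAD/domainServices'
            apiVersion = '2021-05-01'
            name       = "[parameters('managedDomainName')]"
            location   = "[parameters('location')]"
            properties = @{
                domainName   = "[parameters('managedDomainName')]"
                sku          = 'Standard'
                filteredSync = 'Disabled'
                # Newer API versions take the subnet through replicaSets, not a top-level SubnetId.
                replicaSets  = @(
                    @{ location = "[parameters('location')]"; subnetId = "[parameters('subnetId')]" }
                )
                # Hardening: switch off the legacy protocols the service otherwise leaves on.
                domainSecuritySettings = @{
                    ntlmV1                = 'Disabled'   # no NTLMv1 authentication
                    tlsV1                 = 'Disabled'   # no TLS 1.0 for secure LDAP
                    kerberosRc4Encryption = 'Disabled'   # AES-only Kerberos tickets
                    syncKerberosPasswords = 'Enabled'
                    syncOnPremPasswords   = 'Enabled'
                    syncNtlmPasswords     = 'Enabled'    # set to 'Disabled' if nothing needs NTLM
                }
                notificationSettings = @{
                    notifyDcAdmins     = 'Enabled'
                    notifyGlobalAdmins = 'Enabled'
                }
            }
        }
    )
}

$templateParams = @{
    managedDomainName = $ManagedDomainName
    location          = $Location
    subnetId          = $subnetId
}

# Validate first: property and schema mistakes are rejected here instead of producing a
# resource that lands in the 'Failed' state and blocks further attempts under the same name.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateObject $template -TemplateParameterObject $templateParams
if ($validation) { $validation | Format-List; throw "Template validation failed." }

# -WhatIf shows the planned changes; pass -Deploy to actually create the managed domain.
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -Name "aadds-$ManagedDomainName" `
    -TemplateObject $template -TemplateParameterObject $templateParams `
    -WhatIf:(-not $Deploy) -Verbose
```

    The first replicaSets entry must use the same location as the resource itself. If the deployment still fails, the activity log for the Microsoft.AAD/DomainServices resource carries the status message behind the generic "resource is in the: 'Failed' state" error.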
