Azure Active Directory 域服务：操作失败，因为资源处于：“失败”状态

Question

当我使用 powershell 脚本运行此 cmdlet 时，

New-AzResource -ResourceId "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.AAD/DomainServices/xxxxx.xxxxxxxx.com" -Location eastus2 -Properties @{"DomainName"="xxxxx.xxxxxxxx.com"; "SubnetId"="/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.Network/virtualNetworks/will-vnet/subnets/will-core-subnet"} -ApiVersion 2017-06-01 -Force -Verbose

我收到此错误，

New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details.
At C:\tf\advantage\dev\deploy\scripts\Azure-Functions.ps1:89 char:5
+     New-AzResource -ResourceId "/subscriptions/$subscription/resource ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzResource], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

它所依赖的资源存在，我在脚本的前面创建了它们。我可以通过 Azure 门户手动创建域服务，但是，使用 powershell cmdlet 创建它不起作用。

在门户中，资源显示“托管域处于故障状态。请使用您的 Azure AD 租户 ID 和托管域的域名联系支持人员。”

Failed Domain in the portal

Answer 1

要使用powershell创建Azure Active Directory域服务，可以直接使用内置的powershell命令New-AzADDomainService，另外还需要先创建一些需要的Azure AD资源。

示例：

# Change the following values to match your deployment.
$AaddsAdminUserUpn = "admin@contoso.onmicrosoft.com"
$ResourceGroupName = "myResourceGroup"
$VnetName = "myVnet"
$AzureLocation = "westus"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "aaddscontoso.com"

# Connect to your Azure AD directory.
Connect-AzureAD

# Login to your Azure subscription.
Connect-AzAccount

# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"

# First, retrieve the object ID of the 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
  -Filter "DisplayName eq 'AAD DC Administrators'" | `
  Select-Object ObjectId

# Create the delegated administration group for Azure AD Domain Services if it doesn't already exist.
if (!$GroupObjectId) {
  $GroupObjectId = New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true `
    -MailEnabled $false `
    -MailNickName "AADDCAdministrators"
  }
else {
  Write-Output "Admin group already exists."
}

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
  -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
  Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

# Create the resource group.
New-AzResourceGroup `
  -Name $ResourceGroupName `
  -Location $AzureLocation

# Create the dedicated subnet for AAD Domain Services.
$SubnetName = "DomainServices"
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name DomainServices `
  -AddressPrefix 10.0.0.0/24

$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name Workloads `
  -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet=New-AzVirtualNetwork `
  -ResourceGroupName $ResourceGroupName `
  -Location $AzureLocation `
  -Name $VnetName `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $AaddsSubnet,$WorkloadSubnet

$NSGName = "aaddsNSG"

# Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
$nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 201 `
    -SourceAddressPrefix CorpNetSaw `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 3389

# Create a rule to allow TCP port 5986 traffic for PowerShell remote management
$nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 301 `
    -SourceAddressPrefix AzureActiveDirectoryDomainServices `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 5986

# Create the network security group and rules
$nsg = New-AzNetworkSecurityGroup -Name $NSGName `
    -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation `
    -SecurityRules $nsg201,$nsg301

# Get the existing virtual network resource objects and information
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$addressPrefix = $subnet.AddressPrefix

# Associate the network security group with the virtual network subnet
Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
    -VirtualNetwork $vnet `
    -AddressPrefix $addressPrefix `
    -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork

# Enable Azure AD Domain Services for the directory.
$replicaSetParams = @{
  Location = $AzureLocation
  SubnetId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"
}
$replicaSet = New-AzADDomainServiceReplicaSetObject @replicaSetParams

$domainServiceParams = @{
  Name = $ManagedDomainName
  ResourceGroupName = $ResourceGroupName
  DomainName = $ManagedDomainName
  ReplicaSet = $replicaSet
}
New-AzADDomainService @domainServiceParams

参考 - Enable Azure Active Directory Domain Services using PowerShell

Answer 2

如果您也遇到此问题，我已经找到了解决方法。我不确定我编写的 New-AzResource cmdlet 有什么问题，但我最终在门户中手动创建了域服务，然后下载了 JSON 模板。我尝试使用反编译器将其转换为 BICEP，但无论出于何种原因，它都不会接受。为了解决这个问题，我手动编写了一个 BICEP 文件来创建域服务。

New-AzResourceGroupDeployment -ResourceGroupName $vnetResourceGroup -TemplateFile "C:\dev\pub\Bicep Files\domain.bicep" -shortName $shortName -managedDomainName $managedDomainName -location $location -subnetAddressPrefix "$($coreSubnet.AddressPrefix)"

如果您在为域服务编写 BICEP 文件时需要帮助，请使用 this link。