Azure Peering Fails with HTTP error 400

Hello @IT 110

The most likely cause of the "HTTP error 400" during VNet peering with Azure AD DS is an incorrect DNS configuration on the Azure AD DS VNet (aadds-vnet). To resolve this, either configure custom DNS on ServerA-vnet to point to the Azure AD DS domain controllers, or revert the DNS settings on the aadds-vnet to use the default Azure-provided DNS servers (or ensure they only point to the AD DS IPs) and then attempt to create the peering link again.

Locate the IP addresses of the domain controllers provisioned by Azure AD DS. These are typically the first two usable IPs in the Azure AD DS VNet range (e.g., 10.0.0.4 and 10.0.0.5). You can find these in the Azure portal under the Azure AD DS resource.

Configure Custom DNS on ServerA-vnet

Troubleshoot Peering Failure (If DNS Configuration Doesn't Resolve the Issue)

1. Double-Check for Overlapping Subnets: Ensure no subnet within 10.1.0.0/24 overlaps with any subnet within 10.0.0.0/24.
2. Check Azure AD DS DNS Settings: Verify that the Azure AD DS DNS settings use the default Azure DNS configuration or are configured to use only its own DCs. If custom DNS servers are configured on the aadds-vnet, revert them to default.
3. Check Peering Direction: Ensure you are attempting to peer in both directions (from 10.0.0.0/24 to 10.1.0.0/24 AND from 10.1.0.0/24 to 10.0.0.0/24).

---

If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.

Hi IT 110,

Welcome to Microsoft Q&A and thank you for posting your query here!

You're on the right track trying to connect your ServerA to Microsoft Entra Domain Services (formerly Azure AD DS) using VNet peering. The "HTTP error 400" during VNet peering usually means there's a misconfiguration or conflict in how the peering was set up. Let's walk through the full process to resolve the error and ensure ServerA can join the Entra DS domain.

Step-by-Step Fix Based on Microsoft Docs

1. Understand the Setup:

• aadds-vnet (10.0.0.0/24): Where Entra Domain Services is deployed.
• ServerA-vnet (10.1.0.0/24): Where ServerA is hosted, needs to RDP and join the domain.
• Goal: Peering both VNets so ServerA can locate and join the domain via DNS.

2. Fix the Peering HTTP 400 Error

This usually happens if:

• Both VNets try to use the same address space.
• Or one side of the peering isn't fully configured.

Go through these steps carefully:

A. Check Address Space Conflicts

• Ensure there's no overlapping IP range between aadds-vnet (10.0.0.0/24) and ServerA-vnet (10.1.0.0/24) → You’ve already done this.

B. Create VNet Peering (From Both Sides)

• You need to configure bi-directional peering manually if you're not using "Allow remote network to initiate peering."

Do the following from each VNet:

From aadds-vnet → ServerA-vnet:

1. Go to Virtual networks > aadds-vnet > Peerings > + Add.
2. Name: aadds-to-servera
3. Peering link name (remote): servera-to-aadds
4. Subscription: Select the one for ServerA-vnet
5. Virtual network: Select ServerA-vnet
6. Check: Allow virtual network access Allow forwarded traffic (optional) Allow gateway transit (leave unchecked unless using VPN)
7. Click Add.

From ServerA-vnet → aadds-vnet:

Repeat the same steps:

1. Go to Virtual networks > ServerA-vnet > Peerings > + Add

Name: servera-to-aadds

Peering link name (remote): aadds-to-servera

Use same settings as above

If you only create peering from one side, the other side won't route traffic, and you'll get errors like HTTP 400 or connectivity failures.

3. Update DNS Settings for ServerA-vnet

This step is crucial for domain join to work!

Entra Domain Services uses custom DNS IPs, usually shown in the Overview blade of your Entra DS resource.

To set DNS on ServerA-vnet:

Go to Virtual networks > ServerA-vnet > DNS servers

Select: Custom

Add both IPs listed in Entra DS (typically the first two IPs of your aadds-vnet, e.g., 10.0.0.4 and 10.0.0.5)

Click Save

This ensures ServerA can resolve the domain name via Entra DS.

4. Restart the ServerA VM

After changing DNS settings, restart the VM in ServerA-vnet so it picks up the new DNS configuration.

5. Join ServerA to Entra DS Domain

Now, try joining ServerA to the domain:

Use a domain account from the "AAD DC Administrators" group.

Refer for info: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

https://learn.microsoft.com/en-us/entra/identity/domain-services/join-windows-vm

please do let me know if you have any questions on this.

Thanks,

Harish.

I tried to configure peering in both directions following your steps above. Both attempts to peer fail with the following errors:

→Failed to add virtual network peering 'aadds-to-servera' to aadds-vnet'. Error: Batch response item http error 400

→Failed to add virtual network peering 'servera-to-aadds' to ServerA-vnet'. Error: Batch response item http error 400

I then added Custom DNS servers to ServerA-vnet (10.0.0.4 and 10.0.0.5) successfully.

Attempted to join domain unsuccessfully.

I also tried again to set up peering both directions after adding the custom DNS servers and received the same two errors above.

The aadds-vnet DNS servers are configured as Azure provided DNS service.

This really has me stumped and is a show-stopper. I'm using the Azure free trial at the moment. I really don't understand why Entra DS doesn't provide and inbound security rule to allow RDP to begin with or allow one to be added. Many thanks for your suggestions so far!

I'm wondering if this has something to do with connectivity. My IP settings use DHCP for ServerA. It's IP is 10.1.0.4/24 with a gateway of 10.1.0.1. The DHCP server it's using is 168.63.129.16. The DNS servers are 10.0.0.4 and 10.0.0.5. All that looks fine, but I can't ping the default gate, DNS servers, or DHCP server. Is this normal in Azure VMs?